Looks like that you have been reinfected.
I recommend that you stay offline as much as possible or attempting to clean makes little sense.
Please rerun combofix, allow combofix to update itself if it asks so and post back a fresh combofix log and a fresh HijackThis log.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
combo fix
ComboFix 09-03-06.02 - Owner 2009-03-08 10:55:03.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.756 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Install.txt
c:\windows\system32\1Kwf4nAc.dll
c:\windows\system32\4Iud7lXa.exe
c:\windows\system32\4Iud7lXa.exe.a_a
c:\windows\system32\afisicx.exe
c:\windows\system32\ajebobog.ini
c:\windows\system32\ar0Mi1YH.exe.a_a
c:\windows\system32\bajobifa.dll
c:\windows\system32\bihiwuko.dll
c:\windows\system32\buhepine.dll
c:\windows\system32\comsa32.sys
c:\windows\system32\ecagnw.dll
c:\windows\system32\eyadelod.ini
c:\windows\system32\fubuveva.dll
c:\windows\system32\jrohab.dll
c:\windows\system32\luzuhepi.dll
c:\windows\system32\mabidwe.exe
c:\windows\system32\sopidkc.exe
c:\windows\system32\sykfto.dll
c:\windows\system32\tpszxyd.sys
c:\windows\system32\unagumov.ini
c:\windows\system32\uratupij.ini
c:\windows\system32\wmtkwh.dll
----- BITS: Possible infected sites -----
hxxp://msxb-d1.vo.llnw.net:3074
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_SOPIDKC
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_sopidkc
((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.
2009-03-08 11:02 . 2009-03-08 11:02 1,807,280 ---hs---- c:\windows\system32\uratupij.ini
2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-06 16:42 . 2009-03-08 11:01 <DIR> d-------- c:\program files\DNA
2009-03-06 16:42 . 2009-03-08 11:01 <DIR> d-------- c:\documents and settings\Owner\Application Data\DNA
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects
2009-02-14 19:07 . 2009-02-14 19:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-10 18:30 . 2009-02-10 18:30 0 --a------ C:\xfBA4.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 22:10 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-02-01 18:30 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 17:32 279,712 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-01-12 17:32 25,888 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-01-10 21:01 --------- d-----w c:\program files\directx
2009-01-10 20:59 --------- d-----w c:\program files\14 Degrees East
2009-01-10 18:55 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-01-10 18:28 --------- d-----w c:\program files\GameSpy Arcade
2009-01-08 09:27 --------- d-----w c:\documents and settings\NetworkService\Application Data\Xfire
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
2008-10-31 00:05 18,022 ----a-w c:\documents and settings\Owner\Application Data\hutazowuca.bin
2008-10-31 00:05 15,343 ----a-w c:\documents and settings\All Users\Application Data\agezezalic.exe
2008-10-31 00:05 14,472 ----a-w c:\documents and settings\All Users\Application Data\ihojuren.bat
2008-10-31 00:05 13,162 ----a-w c:\documents and settings\Owner\Application Data\fyryq.bat
2008-10-31 00:05 11,081 ----a-w c:\program files\Common Files\gived.bat
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\dowigemu.dll
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\tobuvuzi.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-03-04_10.13.57.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
+ 2008-04-28 06:21:44 70,944 ----a-w c:\windows\Downloaded Program Files\sprthelper.exe
+ 2008-04-28 06:22:00 292,224 ----a-w c:\windows\Downloaded Program Files\tgctlcm.dll
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-05 20:05:02 130,433 ----a-w c:\windows\FIOS\unins000.dat
+ 2009-03-05 20:04:55 741,146 ----a-w c:\windows\FIOS\unins000.exe
+ 2009-03-04 21:14:31 9,662 ----a-r c:\windows\Installer\{000E79B7-E725-4F01-870A-C12942B7F8E4}\ARPPRODUCTICON.exe
+ 2009-03-04 21:14:31 10,134 ----a-r c:\windows\Installer\{000E79B7-E725-4F01-870A-C12942B7F8E4}\checkForUpdatesSC_000E79B7E7254F01870AC12942B7F8E4.exe
+ 2009-03-04 21:14:31 10,134 ----a-r c:\windows\Installer\{000E79B7-E725-4F01-870A-C12942B7F8E4}\visitWebsite_000E79B7E7254F01870AC12942B7F8E4.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\ARPPRODUCTICON.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\Comrade.exe_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\NewShortcut7_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\NewShortcut8_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2009-03-04 21:16:15 8,854 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\UNINST_Uninstall_Com_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2009-03-08 12:26:04 84,992 --sha-w c:\windows\system32\bojevama.dll
- 2008-04-14 12:00:00 8,461,312 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2009-03-07 12:25:37 79,872 ------w c:\windows\system32\doledaye.dll
- 2009-02-03 19:04:51 114,968 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-04 21:32:30 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-08 12:26:05 79,872 --sha-w c:\windows\system32\jiputaru.dll
- 2009-03-04 15:06:17 55,530 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-07 01:19:42 55,530 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-04 15:06:17 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-07 01:19:42 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-07 12:25:36 84,992 --sha-w c:\windows\system32\ruwokupa.dll
- 2008-04-14 12:00:00 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2009-03-07 00:25:09 84,992 --sha-w c:\windows\system32\vimoveta.dll
+ 2009-03-07 00:25:10 79,872 ------w c:\windows\system32\vomuganu.dll
- 2005-12-05 23:07:30 61,136 ----a-w c:\windows\system32\xinput9_1_0.dll
+ 2009-03-06 20:55:39 61,136 ----a-w c:\windows\system32\xinput9_1_0.dll
+ 2009-03-08 00:25:55 84,992 --sha-w c:\windows\system32\zodakifi.dll
+ 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\Cookies\index.dat
+ 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-08 15:01:47 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4fc.dat
+ 2009-03-08 15:02:02 32,768 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2005-09-23 04:49:12 95,744 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2005-09-23 06:16:02 1,093,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2005-09-23 06:16:06 1,079,808 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2005-09-23 06:16:08 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2005-09-23 06:16:10 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2005-09-23 05:58:06 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2005-09-23 05:58:06 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2005-09-23 05:58:06 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2005-09-23 05:58:06 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2005-09-23 05:58:06 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2005-09-23 05:58:06 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2005-09-23 05:58:06 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2005-09-23 05:58:06 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2005-09-23 05:58:06 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
+ 2005-09-23 06:35:10 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{812038b4-022b-413d-8650-1d082c449487}]
48128 --ahs---- c:\windows\system32\dowigemu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [BU]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [BU]
"Comrade.exe"="c:\program files\GameSpy\Comrade\Comrade.exe" [2007-06-29 36864]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-06 321344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"yalajahubo"="c:\windows\system32\tobuvuzi.dll" [ 48128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"58d27dcb"="c:\windows\system32\jiputaru.dll" [2009-03-08 79872]
"CPM5be14e57"="c:\windows\system32\bojevama.dll" [2009-03-08 84992]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\bojevama.dll" [2009-03-08 84992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bojevama.dll [2009-03-08 84992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\bojevama.dll
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\fubuveva.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\WINDOWS\\explorer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-03-08 c:\windows\Tasks\At1.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At10.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At11.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At12.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At13.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At14.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At15.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At16.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At17.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At18.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At19.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At2.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At20.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At21.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At22.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At23.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At24.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At25.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At26.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At27.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At28.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At29.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At3.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At30.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At31.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At32.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At33.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At34.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At35.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-07 c:\windows\Tasks\At36.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-07 c:\windows\Tasks\At37.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-07 c:\windows\Tasks\At38.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-07 c:\windows\Tasks\At39.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At4.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-07 c:\windows\Tasks\At40.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-07 c:\windows\Tasks\At41.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At42.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-07 c:\windows\Tasks\At43.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At44.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At45.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At46.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At47.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At48.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-08 c:\windows\Tasks\At5.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At6.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At7.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At8.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-08 c:\windows\Tasks\At9.job
- c:\windows\system32\ar0Mi1YH.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{a9594de5-ab05-4858-b6ce-160d1fa4f981} - c:\windows\system32\ecagnw.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 11:02:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5
[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\java.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2009-03-08 11:07:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 15:07:38
ComboFix2.txt 2009-03-04 21:51:39
ComboFix3.txt 2009-03-04 15:14:37
ComboFix4.txt 2009-01-19 22:15:30
Pre-Run: 70,241,882,112 bytes free
Post-Run: 72,877,867,008 bytes free
463 --- E O F --- 2009-03-05 08:03:08
hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:52 AM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {812038b4-022b-413d-8650-1d082c449487} - C:\WINDOWS\system32\dowigemu.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [yalajahubo] Rundll32.exe "C:\WINDOWS\system32\tobuvuzi.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\jiputaru.dll",b
O4 - HKLM\..\Run: [CPM5be14e57] Rundll32.exe "c:\windows\system32\bojevama.dll",a
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...0Installer.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fubuveva.dll c:\windows\system32\bojevama.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bojevama.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bojevama.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5801 bytes
Sorry for delay, I got no email notification.
Please post next a fresh hijackthis log.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
thank you
Man my computer is getting worse. I went to restart it yesterday and it took 30 minutes to start up. It just keep rebooting at the windows screen.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:02 PM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {812038b4-022b-413d-8650-1d082c449487} - C:\WINDOWS\system32\dowigemu.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\hilozepi.dll",b
O4 - HKLM\..\Run: [CPM5be14e57] Rundll32.exe "C:\WINDOWS\system32\zubadira.dll",a
O4 - HKLM\..\Run: [yalajahubo] Rundll32.exe "C:\WINDOWS\system32\tobuvuzi.dll",s
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...0Installer.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fubuveva.dll oflnvz.dll chomxv.dll fxbxac.dll lhenns.dll nqvkdc.dll coyfkz.dll gkizvv.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5451 bytes
Please re-run combofix and post back its log along with a fresh hijackthis log.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
cOMBO FIX
ComboFix 09-03-13.02 - Owner 2009-03-14 11:09:27.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1551 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\oriyabir.ini
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\aletotiz.ini
c:\windows\system32\chomxv.dll
c:\windows\system32\coyfkz.dll
c:\windows\system32\dibewori.dll
c:\windows\system32\ebosodoy.ini
c:\windows\system32\fimahafu.dll
c:\windows\system32\fxbxac.dll
c:\windows\system32\gkizvv.dll
c:\windows\system32\hagebuzi.dll
c:\windows\system32\ipezolih.ini
c:\windows\system32\isinutur.ini
c:\windows\system32\kgwssk.dll
c:\windows\system32\lasefoye.dll
c:\windows\system32\lhenns.dll
c:\windows\system32\nqvkdc.dll
c:\windows\system32\obubofiz.ini
c:\windows\system32\oflnvz.dll
c:\windows\system32\ogetedoz.ini
c:\windows\system32\oriyabir.ini
c:\windows\system32\ozavokal.ini
c:\windows\system32\rifofune.dll
c:\windows\system32\sazukojo.dll
c:\windows\system32\uhalotep.ini
c:\windows\system32\uratupij.ini
c:\windows\system32\vupowose.dll
c:\windows\system32\xidvcs.dll
c:\windows\system32\zasiyugi.dll
c:\windows\system32\zulagovi.dll
.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.
2009-03-14 11:13 . 2009-03-14 11:14 1,713,721 ---hs---- c:\windows\system32\oriyabir.ini
2009-03-10 08:27 . 2009-03-10 08:27 2,098 ---hs---- c:\windows\system32\sidegiho.dll
2009-03-10 08:27 . 2009-03-10 08:27 2,098 ---hs---- c:\windows\system32\hohohano.dll
2009-03-10 08:27 . 2009-03-10 08:27 2,098 ---hs---- c:\windows\system32\gihovoji.dll
2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-06 16:42 . 2009-03-14 10:59 <DIR> d-------- c:\program files\DNA
2009-03-06 16:42 . 2009-03-14 11:12 <DIR> d-------- c:\documents and settings\Owner\Application Data\DNA
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects
2009-02-14 19:07 . 2009-02-14 19:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-02-01 18:30 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
2008-10-31 00:05 18,022 ----a-w c:\documents and settings\Owner\Application Data\hutazowuca.bin
2008-10-31 00:05 15,343 ----a-w c:\documents and settings\All Users\Application Data\agezezalic.exe
2008-10-31 00:05 14,472 ----a-w c:\documents and settings\All Users\Application Data\ihojuren.bat
2008-10-31 00:05 13,162 ----a-w c:\documents and settings\Owner\Application Data\fyryq.bat
2008-10-31 00:05 11,081 ----a-w c:\program files\Common Files\gived.bat
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\dowigemu.dll
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\tobuvuzi.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-03-08_11.06.59.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-27 19:38:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
+ 2009-03-11 15:24:31 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
+ 2009-03-12 03:21:03 84,992 --sha-w c:\windows\system32\gasefifi.dll
+ 2009-03-09 12:26:32 84,992 --sha-w c:\windows\system32\jaharati.dll
+ 2009-03-11 00:26:57 84,992 --sha-w c:\windows\system32\jodozome.dll
+ 2009-03-09 00:26:08 79,872 ------w c:\windows\system32\lakovazo.dll
+ 2009-03-10 00:26:38 84,992 --sha-w c:\windows\system32\ludiyofu.dll
+ 2009-03-09 00:26:08 84,992 --sha-w c:\windows\system32\lufesoko.dll
- 2009-03-07 01:19:42 55,530 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-14 15:03:26 55,530 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-07 01:19:42 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 15:03:26 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-11 00:26:57 79,872 ------w c:\windows\system32\petolahu.dll
+ 2009-03-14 03:06:54 79,872 --sha-w c:\windows\system32\ribayiro.dll
+ 2009-03-14 03:06:53 84,992 --sha-w c:\windows\system32\ruyutave.dll
+ 2009-03-11 15:21:02 84,992 --sha-w c:\windows\system32\sobamehu.dll
+ 2009-03-12 15:21:31 84,992 --sha-w c:\windows\system32\vidajadu.dll
+ 2009-03-13 15:06:55 84,992 --sha-w c:\windows\system32\zubadira.dll
- 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\Cookies\index.dat
+ 2009-03-14 15:13:50 16,384 ----a-w c:\windows\Temp\Cookies\index.dat
- 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-14 15:13:50 16,384 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-14 15:13:37 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4cc.dat
- 2009-03-08 15:02:02 32,768 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-14 15:13:50 32,768 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{812038b4-022b-413d-8650-1d082c449487}]
48128 --ahs---- c:\windows\system32\dowigemu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"yalajahubo"="c:\windows\system32\tobuvuzi.dll" [ 48128]
"58d27dcb"="c:\windows\system32\ribayiro.dll" [2009-03-13 79872]
"CPM5be14e57"="c:\windows\system32\ruyutave.dll" [2009-03-13 84992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-10-04 1757]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\ruyutave.dll" [2009-03-13 84992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ruyutave.dll [2009-03-13 84992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\ruyutave.dll,c:\windows\system32\fubuveva.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\fubuveva.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Comrade.exe"=c:\program files\GameSpy\Comrade\Comrade.exe
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"nwiz"=nwiz.exe /install
"yalajahubo"=Rundll32.exe "c:\windows\system32\tobuvuzi.dll",s
"58d27dcb"=rundll32.exe "c:\windows\system32\ribayiro.dll",b
"CPM5be14e57"=Rundll32.exe "c:\windows\system32\ruyutave.dll",a
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\explorer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-03-14 c:\windows\Tasks\At1.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At10.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At11.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At12.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At13.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At14.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At15.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At16.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At17.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At18.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At19.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At2.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At20.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At21.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At22.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At23.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At24.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At25.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At26.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At27.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At28.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At29.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At3.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At30.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At31.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At32.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At33.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At34.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At35.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At36.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-13 c:\windows\Tasks\At37.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-13 c:\windows\Tasks\At38.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-13 c:\windows\Tasks\At39.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At4.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-13 c:\windows\Tasks\At40.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-13 c:\windows\Tasks\At41.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-13 c:\windows\Tasks\At42.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-13 c:\windows\Tasks\At43.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-13 c:\windows\Tasks\At44.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At45.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At46.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At47.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At48.job
- c:\windows\system32\4Iud7lXa.exe []
2009-03-14 c:\windows\Tasks\At5.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At6.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At7.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At8.job
- c:\windows\system32\ar0Mi1YH.exe []
2009-03-14 c:\windows\Tasks\At9.job
- c:\windows\system32\ar0Mi1YH.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{02f1fab3-2865-4da0-ac42-0d18deb05bb9} - c:\windows\system32\gkizvv.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 11:13:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5
[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2009-03-14 11:19:11 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-03-14 15:19:08
ComboFix2.txt 2009-03-08 15:07:42
ComboFix3.txt 2009-03-04 21:51:39
ComboFix4.txt 2009-03-04 15:14:37
ComboFix5.txt 2009-03-14 14:51:21
Pre-Run: 70,544,539,648 bytes free
Post-Run: 70,526,406,656 bytes free
416 --- E O F --- 2009-03-05 08:03:08
hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:57 AM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {812038b4-022b-413d-8650-1d082c449487} - C:\WINDOWS\system32\dowigemu.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [yalajahubo] Rundll32.exe "C:\WINDOWS\system32\tobuvuzi.dll",s
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\ribayiro.dll",b
O4 - HKLM\..\Run: [CPM5be14e57] Rundll32.exe "c:\windows\system32\ruyutave.dll",a
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...0Installer.cab
O20 - AppInit_DLLs: c:\windows\system32\ruyutave.dll,C:\WINDOWS\system32\fubuveva.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ruyutave.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ruyutave.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5258 bytes
Open notepad and copy/paste the text in the codebox below into it:
Save this as "CFScript"Code:File:: c:\windows\system32\oriyabir.ini c:\windows\system32\sidegiho.dll c:\windows\system32\hohohano.dll c:\windows\system32\gihovoji.dll c:\documents and settings\Owner\Application Data\hutazowuca.bin c:\documents and settings\All Users\Application Data\agezezalic.exe c:\documents and settings\All Users\Application Data\ihojuren.bat c:\documents and settings\Owner\Application Data\fyryq.bat c:\program files\Common Files\gived.bat c:\windows\system32\dowigemu.dll c:\windows\system32\tobuvuzi.dll c:\windows\system32\gasefifi.dll c:\windows\system32\jaharati.dll c:\windows\system32\jodozome.dll c:\windows\system32\lakovazo.dll c:\windows\system32\ludiyofu.dll c:\windows\system32\lufesoko.dll c:\windows\system32\petolahu.dll c:\windows\system32\ribayiro.dll c:\windows\system32\ruyutave.dll c:\windows\system32\sobamehu.dll c:\windows\system32\vidajadu.dll c:\windows\system32\zubadira.dll c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At25.job c:\windows\Tasks\At26.job c:\windows\Tasks\At27.job c:\windows\Tasks\At28.job c:\windows\Tasks\At29.job c:\windows\Tasks\At3.job c:\windows\Tasks\At30.job c:\windows\Tasks\At31.job c:\windows\Tasks\At32.job c:\windows\Tasks\At33.job c:\windows\Tasks\At34.job c:\windows\Tasks\At35.job c:\windows\Tasks\At36.job c:\windows\Tasks\At37.job c:\windows\Tasks\At38.job c:\windows\Tasks\At39.job c:\windows\Tasks\At4.job c:\windows\Tasks\At40.job c:\windows\Tasks\At41.job c:\windows\Tasks\At42.job c:\windows\Tasks\At43.job c:\windows\Tasks\At44.job c:\windows\Tasks\At45.job c:\windows\Tasks\At46.job c:\windows\Tasks\At47.job c:\windows\Tasks\At48.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job Folder:: c:\program files\DNA c:\documents and settings\Owner\Application Data\DNA Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{812038b4-022b-413d-8650-1d082c449487}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "yalajahubo"=- "58d27dcb"=- "CPM5be14e57"=- [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler] "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "SSODL"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe] "Debugger"=- [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 DDS:: FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
COMbo
ComboFix 09-03-13.02 - Owner 2009-03-14 14:49:53.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1432 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\documents and settings\All Users\Application Data\agezezalic.exe
c:\documents and settings\All Users\Application Data\ihojuren.bat
c:\documents and settings\Owner\Application Data\fyryq.bat
c:\documents and settings\Owner\Application Data\hutazowuca.bin
c:\program files\Common Files\gived.bat
c:\windows\system32\dowigemu.dll
c:\windows\system32\gasefifi.dll
c:\windows\system32\gihovoji.dll
c:\windows\system32\hohohano.dll
c:\windows\system32\jaharati.dll
c:\windows\system32\jodozome.dll
c:\windows\system32\lakovazo.dll
c:\windows\system32\ludiyofu.dll
c:\windows\system32\lufesoko.dll
c:\windows\system32\oriyabir.ini
c:\windows\system32\petolahu.dll
c:\windows\system32\ribayiro.dll
c:\windows\system32\ruyutave.dll
c:\windows\system32\sidegiho.dll
c:\windows\system32\sobamehu.dll
c:\windows\system32\tobuvuzi.dll
c:\windows\system32\vidajadu.dll
c:\windows\system32\zubadira.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\agezezalic.exe
c:\documents and settings\All Users\Application Data\ihojuren.bat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\DNA
c:\documents and settings\Owner\Application Data\DNA\dht.dat
c:\documents and settings\Owner\Application Data\DNA\dna.lng
c:\documents and settings\Owner\Application Data\DNA\resume.dat
c:\documents and settings\Owner\Application Data\DNA\resume.dat.old
c:\documents and settings\Owner\Application Data\DNA\rss.dat
c:\documents and settings\Owner\Application Data\DNA\settings.dat
c:\documents and settings\Owner\Application Data\DNA\settings.dat.old
c:\documents and settings\Owner\Application Data\fyryq.bat
c:\documents and settings\Owner\Application Data\hutazowuca.bin
c:\program files\Common Files\gived.bat
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\windows\Install.txt
c:\windows\system32\afisicx.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\dowigemu.dll
c:\windows\system32\gasefifi.dll
c:\windows\system32\gihovoji.dll
c:\windows\system32\hohohano.dll
c:\windows\system32\jaharati.dll
c:\windows\system32\jodozome.dll
c:\windows\system32\jomotewa.dll
c:\windows\system32\lakovazo.dll
c:\windows\system32\ludiyofu.dll
c:\windows\system32\lufesoko.dll
c:\windows\system32\mabidwe.exe
c:\windows\system32\oriyabir.ini
c:\windows\system32\petolahu.dll
c:\windows\system32\ribayiro.dll
c:\windows\system32\ruyutave.dll
c:\windows\system32\sidegiho.dll
c:\windows\system32\sobamehu.dll
c:\windows\system32\sopidkc.exe
c:\windows\system32\tobuvuzi.dll
c:\windows\system32\tpszxyd.sys
c:\windows\system32\umimiyop.ini
c:\windows\system32\vidajadu.dll
c:\windows\system32\zsowvw.dll
c:\windows\system32\zubadira.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
----- BITS: Possible infected sites -----
hxxp://msxb-d1.vo.llnw.net:3074
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_SOPIDKC
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_sopidkc
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.
2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects
2009-02-14 19:07 . 2009-02-14 19:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 16:51 --------- d-----w c:\program files\Bethesda Softworks
2009-03-14 16:51 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-03-08_11.06.59.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-01 18:30:32 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2009-03-14 16:51:02 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2009-02-01 18:30:32 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2009-03-14 16:51:03 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2009-02-01 18:30:32 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2009-03-14 16:51:03 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2009-02-01 18:30:29 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:54 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:29 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:56 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:30 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:56 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:30 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:57 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:58 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:59 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:00 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:00 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:01 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:32 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:04 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:32 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2009-03-14 16:51:04 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2009-02-01 18:30:32 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2009-03-14 16:51:05 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2009-02-01 18:30:33 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2009-03-14 16:51:05 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2009-02-01 18:30:33 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2009-03-14 16:51:05 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2009-02-01 18:30:32 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2009-03-14 16:51:02 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2009-02-01 18:28:08 68,608 ----a-w c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-03-14 16:47:59 68,608 ----a-w c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-02-01 18:28:14 72,192 ----a-w c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-03-14 16:48:07 72,192 ----a-w c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-02-01 18:28:14 4,308,992 ----a-w c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-03-14 16:48:08 4,308,992 ----a-w c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2009-02-01 18:28:15 482,304 ----a-w c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-03-14 16:48:10 482,304 ----a-w c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-02-01 18:28:12 2,878,976 ----a-w c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-03-14 16:48:04 2,878,976 ----a-w c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-02-01 18:28:05 258,048 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-03-14 16:47:55 258,048 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-02-01 18:28:05 114,176 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-03-14 16:47:55 114,176 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-02-01 18:28:18 260,096 ----a-w c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-03-14 16:48:16 260,096 ----a-w c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2009-02-01 18:28:10 5,025,792 ----a-w c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-03-14 16:48:02 5,025,792 ----a-w c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-02-01 18:28:07 10,752 ----a-w c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-03-14 16:47:59 10,752 ----a-w c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-02-01 18:28:04 503,808 ----a-w c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-03-14 16:47:54 503,808 ----a-w c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-02-01 18:28:05 13,312 ----a-w c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-03-14 16:47:56 13,312 ----a-w c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-02-01 18:28:13 8,192 ----a-w c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-03-14 16:48:06 8,192 ----a-w c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-02-01 18:28:13 36,864 ----a-w c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-03-14 16:48:07 36,864 ----a-w c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-02-01 18:28:13 5,632 ----a-w c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-03-14 16:48:07 5,632 ----a-w c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-02-01 18:28:06 413,696 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-03-14 16:47:57 413,696 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-02-01 18:28:06 36,864 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-03-14 16:47:58 36,864 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-02-01 18:28:07 647,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-03-14 16:47:58 647,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-02-01 18:28:07 73,728 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-03-14 16:47:58 73,728 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-02-01 18:28:06 745,472 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-03-14 16:47:57 745,472 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-02-01 18:28:19 110,592 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-03-14 16:48:19 110,592 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-02-01 18:28:19 372,736 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-03-14 16:48:18 372,736 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-02-01 18:28:04 28,672 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-03-14 16:47:53 28,672 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-02-01 18:28:19 667,648 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-03-14 16:48:17 667,648 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-02-01 18:28:19 5,632 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-03-14 16:48:19 5,632 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2009-02-01 18:28:04 12,800 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-03-14 16:47:54 12,800 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-02-01 18:28:04 32,768 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-03-14 16:47:53 32,768 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-02-01 18:28:04 7,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-03-14 16:47:54 7,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-02-01 18:28:17 110,592 ----a-w c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-03-14 16:48:13 110,592 ----a-w c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-02-01 18:28:09 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-03-14 16:48:00 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-02-01 18:28:17 389,120 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-03-14 16:48:14 389,120 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-02-01 18:28:16 716,800 ----a-w c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-03-14 16:48:10 716,800 ----a-w c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-02-01 18:28:05 884,736 ----a-w c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-03-14 16:47:56 884,736 ----a-w c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-02-01 18:28:12 5,050,368 ----a-w c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-03-14 16:48:05 5,050,368 ----a-w c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-02-01 18:28:09 188,416 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-03-14 16:48:00 188,416 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-02-01 18:28:09 397,312 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-03-14 16:48:00 397,312 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-02-01 18:28:09 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-03-14 16:48:01 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-02-01 18:28:17 700,416 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-03-14 16:48:15 700,416 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-02-01 18:28:16 368,640 ----a-w c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-03-14 16:48:11 368,640 ----a-w c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-02-01 18:28:18 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-03-14 16:48:16 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-02-01 18:28:16 299,008 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2009-03-14 16:48:11 299,008 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-02-01 18:28:16 131,072 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-03-14 16:48:12 131,072 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-02-01 18:28:07 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-03-14 16:47:59 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-02-01 18:28:09 114,688 ----a-w c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-03-14 16:48:01 114,688 ----a-w c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-02-01 18:28:19 835,584 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-03-14 16:48:17 835,584 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-02-01 18:28:10 86,016 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-03-14 16:48:02 86,016 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-02-01 18:28:10 823,296 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-03-14 16:48:03 823,296 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-02-01 18:28:10 5,316,608 ----a-w c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-03-14 16:48:04 5,316,608 ----a-w c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-02-01 18:28:11 2,035,712 ----a-w c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-03-14 16:48:04 2,035,712 ----a-w c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-02-01 18:28:17 3,018,752 ----a-w c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-03-14 16:48:14 3,018,752 ----a-w c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-01-27 19:38:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
+ 2009-03-11 15:24:31 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
- 2009-03-04 21:32:30 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-14 18:55:27 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-14 16:07:14 84,992 --sha-w c:\windows\system32\pabipihe.dll
- 2009-03-07 01:19:42 55,530 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-14 16:48:26 66,462 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-07 01:19:42 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 16:48:26 418,400 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 16:07:13 79,872 --sha-w c:\windows\system32\poyimimu.dll
- 2006-06-29 18:07:36 14,048 ------w c:\windows\system32\spmsg2.dll
+ 2006-06-29 17:07:36 14,048 ------w c:\windows\system32\spmsg2.dll
- 2006-10-14 22:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\mxdwdrv.dll
+ 2006-10-14 21:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\mxdwdrv.dll
- 2006-10-15 01:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\xpssvcs.dll
+ 2006-10-15 00:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\xpssvcs.dll
- 2006-10-14 22:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\mxdwdrv.dll
+ 2006-10-14 21:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\mxdwdrv.dll
- 2006-10-15 01:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\xpssvcs.dll
+ 2006-10-15 00:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\xpssvcs.dll
- 2006-10-14 21:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\mxdwdrv.dll
+ 2006-10-14 20:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\mxdwdrv.dll
- 2006-10-15 01:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\xpssvcs.dll
+ 2006-10-15 00:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\xpssvcs.dll
- 2006-10-14 21:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\mxdwdrv.dll
+ 2006-10-14 20:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\mxdwdrv.dll
- 2006-10-15 01:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\xpssvcs.dll
+ 2006-10-15 00:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\xpssvcs.dll
- 2009-02-01 18:28:05 258,048 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-03-14 16:47:55 258,048 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2009-02-01 18:28:05 114,176 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2009-03-14 16:47:55 114,176 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-10-04 1757]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Comrade.exe"=c:\program files\GameSpy\Comrade\Comrade.exe
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"nwiz"=nwiz.exe /install
"yalajahubo"=Rundll32.exe "c:\windows\system32\tobuvuzi.dll",s
"58d27dcb"=rundll32.exe "c:\windows\system32\ribayiro.dll",b
"CPM5be14e57"=Rundll32.exe "c:\windows\system32\ruyutave.dll",a
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\nxtepad.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{a5c5e03d-128d-4ab7-a1c1-01599b2ceb6a} - c:\windows\system32\zsowvw.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 14:55:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5
[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\java.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2009-03-14 15:01:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 19:01:33
ComboFix2.txt 2009-03-14 15:19:12
ComboFix3.txt 2009-03-08 15:07:42
ComboFix4.txt 2009-03-04 21:51:39
ComboFix5.txt 2009-03-14 18:48:13
Pre-Run: 69,720,182,784 bytes free
Post-Run: 70,001,475,584 bytes free
568 --- E O F --- 2009-03-05 08:03:08
Posting Permissions
