Not really sure whats wrong

Shaba · Mar 8, 2009

Looks like that you have been reinfected.

I recommend that you stay offline as much as possible or attempting to clean makes little sense.

Please rerun combofix, allow combofix to update itself if it asks so and post back a fresh combofix log and a fresh HijackThis log.

Jammen690 · Mar 8, 2009

combo fix

ComboFix 09-03-06.02 - Owner 2009-03-08 10:55:03.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.756 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Install.txt
c:\windows\system32\1Kwf4nAc.dll
c:\windows\system32\4Iud7lXa.exe
c:\windows\system32\4Iud7lXa.exe.a_a
c:\windows\system32\afisicx.exe
c:\windows\system32\ajebobog.ini
c:\windows\system32\ar0Mi1YH.exe.a_a
c:\windows\system32\bajobifa.dll
c:\windows\system32\bihiwuko.dll
c:\windows\system32\buhepine.dll
c:\windows\system32\comsa32.sys
c:\windows\system32\ecagnw.dll
c:\windows\system32\eyadelod.ini
c:\windows\system32\fubuveva.dll
c:\windows\system32\jrohab.dll
c:\windows\system32\luzuhepi.dll
c:\windows\system32\mabidwe.exe
c:\windows\system32\sopidkc.exe
c:\windows\system32\sykfto.dll
c:\windows\system32\tpszxyd.sys
c:\windows\system32\unagumov.ini
c:\windows\system32\uratupij.ini
c:\windows\system32\wmtkwh.dll

----- BITS: Possible infected sites -----

hxxp://msxb-d1.vo.llnw.net:3074
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_SOPIDKC
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_sopidkc

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-08 11:02 . 2009-03-08 11:02 1,807,280 ---hs---- c:\windows\system32\uratupij.ini
2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-06 16:42 . 2009-03-08 11:01 <DIR> d-------- c:\program files\DNA
2009-03-06 16:42 . 2009-03-08 11:01 <DIR> d-------- c:\documents and settings\Owner\Application Data\DNA
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects
2009-02-14 19:07 . 2009-02-14 19:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-10 18:30 . 2009-02-10 18:30 0 --a------ C:\xfBA4.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 22:10 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-02-01 18:30 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 17:32 279,712 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-01-12 17:32 25,888 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-01-10 21:01 --------- d-----w c:\program files\directx
2009-01-10 20:59 --------- d-----w c:\program files\14 Degrees East
2009-01-10 18:55 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-01-10 18:28 --------- d-----w c:\program files\GameSpy Arcade
2009-01-08 09:27 --------- d-----w c:\documents and settings\NetworkService\Application Data\Xfire
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
2008-10-31 00:05 18,022 ----a-w c:\documents and settings\Owner\Application Data\hutazowuca.bin
2008-10-31 00:05 15,343 ----a-w c:\documents and settings\All Users\Application Data\agezezalic.exe
2008-10-31 00:05 14,472 ----a-w c:\documents and settings\All Users\Application Data\ihojuren.bat
2008-10-31 00:05 13,162 ----a-w c:\documents and settings\Owner\Application Data\fyryq.bat
2008-10-31 00:05 11,081 ----a-w c:\program files\Common Files\gived.bat
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\dowigemu.dll
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\tobuvuzi.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-04_10.13.57.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
+ 2008-04-28 06:21:44 70,944 ----a-w c:\windows\Downloaded Program Files\sprthelper.exe
+ 2008-04-28 06:22:00 292,224 ----a-w c:\windows\Downloaded Program Files\tgctlcm.dll
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-05 20:05:02 130,433 ----a-w c:\windows\FIOS\unins000.dat
+ 2009-03-05 20:04:55 741,146 ----a-w c:\windows\FIOS\unins000.exe
+ 2009-03-04 21:14:31 9,662 ----a-r c:\windows\Installer\{000E79B7-E725-4F01-870A-C12942B7F8E4}\ARPPRODUCTICON.exe
+ 2009-03-04 21:14:31 10,134 ----a-r c:\windows\Installer\{000E79B7-E725-4F01-870A-C12942B7F8E4}\checkForUpdatesSC_000E79B7E7254F01870AC12942B7F8E4.exe
+ 2009-03-04 21:14:31 10,134 ----a-r c:\windows\Installer\{000E79B7-E725-4F01-870A-C12942B7F8E4}\visitWebsite_000E79B7E7254F01870AC12942B7F8E4.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\ARPPRODUCTICON.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\Comrade.exe_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\NewShortcut7_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2009-03-04 21:16:15 57,344 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\NewShortcut8_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
+ 2009-03-04 21:16:15 8,854 ----a-r c:\windows\Installer\{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}\UNINST_Uninstall_Com_CD7D16AA9DCA4A66A4ABF9C1BE60B1B5.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2009-03-08 12:26:04 84,992 --sha-w c:\windows\system32\bojevama.dll
- 2008-04-14 12:00:00 8,461,312 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2009-03-07 12:25:37 79,872 ------w c:\windows\system32\doledaye.dll
- 2009-02-03 19:04:51 114,968 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-04 21:32:30 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-08 12:26:05 79,872 --sha-w c:\windows\system32\jiputaru.dll
- 2009-03-04 15:06:17 55,530 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-07 01:19:42 55,530 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-04 15:06:17 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-07 01:19:42 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-07 12:25:36 84,992 --sha-w c:\windows\system32\ruwokupa.dll
- 2008-04-14 12:00:00 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2009-03-07 00:25:09 84,992 --sha-w c:\windows\system32\vimoveta.dll
+ 2009-03-07 00:25:10 79,872 ------w c:\windows\system32\vomuganu.dll
- 2005-12-05 23:07:30 61,136 ----a-w c:\windows\system32\xinput9_1_0.dll
+ 2009-03-06 20:55:39 61,136 ----a-w c:\windows\system32\xinput9_1_0.dll
+ 2009-03-08 00:25:55 84,992 --sha-w c:\windows\system32\zodakifi.dll
+ 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\Cookies\index.dat
+ 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-08 15:01:47 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4fc.dat
+ 2009-03-08 15:02:02 32,768 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2005-09-23 04:49:12 95,744 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2005-09-23 06:16:02 1,093,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2005-09-23 06:16:06 1,079,808 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2005-09-23 06:16:08 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2005-09-23 06:16:10 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2005-09-23 05:58:06 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2005-09-23 05:58:06 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2005-09-23 05:58:06 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2005-09-23 05:58:06 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2005-09-23 05:58:06 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2005-09-23 05:58:06 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2005-09-23 05:58:06 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2005-09-23 05:58:06 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2005-09-23 05:58:06 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
+ 2005-09-23 06:35:10 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{812038b4-022b-413d-8650-1d082c449487}]
48128 --ahs---- c:\windows\system32\dowigemu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [BU]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [BU]
"Comrade.exe"="c:\program files\GameSpy\Comrade\Comrade.exe" [2007-06-29 36864]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-06 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"yalajahubo"="c:\windows\system32\tobuvuzi.dll" [ 48128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"58d27dcb"="c:\windows\system32\jiputaru.dll" [2009-03-08 79872]
"CPM5be14e57"="c:\windows\system32\bojevama.dll" [2009-03-08 84992]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\bojevama.dll" [2009-03-08 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bojevama.dll [2009-03-08 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\bojevama.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\fubuveva.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP

HCP Discovery Service

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-08 c:\windows\Tasks\At1.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At10.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At11.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At12.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At13.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At14.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At15.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At16.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At17.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At18.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At19.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At2.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At20.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At21.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At22.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At23.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At24.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At25.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At26.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At27.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At28.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At29.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At3.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At30.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At31.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At32.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At33.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At34.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At35.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-07 c:\windows\Tasks\At36.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-07 c:\windows\Tasks\At37.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-07 c:\windows\Tasks\At38.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-07 c:\windows\Tasks\At39.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At4.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-07 c:\windows\Tasks\At40.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-07 c:\windows\Tasks\At41.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At42.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-07 c:\windows\Tasks\At43.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At44.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At45.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At46.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At47.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At48.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-08 c:\windows\Tasks\At5.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At6.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At7.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At8.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-08 c:\windows\Tasks\At9.job
- c:\windows\system32\ar0Mi1YH.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{a9594de5-ab05-4858-b6ce-160d1fa4f981} - c:\windows\system32\ecagnw.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 11:02:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\java.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2009-03-08 11:07:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 15:07:38
ComboFix2.txt 2009-03-04 21:51:39
ComboFix3.txt 2009-03-04 15:14:37
ComboFix4.txt 2009-01-19 22:15:30

Pre-Run: 70,241,882,112 bytes free
Post-Run: 72,877,867,008 bytes free

463 --- E O F --- 2009-03-05 08:03:08

Jammen690 · Mar 8, 2009

hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:52 AM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {812038b4-022b-413d-8650-1d082c449487} - C:\WINDOWS\system32\dowigemu.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [yalajahubo] Rundll32.exe "C:\WINDOWS\system32\tobuvuzi.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\jiputaru.dll",b
O4 - HKLM\..\Run: [CPM5be14e57] Rundll32.exe "c:\windows\system32\bojevama.dll",a
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fubuveva.dll c:\windows\system32\bojevama.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bojevama.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bojevama.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5801 bytes

Shaba · Mar 12, 2009

Sorry for delay, I got no email notification.

Please post next a fresh hijackthis log.

Jammen690 · Mar 14, 2009

thank you

Man my computer is getting worse. I went to restart it yesterday and it took 30 minutes to start up. It just keep rebooting at the windows screen.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:02 PM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {812038b4-022b-413d-8650-1d082c449487} - C:\WINDOWS\system32\dowigemu.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\hilozepi.dll",b
O4 - HKLM\..\Run: [CPM5be14e57] Rundll32.exe "C:\WINDOWS\system32\zubadira.dll",a
O4 - HKLM\..\Run: [yalajahubo] Rundll32.exe "C:\WINDOWS\system32\tobuvuzi.dll",s
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fubuveva.dll oflnvz.dll chomxv.dll fxbxac.dll lhenns.dll nqvkdc.dll coyfkz.dll gkizvv.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5451 bytes

Shaba · Mar 14, 2009

Please re-run combofix and post back its log along with a fresh hijackthis log.

Jammen690 · Mar 14, 2009

cOMBO FIX

ComboFix 09-03-13.02 - Owner 2009-03-14 11:09:27.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1551 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\oriyabir.ini
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\aletotiz.ini
c:\windows\system32\chomxv.dll
c:\windows\system32\coyfkz.dll
c:\windows\system32\dibewori.dll
c:\windows\system32\ebosodoy.ini
c:\windows\system32\fimahafu.dll
c:\windows\system32\fxbxac.dll
c:\windows\system32\gkizvv.dll
c:\windows\system32\hagebuzi.dll
c:\windows\system32\ipezolih.ini
c:\windows\system32\isinutur.ini
c:\windows\system32\kgwssk.dll
c:\windows\system32\lasefoye.dll
c:\windows\system32\lhenns.dll
c:\windows\system32\nqvkdc.dll
c:\windows\system32\obubofiz.ini
c:\windows\system32\oflnvz.dll
c:\windows\system32\ogetedoz.ini
c:\windows\system32\oriyabir.ini
c:\windows\system32\ozavokal.ini
c:\windows\system32\rifofune.dll
c:\windows\system32\sazukojo.dll
c:\windows\system32\uhalotep.ini
c:\windows\system32\uratupij.ini
c:\windows\system32\vupowose.dll
c:\windows\system32\xidvcs.dll
c:\windows\system32\zasiyugi.dll
c:\windows\system32\zulagovi.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 11:13 . 2009-03-14 11:14 1,713,721 ---hs---- c:\windows\system32\oriyabir.ini
2009-03-10 08:27 . 2009-03-10 08:27 2,098 ---hs---- c:\windows\system32\sidegiho.dll
2009-03-10 08:27 . 2009-03-10 08:27 2,098 ---hs---- c:\windows\system32\hohohano.dll
2009-03-10 08:27 . 2009-03-10 08:27 2,098 ---hs---- c:\windows\system32\gihovoji.dll
2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-06 16:42 . 2009-03-14 10:59 <DIR> d-------- c:\program files\DNA
2009-03-06 16:42 . 2009-03-14 11:12 <DIR> d-------- c:\documents and settings\Owner\Application Data\DNA
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects
2009-02-14 19:07 . 2009-02-14 19:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-02-01 18:30 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
2008-10-31 00:05 18,022 ----a-w c:\documents and settings\Owner\Application Data\hutazowuca.bin
2008-10-31 00:05 15,343 ----a-w c:\documents and settings\All Users\Application Data\agezezalic.exe
2008-10-31 00:05 14,472 ----a-w c:\documents and settings\All Users\Application Data\ihojuren.bat
2008-10-31 00:05 13,162 ----a-w c:\documents and settings\Owner\Application Data\fyryq.bat
2008-10-31 00:05 11,081 ----a-w c:\program files\Common Files\gived.bat
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\dowigemu.dll
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\tobuvuzi.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-08_11.06.59.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-27 19:38:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
+ 2009-03-11 15:24:31 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
+ 2009-03-12 03:21:03 84,992 --sha-w c:\windows\system32\gasefifi.dll
+ 2009-03-09 12:26:32 84,992 --sha-w c:\windows\system32\jaharati.dll
+ 2009-03-11 00:26:57 84,992 --sha-w c:\windows\system32\jodozome.dll
+ 2009-03-09 00:26:08 79,872 ------w c:\windows\system32\lakovazo.dll
+ 2009-03-10 00:26:38 84,992 --sha-w c:\windows\system32\ludiyofu.dll
+ 2009-03-09 00:26:08 84,992 --sha-w c:\windows\system32\lufesoko.dll
- 2009-03-07 01:19:42 55,530 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-14 15:03:26 55,530 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-07 01:19:42 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 15:03:26 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-11 00:26:57 79,872 ------w c:\windows\system32\petolahu.dll
+ 2009-03-14 03:06:54 79,872 --sha-w c:\windows\system32\ribayiro.dll
+ 2009-03-14 03:06:53 84,992 --sha-w c:\windows\system32\ruyutave.dll
+ 2009-03-11 15:21:02 84,992 --sha-w c:\windows\system32\sobamehu.dll
+ 2009-03-12 15:21:31 84,992 --sha-w c:\windows\system32\vidajadu.dll
+ 2009-03-13 15:06:55 84,992 --sha-w c:\windows\system32\zubadira.dll
- 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\Cookies\index.dat
+ 2009-03-14 15:13:50 16,384 ----a-w c:\windows\Temp\Cookies\index.dat
- 2009-03-08 15:02:02 16,384 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-14 15:13:50 16,384 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-14 15:13:37 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4cc.dat
- 2009-03-08 15:02:02 32,768 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-14 15:13:50 32,768 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{812038b4-022b-413d-8650-1d082c449487}]
48128 --ahs---- c:\windows\system32\dowigemu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"yalajahubo"="c:\windows\system32\tobuvuzi.dll" [ 48128]
"58d27dcb"="c:\windows\system32\ribayiro.dll" [2009-03-13 79872]
"CPM5be14e57"="c:\windows\system32\ruyutave.dll" [2009-03-13 84992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-10-04 1757]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\ruyutave.dll" [2009-03-13 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ruyutave.dll [2009-03-13 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\ruyutave.dll,c:\windows\system32\fubuveva.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\fubuveva.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Comrade.exe"=c:\program files\GameSpy\Comrade\Comrade.exe
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"nwiz"=nwiz.exe /install
"yalajahubo"=Rundll32.exe "c:\windows\system32\tobuvuzi.dll",s
"58d27dcb"=rundll32.exe "c:\windows\system32\ribayiro.dll",b
"CPM5be14e57"=Rundll32.exe "c:\windows\system32\ruyutave.dll",a

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP

HCP Discovery Service

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-14 c:\windows\Tasks\At1.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At10.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At11.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At12.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At13.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At14.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At15.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At16.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At17.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At18.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At19.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At2.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At20.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At21.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At22.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At23.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At24.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At25.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At26.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At27.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At28.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At29.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At3.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At30.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At31.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At32.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At33.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At34.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At35.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At36.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-13 c:\windows\Tasks\At37.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-13 c:\windows\Tasks\At38.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-13 c:\windows\Tasks\At39.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At4.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-13 c:\windows\Tasks\At40.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-13 c:\windows\Tasks\At41.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-13 c:\windows\Tasks\At42.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-13 c:\windows\Tasks\At43.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-13 c:\windows\Tasks\At44.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At45.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At46.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At47.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At48.job
- c:\windows\system32\4Iud7lXa.exe []

2009-03-14 c:\windows\Tasks\At5.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At6.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At7.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At8.job
- c:\windows\system32\ar0Mi1YH.exe []

2009-03-14 c:\windows\Tasks\At9.job
- c:\windows\system32\ar0Mi1YH.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{02f1fab3-2865-4da0-ac42-0d18deb05bb9} - c:\windows\system32\gkizvv.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 11:13:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2009-03-14 11:19:11 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-03-14 15:19:08
ComboFix2.txt 2009-03-08 15:07:42
ComboFix3.txt 2009-03-04 21:51:39
ComboFix4.txt 2009-03-04 15:14:37
ComboFix5.txt 2009-03-14 14:51:21

Pre-Run: 70,544,539,648 bytes free
Post-Run: 70,526,406,656 bytes free

416 --- E O F --- 2009-03-05 08:03:08

Jammen690 · Mar 14, 2009

hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:57 AM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {812038b4-022b-413d-8650-1d082c449487} - C:\WINDOWS\system32\dowigemu.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [yalajahubo] Rundll32.exe "C:\WINDOWS\system32\tobuvuzi.dll",s
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\ribayiro.dll",b
O4 - HKLM\..\Run: [CPM5be14e57] Rundll32.exe "c:\windows\system32\ruyutave.dll",a
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
O20 - AppInit_DLLs: c:\windows\system32\ruyutave.dll,C:\WINDOWS\system32\fubuveva.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ruyutave.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ruyutave.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5258 bytes

Shaba · Mar 14, 2009

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\system32\oriyabir.ini
c:\windows\system32\sidegiho.dll
c:\windows\system32\hohohano.dll
c:\windows\system32\gihovoji.dll
c:\documents and settings\Owner\Application Data\hutazowuca.bin
c:\documents and settings\All Users\Application Data\agezezalic.exe
c:\documents and settings\All Users\Application Data\ihojuren.bat
c:\documents and settings\Owner\Application Data\fyryq.bat
c:\program files\Common Files\gived.bat
c:\windows\system32\dowigemu.dll
c:\windows\system32\tobuvuzi.dll
c:\windows\system32\gasefifi.dll
c:\windows\system32\jaharati.dll
c:\windows\system32\jodozome.dll
c:\windows\system32\lakovazo.dll
c:\windows\system32\ludiyofu.dll
c:\windows\system32\lufesoko.dll
c:\windows\system32\petolahu.dll
c:\windows\system32\ribayiro.dll
c:\windows\system32\ruyutave.dll
c:\windows\system32\sobamehu.dll
c:\windows\system32\vidajadu.dll
c:\windows\system32\zubadira.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Folder::
c:\program files\DNA
c:\documents and settings\Owner\Application Data\DNA

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{812038b4-022b-413d-8650-1d082c449487}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yalajahubo"=-
"58d27dcb"=-
"CPM5be14e57"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

DDS::
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

Jammen690 · Mar 14, 2009

COMbo

ComboFix 09-03-13.02 - Owner 2009-03-14 14:49:53.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1432 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\agezezalic.exe
c:\documents and settings\All Users\Application Data\ihojuren.bat
c:\documents and settings\Owner\Application Data\fyryq.bat
c:\documents and settings\Owner\Application Data\hutazowuca.bin
c:\program files\Common Files\gived.bat
c:\windows\system32\dowigemu.dll
c:\windows\system32\gasefifi.dll
c:\windows\system32\gihovoji.dll
c:\windows\system32\hohohano.dll
c:\windows\system32\jaharati.dll
c:\windows\system32\jodozome.dll
c:\windows\system32\lakovazo.dll
c:\windows\system32\ludiyofu.dll
c:\windows\system32\lufesoko.dll
c:\windows\system32\oriyabir.ini
c:\windows\system32\petolahu.dll
c:\windows\system32\ribayiro.dll
c:\windows\system32\ruyutave.dll
c:\windows\system32\sidegiho.dll
c:\windows\system32\sobamehu.dll
c:\windows\system32\tobuvuzi.dll
c:\windows\system32\vidajadu.dll
c:\windows\system32\zubadira.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\agezezalic.exe
c:\documents and settings\All Users\Application Data\ihojuren.bat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\DNA
c:\documents and settings\Owner\Application Data\DNA\dht.dat
c:\documents and settings\Owner\Application Data\DNA\dna.lng
c:\documents and settings\Owner\Application Data\DNA\resume.dat
c:\documents and settings\Owner\Application Data\DNA\resume.dat.old
c:\documents and settings\Owner\Application Data\DNA\rss.dat
c:\documents and settings\Owner\Application Data\DNA\settings.dat
c:\documents and settings\Owner\Application Data\DNA\settings.dat.old
c:\documents and settings\Owner\Application Data\fyryq.bat
c:\documents and settings\Owner\Application Data\hutazowuca.bin
c:\program files\Common Files\gived.bat
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\windows\Install.txt
c:\windows\system32\afisicx.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\dowigemu.dll
c:\windows\system32\gasefifi.dll
c:\windows\system32\gihovoji.dll
c:\windows\system32\hohohano.dll
c:\windows\system32\jaharati.dll
c:\windows\system32\jodozome.dll
c:\windows\system32\jomotewa.dll
c:\windows\system32\lakovazo.dll
c:\windows\system32\ludiyofu.dll
c:\windows\system32\lufesoko.dll
c:\windows\system32\mabidwe.exe
c:\windows\system32\oriyabir.ini
c:\windows\system32\petolahu.dll
c:\windows\system32\ribayiro.dll
c:\windows\system32\ruyutave.dll
c:\windows\system32\sidegiho.dll
c:\windows\system32\sobamehu.dll
c:\windows\system32\sopidkc.exe
c:\windows\system32\tobuvuzi.dll
c:\windows\system32\tpszxyd.sys
c:\windows\system32\umimiyop.ini
c:\windows\system32\vidajadu.dll
c:\windows\system32\zsowvw.dll
c:\windows\system32\zubadira.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

----- BITS: Possible infected sites -----

hxxp://msxb-d1.vo.llnw.net:3074
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_SOPIDKC
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_sopidkc

((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects
2009-02-14 19:07 . 2009-02-14 19:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 16:51 --------- d-----w c:\program files\Bethesda Softworks
2009-03-14 16:51 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-03-08_11.06.59.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-01 18:30:32 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2009-03-14 16:51:02 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2009-02-01 18:30:32 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2009-03-14 16:51:03 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2009-02-01 18:30:32 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2009-03-14 16:51:03 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2009-02-01 18:30:29 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:54 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:29 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:56 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:30 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:56 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:30 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:57 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:58 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:50:59 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:00 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:00 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:31 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:01 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:32 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-03-14 16:51:04 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-01 18:30:32 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2009-03-14 16:51:04 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2009-02-01 18:30:32 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2009-03-14 16:51:05 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2009-02-01 18:30:33 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2009-03-14 16:51:05 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2009-02-01 18:30:33 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2009-03-14 16:51:05 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2009-02-01 18:30:32 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2009-03-14 16:51:02 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2009-02-01 18:28:08 68,608 ----a-w c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-03-14 16:47:59 68,608 ----a-w c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-02-01 18:28:14 72,192 ----a-w c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-03-14 16:48:07 72,192 ----a-w c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-02-01 18:28:14 4,308,992 ----a-w c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-03-14 16:48:08 4,308,992 ----a-w c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2009-02-01 18:28:15 482,304 ----a-w c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-03-14 16:48:10 482,304 ----a-w c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-02-01 18:28:12 2,878,976 ----a-w c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-03-14 16:48:04 2,878,976 ----a-w c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-02-01 18:28:05 258,048 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-03-14 16:47:55 258,048 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-02-01 18:28:05 114,176 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-03-14 16:47:55 114,176 ----a-w c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-02-01 18:28:18 260,096 ----a-w c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-03-14 16:48:16 260,096 ----a-w c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2009-02-01 18:28:10 5,025,792 ----a-w c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-03-14 16:48:02 5,025,792 ----a-w c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-02-01 18:28:07 10,752 ----a-w c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-03-14 16:47:59 10,752 ----a-w c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-02-01 18:28:04 503,808 ----a-w c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-03-14 16:47:54 503,808 ----a-w c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-02-01 18:28:05 13,312 ----a-w c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-03-14 16:47:56 13,312 ----a-w c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-02-01 18:28:13 8,192 ----a-w c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-03-14 16:48:06 8,192 ----a-w c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-02-01 18:28:13 36,864 ----a-w c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-03-14 16:48:07 36,864 ----a-w c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-02-01 18:28:13 5,632 ----a-w c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-03-14 16:48:07 5,632 ----a-w c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-02-01 18:28:06 413,696 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-03-14 16:47:57 413,696 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-02-01 18:28:06 36,864 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-03-14 16:47:58 36,864 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-02-01 18:28:07 647,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-03-14 16:47:58 647,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-02-01 18:28:07 73,728 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-03-14 16:47:58 73,728 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-02-01 18:28:06 745,472 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-03-14 16:47:57 745,472 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-02-01 18:28:19 110,592 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-03-14 16:48:19 110,592 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-02-01 18:28:19 372,736 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-03-14 16:48:18 372,736 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-02-01 18:28:04 28,672 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-03-14 16:47:53 28,672 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-02-01 18:28:19 667,648 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-03-14 16:48:17 667,648 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-02-01 18:28:19 5,632 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-03-14 16:48:19 5,632 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2009-02-01 18:28:04 12,800 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-03-14 16:47:54 12,800 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-02-01 18:28:04 32,768 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-03-14 16:47:53 32,768 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-02-01 18:28:04 7,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-03-14 16:47:54 7,168 ----a-w c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-02-01 18:28:17 110,592 ----a-w c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-03-14 16:48:13 110,592 ----a-w c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-02-01 18:28:09 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-03-14 16:48:00 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-02-01 18:28:17 389,120 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-03-14 16:48:14 389,120 ----a-w c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-02-01 18:28:16 716,800 ----a-w c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-03-14 16:48:10 716,800 ----a-w c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-02-01 18:28:05 884,736 ----a-w c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-03-14 16:47:56 884,736 ----a-w c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-02-01 18:28:12 5,050,368 ----a-w c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-03-14 16:48:05 5,050,368 ----a-w c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-02-01 18:28:09 188,416 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-03-14 16:48:00 188,416 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-02-01 18:28:09 397,312 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-03-14 16:48:00 397,312 ----a-w c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-02-01 18:28:09 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-03-14 16:48:01 81,920 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-02-01 18:28:17 700,416 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-03-14 16:48:15 700,416 ----a-w c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-02-01 18:28:16 368,640 ----a-w c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-03-14 16:48:11 368,640 ----a-w c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-02-01 18:28:18 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-03-14 16:48:16 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-02-01 18:28:16 299,008 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2009-03-14 16:48:11 299,008 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-02-01 18:28:16 131,072 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-03-14 16:48:12 131,072 ----a-w c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-02-01 18:28:07 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-03-14 16:47:59 258,048 ----a-w c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-02-01 18:28:09 114,688 ----a-w c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-03-14 16:48:01 114,688 ----a-w c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-02-01 18:28:19 835,584 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-03-14 16:48:17 835,584 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-02-01 18:28:10 86,016 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-03-14 16:48:02 86,016 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-02-01 18:28:10 823,296 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-03-14 16:48:03 823,296 ----a-w c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-02-01 18:28:10 5,316,608 ----a-w c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-03-14 16:48:04 5,316,608 ----a-w c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-02-01 18:28:11 2,035,712 ----a-w c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-03-14 16:48:04 2,035,712 ----a-w c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-02-01 18:28:17 3,018,752 ----a-w c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-03-14 16:48:14 3,018,752 ----a-w c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-01-27 19:38:47 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
+ 2009-03-11 15:24:31 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
- 2009-03-04 21:32:30 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-14 18:55:27 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-14 16:07:14 84,992 --sha-w c:\windows\system32\pabipihe.dll
- 2009-03-07 01:19:42 55,530 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-14 16:48:26 66,462 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-07 01:19:42 393,528 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 16:48:26 418,400 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 16:07:13 79,872 --sha-w c:\windows\system32\poyimimu.dll
- 2006-06-29 18:07:36 14,048 ------w c:\windows\system32\spmsg2.dll
+ 2006-06-29 17:07:36 14,048 ------w c:\windows\system32\spmsg2.dll
- 2006-10-14 22:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\mxdwdrv.dll
+ 2006-10-14 21:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\mxdwdrv.dll
- 2006-10-15 01:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\xpssvcs.dll
+ 2006-10-15 00:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\amd64\xpssvcs.dll
- 2006-10-14 22:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\mxdwdrv.dll
+ 2006-10-14 21:12:14 737,792 ----a-w c:\windows\system32\spool\XPSEP\amd64\mxdwdrv.dll
- 2006-10-15 01:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\xpssvcs.dll
+ 2006-10-15 00:09:04 2,946,304 ----a-w c:\windows\system32\spool\XPSEP\amd64\xpssvcs.dll
- 2006-10-14 21:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\mxdwdrv.dll
+ 2006-10-14 20:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\mxdwdrv.dll
- 2006-10-15 01:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\xpssvcs.dll
+ 2006-10-15 00:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\i386\xpssvcs.dll
- 2006-10-14 21:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\mxdwdrv.dll
+ 2006-10-14 20:43:18 751,104 ----a-w c:\windows\system32\spool\XPSEP\i386\mxdwdrv.dll
- 2006-10-15 01:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\xpssvcs.dll
+ 2006-10-15 00:22:00 1,698,048 ----a-w c:\windows\system32\spool\XPSEP\i386\xpssvcs.dll
- 2009-02-01 18:28:05 258,048 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-03-14 16:47:55 258,048 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2009-02-01 18:28:05 114,176 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2009-03-14 16:47:55 114,176 ----a-w c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-10-04 1757]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Comrade.exe"=c:\program files\GameSpy\Comrade\Comrade.exe
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"nwiz"=nwiz.exe /install
"yalajahubo"=Rundll32.exe "c:\windows\system32\tobuvuzi.dll",s
"58d27dcb"=rundll32.exe "c:\windows\system32\ribayiro.dll",b
"CPM5be14e57"=Rundll32.exe "c:\windows\system32\ruyutave.dll",a

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\nxtepad.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP

HCP Discovery Service

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{a5c5e03d-128d-4ab7-a1c1-01599b2ceb6a} - c:\windows\system32\zsowvw.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 14:55:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\java.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2009-03-14 15:01:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 19:01:33
ComboFix2.txt 2009-03-14 15:19:12
ComboFix3.txt 2009-03-08 15:07:42
ComboFix4.txt 2009-03-04 21:51:39
ComboFix5.txt 2009-03-14 18:48:13

Pre-Run: 69,720,182,784 bytes free
Post-Run: 70,001,475,584 bytes free

568 --- E O F --- 2009-03-05 08:03:08

Jammen690 · Mar 14, 2009

Hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:07 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4665 bytes

Shaba · Mar 14, 2009

Better but still something:

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\system32\pabipihe.dll
c:\windows\system32\poyimimu.dll

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"yalajahubo"=-
"58d27dcb"=-
"CPM5be14e57"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

Jammen690 · Mar 14, 2009

combofix

ComboFix 09-03-13.02 - Owner 2009-03-14 16:59:02.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1455 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\pabipihe.dll
c:\windows\system32\poyimimu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Install.txt
c:\windows\system32\pabipihe.dll
c:\windows\system32\poyimimu.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 14:58 . 2009-03-14 14:58 <DIR> d-------- c:\windows\LastGood
2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects
2009-02-14 19:07 . 2009-02-14 19:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 16:51 --------- d-----w c:\program files\Bethesda Softworks
2009-03-14 16:51 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-03-11 15:24 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-08 12:26 84,992 --sha-w c:\windows\system32\bojevama.dll
2009-03-08 00:25 84,992 --sha-w c:\windows\system32\zodakifi.dll
2009-03-07 12:25 84,992 --sha-w c:\windows\system32\ruwokupa.dll
2009-03-07 00:25 84,992 --sha-w c:\windows\system32\vimoveta.dll
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-02-05 20:50 42,320 ----a-w c:\windows\system32\xfcodec.dll
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 19:26 4,034 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-03-14_15.00.58.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-14 16:48:26 66,462 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-14 18:59:50 66,462 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-14 16:48:26 418,400 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 18:59:50 418,400 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 18:55:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_43c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-10-04 1757]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Comrade.exe"=c:\program files\GameSpy\Comrade\Comrade.exe
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\nxtepad.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP

HCP Discovery Service

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 17:01:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
Completion time: 2009-03-14 17:06:27
ComboFix-quarantined-files.txt 2009-03-14 21:06:25
ComboFix2.txt 2009-03-14 19:01:36
ComboFix3.txt 2009-03-14 15:19:12
ComboFix4.txt 2009-03-08 15:07:42
ComboFix5.txt 2009-03-14 20:58:15

Pre-Run: 70,030,798,848 bytes free
Post-Run: 70,011,158,528 bytes free

221 --- E O F --- 2009-03-05 08:03:08

Jammen690 · Mar 14, 2009

hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:33 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4571 bytes

Shaba · Mar 15, 2009

Still somehting there:

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\system32\bojevama.dll
c:\windows\system32\zodakifi.dll
c:\windows\system32\ruwokupa.dll
c:\windows\system32\vimoveta.dll

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

Jammen690 · Mar 15, 2009

combo

ComboFix 09-03-14.01 - Owner 2009-03-15 13:54:22.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1443 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.log
* Created a new restore point

FILE ::
c:\windows\system32\bojevama.dll
c:\windows\system32\ruwokupa.dll
c:\windows\system32\vimoveta.dll
c:\windows\system32\zodakifi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bojevama.dll
c:\windows\system32\ruwokupa.dll
c:\windows\system32\vimoveta.dll
c:\windows\system32\zodakifi.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-15 03:00 . 2008-04-14 08:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-06 19:19 . 2009-03-06 19:19 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-06 18:07 . 2009-03-06 18:07 <DIR> d-------- c:\documents and settings\Owner\My Games
2009-03-06 18:06 . 2009-03-06 16:55 32,768 --a------ c:\windows\system32\mf.dll
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Microsoft
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Games
2009-03-06 16:57 . 2009-03-06 16:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Microsoft Game Studios
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\windows\FIOS
2009-03-05 16:04 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-03-05 15:57 . 2009-03-05 16:04 <DIR> d-------- c:\program files\Verizon
2009-03-04 23:03 . 2005-04-19 11:11 239 --a------ c:\windows\SIERRA.INI
2009-03-04 17:16 . 2009-03-04 17:16 <DIR> d-------- c:\program files\GameSpy
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 17:15 . 2009-03-04 17:15 22,328 --a------ c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-03-04 17:14 . 2009-03-04 17:14 669,184 --a------ c:\windows\system32\pbsvc.exe
2009-03-04 17:14 . 2009-03-04 17:14 103,736 --a------ c:\windows\system32\PnkBstrB.exe
2009-03-04 17:14 . 2009-03-04 17:14 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-03-01 14:47 . 2007-11-14 16:18 553 --a------ c:\windows\USetup.iss
2009-03-01 14:45 . 2005-05-03 19:43 69,632 --a------ c:\windows\Alcmtr.exe
2009-03-01 14:30 . 2009-03-01 14:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 14:30 . 2009-03-01 14:30 287 --a------ c:\windows\game.ini
2009-03-01 14:08 . 2009-03-01 14:08 <DIR> d-------- c:\program files\Activision
2009-03-01 13:56 . 2009-03-01 13:56 0 --a------ C:\xf75.tmp
2009-02-28 20:51 . 2009-02-28 20:51 <DIR> d---s---- c:\documents and settings\NetworkService\UserData
2009-02-28 12:09 . 2009-02-28 12:09 32 --a------ c:\windows\system32\work.ini
2009-02-28 12:08 . 2009-03-02 05:24 <DIR> d-------- c:\windows\system32\3361
2009-02-28 12:08 . 2009-02-28 12:08 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-28 12:08 . 2009-02-28 12:08 228 --a------ c:\windows\system32\hgset.ini
2009-02-28 09:00 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 08:59 . 2009-03-01 00:28 <DIR> d-------- c:\windows\system32\inf
2009-02-23 13:41 . 2009-02-23 13:41 <DIR> d-------- C:\My InstallShield 11 Projects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 16:51 --------- d-----w c:\program files\Bethesda Softworks
2009-03-14 16:51 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2009-03-11 15:24 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-06 20:59 --------- d-----w c:\program files\Microsoft Games
2009-03-04 21:07 --------- d-----w c:\program files\Electronic Arts
2009-03-02 20:11 --------- d-----w c:\program files\Steam
2009-03-01 18:45 --------- d-----w c:\program files\Realtek
2009-03-01 18:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 18:00 --------- d-s---w c:\program files\Xfire
2009-03-01 04:24 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-18 19:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 23:07 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 23:06 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 20:50 42,320 ----a-w c:\windows\system32\xfcodec.dll
2009-01-29 00:20 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2009-01-28 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 19:26 4,034 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-01-28 03:16 --------- d-----w c:\program files\WESTWOOD
2009-01-27 19:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 19:25 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-01-27 19:15 --------- d-----w c:\program files\Firaxis Games
2009-01-23 17:31 --------- d-----w c:\program files\Common Files\INCA Shared
2009-01-23 06:38 --------- d-----w c:\program files\Gpotato
2009-01-22 03:04 --------- d-----w c:\program files\Deep Silver
2009-01-21 00:10 --------- d-----w c:\program files\WebEx
2009-01-20 02:13 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-03-14_15.00.58.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
- 2008-04-14 12:00:00 144,384 -c--a-w c:\windows\system32\dllcache\schannel.dll
+ 2008-12-05 06:54:55 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c--a-w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c--a-w c:\windows\system32\dllcache\win32k.sys
- 2007-06-12 03:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 22:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2009-03-14 18:55:27 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-15 07:10:07 117,360 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2009-03-14 16:48:26 66,462 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-15 07:14:22 66,462 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-14 16:48:26 418,400 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-15 07:14:22 418,400 ----a-w c:\windows\system32\perfh009.dat
- 2008-04-14 12:00:00 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-09-25 21:58:48 23,856 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 13:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2007-06-12 03:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 22:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2009-03-15 07:10:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_204.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-10-04 1757]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Comrade.exe"=c:\program files\GameSpy\Comrade\Comrade.exe
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Left4Dead (PC) (ENG)(NON-STEAM) (ALREADY CRACKED) (DIRECT PLAY) [blaze69]\\Left4Dead\\Left4Dead\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\nxtepad.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP

HCP Discovery Service

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2008-04-14 2304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 13:57:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:b1,8f,96,3a,c0,c1,d4,64,e9,fe,4c,d1,dc,4a,f6,4b,58,e5,33,d5,8f,
19,99,07,b6,0c,73,20,4e,a6,16,27,65,8a,55,ae,9d,50,f4,0f,82,fb,f8,4b,6b,66,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
Completion time: 2009-03-15 14:01:33
ComboFix-quarantined-files.txt 2009-03-15 18:01:32
ComboFix2.txt 2009-03-14 21:06:28
ComboFix3.txt 2009-03-14 19:01:36
ComboFix4.txt 2009-03-14 15:19:12
ComboFix5.txt 2009-03-15 17:53:37

Pre-Run: 70,023,290,880 bytes free
Post-Run: 70,006,390,784 bytes free

252 --- E O F --- 2009-03-15 07:03:51

Jammen690 · Mar 15, 2009

hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:45 PM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4571 bytes

Shaba · Mar 15, 2009

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here

Jammen690 · Mar 15, 2009

Man this scan takes forever. 2 Hours in and only 50% done. Im going to have to leave for work soon ill post the results for u in the morning.

Jammen690 · Mar 16, 2009

Online kaspersky report

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 15, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 15, 2009 19:43:38
Records in database: 1909319
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Files scanned 180817
Threat name 12
Infected objects 33
Suspicious objects 0
Duration of the scan 03:10:23

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00CC0000.VBN Infected: Trojan.Win32.Agent.bsgv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0000.VBN Infected: Trojan.Win32.Agent.bsgv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0001.VBN Infected: Trojan.Win32.Agent.bsgv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CD00000.VBN Infected: Trojan.Win32.BHO.ncb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F700000.VBN Infected: Trojan.Win32.Agent.arzx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F700001.VBN Infected: Trojan.Win32.Agent.arzx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F700002.VBN Infected: Trojan-Downloader.Win32.Agent.bjuj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F700003.VBN Infected: Trojan-Downloader.Win32.Agent.bjuj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0000.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0001.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0004.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0005.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0006.VBN Infected: Trojan.Win32.Agent.btax 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0007.VBN Infected: Trojan.Win32.Agent.btax 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0008.VBN Infected: Trojan-Downloader.Win32.Agent.bkaf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0009.VBN Infected: Trojan-Downloader.Win32.Agent.bkaf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC000A.VBN Infected: Backdoor.Win32.Hupigon.gfse 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC000B.VBN Infected: Backdoor.Win32.Hupigon.gfse 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC000C.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC000D.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0012.VBN Infected: Trojan.Win32.Buzus.aocw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0013.VBN Infected: Trojan.Win32.Buzus.aocw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0016.VBN Infected: Trojan-GameThief.Win32.OnLineGames.bkvv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0017.VBN Infected: Trojan-GameThief.Win32.OnLineGames.bkvv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0018.VBN Infected: Trojan.Win32.Agent.arzx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10BC0019.VBN Infected: Trojan-Downloader.Win32.Agent.bjuj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir Infected: Trojan.Win32.FraudPack.kho 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kabumure.dll.vir Infected: Trojan.Win32.Monder.bldc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\raganapo.dll.vir Infected: Trojan.Win32.Monder.bldc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vivodiha.dll.vir Infected: Trojan.Win32.Monder.bldc 1
C:\WINDOWS\system32\umtcdtw.sys Infected: Trojan.Win32.Agent2.eni 1
The selected area was scanned.

Not really sure whats wrong

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member