Win32.TDSS.reg Hijack

[johnnywayne]

Spybot found 2 instances of Win32.TDSS.reg. It can't erase because they are being used in memory. Safe mode no help. I got it from a song I downloaded (not P2P). Redirects most webpages unless url copied and pasted. I don't know if its relevant or a separate problem but neither of my two optical drives are recognized in programs, but device manager sees them. Normally use Avira Antivir Personal, turned off for scans. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:00 AM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\windows\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\windows\system32\WTablet\Wacom_TabletUser.exe
C:\windows\system32\Wacom_Tablet.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netflix.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 1400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBUA.EXE /FU "C:\WINDOWS\TEMP\E_S1EDE.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O20 - AppInit_DLLs: ,
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\windows\system32\Wacom_Tablet.exe

--
End of file - 8734 bytes

 

[ken545]

Hello johnnywayne

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Lets clean you up a bit first and see what the scans detect.

Download TFC to your desktop

• Close any open windows.
• Double click the TFC icon to run the program
• TFC will close all open programs itself in order to run,
• Click the Start button to begin the process.
• Allow TFC to run uninterrupted.
• The program should not take long to finish it's job
• Once its finished it should automatically reboot your machine,
• if it doesn't, manually reboot to ensure a complete clean

Rooter Rootkit Detector - Please Download from here to your Desktop:

• Doubleclick it to start the tool.
• A Notepad file containing the report will open, also found at %systemdrive% (usually C\Rooter.txt.

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results along with a new HJT log please
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the Rooter log, the Malwarebytes log and a new HJT log please.

Ken

 

[johnnywayne]

Thanks for your time.

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 6.0.2900.5512
.
C:\ [Fixed-NTFS] .. ( Total:465 Go - Free:153 Go )
G:\ [CD_Rom]
H:\ [CD_Rom]
.
Scan : 09:21.17
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (592)
______ \??\C:\windows\system32\csrss.exe (648)
______ \??\C:\windows\system32\winlogon.exe (672)
______ C:\windows\system32\services.exe (716)
______ C:\windows\system32\lsass.exe (728)
______ C:\windows\system32\svchost.exe (920)
______ C:\windows\system32\svchost.exe (976)
______ C:\windows\System32\svchost.exe (1076)
______ C:\windows\system32\svchost.exe (1108)
______ C:\windows\system32\svchost.exe (1196)
______ C:\windows\system32\svchost.exe (1284)
______ C:\WINDOWS\system32\brsvc01a.exe (1552)
______ C:\WINDOWS\system32\brss01a.exe (1568)
______ C:\windows\system32\spoolsv.exe (1576)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (1616)
______ C:\windows\system32\svchost.exe (1708)
______ C:\windows\Explorer.EXE (1956)
______ C:\windows\system32\RUNDLL32.EXE (160)
______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (156)
______ C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (188)
______ C:\windows\system32\rundll32.exe (200)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (208)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (228)
______ C:\windows\system32\ctfmon.exe (252)
______ C:\Program Files\AIM6\aim6.exe (260)
______ C:\Program Files\Logitech\SetPoint\SetPoint.exe (332)
______ C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE (436)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (1176)
______ C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE (1252)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1392)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (1444)
______ C:\windows\system32\nvsvc32.exe (1780)
______ C:\WINDOWS\system32\PSIService.exe (1828)
______ C:\windows\system32\svchost.exe (2060)
______ C:\windows\system32\Wacom_Tablet.exe (2188)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe (2272)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (2308)
______ C:\windows\system32\WTablet\Wacom_TabletUser.exe (2476)
______ C:\windows\system32\Wacom_Tablet.exe (2656)
______ C:\windows\System32\alg.exe (3028)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3056)
______ C:\Program Files\AIM6\aolsoftware.exe (3104)
______ C:\windows\system32\wscntfy.exe (2404)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2904)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (3220)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:500096991744)
.
----------------------\\ Scheduled Tasks
.
C:\windows\Tasks\Ad-Aware Update (Weekly).job
C:\windows\Tasks\desktop.ini
C:\windows\Tasks\SA.DAT
.
----------------------\\ Registry
.
Rootkit! ... [HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 09:21.28
.
C:\Rooter$\Rooter_2.txt - (14/07/2009 | 09:21.28)



Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/14/2009 9:23:04 AM
mbam-log-2009-07-14 (09-23-04).txt

Scan type: Quick Scan
Objects scanned: 97899
Time elapsed: 1 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:34 AM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\Explorer.EXE
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\windows\system32\WTablet\Wacom_TabletUser.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\windows\system32\Wacom_Tablet.exe

--
End of file - 8916 bytes

 

[johnnywayne]

I'm not sure if this is part of this problem, but I just noticed that when booting the screen very quickly says something about not finding the boot.ini.

 

[ken545]

Hi,

boot.ini <-- Not sure if this is related to your infection or if its a windows issue. Lets get you cleaned up and see if that fixes it.

You are infected with a Rootkit, Combofix should fix it if not we will have to remove it manually.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this Link for programs that need to be disabled and instruction on how to disable them.
• Remember to re-enable them when we're done.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

 

[johnnywayne]

Chugging along. When it tries to install Windows recovery the download reaches 100% then says "Boot partition can't be enumerated correctly". I assume I was supposed to run it anyway.

ComboFix 09-07-13.01 - Owner 07/14/2009 11:15.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.1904 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-14 14:03 . 2009-07-14 14:21 -------- d-----w- C:\Rooter$
2009-07-14 01:27 . 2002-07-17 21:22 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-07-14 01:27 . 2002-07-17 21:22 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-07-14 01:25 . 2009-07-14 01:25 -------- d-----w- C:\adaptec
2009-07-14 00:49 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-14 00:36 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-14 00:36 . 2009-07-14 00:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-14 00:35 . 2009-07-14 00:35 -------- d-----w- c:\program files\Lavasoft
2009-07-14 00:02 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-14 00:02 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-14 00:02 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-14 00:02 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\program files\Avira
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-13 17:05 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:05 . 2009-07-14 14:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:05 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 16:09 . 2009-07-13 16:09 -------- d-----w- c:\program files\ERUNT
2009-07-12 14:20 . 2009-07-12 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\16356714
2009-07-10 03:58 . 2009-03-16 19:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-10 03:58 . 2009-03-16 19:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-10 03:58 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-10 03:58 . 2009-03-16 19:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-07-10 03:58 . 2009-03-16 19:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-07-06 17:38 . 2009-07-14 14:00 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet
2009-07-06 17:38 . 2009-07-14 14:00 -------- d-----w- c:\docume~1\Owner\APPLIC~1\WTablet
2009-07-06 17:37 . 2007-02-15 23:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-06 17:37 . 2008-07-11 17:16 13352 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-07-06 17:37 . 2009-07-06 17:37 -------- d-----w- c:\windows\system32\WTablet
2009-07-06 17:37 . 2008-10-30 17:00 182056 ------w- c:\windows\system32\Wacom_Tablet.dll
2009-07-06 17:37 . 2008-10-30 16:50 172840 ------w- c:\windows\system32\Wintab32.dll
2009-07-06 17:37 . 2008-10-30 17:13 2749224 ------w- c:\windows\system32\Wacom_Tablet.exe
2009-07-04 16:48 . 2009-07-04 16:48 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-04 16:48 . 2009-07-05 18:21 -------- d-----w- c:\program files\World of Warcraft Trial
2009-07-03 21:05 . 2009-07-03 21:07 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2009-06-30 20:46 . 2008-10-06 16:53 15656 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2009-06-25 20:15 . 2009-06-25 20:15 -------- d-----w- c:\documents and settings\Owner\Application Data\cucusoft
2009-06-25 20:15 . 2009-06-25 20:15 -------- d-----w- c:\docume~1\Owner\APPLIC~1\cucusoft
2009-06-25 18:50 . 2009-06-26 00:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Audible
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\program files\iTunes
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
2009-06-20 15:44 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-06-20 15:43 . 2009-06-20 15:43 -------- d-----w- c:\program files\Common Files\INCA Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-13 23:42 . 2007-08-30 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 15:29 . 2007-09-18 05:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-11 22:10 . 2007-08-11 01:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 17:37 . 2007-08-11 02:32 -------- d-----w- c:\program files\Tablet
2009-07-03 19:11 . 2007-08-10 09:29 -------- d-----w- c:\program files\Bonjour
2009-07-03 18:07 . 2008-01-01 01:35 -------- d-----w- c:\program files\Winamp
2009-07-03 18:07 . 2007-09-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-03 18:06 . 2008-12-29 22:53 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-03 18:06 . 2008-12-29 22:53 -------- d-----w- c:\docume~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2009-07-03 18:05 . 2007-10-19 20:21 -------- d-----w- c:\documents and settings\Owner\Application Data\ScanSoft
2009-07-03 18:05 . 2007-10-19 20:21 -------- d-----w- c:\docume~1\Owner\APPLIC~1\ScanSoft
2009-07-03 17:59 . 2008-09-26 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Codemasters
2009-07-03 17:41 . 2008-09-17 00:18 -------- d-----w- c:\program files\Common Files\Apple
2009-07-02 16:59 . 2008-04-25 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Extensis
2009-06-30 21:59 . 2007-08-10 23:47 59648 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 21:25 . 2008-03-27 18:42 -------- d-----w- c:\program files\NewsLeecher
2009-06-25 18:29 . 2008-09-17 00:18 -------- d-----w- c:\program files\QuickTime
2009-06-23 22:23 . 2009-01-19 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-21 22:41 . 2009-06-21 22:41 48188 ----a-w- c:\windows\Fonts\CACFCB__.TTF
2009-06-21 22:41 . 2009-06-21 22:41 42460 ----a-w- c:\windows\Fonts\CACFC___.TTF
2009-06-15 19:42 . 2008-11-19 02:55 -------- d-----w- c:\program files\AIM6
2009-06-15 19:40 . 2007-09-29 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-15 16:53 . 2007-08-11 01:52 -------- d-----w- c:\documents and settings\Owner\Application Data\NewsLeecher
2009-06-15 16:53 . 2007-08-11 01:52 -------- d-----w- c:\docume~1\Owner\APPLIC~1\NewsLeecher
2009-06-11 03:04 . 2007-10-15 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-06 01:39 . 2009-06-06 01:39 -------- d-----w- c:\program files\ffdshow
2009-06-05 04:09 . 2007-08-11 01:26 -------- d-----w- c:\program files\DivX
2009-06-02 03:25 . 2009-06-02 03:21 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-06-02 03:25 . 2009-06-02 03:21 -------- d-----w- c:\docume~1\Owner\APPLIC~1\DivX
2009-06-02 03:19 . 2009-06-02 03:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-29 03:02 . 2007-08-17 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-05-29 03:02 . 2007-08-17 02:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\dvdcss
2009-05-22 18:38 . 2007-08-28 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-20 19:03 . 2009-05-20 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Moyea
2009-05-20 19:03 . 2009-05-20 19:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Moyea
2009-05-15 21:17 . 2009-05-15 20:59 -------- d-----w- c:\program files\RACE 07 Offline
2009-05-13 19:04 . 2003-03-19 03:14 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2009-05-13 19:04 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-04-29 04:46 . 2006-02-28 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 20:25 . 2008-01-01 01:35 129784 -c----w- c:\windows\system32\pxafs.dll
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-06-12 20:37 . 2008-11-15 20:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-14_05.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 14:00 . 2009-07-14 14:00 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
+ 2009-07-14 14:00 . 2009-07-14 14:00 540672 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000002\UsrClass.dat
+ 2009-07-14 14:00 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-14-2009\ERDNT.EXE
+ 2009-07-14 14:00 . 2009-07-14 14:00 23556096 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Service Host Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
backup=c:\windows\pss\Status Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"TapiSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NBService"=3 (0x3)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"FreeAgentGoNext Service"=2 (0x2)
"CCALib8"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"Adobe Version Cue CS4"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ashlar-Vellum\\Graphite v8\\graphite.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/13/2009 7:36 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/13/2009 7:02 PM 108289]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/6/2009 12:37 PM 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/30/2009 3:46 PM 15656]
S0 DigiFilter;DigiFilter; [x]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S2 DigiNet;Digidesign Ethernet Support; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [1/22/2008 10:52 AM 513152]
S3 MaplomL;MaplomL; [x]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://netflix.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Trusted Zone: netflix.com\movielicense
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\sqauecuv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpPopup.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 11:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C751604-460E-DACE-1EFD-DCA4C900AEFA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oagmggpnilgjolnmeckgjbeejebdjg"=hex:6a,61,6b,64,6b,6d,6e,67,65,68,65,69,64,64,
6d,6b,70,62,65,61,00,f5
"nammcaoflkkimiimlkcbmdcomlig"=hex:6a,61,6b,64,6b,6d,6e,67,65,68,65,69,64,64,
6d,6b,70,62,65,61,00,f5

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D40AA1E2-D41C-3AE4-B764-AAF60B452F7F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaahcppdoa"=hex:66,61,6b,68,6e,61,61,6f,6e,64,61,63,00,31
"dabhdpak"=hex:64,62,65,6a,6f,6c,70,62,69,69,63,6a,6a,6a,62,65,64,65,67,6f,6c,
66,6c,6f,6b,64,62,70,67,62,6b,70,6f,62,6b,61,6f,70,64,6e,00,00
"iaikmhkgoccomabjei"=hex:69,61,6b,6c,62,6a,70,69,62,6d,67,6f,66,6e,6c,6e,64,69,
00,00
"hacjoicemfcadjdc"=hex:69,61,6b,6c,62,6a,70,69,62,6d,67,6f,66,6e,6c,6e,64,69,
00,00

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:39,41,c3,f8,a7,56,a8,61,72,7a,8d,de,91,ff,43,1a,41,f3,2d,10,60,77,a8,
1d,9b,01,c9,3b,61,b9,6f,48,63,a8,3c,51,27,21,0c,c7,05,e8,ae,59,85,b5,95,63,\
"??"=hex:69,3e,43,58,9f,64,ba,75,fe,6b,77,07,2a,78,dd,74

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:5c,24,08,91,f6,1c,c6,06,7f,0f,13,20,fe,93,37,40,bd,60,9e,b2,b0,
30,85,18,2f,1c,33,10,73,ae,36,83,6b,e3,96,4f,d2,52,6b,07,00,98,ee,a5,1c,e8,\
"rkeysecu"=hex:00,2a,c6,d7,65,28,8c,8a,81,72,0c,2a,82,16,72,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(1872)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-07-14 11:22
ComboFix-quarantined-files.txt 2009-07-14 16:21
ComboFix2.txt 2009-07-14 05:03

Pre-Run: 163,551,596,544 bytes free
Post-Run: 163,533,041,664 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
318 --- E O F --- 2009-06-24 03:01



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:14 AM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\windows\system32\WTablet\Wacom_TabletUser.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\windows\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\windows\system32\Wacom_Tablet.exe

--
End of file - 8892 bytes

Thanks again.

 

[ken545]

Checking things over, be back in a bit

 

[johnnywayne]

Take your time, it now doesn't seem to be redirecting and my optical drives work sometimes. Spybot now only finds one instance of the malware.

 

[ken545]

Hi,

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RegNull::

RegNull::
[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C751604-460E-DACE-1EFD-DCA4C900AEFA}*]
[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D40AA1E2-D41C-3AE4-B764-AAF60B452F7F}*]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




Lets make sure we got it all

Please run this free online virus scanner from ESET

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

 

[johnnywayne]

Everything seems to be working correctly, but Spybot still finds 1 entry of Win32.TDSS.reg.

ComboFix 09-07-13.01 - Owner 07/14/2009 17:02.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2898 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-14 21:18 . 2009-07-14 21:18 -------- d-----w- c:\windows\LastGood
2009-07-14 14:03 . 2009-07-14 14:21 -------- d-----w- C:\Rooter$
2009-07-14 01:27 . 2002-07-17 21:22 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-07-14 01:27 . 2002-07-17 21:22 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-07-14 01:25 . 2009-07-14 01:25 -------- d-----w- C:\adaptec
2009-07-14 00:49 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-14 00:36 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-14 00:36 . 2009-07-14 00:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-14 00:35 . 2009-07-14 00:35 -------- d-----w- c:\program files\Lavasoft
2009-07-14 00:02 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-14 00:02 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-14 00:02 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-14 00:02 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\program files\Avira
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-13 17:05 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:05 . 2009-07-14 14:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:05 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 16:09 . 2009-07-13 16:09 -------- d-----w- c:\program files\ERUNT
2009-07-12 14:20 . 2009-07-12 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\16356714
2009-07-10 03:58 . 2009-03-16 19:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-10 03:58 . 2009-03-16 19:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-10 03:58 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-10 03:58 . 2009-03-16 19:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-07-10 03:58 . 2009-03-16 19:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-07-06 17:38 . 2009-07-14 16:50 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet
2009-07-06 17:38 . 2009-07-14 16:50 -------- d-----w- c:\docume~1\Owner\APPLIC~1\WTablet
2009-07-06 17:37 . 2007-02-15 23:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-06 17:37 . 2008-07-11 17:16 13352 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-07-06 17:37 . 2009-07-06 17:37 -------- d-----w- c:\windows\system32\WTablet
2009-07-06 17:37 . 2008-10-30 17:00 182056 ------w- c:\windows\system32\Wacom_Tablet.dll
2009-07-06 17:37 . 2008-10-30 16:50 172840 ------w- c:\windows\system32\Wintab32.dll
2009-07-06 17:37 . 2008-10-30 17:13 2749224 ------w- c:\windows\system32\Wacom_Tablet.exe
2009-07-04 16:48 . 2009-07-04 16:48 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-04 16:48 . 2009-07-05 18:21 -------- d-----w- c:\program files\World of Warcraft Trial
2009-07-03 21:05 . 2009-07-03 21:07 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2009-06-30 20:46 . 2008-10-06 16:53 15656 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2009-06-25 20:15 . 2009-06-25 20:15 -------- d-----w- c:\documents and settings\Owner\Application Data\cucusoft
2009-06-25 20:15 . 2009-06-25 20:15 -------- d-----w- c:\docume~1\Owner\APPLIC~1\cucusoft
2009-06-25 18:50 . 2009-06-26 00:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Audible
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\program files\iTunes
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
2009-06-20 15:44 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-06-20 15:43 . 2009-06-20 15:43 -------- d-----w- c:\program files\Common Files\INCA Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-13 23:42 . 2007-08-30 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 15:29 . 2007-09-18 05:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-11 22:10 . 2007-08-11 01:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 17:37 . 2007-08-11 02:32 -------- d-----w- c:\program files\Tablet
2009-07-03 19:11 . 2007-08-10 09:29 -------- d-----w- c:\program files\Bonjour
2009-07-03 18:07 . 2008-01-01 01:35 -------- d-----w- c:\program files\Winamp
2009-07-03 18:07 . 2007-09-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-03 18:06 . 2008-12-29 22:53 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-03 18:06 . 2008-12-29 22:53 -------- d-----w- c:\docume~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2009-07-03 18:05 . 2007-10-19 20:21 -------- d-----w- c:\documents and settings\Owner\Application Data\ScanSoft
2009-07-03 18:05 . 2007-10-19 20:21 -------- d-----w- c:\docume~1\Owner\APPLIC~1\ScanSoft
2009-07-03 17:59 . 2008-09-26 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Codemasters
2009-07-03 17:41 . 2008-09-17 00:18 -------- d-----w- c:\program files\Common Files\Apple
2009-07-02 16:59 . 2008-04-25 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Extensis
2009-06-30 21:59 . 2007-08-10 23:47 59648 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 21:25 . 2008-03-27 18:42 -------- d-----w- c:\program files\NewsLeecher
2009-06-25 18:29 . 2008-09-17 00:18 -------- d-----w- c:\program files\QuickTime
2009-06-23 22:23 . 2009-01-19 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-21 22:41 . 2009-06-21 22:41 48188 ----a-w- c:\windows\Fonts\CACFCB__.TTF
2009-06-21 22:41 . 2009-06-21 22:41 42460 ----a-w- c:\windows\Fonts\CACFC___.TTF
2009-06-15 19:42 . 2008-11-19 02:55 -------- d-----w- c:\program files\AIM6
2009-06-15 19:40 . 2007-09-29 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-15 16:53 . 2007-08-11 01:52 -------- d-----w- c:\documents and settings\Owner\Application Data\NewsLeecher
2009-06-15 16:53 . 2007-08-11 01:52 -------- d-----w- c:\docume~1\Owner\APPLIC~1\NewsLeecher
2009-06-11 03:04 . 2007-10-15 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-06 01:39 . 2009-06-06 01:39 -------- d-----w- c:\program files\ffdshow
2009-06-05 04:09 . 2007-08-11 01:26 -------- d-----w- c:\program files\DivX
2009-06-02 03:25 . 2009-06-02 03:21 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-06-02 03:25 . 2009-06-02 03:21 -------- d-----w- c:\docume~1\Owner\APPLIC~1\DivX
2009-06-02 03:19 . 2009-06-02 03:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-29 03:02 . 2007-08-17 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-05-29 03:02 . 2007-08-17 02:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\dvdcss
2009-05-22 18:38 . 2007-08-28 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-20 19:03 . 2009-05-20 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Moyea
2009-05-20 19:03 . 2009-05-20 19:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Moyea
2009-05-13 19:04 . 2003-03-19 03:14 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2009-05-13 19:04 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-04-29 04:46 . 2006-02-28 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-06-12 20:37 . 2008-11-15 20:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-14_05.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 16:50 . 2009-07-14 16:50 16384 c:\windows\Temp\Perflib_Perfdata_4e0.dat
+ 2009-07-14 14:00 . 2009-07-14 14:00 540672 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000002\UsrClass.dat
+ 2009-07-14 14:00 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-14-2009\ERDNT.EXE
+ 2009-07-14 14:00 . 2009-07-14 14:00 23556096 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Service Host Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
backup=c:\windows\pss\Status Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"TapiSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NBService"=3 (0x3)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"FreeAgentGoNext Service"=2 (0x2)
"CCALib8"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"Adobe Version Cue CS4"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ashlar-Vellum\\Graphite v8\\graphite.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/13/2009 7:36 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/13/2009 7:02 PM 108289]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/6/2009 12:37 PM 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/30/2009 3:46 PM 15656]
S0 DigiFilter;DigiFilter; [x]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S2 DigiNet;Digidesign Ethernet Support; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [1/22/2008 10:52 AM 513152]
S3 MaplomL;MaplomL; [x]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://netflix.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Trusted Zone: netflix.com\movielicense
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\sqauecuv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpPopup.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 17:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:39,41,c3,f8,a7,56,a8,61,72,7a,8d,de,91,ff,43,1a,41,f3,2d,10,60,77,a8,
1d,9b,01,c9,3b,61,b9,6f,48,63,a8,3c,51,27,21,0c,c7,05,e8,ae,59,85,b5,95,63,\
"??"=hex:69,3e,43,58,9f,64,ba,75,fe,6b,77,07,2a,78,dd,74

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:5c,24,08,91,f6,1c,c6,06,7f,0f,13,20,fe,93,37,40,bd,60,9e,b2,b0,
30,85,18,2f,1c,33,10,73,ae,36,83,6b,e3,96,4f,d2,52,6b,07,00,98,ee,a5,1c,e8,\
"rkeysecu"=hex:00,2a,c6,d7,65,28,8c,8a,81,72,0c,2a,82,16,72,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(2720)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-07-14 17:10
ComboFix-quarantined-files.txt 2009-07-14 22:09
ComboFix2.txt 2009-07-14 16:22
ComboFix3.txt 2009-07-14 05:03

Pre-Run: 148,394,414,080 bytes free
Post-Run: 148,354,822,144 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
294 --- E O F --- 2009-06-24 03:01



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:27 PM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\windows\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\windows\system32\wscntfy.exe
C:\windows\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\windows\system32\Wacom_Tablet.exe

--
End of file - 8774 bytes



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

 

[ken545]

Do me a favor and go to C:\ComboFix.txt, post the one for the very first scan you ran.

Are you having problems running ESET?

Also run Rooter again and post the log, what it found is very nasty. We want to make sure this is gone
( It's a 'backdoor Trojan' capable of infecting removable drives)

 

[johnnywayne]

I didn't have any problems running ESET. It took about an hour and found 0 infected.

ComboFix 09-07-13.01 - Owner 07/14/2009 11:15.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.1904 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-14 14:03 . 2009-07-14 14:21 -------- d-----w- C:\Rooter$
2009-07-14 01:27 . 2002-07-17 21:22 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-07-14 01:27 . 2002-07-17 21:22 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-07-14 01:25 . 2009-07-14 01:25 -------- d-----w- C:\adaptec
2009-07-14 00:49 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-14 00:36 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-14 00:36 . 2009-07-14 00:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-14 00:35 . 2009-07-14 00:35 -------- d-----w- c:\program files\Lavasoft
2009-07-14 00:02 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-14 00:02 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-14 00:02 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-14 00:02 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\program files\Avira
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-13 17:05 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:05 . 2009-07-14 14:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:05 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 16:09 . 2009-07-13 16:09 -------- d-----w- c:\program files\ERUNT
2009-07-12 14:20 . 2009-07-12 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\16356714
2009-07-10 03:58 . 2009-03-16 19:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-10 03:58 . 2009-03-16 19:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-10 03:58 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-10 03:58 . 2009-03-16 19:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-07-10 03:58 . 2009-03-16 19:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-07-06 17:38 . 2009-07-14 14:00 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet
2009-07-06 17:38 . 2009-07-14 14:00 -------- d-----w- c:\docume~1\Owner\APPLIC~1\WTablet
2009-07-06 17:37 . 2007-02-15 23:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-06 17:37 . 2008-07-11 17:16 13352 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-07-06 17:37 . 2009-07-06 17:37 -------- d-----w- c:\windows\system32\WTablet
2009-07-06 17:37 . 2008-10-30 17:00 182056 ------w- c:\windows\system32\Wacom_Tablet.dll
2009-07-06 17:37 . 2008-10-30 16:50 172840 ------w- c:\windows\system32\Wintab32.dll
2009-07-06 17:37 . 2008-10-30 17:13 2749224 ------w- c:\windows\system32\Wacom_Tablet.exe
2009-07-04 16:48 . 2009-07-04 16:48 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-04 16:48 . 2009-07-05 18:21 -------- d-----w- c:\program files\World of Warcraft Trial
2009-07-03 21:05 . 2009-07-03 21:07 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2009-06-30 20:46 . 2008-10-06 16:53 15656 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2009-06-25 20:15 . 2009-06-25 20:15 -------- d-----w- c:\documents and settings\Owner\Application Data\cucusoft
2009-06-25 20:15 . 2009-06-25 20:15 -------- d-----w- c:\docume~1\Owner\APPLIC~1\cucusoft
2009-06-25 18:50 . 2009-06-26 00:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Audible
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\program files\iTunes
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
2009-06-20 15:44 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-06-20 15:43 . 2009-06-20 15:43 -------- d-----w- c:\program files\Common Files\INCA Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-13 23:42 . 2007-08-30 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 15:29 . 2007-09-18 05:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-11 22:10 . 2007-08-11 01:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 17:37 . 2007-08-11 02:32 -------- d-----w- c:\program files\Tablet
2009-07-03 19:11 . 2007-08-10 09:29 -------- d-----w- c:\program files\Bonjour
2009-07-03 18:07 . 2008-01-01 01:35 -------- d-----w- c:\program files\Winamp
2009-07-03 18:07 . 2007-09-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-03 18:06 . 2008-12-29 22:53 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-03 18:06 . 2008-12-29 22:53 -------- d-----w- c:\docume~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2009-07-03 18:05 . 2007-10-19 20:21 -------- d-----w- c:\documents and settings\Owner\Application Data\ScanSoft
2009-07-03 18:05 . 2007-10-19 20:21 -------- d-----w- c:\docume~1\Owner\APPLIC~1\ScanSoft
2009-07-03 17:59 . 2008-09-26 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Codemasters
2009-07-03 17:41 . 2008-09-17 00:18 -------- d-----w- c:\program files\Common Files\Apple
2009-07-02 16:59 . 2008-04-25 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Extensis
2009-06-30 21:59 . 2007-08-10 23:47 59648 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 21:25 . 2008-03-27 18:42 -------- d-----w- c:\program files\NewsLeecher
2009-06-25 18:29 . 2008-09-17 00:18 -------- d-----w- c:\program files\QuickTime
2009-06-23 22:23 . 2009-01-19 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-21 22:41 . 2009-06-21 22:41 48188 ----a-w- c:\windows\Fonts\CACFCB__.TTF
2009-06-21 22:41 . 2009-06-21 22:41 42460 ----a-w- c:\windows\Fonts\CACFC___.TTF
2009-06-15 19:42 . 2008-11-19 02:55 -------- d-----w- c:\program files\AIM6
2009-06-15 19:40 . 2007-09-29 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-15 16:53 . 2007-08-11 01:52 -------- d-----w- c:\documents and settings\Owner\Application Data\NewsLeecher
2009-06-15 16:53 . 2007-08-11 01:52 -------- d-----w- c:\docume~1\Owner\APPLIC~1\NewsLeecher
2009-06-11 03:04 . 2007-10-15 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-06 01:39 . 2009-06-06 01:39 -------- d-----w- c:\program files\ffdshow
2009-06-05 04:09 . 2007-08-11 01:26 -------- d-----w- c:\program files\DivX
2009-06-02 03:25 . 2009-06-02 03:21 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-06-02 03:25 . 2009-06-02 03:21 -------- d-----w- c:\docume~1\Owner\APPLIC~1\DivX
2009-06-02 03:19 . 2009-06-02 03:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-29 03:02 . 2007-08-17 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-05-29 03:02 . 2007-08-17 02:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\dvdcss
2009-05-22 18:38 . 2007-08-28 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-20 19:03 . 2009-05-20 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Moyea
2009-05-20 19:03 . 2009-05-20 19:03 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Moyea
2009-05-15 21:17 . 2009-05-15 20:59 -------- d-----w- c:\program files\RACE 07 Offline
2009-05-13 19:04 . 2003-03-19 03:14 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2009-05-13 19:04 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-04-29 04:46 . 2006-02-28 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 20:25 . 2008-01-01 01:35 129784 -c----w- c:\windows\system32\pxafs.dll
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-06-12 20:37 . 2008-11-15 20:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-14_05.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 14:00 . 2009-07-14 14:00 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
+ 2009-07-14 14:00 . 2009-07-14 14:00 540672 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000002\UsrClass.dat
+ 2009-07-14 14:00 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-14-2009\ERDNT.EXE
+ 2009-07-14 14:00 . 2009-07-14 14:00 23556096 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Service Host Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
backup=c:\windows\pss\Status Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"TapiSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NBService"=3 (0x3)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"FreeAgentGoNext Service"=2 (0x2)
"CCALib8"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"Adobe Version Cue CS4"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ashlar-Vellum\\Graphite v8\\graphite.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/13/2009 7:36 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/13/2009 7:02 PM 108289]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/6/2009 12:37 PM 2749224]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/30/2009 3:46 PM 15656]
S0 DigiFilter;DigiFilter; [x]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S2 DigiNet;Digidesign Ethernet Support; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [1/22/2008 10:52 AM 513152]
S3 MaplomL;MaplomL; [x]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://netflix.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Trusted Zone: netflix.com\movielicense
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\sqauecuv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpPopup.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 11:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8C751604-460E-DACE-1EFD-DCA4C900AEFA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oagmggpnilgjolnmeckgjbeejebdjg"=hex:6a,61,6b,64,6b,6d,6e,67,65,68,65,69,64,64,
6d,6b,70,62,65,61,00,f5
"nammcaoflkkimiimlkcbmdcomlig"=hex:6a,61,6b,64,6b,6d,6e,67,65,68,65,69,64,64,
6d,6b,70,62,65,61,00,f5

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D40AA1E2-D41C-3AE4-B764-AAF60B452F7F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaahcppdoa"=hex:66,61,6b,68,6e,61,61,6f,6e,64,61,63,00,31
"dabhdpak"=hex:64,62,65,6a,6f,6c,70,62,69,69,63,6a,6a,6a,62,65,64,65,67,6f,6c,
66,6c,6f,6b,64,62,70,67,62,6b,70,6f,62,6b,61,6f,70,64,6e,00,00
"iaikmhkgoccomabjei"=hex:69,61,6b,6c,62,6a,70,69,62,6d,67,6f,66,6e,6c,6e,64,69,
00,00
"hacjoicemfcadjdc"=hex:69,61,6b,6c,62,6a,70,69,62,6d,67,6f,66,6e,6c,6e,64,69,
00,00

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:39,41,c3,f8,a7,56,a8,61,72,7a,8d,de,91,ff,43,1a,41,f3,2d,10,60,77,a8,
1d,9b,01,c9,3b,61,b9,6f,48,63,a8,3c,51,27,21,0c,c7,05,e8,ae,59,85,b5,95,63,\
"??"=hex:69,3e,43,58,9f,64,ba,75,fe,6b,77,07,2a,78,dd,74

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:5c,24,08,91,f6,1c,c6,06,7f,0f,13,20,fe,93,37,40,bd,60,9e,b2,b0,
30,85,18,2f,1c,33,10,73,ae,36,83,6b,e3,96,4f,d2,52,6b,07,00,98,ee,a5,1c,e8,\
"rkeysecu"=hex:00,2a,c6,d7,65,28,8c,8a,81,72,0c,2a,82,16,72,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(1872)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-07-14 11:22
ComboFix-quarantined-files.txt 2009-07-14 16:21
ComboFix2.txt 2009-07-14 05:03

Pre-Run: 163,551,596,544 bytes free
Post-Run: 163,533,041,664 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
318 --- E O F --- 2009-06-24 03:01


Mozilla Firefox 3.0.11 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:465 Go - Free:127 Go )
D:\ [CD_Rom]
G:\ [CD_Rom]
H:\ [CD_Rom]
.
Scan : 19:31.36
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (592)
______ \??\C:\windows\system32\csrss.exe (656)
______ \??\C:\windows\system32\winlogon.exe (680)
______ C:\windows\system32\services.exe (724)
______ C:\windows\system32\lsass.exe (736)
______ C:\windows\system32\svchost.exe (936)
______ C:\windows\system32\svchost.exe (980)
______ C:\windows\System32\svchost.exe (1080)
______ C:\windows\system32\svchost.exe (1120)
______ C:\windows\system32\svchost.exe (1188)
______ C:\windows\system32\svchost.exe (1288)
______ C:\WINDOWS\system32\brsvc01a.exe (1568)
______ C:\windows\system32\spoolsv.exe (1584)
______ C:\WINDOWS\system32\brss01a.exe (1592)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (1672)
______ C:\windows\system32\svchost.exe (1840)
______ C:\windows\Explorer.EXE (184)
______ C:\windows\system32\rundll32.exe (404)
______ C:\windows\system32\RUNDLL32.EXE (412)
______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (428)
______ C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (448)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (452)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (460)
______ C:\windows\system32\ctfmon.exe (484)
______ C:\Program Files\AIM6\aim6.exe (492)
______ C:\Program Files\Logitech\SetPoint\SetPoint.exe (520)
______ C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE (944)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (1448)
______ C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE (1508)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1644)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (1740)
______ C:\windows\system32\nvsvc32.exe (1916)
______ C:\WINDOWS\system32\PSIService.exe (2040)
______ C:\windows\system32\svchost.exe (2208)
______ C:\windows\system32\Wacom_Tablet.exe (2220)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe (2292)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (2380)
______ C:\windows\system32\Wacom_Tablet.exe (2636)
______ C:\Program Files\AIM6\aolsoftware.exe (3028)
______ C:\windows\System32\alg.exe (3036)
______ C:\Program Files\Mozilla Firefox\firefox.exe (260)
______ C:\Program Files\DAEMON Tools Lite\daemon.exe (3664)
______ C:\windows\system32\msiexec.exe (2700)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2832)
______ C:\windows\system32\wscntfy.exe (2816)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (2704)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:500096991744)
.
----------------------\\ Scheduled Tasks
.
C:\windows\Tasks\Ad-Aware Update (Weekly).job
C:\windows\Tasks\desktop.ini
C:\windows\Tasks\SA.DAT
.
----------------------\\ Registry
.
Rootkit! ... [HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 19:32.55
.
C:\Rooter$\Rooter_3.txt - (14/07/2009 | 19:32.55)

 

[ken545]

Its still there.

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Rootkit::

Rootkit::
C:\WINDOWS\system32\drivers\msqpdxtjpuhwvj.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys]

Driver::
msqpdxserv.sys


RegNULL::
[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\ShellExtensions\Approved\{8C751604-460E-DACE-1EFD-DCA4C900AEFA}*]
[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\ShellExtensions\Approved\{D40AA1E2-D41C-3AE4-B764-AAF60B452F7F}*]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 

[johnnywayne]

When I run it, it automatically reboots and says do not run any programs while it is finishing. It never finishes. There are the programs that run on startup, could that be a problem?

 

[johnnywayne]

I got a log by rebooting to safe mode.

ComboFix 09-07-14.07 - Owner 07/14/2009 21:42.6.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2827 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-15 00:01 . 2009-07-15 00:01 -------- d-----w- c:\program files\Microsoft Games
2009-07-14 22:31 . 2009-07-14 22:31 -------- d-----w- c:\program files\ESET
2009-07-14 22:21 . 2009-07-14 22:21 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-07-14 22:19 . 2009-07-14 22:19 -------- d-----w- c:\windows\ie8updates
2009-07-14 22:18 . 2009-07-14 22:18 -------- dc-h--w- c:\windows\ie8
2009-07-14 22:16 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-14 22:16 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-14 22:16 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-14 14:05 . 2009-07-14 14:05 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-14 14:03 . 2009-07-15 00:32 -------- d-----w- C:\Rooter$
2009-07-14 01:27 . 2002-07-17 21:22 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-07-14 01:27 . 2002-07-17 21:22 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-07-14 01:25 . 2009-07-14 01:25 -------- d-----w- C:\adaptec
2009-07-14 00:49 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-14 00:36 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-14 00:36 . 2009-07-14 00:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-14 00:36 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-14 00:35 . 2009-07-14 00:35 -------- d-----w- c:\program files\Lavasoft
2009-07-14 00:02 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-14 00:02 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-14 00:02 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-14 00:02 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\program files\Avira
2009-07-14 00:02 . 2009-07-14 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-13 17:05 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:05 . 2009-07-14 14:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:05 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 16:09 . 2009-07-13 16:09 -------- d-----w- c:\program files\ERUNT
2009-07-12 14:20 . 2009-07-12 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\16356714
2009-07-10 03:58 . 2009-03-16 19:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-10 03:58 . 2009-03-16 19:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-10 03:58 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-10 03:58 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-10 03:58 . 2009-03-16 19:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-07-10 03:58 . 2009-03-16 19:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-07-06 17:38 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet
2009-07-06 17:37 . 2007-02-15 23:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-07-06 17:37 . 2008-07-11 17:16 13352 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-07-06 17:37 . 2009-07-06 17:37 -------- d-----w- c:\windows\system32\WTablet
2009-07-06 17:37 . 2008-10-30 17:00 182056 ------w- c:\windows\system32\Wacom_Tablet.dll
2009-07-06 17:37 . 2008-10-30 16:50 172840 ------w- c:\windows\system32\Wintab32.dll
2009-07-06 17:37 . 2008-10-30 17:13 2749224 ------w- c:\windows\system32\Wacom_Tablet.exe
2009-07-04 16:48 . 2009-07-04 16:48 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-04 16:48 . 2009-07-05 18:21 -------- d-----w- c:\program files\World of Warcraft Trial
2009-07-03 21:05 . 2009-07-03 21:07 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2009-06-30 20:46 . 2008-10-06 16:53 15656 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2009-06-25 20:15 . 2009-06-25 20:15 -------- d-----w- c:\documents and settings\Owner\Application Data\cucusoft
2009-06-25 18:50 . 2009-06-26 00:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Audible
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\program files\iTunes
2009-06-25 18:31 . 2009-06-25 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
2009-06-23 19:10 . 2009-06-23 19:10 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-22 20:22 . 2008-12-04 06:25 120832 -c--a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-21 22:17 . 2008-09-29 06:06 90112 -c--a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpPopup.dll
2009-06-21 22:17 . 2008-09-29 06:06 1003520 -c--a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpCtp.dll
2009-06-20 15:44 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-06-20 15:43 . 2009-06-20 15:43 -------- d-----w- c:\program files\Common Files\INCA Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 00:27 . 2007-08-11 01:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 00:35 . 2007-09-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-13 23:42 . 2007-08-30 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 15:29 . 2007-09-18 05:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 17:37 . 2007-08-11 02:32 -------- d-----w- c:\program files\Tablet
2009-07-03 19:11 . 2007-08-10 09:29 -------- d-----w- c:\program files\Bonjour
2009-07-03 18:07 . 2008-01-01 01:35 -------- d-----w- c:\program files\Winamp
2009-07-03 18:07 . 2007-09-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-03 18:06 . 2008-12-29 22:53 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-03 18:05 . 2007-10-19 20:21 -------- d-----w- c:\documents and settings\Owner\Application Data\ScanSoft
2009-07-03 17:59 . 2008-09-26 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Codemasters
2009-07-03 17:41 . 2008-09-17 00:18 -------- d-----w- c:\program files\Common Files\Apple
2009-07-02 16:59 . 2008-04-25 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Extensis
2009-06-30 21:59 . 2007-08-10 23:47 59648 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 21:25 . 2008-03-27 18:42 -------- d-----w- c:\program files\NewsLeecher
2009-06-25 18:29 . 2008-09-17 00:18 -------- d-----w- c:\program files\QuickTime
2009-06-23 22:23 . 2009-01-19 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-21 22:41 . 2009-06-21 22:41 48188 ----a-w- c:\windows\Fonts\CACFCB__.TTF
2009-06-21 22:41 . 2009-06-21 22:41 42460 ----a-w- c:\windows\Fonts\CACFC___.TTF
2009-06-15 19:42 . 2008-11-19 02:55 -------- d-----w- c:\program files\AIM6
2009-05-13 19:04 . 2003-03-19 03:14 499712 -c--a-w- c:\windows\system32\msvcp71.dll
2009-05-13 19:04 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 01:44 . 2009-05-05 01:44 966808 -c--a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2009-05-05 00:41 . 2009-04-03 06:01 152576 -c--a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-06-12 20:37 . 2008-11-15 20:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-14_05.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-11 01:35 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe
+ 2009-01-11 00:20 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 46592 c:\windows\system32\pngfilt.dll
- 2006-02-28 12:00 . 2009-07-03 18:29 71674 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-07-14 22:28 71674 c:\windows\system32\perfc009.dat
+ 2006-06-29 14:05 . 2009-01-07 23:20 23552 c:\windows\system32\normaliz.dll
- 2006-06-29 14:05 . 2006-06-29 14:05 23552 c:\windows\system32\normaliz.dll
+ 2006-06-28 23:59 . 2009-01-07 23:20 24576 c:\windows\system32\nlsdl.dll
- 2006-06-28 23:59 . 2006-06-28 23:59 24576 c:\windows\system32\nlsdl.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 48128 c:\windows\system32\mshtmler.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 66560 c:\windows\system32\mshtmled.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-08 09:31 . 2009-03-08 09:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 09:31 . 2009-03-08 09:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-02-28 12:00 . 2009-03-08 09:34 43008 c:\windows\system32\licmgr10.dll
+ 2006-02-28 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\jsproxy.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 94720 c:\windows\system32\inseng.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 34816 c:\windows\system32\imgutil.dll
+ 2007-08-14 00:39 . 2009-03-08 09:32 36864 c:\windows\system32\ieudinit.exe
+ 2006-02-28 12:00 . 2009-03-08 09:32 71680 c:\windows\system32\iesetup.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 55808 c:\windows\system32\iernonce.dll
- 2006-06-29 14:05 . 2006-06-29 14:05 26112 c:\windows\system32\idndl.dll
+ 2006-06-29 14:05 . 2009-01-07 23:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-08 09:31 . 2009-03-08 09:31 59904 c:\windows\system32\icardie.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 13894 c:\windows\system32\dllcache\zonelibm.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 13894 c:\windows\system32\dllcache\zonelibm.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 29760 c:\windows\system32\dllcache\znetm.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 29760 c:\windows\system32\dllcache\znetm.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 41029 c:\windows\system32\dllcache\zcorem.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 41029 c:\windows\system32\dllcache\zcorem.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 36937 c:\windows\system32\dllcache\zclientm.exe
+ 2009-07-14 22:28 . 2006-02-28 12:00 36937 c:\windows\system32\dllcache\zclientm.exe
- 2007-08-10 23:35 . 2006-02-28 12:00 32339 c:\windows\system32\dllcache\uniansi.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 32339 c:\windows\system32\dllcache\uniansi.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 42573 c:\windows\system32\dllcache\shvlzm.exe
+ 2009-07-14 22:28 . 2006-02-28 12:00 42573 c:\windows\system32\dllcache\shvlzm.exe
- 2007-08-10 23:35 . 2006-02-28 12:00 66113 c:\windows\system32\dllcache\shvl.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 66113 c:\windows\system32\dllcache\shvl.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 42574 c:\windows\system32\dllcache\rvsezm.exe
- 2007-08-10 23:35 . 2006-02-28 12:00 42574 c:\windows\system32\dllcache\rvsezm.exe
+ 2009-07-14 22:28 . 2006-02-28 12:00 48706 c:\windows\system32\dllcache\rvse.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 48706 c:\windows\system32\dllcache\rvse.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-01-10 23:57 . 2009-03-08 09:31 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-02-28 12:00 . 2009-03-08 09:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2006-02-28 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2009-01-10 23:57 . 2009-03-08 09:31 59904 c:\windows\system32\dllcache\icardie.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 42573 c:\windows\system32\dllcache\hrtzzm.exe
+ 2009-07-14 22:28 . 2006-02-28 12:00 42573 c:\windows\system32\dllcache\hrtzzm.exe
- 2007-08-10 23:35 . 2006-02-28 12:00 57409 c:\windows\system32\dllcache\hrtz.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 57409 c:\windows\system32\dllcache\hrtz.dll
+ 2007-08-10 23:35 . 2009-03-08 09:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 42575 c:\windows\system32\dllcache\chkrzm.exe
- 2007-08-10 23:35 . 2006-02-28 12:00 42575 c:\windows\system32\dllcache\chkrzm.exe
- 2007-08-10 23:35 . 2006-02-28 12:00 40515 c:\windows\system32\dllcache\chkr.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 40515 c:\windows\system32\dllcache\chkr.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 42577 c:\windows\system32\dllcache\bckgzm.exe
+ 2009-07-14 22:28 . 2006-02-28 12:00 42577 c:\windows\system32\dllcache\bckgzm.exe
- 2007-08-10 23:35 . 2006-02-28 12:00 82501 c:\windows\system32\dllcache\bckg.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 82501 c:\windows\system32\dllcache\bckg.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 18944 c:\windows\system32\corpol.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 72704 c:\windows\system32\admparse.dll
+ 2009-07-14 22:19 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB969897-IE8\xpshims.dll
+ 2009-07-14 22:19 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB969897-IE8\jsproxy.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 37888 c:\windows\ie8\url.dll
+ 2009-07-14 22:18 . 2009-03-08 19:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 39424 c:\windows\ie8\pngfilt.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 96256 c:\windows\ie8\occache.dll
+ 2009-07-14 22:18 . 2008-04-13 16:26 56832 c:\windows\ie8\mshtmler.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 29184 c:\windows\ie8\mshta.exe
+ 2009-07-14 22:18 . 2009-04-29 04:55 52224 c:\windows\ie8\msfeedsbs.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 22016 c:\windows\ie8\licmgr10.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 15872 c:\windows\ie8\jsproxy.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 96256 c:\windows\ie8\inseng.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 35840 c:\windows\ie8\imgutil.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 93184 c:\windows\ie8\iexplore.exe
+ 2009-07-14 22:18 . 2008-04-14 00:11 62976 c:\windows\ie8\iesetup.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 48640 c:\windows\ie8\iernonce.dll
+ 2009-07-14 22:18 . 2009-04-29 04:55 78336 c:\windows\ie8\ieencode.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 34304 c:\windows\ie8\ie4uinit.exe
+ 2009-07-14 22:18 . 2009-04-29 04:55 63488 c:\windows\ie8\icardie.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 38912 c:\windows\ie8\hmmapi.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 35328 c:\windows\ie8\corpol.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 99840 c:\windows\ie8\advpack.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 61440 c:\windows\ie8\admparse.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 4677 c:\windows\system32\dllcache\zeeverm.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 4677 c:\windows\system32\dllcache\zeeverm.dll
+ 2009-07-14 22:19 . 2009-03-08 09:35 2048 c:\windows\ie8updates\KB971930-IE8\iecompat.dll
+ 2008-08-22 21:20 . 2009-01-07 23:21 121856 c:\windows\system32\xmllite.dll
- 2008-08-22 21:20 . 2008-04-14 00:12 121856 c:\windows\system32\xmllite.dll
+ 2009-03-08 09:34 . 2009-03-08 09:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2006-02-28 12:00 . 2009-03-08 09:34 236544 c:\windows\system32\webcheck.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 420352 c:\windows\system32\vbscript.dll
+ 2006-02-28 12:00 . 2009-03-08 09:34 105984 c:\windows\system32\url.dll
- 2006-02-28 12:00 . 2009-07-03 18:29 442026 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2009-07-14 22:28 442026 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2009-03-08 09:34 109568 c:\windows\system32\occache.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 611840 c:\windows\system32\mstime.dll
+ 2006-02-28 12:00 . 2009-03-08 09:34 193536 c:\windows\system32\msrating.dll
+ 2006-02-28 12:00 . 2009-03-08 09:22 156160 c:\windows\system32\msls31.dll
+ 2007-04-30 21:50 . 2007-04-30 21:50 903072 c:\windows\system32\msidcrl40.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 265720 c:\windows\system32\msdbg2.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll
+ 2009-03-08 09:22 . 2009-03-08 09:22 164352 c:\windows\system32\ieui.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 183808 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2009-04-30 21:22 385536 c:\windows\system32\iedkcs32.dll
+ 2009-03-08 09:11 . 2009-03-08 09:11 445952 c:\windows\system32\ieapfltr.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 163840 c:\windows\system32\ieakui.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 229376 c:\windows\system32\ieaksie.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 125952 c:\windows\system32\ieakeng.dll
+ 2006-02-28 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\ie4uinit.exe
+ 2006-02-28 12:00 . 2009-03-08 09:31 216064 c:\windows\system32\dxtrans.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 348160 c:\windows\system32\dxtmsft.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 113222 c:\windows\system32\dllcache\zoneclim.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 113222 c:\windows\system32\dllcache\zoneclim.dll
+ 2008-04-21 06:44 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 09:34 . 2009-03-08 09:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-10 23:36 . 2009-03-08 09:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2009-03-08 09:34 . 2009-03-08 09:34 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 753236 c:\windows\system32\dllcache\rvseres.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 753236 c:\windows\system32\dllcache\rvseres.dll
+ 2009-03-08 09:34 . 2009-03-08 09:34 109568 c:\windows\system32\dllcache\occache.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2006-02-28 12:00 . 2009-03-08 09:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2006-02-28 12:00 . 2009-03-08 09:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2009-01-10 23:57 . 2009-03-08 09:32 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2007-08-10 23:35 . 2009-03-08 19:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2006-02-28 12:00 . 2009-03-08 09:31 183808 c:\windows\system32\dllcache\iepeers.dll
+ 2006-02-28 12:00 . 2009-04-30 21:22 385536 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-01-10 23:57 . 2009-03-08 09:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-02-28 12:00 . 2009-03-08 09:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-02-28 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-02-28 12:00 . 2009-03-08 09:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-02-28 12:00 . 2009-03-08 09:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 217160 c:\windows\system32\dllcache\cmnclim.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 217160 c:\windows\system32\dllcache\cmnclim.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 780885 c:\windows\system32\dllcache\chkrres.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 780885 c:\windows\system32\dllcache\chkrres.dll
+ 2009-03-08 09:32 . 2009-03-08 09:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2006-02-28 12:00 . 2009-03-08 09:32 128512 c:\windows\system32\advpack.dll
+ 2009-07-15 00:27 . 2009-07-15 00:27 791552 c:\windows\Installer\5c04db.msi
+ 2009-07-15 00:10 . 2009-07-15 00:10 454656 c:\windows\Installer\{1170D24F-42B7-40CF-AA1B-6395CE562354}\ARPPRODUCTICON.exe
+ 2009-07-14 22:19 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971930-IE8\spuninst\updspapi.dll
+ 2009-07-14 22:19 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971930-IE8\spuninst\spuninst.exe
+ 2009-07-14 22:19 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB969897-IE8\wininet.dll
+ 2009-07-14 22:19 . 2008-07-09 07:38 382840 c:\windows\ie8updates\KB969897-IE8\spuninst\updspapi.dll
+ 2009-07-14 22:19 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB969897-IE8\spuninst\spuninst.exe
+ 2009-07-14 22:19 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB969897-IE8\ieproxy.dll
+ 2009-07-14 22:19 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB969897-IE8\iedkcs32.dll
+ 2009-07-14 22:19 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB969897-IE8\ie4uinit.exe
+ 2009-07-14 22:18 . 2009-04-29 04:46 666624 c:\windows\ie8\wininet.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 276480 c:\windows\ie8\webcheck.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 851968 c:\windows\ie8\vgx.dll
+ 2009-07-14 22:18 . 2008-05-09 10:53 430080 c:\windows\ie8\vbscript.dll
+ 2009-07-14 22:18 . 2009-04-29 04:46 620032 c:\windows\ie8\urlmon.dll
+ 2009-07-14 22:18 . 2009-01-07 23:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2009-07-14 22:18 . 2009-01-07 23:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2009-07-14 22:18 . 2008-04-14 00:12 532480 c:\windows\ie8\mstime.dll
+ 2009-07-14 22:18 . 2008-04-14 00:12 146432 c:\windows\ie8\msrating.dll
+ 2009-07-14 22:18 . 2006-02-28 12:00 146432 c:\windows\ie8\msls31.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 449024 c:\windows\ie8\mshtmled.dll
+ 2009-07-14 22:18 . 2009-04-29 04:55 459264 c:\windows\ie8\msfeeds.dll
+ 2009-07-14 22:18 . 2008-05-09 10:53 512000 c:\windows\ie8\jscript.dll
+ 2009-07-14 22:18 . 2009-04-29 04:55 268288 c:\windows\ie8\iertutil.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 251904 c:\windows\ie8\iepeers.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 323584 c:\windows\ie8\iedkcs32.dll
+ 2009-07-14 22:18 . 2009-04-29 04:55 383488 c:\windows\ie8\ieapfltr.dll
+ 2009-07-14 22:18 . 2006-02-28 12:00 221184 c:\windows\ie8\ieakui.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 216576 c:\windows\ie8\ieaksie.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 143360 c:\windows\ie8\ieakeng.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 205312 c:\windows\ie8\dxtrans.dll
+ 2009-07-14 22:18 . 2008-04-14 00:11 357888 c:\windows\ie8\dxtmsft.dll
+ 2009-07-14 14:00 . 2009-07-14 14:00 540672 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000002\UsrClass.dat
+ 2009-07-14 14:00 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-14-2009\ERDNT.EXE
+ 2007-08-08 00:22 . 2007-08-08 00:22 8607552 c:\windows\system32\xlive.dll
+ 2006-02-28 12:00 . 2009-04-30 21:22 1207808 c:\windows\system32\urlmon.dll
+ 2006-02-28 12:00 . 2009-05-13 05:15 5936128 c:\windows\system32\mshtml.dll
+ 2009-03-08 09:32 . 2009-04-30 21:22 1985024 c:\windows\system32\iertutil.dll
+ 2009-02-07 02:07 . 2009-02-07 02:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2008-06-26 08:15 . 2009-04-30 21:22 1207808 c:\windows\system32\dllcache\urlmon.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 2178131 c:\windows\system32\dllcache\shvlres.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 2178131 c:\windows\system32\dllcache\shvlres.dll
+ 2008-04-21 06:44 . 2009-05-13 05:15 5936128 c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-10 23:57 . 2009-04-30 21:22 1985024 c:\windows\system32\dllcache\iertutil.dll
+ 2009-01-10 23:57 . 2009-02-07 02:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
- 2007-08-10 23:35 . 2006-02-28 12:00 1175635 c:\windows\system32\dllcache\hrtzres.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 1175635 c:\windows\system32\dllcache\hrtzres.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 1039955 c:\windows\system32\dllcache\cmnresm.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 1039955 c:\windows\system32\dllcache\cmnresm.dll
+ 2009-01-07 23:20 . 2009-01-07 23:20 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2009-07-14 22:28 . 2006-02-28 12:00 1817687 c:\windows\system32\dllcache\bckgres.dll
- 2007-08-10 23:35 . 2006-02-28 12:00 1817687 c:\windows\system32\dllcache\bckgres.dll
+ 2009-07-15 00:10 . 2009-07-15 00:10 1048064 c:\windows\Installer\5c04d6.msi
+ 2009-07-14 22:19 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB969897-IE8\urlmon.dll
+ 2009-07-14 22:19 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB969897-IE8\mshtml.dll
+ 2009-07-14 22:19 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB969897-IE8\iertutil.dll
+ 2009-07-14 22:18 . 2009-04-29 04:46 3068928 c:\windows\ie8\mshtml.dll
+ 2009-07-14 22:18 . 2009-04-29 04:55 6066176 c:\windows\ie8\ieframe.dll
+ 2009-07-14 22:18 . 2008-07-09 14:25 2455488 c:\windows\ie8\ieapfltr.dat
+ 2007-08-08 00:22 . 2007-08-08 00:22 13653824 c:\windows\system32\xlivefnt.dll
+ 2008-01-01 01:18 . 2009-07-07 13:10 24539592 c:\windows\system32\MRT.exe
+ 2009-03-08 09:39 . 2009-04-30 21:22 11064832 c:\windows\system32\ieframe.dll
+ 2009-01-10 23:57 . 2009-04-30 21:22 11064832 c:\windows\system32\dllcache\ieframe.dll
+ 2009-07-14 22:19 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB969897-IE8\ieframe.dll
+ 2009-07-14 14:00 . 2009-07-14 14:00 23556096 c:\windows\ERDNT\AutoBackup\7-14-2009\Users\00000001\ntuser.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Service Host Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
backup=c:\windows\pss\Status Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"TapiSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NBService"=3 (0x3)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"FreeAgentGoNext Service"=2 (0x2)
"CCALib8"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"Adobe Version Cue CS4"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ashlar-Vellum\\Graphite v8\\graphite.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/13/2009 7:36 PM 64160]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/30/2009 3:46 PM 15656]
S0 DigiFilter;DigiFilter; [x]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/13/2009 7:02 PM 108289]
S2 DigiNet;Digidesign Ethernet Support; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/6/2009 12:37 PM 2749224]
S3 DrmCDriverV32;DrmCDriverV32;c:\windows\system32\drivers\DrmCDriverV32.sys [1/22/2008 10:52 AM 513152]
S3 MaplomL;MaplomL; [x]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DIGINET
*NewlyCreated* - PARPORT
*NewlyCreated* - SERIAL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://netflix.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Trusted Zone: netflix.com\movielicense
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\createandprint@ag.com\platform\WINNT_x86-msvc\plugins\NpPopup.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sqauecuv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 21:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:39,41,c3,f8,a7,56,a8,61,72,7a,8d,de,91,ff,43,1a,41,f3,2d,10,60,77,a8,
1d,9b,01,c9,3b,61,b9,6f,48,63,a8,3c,51,27,21,0c,c7,05,e8,ae,59,85,b5,95,63,\
"??"=hex:69,3e,43,58,9f,64,ba,75,fe,6b,77,07,2a,78,dd,74

[HKEY_USERS\S-1-5-21-1708537768-842925246-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:5c,24,08,91,f6,1c,c6,06,7f,0f,13,20,fe,93,37,40,bd,60,9e,b2,b0,
30,85,18,2f,1c,33,10,73,ae,36,83,6b,e3,96,4f,d2,52,6b,07,00,98,ee,a5,1c,e8,\
"rkeysecu"=hex:00,2a,c6,d7,65,28,8c,8a,81,72,0c,2a,82,16,72,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e4,26,a1,18,14,28,a2,af,ef,b2,4d,2b,8b,0c,f9,ef,5d,66,5a,0d,f1,
65,62,cb,8f,7e,03,91,8c,65,b0,a6,ee,1b,e0,6f,61,ff,5c,58,66,0a,1b,55,22,d5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(780)
c:\windows\system32\WININET.dll
.
Completion time: 2009-07-15 22:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-15 02:59
ComboFix2.txt 2009-07-14 22:10
ComboFix3.txt 2009-07-14 16:22
ComboFix4.txt 2009-07-14 05:03

Pre-Run: 136,989,601,792 bytes free
Post-Run: 137,064,751,104 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
514 --- E O F --- 2009-06-24 03:01



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:09 PM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\windows\system32\Wacom_Tablet.exe

--
End of file - 7769 bytes

 

[ken545]

Rerun Rooter and lets make sure its gone

 

[johnnywayne]

Hello. It's still there. What happens if I manually delete that file from the registry, does it have other things associated with it?

 

[ken545]

Lets do it this way..

Step 1: Disable msqpdxserv.sys trojan driver.

* Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
* Click Properties.
* Click Hardware Tab.
* Click Device Manager.
* In the top menu, click View and click Show Hidden Drivers.
* Scroll down to non Plug and Play drivers.
* Click + at left.
* In the list of drivers right click msqpdxserv.sys.
* Click Disable.
* Click YES for confirm.
* Close all windows and reboot your computer.



Step 2

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

• Double-click Flash_Disinfector.exe to run it.
• Follow any prompts that may appear.
• Wait until the program has finished scanning, then please exit the program.

The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.



Step 3

1. Please download The Avenger by Swandog46 and SAVE it to your Desktop.

• After download has completed,
• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

2. Copy all the lines of text in the code box below (including blank lines and comments) to your Clipboard by highlighting them with your mouse, then Right clicking and choosing Copy:

Drivers to delete:
msqpdxserv.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage your system!

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
• Click the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

3. The Avenger will automatically do the following:

• It will Restart your computer.
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be locatedatC:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
• Please delete C:\avenger <=this folder; Do NOT delete C:\avenger.txt <=this file

Please post the contents of C:\Avenger.txt; and run Rooter again to see if its gone

 

[johnnywayne]

Driver doesn't appear in device manager, ran everything anyway. Avenger says this:

Rootkit scan active.
No rootkits found!
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

I looked through the registry and as Rooter says that file is in ControlSet001. Does this make any difference?

 

[ken545]

CCS will take out CC1 if its there

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.