Avira free detected Ramnit.A

Solved
By MrT0ad
Oct 2, 2010
Topic Status:
Not open for further replies.
  2. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      *Srv.exe 
      DesktopLayer
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  3. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    System Look Scan log

    SystemLook 04.09.10 by jpshortstuff
    Log created at 17:12 on 02/10/2010 by User1
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "*Srv.exe "
    C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe --a---- 100864 bytes [09:36 18/02/2008] [09:36 18/02/2008] EA5DCE08B52ED0E9FA9E46F1EE5AB0C2
    C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe --a---- 89088 bytes [12:36 04/01/2008] [12:36 04/01/2008] DAE4DC972E7C37657F0966E7722ED3B1
    C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe --a---- 137728 bytes [07:46 22/02/2008] [07:46 22/02/2008] 3696CA6C2A45F47124FF1C8A8C945A92
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe --a---- 124928 bytes [11:23 25/03/2008] [11:23 25/03/2008] B4CD84211F68C4D9ADEB06DF13D700FD
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe --a---- 120320 bytes [08:11 22/02/2008] [08:11 22/02/2008] 7CE05DE53433201C0B57E4E0666C6D44
    C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe --a---- 128512 bytes [07:46 22/02/2008] [07:46 22/02/2008] 51EA3952C1FA239DCFF633813DF3C28B
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe --a---- 130560 bytes [08:58 10/03/2008] [08:58 10/03/2008] 2A1BF3BCF15675083277C9357BE0FCAE
    C:\WINDOWS\system32\clipsrv.exe --a---- 33280 bytes [12:00 14/04/2008] [12:00 14/04/2008] 34CBE729F38138217F9C80212A2A0C82
    C:\WINDOWS\system32\qappsrv.exe --a---- 16896 bytes [17:59 25/06/2008] [12:00 28/02/2006] 1556473E920CA676702516DA38DCAC86
    C:\WINDOWS\system32\dllcache\clipsrv.exe --a--c- 33280 bytes [12:00 14/04/2008] [12:00 14/04/2008] 34CBE729F38138217F9C80212A2A0C82
    C:\WINDOWS\system32\dllcache\qappsrv.exe --a--c- 16896 bytes [17:59 25/06/2008] [12:00 28/02/2006] 1556473E920CA676702516DA38DCAC86
    C:\WINDOWS\system32\dllcache\wmiapsrv.exe --a--c- 126464 bytes [17:59 25/06/2008] [00:12 14/04/2008] E0673F1106E62A68D2257E376079F821
    C:\WINDOWS\system32\wbem\wmiapsrv.exe --a---- 126464 bytes [17:59 25/06/2008] [00:12 14/04/2008] E0673F1106E62A68D2257E376079F821

    Searching for "DesktopLayer"
    No files found.

    -= EOF =-
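The filefind section above uses a fixed one-line-per-hit layout: path, seven attribute flags, size, two bracketed timestamps, and an MD5. As an added example (not part of the thread or of the SystemLook tool), the Python below parses that layout and pairs each System32 file with its dllcache copy, flagging hash differences; the sample log is a constructed excerpt modelled on the one posted, with one dllcache hash deliberately altered (the DEADBEEF... value) so the mismatch check has something to report.

```python
"""Parse SystemLook ':filefind' output and cross-check System32 files
against their dllcache copies by MD5 (added example, not SystemLook code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One hit per line: <path> <7 attribute flags> <size> bytes [modified] [created] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed excerpt modelled on the log posted in the thread. The dllcache
# copy of qappsrv.exe carries a deliberately altered (constructed) hash so the
# mismatch check has something to report; the other lines mirror the thread.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 17:12 on 02/10/2010 by User1
Administrator - Elevation successful

========== filefind ==========

Searching for "*Srv.exe "
C:\WINDOWS\system32\clipsrv.exe --a---- 33280 bytes [12:00 14/04/2008] [12:00 14/04/2008] 34CBE729F38138217F9C80212A2A0C82
C:\WINDOWS\system32\qappsrv.exe --a---- 16896 bytes [17:59 25/06/2008] [12:00 28/02/2006] 1556473E920CA676702516DA38DCAC86
C:\WINDOWS\system32\dllcache\clipsrv.exe --a--c- 33280 bytes [12:00 14/04/2008] [12:00 14/04/2008] 34CBE729F38138217F9C80212A2A0C82
C:\WINDOWS\system32\dllcache\qappsrv.exe --a--c- 16896 bytes [17:59 25/06/2008] [12:00 28/02/2006] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\WINDOWS\system32\wbem\wmiapsrv.exe --a---- 126464 bytes [17:59 25/06/2008] [00:12 14/04/2008] E0673F1106E62A68D2257E376079F821
C:\WINDOWS\system32\dllcache\wmiapsrv.exe --a--c- 126464 bytes [17:59 25/06/2008] [00:12 14/04/2008] E0673F1106E62A68D2257E376079F821

Searching for "DesktopLayer"
No files found.

-= EOF =-
"""


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str      # SystemLook flags, e.g. --a---- (archive) or --a--c- (compressed)
    size: int
    modified: str
    created: str
    md5: str

    @property
    def name(self) -> str:
        """Bare file name, lower-cased, used to pair live and cached copies."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_filefind(text: str) -> dict[str, list[FileHit]]:
    """Return {search term: [hits]} for every 'Searching for' block in the log."""
    results: dict[str, list[FileHit]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Searching for "') and line.endswith('"'):
            # Keep the term exactly as SystemLook echoes it (trailing space included).
            current = line[len('Searching for "'):-1]
            results[current] = []
            continue
        if current is None or not line or line == "No files found." or line.startswith("-="):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised filefind line: {line!r}")
        results[current].append(FileHit(
            path=m["path"], attrs=m["attrs"], size=int(m["size"]),
            modified=m["modified"], created=m["created"], md5=m["md5"].upper(),
        ))
    return results


def dllcache_mismatches(hits: list[FileHit]) -> list[tuple[str, str, str]]:
    r"""Report (name, live MD5, dllcache MD5) where a System32 file differs from its cache.

    Windows File Protection keeps pristine copies of protected files in
    %SystemRoot%\system32\dllcache, flattened, so system32\wbem\wmiapsrv.exe
    pairs with dllcache\wmiapsrv.exe. A live file whose hash differs from its
    cached copy has been replaced or patched and deserves a closer look.
    """
    live: dict[str, FileHit] = {}
    cached: dict[str, FileHit] = {}
    for h in hits:
        lower = h.path.lower()
        if "\\system32\\dllcache\\" in lower:
            cached[h.name] = h
        elif "\\system32\\" in lower:
            live[h.name] = h
    return sorted(
        (name, live[name].md5, c.md5)
        for name, c in cached.items()
        if name in live and live[name].md5 != c.md5
    )


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for term, hits in found.items():
        print(f"{term!r}: {len(hits)} hit(s)")
        for h in hits:
            print(f"  {h.md5}  {h.size:>8}  {h.path}")
    for name, live_md5, cache_md5 in dllcache_mismatches(found["*Srv.exe "]):
        print(f"MISMATCH {name}: live {live_md5} != dllcache {cache_md5}")
```

A hit in an unexpected directory (for instance a *Srv.exe outside Program Files or System32) or a live/dllcache hash mismatch is what a helper reading this log would want surfaced; on the log actually posted in the thread, every cached pair agrees.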
  4. Broni

    I don't see Ramnit presence, yet.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  5. MrT0ad

    ESET Scan results

    C:\Documents and Settings\User1\My Documents\Downloads\ImTOO_DVD_Ripper_Ultimate_5.0.64.0409.rar a variant of Win32/Keygen.AT application
    C:\Documents and Settings\User1\My Documents\Downloads\nxtserver.zip probably unknown NewHeur_PE virus
    C:\Program Files\system\ssa3o.exe a variant of Win32/Cimag.DL trojan
    C:\System Volume Information\_restore{77DD8FFE-4419-4C0B-994C-90BC086CCF94}\RP243\A0066403.dll a variant of Win32/Cimag.DL trojan
  6. Broni

    So far nothing about Ramnit, so let's continue with regular scans...

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.

    =========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  7. MrT0ad

    MBR Check log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000000bd

    Kernel Drivers (total 139):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7B6F000 \WINDOWS\system32\KDCOM.DLL
    0xF7A7F000 \WINDOWS\system32\BOOTVID.dll
    0xF762E000 fltmgr.sys
    0xF7600000 ACPI.sys
    0xF7B71000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF75EF000 pci.sys
    0xF766F000 isapnp.sys
    0xF74D6000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF7C37000 PCIIde.sys
    0xF78EF000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
    0xF7B73000 intelide.sys
    0xF767F000 MountMgr.sys
    0xF74B7000 ftdisk.sys
    0xF7B75000 dmload.sys
    0xF7491000 dmio.sys
    0xF78F7000 PartMgr.sys
    0xF768F000 VolSnap.sys
    0xF7479000 atapi.sys
    0xF769F000 disk.sys
    0xF76AF000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7467000 sr.sys
    0xF742F000 PCTCore.sys
    0xF76BF000 PxHelp20.sys
    0xF7411000 TPkd.sys
    0xF73FA000 KSecDD.sys
    0xF736D000 Ntfs.sys
    0xF7340000 NDIS.sys
    0xF732D000 sfvfs02.sys
    0xF78FF000 sfhlp02.sys
    0xF731B000 sfdrv01.sys
    0xF7301000 Mup.sys
    0xF773F000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF62E7000 \SystemRoot\system32\DRIVERS\e1000325.sys
    0xF6160000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF614C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7A47000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6128000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A4F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7A57000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF774F000 \SystemRoot\system32\drivers\ES1370MP.sys
    0xF6104000 \SystemRoot\system32\drivers\portcls.sys
    0xF775F000 \SystemRoot\system32\drivers\drmk.sys
    0xF60E1000 \SystemRoot\system32\drivers\ks.sys
    0xF7A5F000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF776F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7A67000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF777F000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF72B0000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF60BA000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF778F000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF779F000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7A6F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF77AF000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF5FC9000 \SystemRoot\system32\DRIVERS\btkrnl.sys
    0xF7A77000 \SystemRoot\system32\drivers\DsAudioDevice_310.sys
    0xF7CD3000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF77BF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7B0F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5FB2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF77CF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF77EF000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF790F000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5FA1000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF77FF000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7927000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF792F000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF5F71000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF780F000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7937000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF5F54000 \SystemRoot\system32\DRIVERS\mcdbus.sys
    0xF7BD1000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5EF6000 \SystemRoot\system32\DRIVERS\update.sys
    0xF6B19000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF793F000 \SystemRoot\system32\DRIVERS\btport.sys
    0xF781F000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF63A2000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7BD3000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7B3B000 \SystemRoot\system32\DRIVERS\gameenum.sys
    0xF7947000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF7BD5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7D45000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BD7000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7957000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF795F000 \SystemRoot\System32\drivers\vga.sys
    0xF7BD9000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BDB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7967000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF796F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7B4F000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEDBDF000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEDB86000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEDB5E000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEDB38000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7B5F000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xF6382000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xEDB16000 \SystemRoot\System32\drivers\afd.sys
    0xF6372000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF7977000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xEDAEB000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEDA7B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF6362000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7B6B000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF6352000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF72CC000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF7D79000 \SystemRoot\System32\Drivers\BANTExt.sys
    0xED677000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF7BDF000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF72C4000 \SystemRoot\System32\drivers\aspi32.sys
    0xF6312000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xED65F000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7BEB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF5EB2000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF79A7000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D4D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF055000 \SystemRoot\System32\ati2cqag.dll
    0xBF09A000 \SystemRoot\System32\atikvmag.dll
    0xBF0D0000 \SystemRoot\System32\ati3duag.dll
    0xBF362000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xED46B000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xF72B4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xED1BE000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7C0B000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xECF37000 \SystemRoot\system32\DRIVERS\srv.sys
    0xECB12000 \SystemRoot\system32\drivers\wdmaud.sys
    0xECC47000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF79CF000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xEC8B9000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xED06E000 \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
    0xEC648000 \SystemRoot\System32\Drivers\HTTP.sys
    0xED20F000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xECE2B000 \SystemRoot\system32\DRIVERS\hidgame.sys
    0xF7C0F000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 58):
    0 System Idle Process
    4 SYSTEM
    616 C:\WINDOWS\system32\smss.exe
    664 csrss.exe
    692 C:\WINDOWS\system32\winlogon.exe
    736 C:\WINDOWS\system32\services.exe
    756 C:\WINDOWS\system32\lsass.exe
    932 C:\WINDOWS\system32\ati2evxx.exe
    948 C:\WINDOWS\system32\svchost.exe
    1040 svchost.exe
    1080 C:\Program Files\Windows Defender\MsMpEng.exe
    1120 C:\WINDOWS\system32\svchost.exe
    1144 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    1212 svchost.exe
    1280 svchost.exe
    1452 C:\WINDOWS\system32\spoolsv.exe
    1504 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1540 svchost.exe
    1624 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1636 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1672 C:\Program Files\Bonjour\mDNSResponder.exe
    1696 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    1768 C:\WINDOWS\system32\FsUsbExService.Exe
    1848 C:\Program Files\iDownload\iDownloadService.exe
    1920 C:\Program Files\Java\jre6\bin\jqs.exe
    1960 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2036 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    176 C:\Program Files\CDBurnerXP\NMSAccessU.exe
    268 C:\WINDOWS\system32\PnkBstrA.exe
    280 C:\WINDOWS\system32\PnkBstrB.exe
    352 C:\WINDOWS\system32\svchost.exe
    444 wdfmgr.exe
    472 C:\WINDOWS\system32\UAService7.exe
    508 C:\WINDOWS\system32\searchindexer.exe
    1348 C:\Program Files\Canon\CAL\CALMAIN.exe
    2108 C:\WINDOWS\system32\ati2evxx.exe
    2308 C:\WINDOWS\explorer.exe
    2684 alg.exe
    3328 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    3340 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    3352 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    3376 C:\Program Files\AGEIA Technologies\TrayIcon.exe
    3420 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3428 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    3816 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    3844 C:\Program Files\DNA\btdna.exe
    3852 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3992 C:\WINDOWS\system32\ctfmon.exe
    4072 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    1792 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    2276 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    3736 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    3800 C:\WINDOWS\system32\svchost.exe
    2180 C:\Documents and Settings\User1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3124 C:\Documents and Settings\User1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    420 C:\WINDOWS\system32\searchprotocolhost.exe
    2720 searchfilterhost.exe
    2304 C:\Documents and Settings\User1\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD2500JD-75HBC0, Rev: 08.02D08
    PhysicalDrive1 Model Number: SAMSUNGSP0411C, Rev: UU100-05

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    37 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
  8. Broni

    The above looks good :)
  9. MrT0ad

    ComboFix failed as it was writing the report... should I try in safe mode?
  10. Broni

    Yes, you can.
  11. MrT0ad

    Combofix log in two parts (double checked to ensure no missing lines :) )

    ComboFix 10-10-01.07 - User1 03/10/2010 11:07:21.9.2 - x86 MINIMAL
    Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\User1\Application Data\inst.exe
    c:\documents and settings\User1\Application Data\PriceGong
    c:\documents and settings\User1\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\User1\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}
    c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\chrome.manifest
    c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\chrome\content\_cfg.js
    c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\chrome\content\overlay.xul
    c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
    .

    2010-09-30 19:25 . 2010-10-02 07:56 -------- d-----w- c:\program files\system
    2010-09-30 19:25 . 2010-09-30 19:25 -------- d-----w- c:\program files\win
    2010-09-27 18:14 . 2010-09-27 18:14 -------- d-----w- c:\program files\iPod
    2010-09-27 18:08 . 2010-09-27 18:08 -------- d-----w- c:\program files\QuickTime
    2010-09-27 18:04 . 2010-09-27 18:04 -------- d-----w- c:\program files\Bonjour
    2010-09-27 17:59 . 2010-09-27 17:59 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
    2010-09-18 22:18 . 2010-09-18 22:18 -------- d-----w- c:\program files\ESET
    2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\DVDVideoSoftTB
    2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\Threat Expert
    2010-09-17 11:23 . 2010-09-17 11:23 -------- d-----w- c:\documents and settings\Ben2\Application Data\Malwarebytes
    2010-09-17 11:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 11:23 . 2010-10-02 08:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 11:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 10:49 . 2010-09-17 10:49 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\AirMouse
    2010-09-15 18:07 . 2010-09-15 18:07 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-09-09 18:36 . 2010-10-02 08:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\DVDVideoSoftTB
    2010-09-09 18:36 . 2010-09-25 12:01 -------- d-----w- c:\program files\DVDVideoSoftTB
    2010-09-03 13:15 . 2010-09-03 13:15 -------- d-----w- c:\documents and settings\Sara.BEN\Application Data\Corel

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-03 09:58 . 2008-10-02 17:21 -------- d-----w- c:\documents and settings\User1\Application Data\DNA
    2010-10-03 09:50 . 2009-05-31 15:03 -------- d-----w- c:\program files\Steam
    2010-10-03 09:49 . 2008-10-02 17:21 -------- d-----w- c:\program files\DNA
    2010-10-03 09:47 . 2008-11-05 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-03 09:10 . 2009-02-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-10-03 08:04 . 2010-08-21 14:19 119296 ----a-w- c:\windows\system32\zlib.dll
    2010-10-02 21:55 . 2010-06-20 17:55 -------- d-----w- c:\documents and settings\User1\Application Data\TeraCopy
    2010-10-02 08:22 . 2009-01-10 17:59 -------- d-----w- c:\program files\Microsoft
    2010-10-02 08:08 . 2009-10-05 01:31 -------- d-----w- c:\documents and settings\User1\Application Data\Goryyk
    2010-10-02 08:06 . 2009-08-07 07:02 -------- d-----w- c:\documents and settings\User1\Application Data\Agzuco
    2010-10-02 08:02 . 2008-12-27 11:11 -------- d-----w- c:\documents and settings\User1\Application Data\Fiase
    2010-10-02 07:54 . 2008-06-26 18:25 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-30 19:27 . 2010-08-14 13:20 120 ----a-w- c:\windows\Iriqa.dat
    2010-09-30 19:27 . 2010-08-14 13:20 0 ----a-w- c:\windows\Ewavitixezoyipo.bin
    2010-09-30 19:25 . 2010-01-12 14:17 -------- d-----w- c:\documents and settings\User1\Application Data\Ciuviq
    2010-09-30 19:25 . 2010-02-20 16:39 -------- d-----w- c:\documents and settings\User1\Application Data\vlc
    2010-09-28 17:59 . 2010-01-29 17:39 -------- d-----w- c:\program files\iDownload
    2010-09-27 18:14 . 2008-08-29 17:52 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-26 13:56 . 2010-01-22 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
    2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
    2010-09-26 13:56 . 2009-01-13 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\Vso
    2010-09-26 13:54 . 2008-08-26 09:02 -------- d-----w- c:\documents and settings\User1\Application Data\Gearbox Software
    2010-09-26 13:54 . 2008-08-26 08:56 -------- d-----w- c:\program files\Ubisoft
    2010-09-26 13:34 . 2008-08-26 08:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-26 13:32 . 2009-05-01 18:02 -------- d-----w- c:\program files\Astro Gemini Software
    2010-09-26 11:58 . 2010-01-22 19:53 -------- d-----w- c:\documents and settings\User1\Application Data\Skype
    2010-09-26 11:34 . 2008-06-26 17:05 103728 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-26 11:34 . 2010-01-22 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\skypePM
    2010-09-26 08:14 . 2008-08-26 08:49 -------- d-----w- c:\program files\Google
    2010-09-19 09:12 . 2009-05-09 21:37 -------- d-----w- c:\documents and settings\User1\Application Data\Akraec
    2010-09-18 09:46 . 2009-07-03 18:04 -------- d-----w- c:\documents and settings\Ben2\Application Data\Apple Computer
    2010-09-15 18:10 . 2009-02-14 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-09-13 20:24 . 2010-04-27 19:22 -------- d-----w- c:\program files\Ahead DVD Ripper
    2010-09-13 20:24 . 2009-03-16 08:46 -------- d-----w- c:\program files\ACDFREE11
    2010-09-13 20:24 . 2010-07-09 18:06 -------- d-----w- c:\program files\AC3Filter
    2010-09-09 18:36 . 2008-12-07 15:25 -------- d-----w- c:\program files\Conduit
    2010-09-08 19:11 . 2008-10-11 09:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-09-03 14:35 . 2008-12-31 13:42 103728 ----a-w- c:\documents and settings\Ben2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-03 13:15 . 2010-01-10 09:50 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-09-03 12:48 . 2008-10-29 08:45 103728 ----a-w- c:\documents and settings\Sara.BEN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-02 18:23 . 2010-09-02 08:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2010-09-02 10:16 . 2010-09-02 10:05 -------- d-----w- c:\documents and settings\User1\Application Data\ImgBurn
    2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\ImgBurn
    2010-08-30 20:33 . 2010-06-19 07:45 -------- d-----w- c:\documents and settings\User1\Application Data\SystemRequirementsLab
    2010-08-30 14:40 . 2010-08-28 21:28 -------- d-----w- c:\program files\temp
    2010-08-27 22:16 . 2010-08-10 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-08-27 22:16 . 2010-08-27 22:16 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
    2010-08-23 17:41 . 2010-08-23 17:40 -------- d-----w- c:\program files\Muspub7
    2010-08-23 16:27 . 2010-08-23 16:27 -------- d-----w- c:\documents and settings\User1\Application Data\PowerUp Software
    2010-08-23 09:08 . 2010-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PowerUp Software
    2010-08-21 14:19 . 2010-08-21 14:19 -------- d-----w- c:\program files\PowerUp Software
    2010-08-21 12:32 . 2009-05-26 10:08 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-08-21 12:31 . 2010-08-21 12:31 92280 ----a-w- c:\documents and settings\User1\Application Data\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
    2010-08-19 15:59 . 2010-08-19 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
    2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-10 10:21 . 2010-02-21 18:46 -------- d-----w- c:\program files\XviD
    2010-08-09 19:01 . 2010-08-09 18:26 -------- d-----w- c:\documents and settings\User1\Application Data\LEGO Company
    2010-08-09 18:25 . 2010-08-09 18:25 -------- d-----w- c:\program files\LEGO Company
    2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-07-22 15:49 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-15 09:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-10 08:58 . 2010-07-10 08:56 4157440 ----a-w- c:\documents and settings\User1\Application Data\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
    2010-06-07 18:48 . 2008-12-29 15:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2006-05-03 09:06 . 2009-09-26 19:21 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2009-09-26 19:21 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2009-09-26 19:21 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
     
  12. MrT0ad

    Combofix log part 2


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    2010-09-25 12:01 2735200 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 68856]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
    "Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]
    "AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
    "AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-07 30192]
    "Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-27 176128]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "iDownloadTray"="c:\program files\iDownload\iDownloadTray.exe" [2009-10-16 61440]
    "DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2009-12-29 924672]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Documents and Settings\\User1\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\VALVe\\Star-Steam\\SteamApps\\nazgul26422\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\smashball\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base\\hl2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
    "c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
    "c:\\Program Files\\iDownload\\iDownload.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base 2007\\hl2.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
    "c:\\Nexon\\Combat Arms EU\\Engine.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Itunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "58989:TCP"= 58989:TCP:pando Media Booster
    "58989:UDP"= 58989:UDP:pando Media Booster

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/04/2010 17:58 217032]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
    S0 cerc6;cerc6; [x]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/05/2009 14:26 721904]
    S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys [13/09/2008 17:42 112835]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/04/2009 10:50 108289]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [19/04/2010 18:34 112592]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [10/07/2010 09:42 233472]
    S2 gupdate1c9906b5ab35f58;Google Update Service (gupdate1c9906b5ab35f58);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2009 20:18 133104]
    S2 iDownloadService;iDownload Service;c:\program files\iDownload\iDownloadService.exe [16/10/2009 23:17 57344]
    S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [13/09/2008 17:42 5325]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [11/10/2008 10:37 25244]
    S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [29/01/2010 18:52 16640]
    S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [25/06/2008 19:45 37120]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [29/07/2008 14:09 39424]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [10/07/2010 09:42 36608]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29/12/2008 16:14 30192]
    S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [27/05/2008 03:52 51072]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [10/07/2010 09:42 90112]
    S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [10/07/2010 09:42 14976]
    S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [10/07/2010 09:42 121856]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 15:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

    2010-10-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-26 18:07]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

    2010-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003Core.job
    - c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003UA.job
    - c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

    2010-10-03 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

    2010-10-03 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

    2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{356408DB-8B97-436B-BE95-C075C1429A69}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Download All Files by HiDownload - c:\program files\StreamingStar\HiDownload\HDGetAll.htm
    IE: Download by HiDownload - c:\program files\StreamingStar\HiDownload\HDGet.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Free YouTube to Mp3 Converter - c:\documents and settings\User1\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User1\Start Menu\Programs\IMVU\Run IMVU.lnk
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\6hxlj89y.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
    FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Omagiko - c:\windows\dsclok.dll
    HKLM-Run-Dtito - c:\windows\abiwiges.dll
    AddRemove-AVS4YOU Video Converter 6_is1 - c:\bens work\Downloads\Converter\Avs\AVSVideoConverter6\unins000.exe
    AddRemove-BKChem_is1 - c:\bens work\Chemistry\BKchem\BKChem\unins000.exe
    AddRemove-Media Converter SA Edition - c:\sim\Media Converter SA Edition\uninst.exe
    AddRemove-MediaCoder - c:\mediacoder\uninst.exe
    AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-03 11:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(264)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-10-03 11:24:55
    ComboFix-quarantined-files.txt 2010-10-03 10:24

    Pre-Run: 39,568,732,160 bytes free
    Post-Run: 39,541,571,584 bytes free

    - - End Of File - - 94F9FFDF4B10A30E25992A34E3DC3EE8
  13. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Managed to pull the Avira events from 2 Oct 2010 relating to the latest virus outbreak.... this may or may not help


    Exported events:

    02/10/2010 09:22 [Guard] Malware found
    Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
    detected in file 'C:\WINDOWS\dsclok.dll.
    Action performed: Move file to quarantine

    02/10/2010 09:22 [Guard] Malware found
    Virus or unwanted program 'BDS/IRCNite.ase [backdoor]'
    detected in file 'C:\Program Files\Microsoft\desktoplayer.exe.
    Action performed: Move file to quarantine

    02/10/2010 09:22 [Guard] Malware found
    Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
    detected in file 'C:\WINDOWS\abiwiges.dll.
    Action performed: Move file to quarantine

    02/10/2010 09:22 [Guard] Malware found
    Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
    detected in file 'C:\WINDOWS\dsclok.dll.
    Action performed: Deny access

    02/10/2010 09:22 [Guard] Malware found
    Virus or unwanted program 'BDS/IRCNite.ase [backdoor]'
    detected in file 'C:\Program Files\Microsoft\desktoplayer.exe.
    Action performed: Move file to quarantine

    02/10/2010 09:22 [Guard] Malware found
    Virus or unwanted program 'BDS/IRCNite.ase [backdoor]'
    detected in file 'C:\Program Files\Microsoft\desktoplayer.exe.
    Action performed: Move file to quarantine

    02/10/2010 09:10 [Guard] Malware found
    Virus or unwanted program 'W32/Ramnit.A [virus]'
    detected in file 'C:\Documents and Settings\User1\My
    Documents\Downloads\Winflip\WFHook.dll.
    Action performed: Deny access

    02/10/2010 09:10 [Guard] Malware found
    Virus or unwanted program 'W32/Ramnit.A [virus]'
    detected in file 'C:\Documents and Settings\User1\My
    Documents\Downloads\Winflip\WFHook.dll.
    Action performed: Deny access

    02/10/2010 09:10 [Guard] Malware found
    Virus or unwanted program 'W32/Ramnit.A [virus]'
    detected in file 'C:\Documents and Settings\User1\My
    Documents\Downloads\Winflip\WinFlip.exe.
    Action performed: Move file to quarantine

    02/10/2010 09:09 [Guard] Malware found
    Virus or unwanted program 'HTML/Rce.Gen [virus]'
    detected in file 'C:\Documents and Settings\User1\Local Settings\Temporary
    Internet Files\Content.IE5\UI2T36BE\notifier_avira_com[1].htm.
    Action performed: Move file to quarantine

    02/10/2010 09:08 [Guard] Malware found
    Virus or unwanted program 'W32/Ramnit.A [virus]'
    detected in file 'C:\Documents and Settings\User1\Application
    Data\Goryyk\qoiz.exe.
    Action performed: Move file to quarantine

    02/10/2010 09:02 [Guard] Malware found
    Virus or unwanted program 'TR/Spy.ZBot.apun [trojan]'
    detected in file 'C:\Documents and Settings\User1\Application
    Data\Fiase\ihnuq.exe.
    Action performed: Move file to quarantine

    02/10/2010 09:01 [Guard] Malware found
    Virus or unwanted program 'TR/Spy.ZBot.apun [trojan]'
    detected in file 'C:\Documents and Settings\User1\Application
    Data\Fiase\ihnuq.exe.
    Action performed: Deny access

    02/10/2010 09:01 [Guard] Malware found
    Virus or unwanted program 'HTML/Rce.Gen [virus]'
    detected in file 'C:\Documents and Settings\All Users\Application
    Data\Avira\AntiVir Desktop\addr_file.html.
    Action performed: Deny access

    thanks Simon
  14. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    You might have been extremely lucky, regarding Ramnit infection.
    I can see it from Avira scan in some downloaded files, but hopefully, you didn't use those files yet, because I can't see any impact on your computer, except for this folder being present:
    - c:\program files\Microsoft
    The above folder is usually a sign of Ramnit infection.
    We'll keep checking....


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Iriqa.dat
    c:\windows\Ewavitixezoyipo.bin
    
    
    Folder::
    c:\program files\Microsoft
    c:\documents and settings\User1\Application Data\Goryyk
    c:\documents and settings\User1\Application Data\Agzuco
    c:\documents and settings\User1\Application Data\Fiase
    c:\documents and settings\User1\Application Data\Ciuviq
    c:\documents and settings\User1\Application Data\Akraec
    C:\Documents and Settings\User1\My Documents\Downloads\Winflip
    
    DDS::
    uInternet Settings,ProxyOverride = <local>;*.local
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation of dragging CFScript.txt onto ComboFix.exe; image not available]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  15. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Broni, did this and Combofix ran through all 50 phases..... however, when it started the deleting files phase it blue-screened.

    Do we need to retry in Safe Mode?

    Is the BSOD a malware self-defence mechanism? ... I have been assuming so

    thanks Simon
  16. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    It's hard to say...
    Try safe mode.
  17. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Safe Mode Combofix log part 1

    ComboFix 10-10-02.02 - User1 03/10/2010 18:48:29.11.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.727 [GMT 1:00]
    Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User1\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\windows\Ewavitixezoyipo.bin"
    "c:\windows\Iriqa.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Ewavitixezoyipo.bin
    c:\windows\Iriqa.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
    .

    2010-09-30 19:25 . 2010-10-02 07:56 -------- d-----w- c:\program files\system
    2010-09-30 19:25 . 2010-09-30 19:25 -------- d-----w- c:\program files\win
    2010-09-27 18:14 . 2010-09-27 18:14 -------- d-----w- c:\program files\iPod
    2010-09-27 18:08 . 2010-09-27 18:08 -------- d-----w- c:\program files\QuickTime
    2010-09-27 18:04 . 2010-09-27 18:04 -------- d-----w- c:\program files\Bonjour
    2010-09-27 17:59 . 2010-09-27 17:59 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
    2010-09-18 22:18 . 2010-09-18 22:18 -------- d-----w- c:\program files\ESET
    2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\DVDVideoSoftTB
    2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\Threat Expert
    2010-09-17 11:23 . 2010-09-17 11:23 -------- d-----w- c:\documents and settings\Ben2\Application Data\Malwarebytes
    2010-09-17 11:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 11:23 . 2010-10-02 08:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 11:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 10:49 . 2010-09-17 10:49 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\AirMouse
    2010-09-15 18:07 . 2010-09-15 18:07 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-09-09 18:36 . 2010-10-02 08:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\DVDVideoSoftTB
    2010-09-09 18:36 . 2010-09-25 12:01 -------- d-----w- c:\program files\DVDVideoSoftTB

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-03 17:37 . 2008-10-02 17:21 -------- d-----w- c:\documents and settings\User1\Application Data\DNA
    2010-10-03 17:36 . 2009-05-31 15:03 -------- d-----w- c:\program files\Steam
    2010-10-03 17:36 . 2008-10-02 17:21 -------- d-----w- c:\program files\DNA
    2010-10-03 17:35 . 2008-11-05 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-03 09:10 . 2009-02-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-10-03 08:04 . 2010-08-21 14:19 119296 ----a-w- c:\windows\system32\zlib.dll
    2010-10-02 21:55 . 2010-06-20 17:55 -------- d-----w- c:\documents and settings\User1\Application Data\TeraCopy
    2010-10-02 08:22 . 2009-01-10 17:59 -------- d-----w- c:\program files\Microsoft
    2010-10-02 08:08 . 2009-10-05 01:31 -------- d-----w- c:\documents and settings\User1\Application Data\Goryyk
    2010-10-02 08:06 . 2009-08-07 07:02 -------- d-----w- c:\documents and settings\User1\Application Data\Agzuco
    2010-10-02 08:02 . 2008-12-27 11:11 -------- d-----w- c:\documents and settings\User1\Application Data\Fiase
    2010-10-02 07:54 . 2008-06-26 18:25 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-30 19:25 . 2010-01-12 14:17 -------- d-----w- c:\documents and settings\User1\Application Data\Ciuviq
    2010-09-30 19:25 . 2010-02-20 16:39 -------- d-----w- c:\documents and settings\User1\Application Data\vlc
    2010-09-28 17:59 . 2010-01-29 17:39 -------- d-----w- c:\program files\iDownload
    2010-09-27 18:14 . 2008-08-29 17:52 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-26 13:56 . 2010-01-22 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
    2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
    2010-09-26 13:56 . 2009-01-13 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\Vso
    2010-09-26 13:54 . 2008-08-26 09:02 -------- d-----w- c:\documents and settings\User1\Application Data\Gearbox Software
    2010-09-26 13:54 . 2008-08-26 08:56 -------- d-----w- c:\program files\Ubisoft
    2010-09-26 13:34 . 2008-08-26 08:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-26 13:32 . 2009-05-01 18:02 -------- d-----w- c:\program files\Astro Gemini Software
    2010-09-26 11:58 . 2010-01-22 19:53 -------- d-----w- c:\documents and settings\User1\Application Data\Skype
    2010-09-26 11:34 . 2008-06-26 17:05 103728 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-26 11:34 . 2010-01-22 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\skypePM
    2010-09-26 08:14 . 2008-08-26 08:49 -------- d-----w- c:\program files\Google
    2010-09-19 09:12 . 2009-05-09 21:37 -------- d-----w- c:\documents and settings\User1\Application Data\Akraec
    2010-09-18 09:46 . 2009-07-03 18:04 -------- d-----w- c:\documents and settings\Ben2\Application Data\Apple Computer
    2010-09-15 18:10 . 2009-02-14 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-09-13 20:24 . 2010-04-27 19:22 -------- d-----w- c:\program files\Ahead DVD Ripper
    2010-09-13 20:24 . 2009-03-16 08:46 -------- d-----w- c:\program files\ACDFREE11
    2010-09-13 20:24 . 2010-07-09 18:06 -------- d-----w- c:\program files\AC3Filter
    2010-09-09 18:36 . 2008-12-07 15:25 -------- d-----w- c:\program files\Conduit
    2010-09-08 19:11 . 2008-10-11 09:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-09-03 14:35 . 2008-12-31 13:42 103728 ----a-w- c:\documents and settings\Ben2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-03 13:15 . 2010-01-10 09:50 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-09-03 13:15 . 2010-09-03 13:15 -------- d-----w- c:\documents and settings\Sara.BEN\Application Data\Corel
    2010-09-03 12:48 . 2008-10-29 08:45 103728 ----a-w- c:\documents and settings\Sara.BEN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-02 18:23 . 2010-09-02 08:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2010-09-02 10:16 . 2010-09-02 10:05 -------- d-----w- c:\documents and settings\User1\Application Data\ImgBurn
    2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\ImgBurn
    2010-08-30 20:33 . 2010-06-19 07:45 -------- d-----w- c:\documents and settings\User1\Application Data\SystemRequirementsLab
    2010-08-30 14:40 . 2010-08-28 21:28 -------- d-----w- c:\program files\temp
    2010-08-27 22:16 . 2010-08-10 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-08-27 22:16 . 2010-08-27 22:16 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
    2010-08-23 17:41 . 2010-08-23 17:40 -------- d-----w- c:\program files\Muspub7
    2010-08-23 16:27 . 2010-08-23 16:27 -------- d-----w- c:\documents and settings\User1\Application Data\PowerUp Software
    2010-08-23 09:08 . 2010-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PowerUp Software
    2010-08-21 14:19 . 2010-08-21 14:19 -------- d-----w- c:\program files\PowerUp Software
    2010-08-21 12:32 . 2009-05-26 10:08 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-08-21 12:31 . 2010-08-21 12:31 92280 ----a-w- c:\documents and settings\User1\Application Data\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
    2010-08-19 15:59 . 2010-08-19 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
    2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-10 10:21 . 2010-02-21 18:46 -------- d-----w- c:\program files\XviD
    2010-08-09 19:01 . 2010-08-09 18:26 -------- d-----w- c:\documents and settings\User1\Application Data\LEGO Company
    2010-08-09 18:25 . 2010-08-09 18:25 -------- d-----w- c:\program files\LEGO Company
    2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-07-22 15:49 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-15 09:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-10 08:58 . 2010-07-10 08:56 4157440 ----a-w- c:\documents and settings\User1\Application Data\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
    2010-06-07 18:48 . 2008-12-29 15:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2006-05-03 09:06 . 2009-09-26 19:21 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2009-09-26 19:21 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2009-09-26 19:21 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
  18. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Safe Mode Combofix log part 2


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    2010-09-25 12:01 2735200 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 68856]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
    "Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]
    "AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
    "AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-07 30192]
    "Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-27 176128]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "iDownloadTray"="c:\program files\iDownload\iDownloadTray.exe" [2009-10-16 61440]
    "DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2009-12-29 924672]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Documents and Settings\\User1\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\VALVe\\Star-Steam\\SteamApps\\nazgul26422\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\smashball\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base\\hl2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
    "c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
    "c:\\Program Files\\iDownload\\iDownload.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base 2007\\hl2.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
    "c:\\Nexon\\Combat Arms EU\\Engine.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Itunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "58989:TCP"= 58989:TCP:pando Media Booster
    "58989:UDP"= 58989:UDP:pando Media Booster

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/04/2010 17:58 217032]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
    S0 cerc6;cerc6; [x]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/05/2009 14:26 721904]
    S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys [13/09/2008 17:42 112835]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/04/2009 10:50 108289]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [19/04/2010 18:34 112592]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [10/07/2010 09:42 233472]
    S2 gupdate1c9906b5ab35f58;Google Update Service (gupdate1c9906b5ab35f58);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2009 20:18 133104]
    S2 iDownloadService;iDownload Service;c:\program files\iDownload\iDownloadService.exe [16/10/2009 23:17 57344]
    S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [13/09/2008 17:42 5325]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [11/10/2008 10:37 25244]
    S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [29/01/2010 18:52 16640]
    S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [25/06/2008 19:45 37120]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [29/07/2008 14:09 39424]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [10/07/2010 09:42 36608]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29/12/2008 16:14 30192]
    S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [27/05/2008 03:52 51072]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [10/07/2010 09:42 90112]
    S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [10/07/2010 09:42 14976]
    S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [10/07/2010 09:42 121856]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 15:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

    2010-10-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-26 18:07]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

    2010-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003Core.job
    - c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003UA.job
    - c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

    2010-10-03 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

    2010-10-03 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

    2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{356408DB-8B97-436B-BE95-C075C1429A69}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Download All Files by HiDownload - c:\program files\StreamingStar\HiDownload\HDGetAll.htm
    IE: Download by HiDownload - c:\program files\StreamingStar\HiDownload\HDGet.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Free YouTube to Mp3 Converter - c:\documents and settings\User1\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User1\Start Menu\Programs\IMVU\Run IMVU.lnk
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\6hxlj89y.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
    FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-03 19:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(260)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-10-03 19:06:04
    ComboFix-quarantined-files.txt 2010-10-03 18:06
    ComboFix2.txt 2010-10-03 10:24

    Pre-Run: 39,483,887,616 bytes free
    Post-Run: 39,456,845,824 bytes free

    - - End Of File - - 100A67AFF194BBC61CB6F74ADDB2EEFC
     
  19. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Interesting that CF picks up Avira running in Safe Mode; this is only cleared by rebooting into normal Windows running mode, disabling Avira and restarting in Safe Mode. This happened two or three times today. Each time cleared by the same action.

    Thought this might be useful info.
  20. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Unfortunately, those offending folders are still there.

    Let's try one more time....

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\program files\Microsoft
    c:\documents and settings\User1\Application Data\Goryyk
    c:\documents and settings\User1\Application Data\Agzuco
    c:\documents and settings\User1\Application Data\Fiase
    c:\documents and settings\User1\Application Data\Ciuviq
    c:\documents and settings\User1\Application Data\Akraec
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
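The Folder:: script above and the ComboFix log it produces can be cross-checked mechanically, so a helper does not have to eyeball the "Other Deletions" section to confirm every target went. This Python example is added here and is not from the thread or from ComboFix; it assumes only the CFScript directive format (a `Folder::` header followed by one path per line) and the `((( Section )))` banners shown in these posts, and its sample script and log excerpt are constructed from them.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote afterwards.

Added example, not part of the thread. The CFScript directive syntax and the
log banners are taken from the posts above; the inputs below are constructed.
"""
import re

# Constructed sample: the Folder:: script posted above, one target per line.
CFSCRIPT = r"""Folder::
c:\program files\Microsoft
c:\documents and settings\User1\Application Data\Goryyk
c:\documents and settings\User1\Application Data\Agzuco
c:\documents and settings\User1\Application Data\Fiase
c:\documents and settings\User1\Application Data\Ciuviq
c:\documents and settings\User1\Application Data\Akraec
"""

# Constructed excerpt of a follow-up log. Goryyk is left out on purpose so the
# check has something to flag; the real log in the thread does list it.
COMBOFIX_LOG = r"""ComboFix 10-10-02.02 - User1 03/10/2010 20:38:03.12.2 - x86 MINIMAL
Command switches used :: c:\documents and settings\User1\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User1\Application Data\Agzuco
c:\documents and settings\User1\Application Data\Akraec
c:\documents and settings\User1\Application Data\Ciuviq
c:\documents and settings\User1\Application Data\Fiase
c:\program files\Microsoft
c:\program files\Microsoft\Office Live\muauth.cab

.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-09-30 19:25 . 2010-10-02 07:56 -------- d-----w- c:\program files\system
"""

# A ComboFix section banner: a run of '(' , the title, a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")


def parse_cfscript(text):
    """Return {directive: [arguments]}; a directive is a line ending in '::'."""
    directives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def parse_log_sections(text):
    """Split a ComboFix log into {section title: [lines]} on its banners.

    Lines before the first banner go under 'Header'; the lone '.' separator
    lines ComboFix prints are dropped.
    """
    sections = {"Header": []}
    title = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            title = m.group(1)
            sections[title] = []
        elif line and line != ".":
            sections[title].append(line)
    return sections


def check_folder_removal(cfscript_text, log_text):
    """Map each Folder:: target to True if 'Other Deletions' records it.

    A target counts as removed if the section lists the folder itself or any
    path beneath it. Paths are compared case-insensitively (NTFS semantics).
    """
    targets = parse_cfscript(cfscript_text).get("Folder", [])
    deleted = [p.lower() for p in
               parse_log_sections(log_text).get("Other Deletions", [])]
    result = {}
    for target in targets:
        key = target.lower().rstrip("\\")
        result[target] = any(d == key or d.startswith(key + "\\")
                             for d in deleted)
    return result


def still_present(cfscript_text, log_text):
    """Targets the log does not show as deleted, i.e. what to re-check next."""
    status = check_folder_removal(cfscript_text, log_text)
    return sorted(t for t, removed in status.items() if not removed)


if __name__ == "__main__":
    for target, removed in check_folder_removal(CFSCRIPT, COMBOFIX_LOG).items():
        print(("removed " if removed else "MISSING ") + target)
```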
  21. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Latest ComboFix log, part 1


    ComboFix 10-10-02.02 - User1 03/10/2010 20:38:03.12.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.716 [GMT 1:00]
    Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User1\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\User1\Application Data\Agzuco
    c:\documents and settings\User1\Application Data\Akraec
    c:\documents and settings\User1\Application Data\Ciuviq
    c:\documents and settings\User1\Application Data\Fiase
    c:\documents and settings\User1\Application Data\Goryyk
    c:\program files\Microsoft
    c:\program files\Microsoft\Office Live\muauth.cab
    c:\program files\Microsoft\Office Live\npOLW.dll
    c:\program files\Microsoft\Office Live\OfficeLiveSignIn.exe
    c:\program files\Microsoft\Office Live\OLConnector.dll
    c:\program files\Microsoft\Office Live\OLConnectorResources.dll
    c:\program files\Microsoft\Search Enhancement Pack\Choice Guard\CGuard.exe
    c:\program files\Microsoft\Search Enhancement Pack\Choice Guard\ChoiceGuard.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
    .

    2010-09-30 19:25 . 2010-10-02 07:56 -------- d-----w- c:\program files\system
    2010-09-30 19:25 . 2010-09-30 19:25 -------- d-----w- c:\program files\win
    2010-09-27 18:14 . 2010-09-27 18:14 -------- d-----w- c:\program files\iPod
    2010-09-27 18:08 . 2010-09-27 18:08 -------- d-----w- c:\program files\QuickTime
    2010-09-27 18:04 . 2010-09-27 18:04 -------- d-----w- c:\program files\Bonjour
    2010-09-27 17:59 . 2010-09-27 17:59 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
    2010-09-18 22:18 . 2010-09-18 22:18 -------- d-----w- c:\program files\ESET
    2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\DVDVideoSoftTB
    2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\Threat Expert
    2010-09-17 11:23 . 2010-09-17 11:23 -------- d-----w- c:\documents and settings\Ben2\Application Data\Malwarebytes
    2010-09-17 11:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 11:23 . 2010-10-02 08:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 11:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 10:49 . 2010-09-17 10:49 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\AirMouse
    2010-09-15 18:07 . 2010-09-15 18:07 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-09-09 18:36 . 2010-10-02 08:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\DVDVideoSoftTB
    2010-09-09 18:36 . 2010-09-25 12:01 -------- d-----w- c:\program files\DVDVideoSoftTB

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-03 19:25 . 2008-10-02 17:21 -------- d-----w- c:\documents and settings\User1\Application Data\DNA
    2010-10-03 18:11 . 2009-05-31 15:03 -------- d-----w- c:\program files\Steam
    2010-10-03 18:10 . 2008-10-02 17:21 -------- d-----w- c:\program files\DNA
    2010-10-03 18:09 . 2008-11-05 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-03 09:10 . 2009-02-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-10-03 08:04 . 2010-08-21 14:19 119296 ----a-w- c:\windows\system32\zlib.dll
    2010-10-02 21:55 . 2010-06-20 17:55 -------- d-----w- c:\documents and settings\User1\Application Data\TeraCopy
    2010-10-02 07:54 . 2008-06-26 18:25 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-30 19:25 . 2010-02-20 16:39 -------- d-----w- c:\documents and settings\User1\Application Data\vlc
    2010-09-28 17:59 . 2010-01-29 17:39 -------- d-----w- c:\program files\iDownload
    2010-09-27 18:14 . 2008-08-29 17:52 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-26 13:56 . 2010-01-22 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-09-26 13:56 . 2009-01-13 19:59 47360 ---ha-w- c:\documents and settings\User1\Application Data\pcouffin.sys
    2010-09-26 13:56 . 2009-01-13 19:59 47360 ---ha-w- c:\documents and settings\User1\Application Data\pcouffin.sys
    2010-09-26 13:56 . 2009-01-13 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\Vso
    2010-09-26 13:54 . 2008-08-26 09:02 -------- d-----w- c:\documents and settings\User1\Application Data\Gearbox Software
    2010-09-26 13:54 . 2008-08-26 08:56 -------- d-----w- c:\program files\Ubisoft
    2010-09-26 13:34 . 2008-08-26 08:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-26 13:32 . 2009-05-01 18:02 -------- d-----w- c:\program files\Astro Gemini Software
    2010-09-26 11:58 . 2010-01-22 19:53 -------- d-----w- c:\documents and settings\User1\Application Data\Skype
    2010-09-26 11:34 . 2008-06-26 17:05 103728 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-26 11:34 . 2010-01-22 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\skypePM
    2010-09-26 08:14 . 2008-08-26 08:49 -------- d-----w- c:\program files\Google
    2010-09-18 09:46 . 2009-07-03 18:04 -------- d-----w- c:\documents and settings\Ben2\Application Data\Apple Computer
    2010-09-15 18:10 . 2009-02-14 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-09-13 20:24 . 2010-04-27 19:22 -------- d-----w- c:\program files\Ahead DVD Ripper
    2010-09-13 20:24 . 2009-03-16 08:46 -------- d-----w- c:\program files\ACDFREE11
    2010-09-13 20:24 . 2010-07-09 18:06 -------- d-----w- c:\program files\AC3Filter
    2010-09-09 18:36 . 2008-12-07 15:25 -------- d-----w- c:\program files\Conduit
    2010-09-08 19:11 . 2008-10-11 09:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-09-03 14:35 . 2008-12-31 13:42 103728 ----a-w- c:\documents and settings\Ben2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-03 13:15 . 2010-01-10 09:50 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-09-03 13:15 . 2010-09-03 13:15 -------- d-----w- c:\documents and settings\Sara.BEN\Application Data\Corel
    2010-09-03 12:48 . 2008-10-29 08:45 103728 ----a-w- c:\documents and settings\Sara.BEN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-02 18:23 . 2010-09-02 08:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2010-09-02 10:16 . 2010-09-02 10:05 -------- d-----w- c:\documents and settings\User1\Application Data\ImgBurn
    2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\ImgBurn
    2010-08-30 20:33 . 2010-06-19 07:45 -------- d-----w- c:\documents and settings\User1\Application Data\SystemRequirementsLab
    2010-08-30 14:40 . 2010-08-28 21:28 -------- d-----w- c:\program files\temp
    2010-08-27 22:16 . 2010-08-10 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-08-27 22:16 . 2010-08-27 22:16 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
    2010-08-23 17:41 . 2010-08-23 17:40 -------- d-----w- c:\program files\Muspub7
    2010-08-23 16:27 . 2010-08-23 16:27 -------- d-----w- c:\documents and settings\User1\Application Data\PowerUp Software
    2010-08-23 09:08 . 2010-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PowerUp Software
    2010-08-21 14:19 . 2010-08-21 14:19 -------- d-----w- c:\program files\PowerUp Software
    2010-08-21 12:32 . 2009-05-26 10:08 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-08-21 12:31 . 2010-08-21 12:31 92280 ----a-w- c:\documents and settings\User1\Application Data\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
    2010-08-19 15:59 . 2010-08-19 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
    2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-10 10:21 . 2010-02-21 18:46 -------- d-----w- c:\program files\XviD
    2010-08-09 19:01 . 2010-08-09 18:26 -------- d-----w- c:\documents and settings\User1\Application Data\LEGO Company
    2010-08-09 18:25 . 2010-08-09 18:25 -------- d-----w- c:\program files\LEGO Company
    2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-07-22 15:49 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-15 09:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-10 08:58 . 2010-07-10 08:56 4157440 ----a-w- c:\documents and settings\User1\Application Data\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
    2010-06-07 18:48 . 2008-12-29 15:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2006-05-03 09:06 . 2009-09-26 19:21 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2009-09-26 19:21 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2009-09-26 19:21 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
  22. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Latest ComboFix log, part 2

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    2010-09-25 12:01 2735200 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 68856]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
    "Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]
    "AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
    "AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-07 30192]
    "Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-27 176128]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
    "iDownloadTray"="c:\program files\iDownload\iDownloadTray.exe" [2009-10-16 61440]
    "DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2009-12-29 924672]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Documents and Settings\\User1\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\VALVe\\Star-Steam\\SteamApps\\nazgul26422\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\smashball\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base\\hl2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
    "c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
    "c:\\Program Files\\iDownload\\iDownload.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base 2007\\hl2.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
    "c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
    "c:\\Nexon\\Combat Arms EU\\Engine.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\Program Files\\Steam\\steamapps\\nazgul26422\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Itunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "58989:TCP"= 58989:TCP:pando Media Booster
    "58989:UDP"= 58989:UDP:pando Media Booster

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/04/2010 17:58 217032]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
    S0 cerc6;cerc6; [x]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/05/2009 14:26 721904]
    S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys [13/09/2008 17:42 112835]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/04/2009 10:50 108289]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [19/04/2010 18:34 112592]
    S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [10/07/2010 09:42 233472]
    S2 gupdate1c9906b5ab35f58;Google Update Service (gupdate1c9906b5ab35f58);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2009 20:18 133104]
    S2 iDownloadService;iDownload Service;c:\program files\iDownload\iDownloadService.exe [16/10/2009 23:17 57344]
    S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [13/09/2008 17:42 5325]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [11/10/2008 10:37 25244]
    S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [29/01/2010 18:52 16640]
    S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [25/06/2008 19:45 37120]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [29/07/2008 14:09 39424]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [10/07/2010 09:42 36608]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29/12/2008 16:14 30192]
    S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [27/05/2008 03:52 51072]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [10/07/2010 09:42 90112]
    S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [10/07/2010 09:42 14976]
    S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [10/07/2010 09:42 121856]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 15:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

    2010-10-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-26 18:07]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

    2010-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003Core.job
    - c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

    2010-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003UA.job
    - c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

    2010-10-03 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

    2010-10-03 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

    2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{356408DB-8B97-436B-BE95-C075C1429A69}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Download All Files by HiDownload - c:\program files\StreamingStar\HiDownload\HDGetAll.htm
    IE: Download by HiDownload - c:\program files\StreamingStar\HiDownload\HDGet.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Free YouTube to Mp3 Converter - c:\documents and settings\User1\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User1\Start Menu\Programs\IMVU\Run IMVU.lnk
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\6hxlj89y.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
    FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-03 20:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(268)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-10-03 20:54:59
    ComboFix-quarantined-files.txt 2010-10-03 19:54
    ComboFix2.txt 2010-10-03 18:06
    ComboFix3.txt 2010-10-03 10:24

    Pre-Run: 39,479,689,216 bytes free
    Post-Run: 39,449,731,072 bytes free

    - - End Of File - - 7319545AFDF9A555D2B0E44967DB353B
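The service block near the top of the ComboFix log above prints one line per service as start type, name, display name and image path, followed by `[date time size]` when the file was found, `[x]` when no file is present, and `[?]` when ComboFix could not verify the file (the `-->` shows the path as it resolved the ImagePath). As an added example that is not part of this thread or of ComboFix itself, this Python triage pass parses a constructed subset of those lines and flags the entries a helper would look at first; the flag names and the "usual extension" set are my own choices.

```python
import re
from dataclasses import dataclass, field

# Sample lines copied from the ComboFix log quoted above (constructed subset).
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/04/2010 17:58 217032]
S0 cerc6;cerc6; [x]
S2 iDownloadService;iDownload Service;c:\program files\iDownload\iDownloadService.exe [16/10/2009 23:17 57344]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

# "<start> <name>;<display name>;<image path> [<metadata>]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# image path, optional "--> <resolved path>", then "[date time size]" or "[?]"
PATH_RE = re.compile(r"^(?P<image>.*?)(?: --> .*?)? \[(?P<meta>[^\]]*)\]$")
EXT_RE = re.compile(r"\.(\w+)(?=\s|$)")  # first extension followed by a space or end of line
USUAL_EXT = {".exe", ".sys", ".dll"}     # my own list of ordinary service image extensions

@dataclass
class Service:
    start: str            # start type as ComboFix prints it (R0, S2, S3 ...)
    name: str
    image: str            # image path with arguments, without the trailing [...] metadata
    flags: list = field(default_factory=list)

def parse_service_line(line):
    """Parse one service line; return None for lines that are not service entries."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    svc = Service(m.group("start"), m.group("name"), "")
    rest = m.group("rest").strip()
    if rest == "[x]":
        svc.flags.append("no-binary")          # registry entry points at a file that is gone
        return svc
    pm = PATH_RE.match(rest)
    svc.image = pm.group("image").strip() if pm else rest
    if pm and pm.group("meta") == "?":
        svc.flags.append("unverified")         # ComboFix could not read date/size of the image
    em = EXT_RE.search(svc.image)
    ext = "." + em.group(1).lower() if em else ""
    if ext not in USUAL_EXT:
        svc.flags.append(f"odd-extension:{ext}")  # not .exe/.sys/.dll, worth a second look
    return svc

def triage(log):
    # Service entries that carry at least one flag, in log order.
    parsed = (parse_service_line(l) for l in log.splitlines())
    return [s for s in parsed if s and s.flags]
```

A flag is a prompt to look, not a verdict: the `.des` file here belongs to a known game anti-cheat component, and an orphaned `[x]` entry is usually leftover from an uninstall.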
  23. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    OK. Bad folders are gone, but I can see we removed one legit folder, so we have to get it back.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DEQUARANTINE::
    C:\Qoobox\Quarantine\C\program files\Microsoft
    QUIT::
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  24. MrT0ad

    MrT0ad Newcomer, in training Topic Starter Posts: 52

    Combofix dequarantine log


    C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\muauth.cab -> C:\program files\Microsoft\Office Live\muauth.cab
    C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\npOLW.dll -> C:\program files\Microsoft\Office Live\npOLW.dll
    C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\OfficeLiveSignIn.exe -> C:\program files\Microsoft\Office Live\OfficeLiveSignIn.exe
    C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\OLConnector.dll -> C:\program files\Microsoft\Office Live\OLConnector.dll
    C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\OLConnectorResources.dll -> C:\program files\Microsoft\Office Live\OLConnectorResources.dll
    C:\Qoobox\Quarantine\C\program files\Microsoft\Search Enhancement Pack\Choice Guard\CGuard.exe -> C:\program files\Microsoft\Search Enhancement Pack\Choice Guard\CGuard.exe
    C:\Qoobox\Quarantine\C\program files\Microsoft\Search Enhancement Pack\Choice Guard\ChoiceGuard.dll -> C:\program files\Microsoft\Search Enhancement Pack\Choice Guard\ChoiceGuard.dll
    7 File(s) copied
  25. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Good :)

    Any current issues?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.