TechSpot

Help remove rootkit virus identified by Malwarebytes

Solved
By pachi
Nov 30, 2010
  1. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Here is the MBRCheck log...

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 132):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75F7000 jxctwn.sys
    0xF7508000 ACPI.sys
    0xF7989000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF74F7000 pci.sys
    0xF7607000 isapnp.sys
    0xF7438000 qevuue.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7617000 MountMgr.sys
    0xF7419000 ftdisk.sys
    0xF798D000 dmload.sys
    0xF7871000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7627000 VolSnap.sys
    0xF7401000 atapi.sys
    0xF7637000 disk.sys
    0xF7647000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF7851000 fltmgr.sys
    0xF798F000 ghmon.sys
    0xF7657000 PxHelp20.sys
    0xF783A000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF795A000 NDIS.sys
    0xF7A35000 Mup.sys
    0xF7B21000 ghpcw2k.sys
    0xF7A84000 \SystemRoot\system32\DRIVERS\smsmdm.sys
    0xB9FC9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA181000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xB9F1B000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
    0xB9EF0000 \SystemRoot\System32\DRIVERS\b57xp32.sys
    0xF77FF000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xB9ECC000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7807000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xB9E36000 \SystemRoot\system32\drivers\smwdm.sys
    0xB9E12000 \SystemRoot\system32\drivers\portcls.sys
    0xBA171000 \SystemRoot\system32\drivers\drmk.sys
    0xB9DEF000 \SystemRoot\system32\drivers\ks.sys
    0xF79CD000 \SystemRoot\system32\drivers\aeaudio.sys
    0xB9DDB000 \SystemRoot\System32\DRIVERS\parport.sys
    0xBA161000 \SystemRoot\System32\DRIVERS\serial.sys
    0xBA79C000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xBA151000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xBA141000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xBA131000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF780F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF79CF000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xF7A95000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF7697000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xBA794000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB9DC4000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF76A7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF76B7000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF7817000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB9DB3000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF76C7000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF781F000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF771F000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB9D83000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF76D7000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF7737000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF773F000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF79D1000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB9D25000 \SystemRoot\System32\DRIVERS\update.sys
    0xBA6C7000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF76F7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7596000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF79D7000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xA9BA3000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
    0xA9B81000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
    0xA9B6D000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    0xF793F000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xF7586000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xF7747000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xA99DB000 \SystemRoot\system32\DRIVERS\V0060Vid.sys
    0xF7576000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xF774F000 \SystemRoot\system32\DRIVERS\V0060USB.SYS
    0xA98C6000 \SystemRoot\system32\DRIVERS\V0060EVX.SYS
    0xF7943000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xF775F000 \SystemRoot\System32\DRIVERS\usbccgp.sys
    0xF79DD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA039000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79DF000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7767000 \SystemRoot\System32\drivers\vga.sys
    0xF79E1000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79E5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA7DC000 \SystemRoot\System32\DRIVERS\kbdhid.sys
    0xF7777000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF777F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA7D4000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xA981B000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xA97C2000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xA979C000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xA9761000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xF7556000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xA9739000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xA9717000 \SystemRoot\System32\drivers\afd.sys
    0xF7546000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xA9615000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    0xA95EA000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xBA7CC000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
    0xA957A000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xBA770000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA951C000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xA94FF000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xBA750000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA94E7000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79ED000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA7A4000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77B7000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A64000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF040000 \SystemRoot\System32\ialmdev5.DLL
    0xBF065000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA938F000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xA8ECE000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA90CB000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA8BCB000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF7A09000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA88A3000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA81D2000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA7E2C000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101202.002\navex15.sys
    0xA7E18000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101202.002\naveng.sys
    0xA802A000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 60):
    0 System Idle Process
    4 System
    660 C:\WINDOWS\system32\smss.exe
    708 csrss.exe
    732 C:\WINDOWS\system32\winlogon.exe
    776 C:\WINDOWS\system32\services.exe
    788 C:\WINDOWS\system32\lsass.exe
    964 C:\WINDOWS\system32\svchost.exe
    1032 svchost.exe
    1232 C:\WINDOWS\system32\svchost.exe
    1376 svchost.exe
    1472 svchost.exe
    1548 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    2040 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    276 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    340 C:\WINDOWS\system32\spoolsv.exe
    988 C:\WINDOWS\explorer.exe
    1444 svchost.exe
    1564 C:\WINDOWS\system32\hkcmd.exe
    1576 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1620 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    1616 C:\Program Files\Bonjour\mDNSResponder.exe
    1644 C:\PROGRA~1\SYMANT~1\VPTray.exe
    1664 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    1676 C:\Program Files\Symantec AntiVirus\DefWatch.exe
    1688 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    1800 C:\Program Files\QuickTime\QTTask.exe
    1952 C:\Program Files\Java\jre6\bin\jqs.exe
    1992 C:\Program Files\iTunes\iTunesHelper.exe
    516 C:\WINDOWS\system32\rundll32.exe
    584 C:\Program Files\Symantec\Ghost\ngctw32.exe
    1760 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1916 C:\WINDOWS\system32\ctfmon.exe
    1936 C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    1948 C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
    1960 C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
    2120 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2228 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    2280 C:\Program Files\Symantec AntiVirus\SavRoam.exe
    2296 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    2348 C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    2352 C:\Program Files\WinZip\WZQKPICK.EXE
    2436 C:\WINDOWS\system32\svchost.exe
    2608 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    2696 C:\Program Files\RealVNC\WinVNC\winvnc.exe
    2908 C:\WINDOWS\system32\searchindexer.exe
    3064 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    3068 C:\WINDOWS\system32\CCM\CcmExec.exe
    3168 C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    3332 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    3624 C:\WINDOWS\system32\svchost.exe
    3964 C:\Program Files\iPod\bin\iPodService.exe
    2420 alg.exe
    3272 wmiprvse.exe
    1372 wmiprvse.exe
    384 C:\Program Files\Internet Explorer\iexplore.exe
    3240 C:\Program Files\Internet Explorer\iexplore.exe
    4084 C:\WINDOWS\system32\HPZinw12.exe
    3900 C:\Program Files\Internet Explorer\iexplore.exe
    2656 C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4S1G3OZT\MBRCheck[1].exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JD-75HKA1, Rev: 14.03G14

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
  2. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Downloaded and ran Combofix from the link provided. Here is the log of it. Thanks Broni!

    ComboFix 10-12-03.03 - administrator 12/04/2010 14:25:22.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2153 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:19 . 2010-12-04 21:34 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - qevuue

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-04 14:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(732)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(1432)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-04 14:37:58
    ComboFix-quarantined-files.txt 2010-12-04 21:37

    Pre-Run: 39,069,757,440 bytes free
    Post-Run: 39,080,644,608 bytes free

    - - End Of File - - 374AB6C2234F6BC25A79296229E80771
  3. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Ppoluwenanojoway.bin
    c:\windows\system32\drivers\qevuue.sys
    
    Folder::
    
    Driver::
    qevuue
    
    Rootkit::
    c:\windows\system32\drivers\qevuue.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  4. pachi

    pachi TS Rookie Topic Starter Posts: 46

    CFScript log

    ComboFix 10-12-06.01 - administrator 12/06/2010 22:35:27.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2119 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    "c:\windows\system32\drivers\qevuue.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_QEVUUE
    -------\Service_qevuue


    ((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:19 . 2010-12-07 05:45 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-06 22:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3224)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Analog Devices\SoundMAX\spkrmon.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\Symantec AntiVirus\DoScan.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\windows\system32\msiexec.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\windows\system32\HPZinw12.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-06 22:57:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-07 05:57
    ComboFix2.txt 2010-12-04 21:37

    Pre-Run: 38,821,236,736 bytes free
    Post-Run: 38,952,255,488 bytes free

    - - End Of File - - 892B48FF03037EC6873B5D6791C72D8F
  5. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Ppoluwenanojoway.bin
    c:\windows\system32\drivers\qevuue.sys
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
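    The CFScript handed to ComboFix in posts 3 and 5 is a small sectioned text format; as an added example (my code, not ComboFix's and not from Broni's posts), the parser below turns such a script into the list of actions it requests, so a user can review what will be deleted before dragging the file onto ComboFix.exe, and then checks a ComboFix "Files Created" listing for the targeted paths. The sample script and log lines are constructed from entries in this thread, and reading the Registry:: lines with .reg-file conventions ([-key] deletes a key, "Name"=- deletes a value) is an assumption.

```python
import re
from dataclasses import dataclass, field

# Sections a CFScript may contain; all but Registry:: are plain lists of paths or service names.
LIST_SECTIONS = {"File": "files", "Folder": "folders", "Driver": "drivers", "Rootkit": "rootkit"}


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    drivers: list = field(default_factory=list)
    rootkit: list = field(default_factory=list)
    reg_delete_keys: list = field(default_factory=list)    # [-HKEY_...]  whole key removed
    reg_delete_values: list = field(default_factory=list)  # "Name"=-     value removed
    reg_set_values: list = field(default_factory=list)     # "Name"=data  value written


def parse_cfscript(text: str) -> CFScript:
    """Parse CFScript text into the actions it requests; ValueError on malformed lines."""
    script, section, current_key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            section, current_key = header.group(1), None
            if section not in LIST_SECTIONS and section != "Registry":
                raise ValueError(f"unknown section: {line}")
            continue
        if section is None:
            raise ValueError(f"directive before any section header: {line}")
        if section in LIST_SECTIONS:
            getattr(script, LIST_SECTIONS[section]).append(line)
            continue
        # Registry:: lines follow .reg conventions (assumption): [key], [-key], "name"=data, "name"=-
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                script.reg_delete_keys.append(key[1:])
                current_key = None
            else:
                current_key = key
            continue
        if current_key is None:
            raise ValueError(f"value line outside any key: {line}")
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        if data == "-":
            script.reg_delete_values.append((current_key, name))
        else:
            script.reg_set_values.append((current_key, name, data))
    return script


# One line of a ComboFix "Files Created" listing: created . modified size attrs path
LOG_LINE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+|-+) (\S+) (.+)$")


def files_still_listed(script: CFScript, combofix_log: str) -> dict:
    """Map each File::/Rootkit:: target that still appears in a post-run ComboFix
    listing to the modification time shown for it (empty dict = none listed)."""
    targets = {p.lower() for p in script.files + script.rootkit}
    found = {}
    for raw in combofix_log.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m and m.group(5).strip().lower() in targets:
            found[m.group(5).strip().lower()] = m.group(2)
    return found


# Constructed sample: the CFScript from post 3 of this thread.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\Ppoluwenanojoway.bin
c:\windows\system32\drivers\qevuue.sys
Driver::
qevuue
Rootkit::
c:\windows\system32\drivers\qevuue.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]
"""

# Constructed sample: three lines from the "Files Created" section of the log
# pachi posted after that script ran (post 4).
SAMPLE_LOG = r"""2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
2010-11-13 19:19 . 2010-12-07 05:45 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print("file/rootkit targets :", sorted(set(parsed.files + parsed.rootkit)))
    print("registry keys deleted:", parsed.reg_delete_keys)
    for path, modified in files_still_listed(parsed, SAMPLE_LOG).items():
        print(f"still listed after run: {path} (modified {modified})")
```

A non-empty result from files_still_listed is the cue that a target survived the run and the script needs to be repeated, which is what happens between posts 4 and 5 of this thread.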
  6. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Getting the following prompt:

    There's a newer version of ComboFix Available. Would you like to update ComboFix?

    Yes / No... should I say Yes and continue?
  7. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    Always :)...............
  8. pachi

    pachi TS Rookie Topic Starter Posts: 46

    ComboFix 10-12-06.03 - administrator 12/06/2010 23:29:06.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2418 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    "c:\windows\system32\drivers\qevuue.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:19 . 2010-12-07 05:45 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-04_21.33.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-07 05:46 . 2010-12-07 05:46 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 79936 c:\windows\system32\perfc009.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 466814 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-06 23:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3456)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-06 23:41:21
    ComboFix-quarantined-files.txt 2010-12-07 06:41
    ComboFix2.txt 2010-12-07 05:57
    ComboFix3.txt 2010-12-04 21:37

    Pre-Run: 39,000,653,824 bytes free
    Post-Run: 38,978,084,864 bytes free

    - - End Of File - - C3B88B6AA17F81B57C199090D4CD3E3A
  9. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Did it, thanks Broni! I have posted the log above.
  10. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Past midnight here... retiring for the night. Please let me know the next step and I will continue tomorrow morning. Appreciate all your help! Thank you so mucho!
  11. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Updated and ran MBAM. Rootkit still exists.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5259

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/7/2010 9:42:11 AM
    mbam-log-2010-12-07 (09-42-11).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 570588
    Time elapsed: 57 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    Post fresh Combofix log, please.
  13. pachi

    pachi TS Rookie Topic Starter Posts: 46

    ComboFix.log from today's run.

    ComboFix 10-12-08.02 - administrator 12/08/2010 21:39:57.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2111 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    "c:\windows\system32\drivers\qevuue.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-04_21.33.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-07 16:44 . 2010-12-07 16:44 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 79936 c:\windows\system32\perfc009.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 466814 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-08 21:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(708)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(2328)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-08 21:53:43
    ComboFix-quarantined-files.txt 2010-12-09 04:53
    ComboFix2.txt 2010-12-07 06:41
    ComboFix3.txt 2010-12-07 05:57
    ComboFix4.txt 2010-12-04 21:37

    Pre-Run: 38,714,212,352 bytes free
    Post-Run: 38,688,083,968 bytes free

    - - End Of File - - E366BE3F256FD866A28ADD88DFCEE6D6
  14. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    Good. One stubborn file is gone.
    Let's get rid of the other one....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Ppoluwenanojoway.bin
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  15. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Here is the log from Combofix

    ComboFix 10-12-08.02 - administrator 12/08/2010 22:12:42.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2196 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-04_21.33.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-07 16:44 . 2010-12-07 16:44 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 79936 c:\windows\system32\perfc009.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 466814 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-08 22:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(708)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(3732)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-08 22:24:22
    ComboFix-quarantined-files.txt 2010-12-09 05:24
    ComboFix2.txt 2010-12-09 04:53
    ComboFix3.txt 2010-12-07 06:41
    ComboFix4.txt 2010-12-07 05:57
    ComboFix5.txt 2010-12-09 05:11

    Pre-Run: 38,705,025,024 bytes free
    Post-Run: 38,686,527,488 bytes free

    - - End Of File - - D200E85DF939DD5038EE8DFCA2FE2F00
  16. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    Hmmm....

    Please download The Avenger by Swandog46 to your Desktop.
    - Right click on the Avenger.zip folder and select Extract All...
    - Follow the prompts and extract the avenger folder to your desktop

    Double click on avenger.exe.
    Click OK in pop-up window.

    Avenger window will open.

    Click on Execute button.
    Click OK in two consecutive pop-up windows.

    Your computer will reboot now.

    Upon reboot, a Notepad window will open.
    Select all text, copy it, and paste it into your next reply.

    NOTE: If the log doesn't open on reboot, open Avenger again and go to File > Open Log File.
  17. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Hi Broni, I have completed the above step and pasted its log. Please let me know how the machine looks now?
  18. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    I see no log :)
  19. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Mhh, my bad. I didn't realize we had moved to page 3. I was still looking at page 2. I need to do the Avenger step yet.
  20. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    My bedtime is coming, so I'll check on you tomorrow :)

    How is computer doing anyway?
  21. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished! Terminate.
  22. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Hi Broni, Thank you very much for your help.

    I have pasted the logs from Avenger above. Let me know what you think.

    The system performance is definitely better but I am unsure of the rootkit since I lost one machine already.
  23. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    Drivers to delete:
    
    Files to delete:
    c:\windows\Ppoluwenanojoway.bin
    
    

    2. Now, open the Avenger folder and start The Avenger program by clicking on its icon.

    * Right click on the window under Input script here:, and select Paste.
    * You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    * Click on Execute
    * Answer "Yes" twice when prompted.


    3. The Avenger will automatically do the following:

    * It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    * On reboot, it will briefly open a black command window on your desktop; this is normal.
    * After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    4. Please copy/paste the content of c:\avenger.txt into your reply.
  24. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "c:\windows\Ppoluwenanojoway.bin" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
  25. Broni

    Broni Malware Annihilator Posts: 46,805   +254

    Good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.