Help remove rootkit virus identified by Malwarebytes

Discussion in 'Virus and Malware Removal' started by pachi, Nov 30, 2010.

  1. pachi Newcomer, in training Posts: 46

    MBAM fails while updating the current file (today's file) at 25%. Blue screen
    with system32\drivers\qevuue.sys IRQ .... error.

    Should I try again now?
  2. Broni Malware Annihilator Posts: 39,403   +177

  3. pachi Newcomer, in training Posts: 46

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5236

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/3/2010 7:06:37 AM
    mbam-log-2010-12-03 (07-06-37).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 568038
    Time elapsed: 57 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
  4. pachi Newcomer, in training Posts: 46

    MBAM log: Rootkit.Agent still exists.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5238

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/3/2010 9:18:57 AM
    mbam-log-2010-12-03 (09-18-57).txt

    Scan type: Quick scan
    Objects scanned: 483911
    Time elapsed: 8 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
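An added example, not code from the thread or from either poster: a small Python parser for the MBAM 1.x log format shown above that flags an item "Quarantined and deleted" in one scan and detected again in a later one, which is exactly what the two logs above show for qevuue.sys. The two sample logs are constructed from the thread's format and values; the dataclass and function names are my own.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and flag detections that come
back after being "Quarantined and deleted" in an earlier scan.  A file MBAM removes
and then finds again two hours later points to something still resident (here a
kernel-mode rootkit driver) re-creating it, so a rootkit-aware tool is the next step."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample logs in the MBAM 1.50 format posted in the thread,
# trimmed to the lines the parser cares about.
LOG_1 = r"""Malwarebytes' Anti-Malware 1.50
Database version: 5236
12/3/2010 7:06:37 AM
Scan type: Full scan (C:\|)
Registry Keys Infected: 0
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
LOG_2 = r"""Malwarebytes' Anti-Malware 1.50
Database version: 5238
12/3/2010 9:18:57 AM
Scan type: Quick scan
Files Infected: 1

Files Infected:
c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

@dataclass
class Detection:
    section: str    # "Files Infected", "Registry Keys Infected", ...
    item: str       # file path, registry key/value, module or process
    category: str   # MBAM family name, e.g. "Rootkit.Agent"
    action: str     # what MBAM did, e.g. "Quarantined and deleted successfully"

@dataclass
class MbamScan:
    when: datetime = datetime.min
    database: str = ""
    scan_type: str = ""
    declared: dict = field(default_factory=dict)   # counts from the summary block
    detections: list = field(default_factory=list)

SUMMARY_RE = re.compile(r"^([A-Z][A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Z][A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
TIME_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")

def parse_mbam_log(text: str) -> MbamScan:
    """Turn one MBAM log into an MbamScan; lines it does not recognise are ignored."""
    scan, section = MbamScan(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            scan.database = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            scan.scan_type = line.split(":", 1)[1].strip()
        elif TIME_RE.match(line):
            scan.when = datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p")
        elif m := SUMMARY_RE.match(line):
            scan.declared[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and line != "(No malicious items detected)":
            if m := ITEM_RE.match(line):
                scan.detections.append(Detection(section, *m.groups()))
    return scan

def count_mismatches(scan: MbamScan) -> dict:
    """Summary counts vs. items actually listed; a mismatch means the log was
    truncated or edited and should not be trusted as posted."""
    listed = defaultdict(int)
    for d in scan.detections:
        listed[d.section] += 1
    return {s: (n, listed[s]) for s, n in scan.declared.items() if listed[s] != n}

def recurring_detections(scans) -> dict:
    """Items removed in one scan and detected again in a later scan, mapped to
    their chronological list of (scan time, Detection)."""
    history = defaultdict(list)
    for scan in sorted(scans, key=lambda s: s.when):
        for d in scan.detections:
            history[d.item.lower()].append((scan.when, d))
    return {item: hits for item, hits in history.items()
            if len(hits) > 1 and any("deleted" in d.action.lower() for _, d in hits[:-1])}

if __name__ == "__main__":
    scans = [parse_mbam_log(LOG_1), parse_mbam_log(LOG_2)]
    for s in scans:
        print(f"{s.when:%Y-%m-%d %H:%M} db {s.database} {s.scan_type}: "
              f"{len(s.detections)} detection(s), count mismatches: {count_mismatches(s) or 'none'}")
    for item, hits in recurring_detections(scans).items():
        print(f"RECURRING: {item} ({hits[0][1].category}) removed and seen again at "
              + ", ".join(f"{t:%H:%M}" for t, _ in hits) + "; suspect a resident rootkit")
```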
  5. Broni Malware Annihilator Posts: 39,403   +177

    Download MBRCheck to your desktop.

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  6. pachi Newcomer, in training Posts: 46

    Here is the MBRCheck log...

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 132):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75F7000 jxctwn.sys
    0xF7508000 ACPI.sys
    0xF7989000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF74F7000 pci.sys
    0xF7607000 isapnp.sys
    0xF7438000 qevuue.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7617000 MountMgr.sys
    0xF7419000 ftdisk.sys
    0xF798D000 dmload.sys
    0xF7871000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7627000 VolSnap.sys
    0xF7401000 atapi.sys
    0xF7637000 disk.sys
    0xF7647000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF7851000 fltmgr.sys
    0xF798F000 ghmon.sys
    0xF7657000 PxHelp20.sys
    0xF783A000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF795A000 NDIS.sys
    0xF7A35000 Mup.sys
    0xF7B21000 ghpcw2k.sys
    0xF7A84000 \SystemRoot\system32\DRIVERS\smsmdm.sys
    0xB9FC9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA181000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xB9F1B000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
    0xB9EF0000 \SystemRoot\System32\DRIVERS\b57xp32.sys
    0xF77FF000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xB9ECC000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7807000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xB9E36000 \SystemRoot\system32\drivers\smwdm.sys
    0xB9E12000 \SystemRoot\system32\drivers\portcls.sys
    0xBA171000 \SystemRoot\system32\drivers\drmk.sys
    0xB9DEF000 \SystemRoot\system32\drivers\ks.sys
    0xF79CD000 \SystemRoot\system32\drivers\aeaudio.sys
    0xB9DDB000 \SystemRoot\System32\DRIVERS\parport.sys
    0xBA161000 \SystemRoot\System32\DRIVERS\serial.sys
    0xBA79C000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xBA151000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xBA141000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xBA131000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF780F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF79CF000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xF7A95000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF7697000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xBA794000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB9DC4000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF76A7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF76B7000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF7817000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB9DB3000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF76C7000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF781F000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF771F000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB9D83000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF76D7000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF7737000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF773F000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF79D1000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB9D25000 \SystemRoot\System32\DRIVERS\update.sys
    0xBA6C7000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF76F7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7596000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF79D7000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xA9BA3000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
    0xA9B81000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
    0xA9B6D000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    0xF793F000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xF7586000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xF7747000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xA99DB000 \SystemRoot\system32\DRIVERS\V0060Vid.sys
    0xF7576000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xF774F000 \SystemRoot\system32\DRIVERS\V0060USB.SYS
    0xA98C6000 \SystemRoot\system32\DRIVERS\V0060EVX.SYS
    0xF7943000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xF775F000 \SystemRoot\System32\DRIVERS\usbccgp.sys
    0xF79DD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA039000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79DF000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7767000 \SystemRoot\System32\drivers\vga.sys
    0xF79E1000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79E5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA7DC000 \SystemRoot\System32\DRIVERS\kbdhid.sys
    0xF7777000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF777F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA7D4000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xA981B000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xA97C2000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xA979C000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xA9761000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xF7556000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xA9739000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xA9717000 \SystemRoot\System32\drivers\afd.sys
    0xF7546000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xA9615000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    0xA95EA000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xBA7CC000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
    0xA957A000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xBA770000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA951C000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xA94FF000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xBA750000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA94E7000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79ED000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA7A4000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77B7000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A64000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF040000 \SystemRoot\System32\ialmdev5.DLL
    0xBF065000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA938F000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xA8ECE000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA90CB000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA8BCB000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF7A09000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA88A3000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA81D2000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA7E2C000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101202.002\navex15.sys
    0xA7E18000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101202.002\naveng.sys
    0xA802A000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 60):
    0 System Idle Process
    4 System
    660 C:\WINDOWS\system32\smss.exe
    708 csrss.exe
    732 C:\WINDOWS\system32\winlogon.exe
    776 C:\WINDOWS\system32\services.exe
    788 C:\WINDOWS\system32\lsass.exe
    964 C:\WINDOWS\system32\svchost.exe
    1032 svchost.exe
    1232 C:\WINDOWS\system32\svchost.exe
    1376 svchost.exe
    1472 svchost.exe
    1548 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    2040 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    276 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    340 C:\WINDOWS\system32\spoolsv.exe
    988 C:\WINDOWS\explorer.exe
    1444 svchost.exe
    1564 C:\WINDOWS\system32\hkcmd.exe
    1576 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1620 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    1616 C:\Program Files\Bonjour\mDNSResponder.exe
    1644 C:\PROGRA~1\SYMANT~1\VPTray.exe
    1664 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    1676 C:\Program Files\Symantec AntiVirus\DefWatch.exe
    1688 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    1800 C:\Program Files\QuickTime\QTTask.exe
    1952 C:\Program Files\Java\jre6\bin\jqs.exe
    1992 C:\Program Files\iTunes\iTunesHelper.exe
    516 C:\WINDOWS\system32\rundll32.exe
    584 C:\Program Files\Symantec\Ghost\ngctw32.exe
    1760 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1916 C:\WINDOWS\system32\ctfmon.exe
    1936 C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    1948 C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
    1960 C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
    2120 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2228 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    2280 C:\Program Files\Symantec AntiVirus\SavRoam.exe
    2296 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    2348 C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    2352 C:\Program Files\WinZip\WZQKPICK.EXE
    2436 C:\WINDOWS\system32\svchost.exe
    2608 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    2696 C:\Program Files\RealVNC\WinVNC\winvnc.exe
    2908 C:\WINDOWS\system32\searchindexer.exe
    3064 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    3068 C:\WINDOWS\system32\CCM\CcmExec.exe
    3168 C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    3332 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    3624 C:\WINDOWS\system32\svchost.exe
    3964 C:\Program Files\iPod\bin\iPodService.exe
    2420 alg.exe
    3272 wmiprvse.exe
    1372 wmiprvse.exe
    384 C:\Program Files\Internet Explorer\iexplore.exe
    3240 C:\Program Files\Internet Explorer\iexplore.exe
    4084 C:\WINDOWS\system32\HPZinw12.exe
    3900 C:\Program Files\Internet Explorer\iexplore.exe
    2656 C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4S1G3OZT\MBRCheck[1].exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JD-75HKA1, Rev: 14.03G14

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  7. pachi Newcomer, in training Posts: 46

    Downloaded and ran Combofix from the link provided. Here is the log of it. Thanks Broni!

    ComboFix 10-12-03.03 - administrator 12/04/2010 14:25:22.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2153 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:19 . 2010-12-04 21:34 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - qevuue

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-04 14:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(732)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(1432)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-04 14:37:58
    ComboFix-quarantined-files.txt 2010-12-04 21:37

    Pre-Run: 39,069,757,440 bytes free
    Post-Run: 39,080,644,608 bytes free

    - - End Of File - - 374AB6C2234F6BC25A79296229E80771
  8. Broni Malware Annihilator Posts: 39,403   +177

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Ppoluwenanojoway.bin
    c:\windows\system32\drivers\qevuue.sys
    
    Folder::
    
    Driver::
    qevuue
    
    Rootkit::
    c:\windows\system32\drivers\qevuue.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
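The CFScript above removes exactly the entries a helper picks out of a ComboFix report by hand: the Security Center overrides that silence the AV, the service ComboFix lists as *Deregistered*, the driver file of the same name, the zero-byte .bin dropped in c:\windows, and (in a later post) the hijacked Firefox search setting. The script below is an added example, not part of this thread and not ComboFix's own code, that does that triage over a ComboFix-style report. The sample log is constructed from lines posted in this thread; the allow-list of search hosts and the extra Security Center value names beyond the two on the page are assumptions about what a reviewer would want flagged.

```python
"""Triage helper for ComboFix-style reports (added example; not ComboFix's own code).

It extracts the entries a removal helper typically acts on in a CFScript:
Security Center overrides, drivers listed as *Deregistered*, the driver file
on disk with the same name, zero-byte files dropped under the Windows
directory, and Firefox search settings pointing at an unexpected host.
"""
import re

# Constructed sample: lines copied from the ComboFix report posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

--- Other Services/Drivers In Memory ---

*Deregistered* - qevuue

FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=

2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
2010-11-13 19:19 . 2010-12-07 05:45 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
"""

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# The two names seen in this thread plus the other XP Security Center switches
# that stop Windows from warning about a disabled AV/firewall (assumed set).
OVERRIDE_NAMES = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                  "FirewallDisableNotify", "UpdatesDisableNotify", "DisableMonitoring"}

# ComboFix "Files Created" rows: created . modified size attrs path
FILE_LINE = re.compile(
    r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+?)\s*$",
    re.M)


def parse_registry_values(text):
    """Yield (key, name, value) for every "name"=value line under a [key] header.
    A blank line ends the current block, as in ComboFix's REGEDIT4 dump."""
    results, key = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[-?(.+)\]$", line)
        if header:
            key = header.group(1)
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if value and key is not None:
            results.append((key, value.group(1), value.group(2)))
        elif not line:
            key = None
    return results


def find_security_center_overrides(text):
    """Security Center values set to 1 that hide a disabled/tampered AV from the user."""
    return [(key, name) for key, name, value in parse_registry_values(text)
            if key.lower().startswith(SECURITY_CENTER_KEY)
            and name in OVERRIDE_NAMES and value.lower() == "dword:00000001"]


def find_deregistered_drivers(text):
    """Service names ComboFix reports as *Deregistered* (key present, driver hidden or gone)."""
    return re.findall(r"^\s*\*Deregistered\*\s+-\s+(\S+)", text, re.M)


def find_firefox_search_hijacks(text, allowed_hosts=("google.com", "bing.com", "yahoo.com")):
    """keyword.URL / homepage values whose host is not on the allow-list.
    ComboFix defangs URLs as hxxp://, so the scheme pattern accepts both forms."""
    pattern = re.compile(
        r"^\s*FF - (prefs|user)\.js: (keyword\.URL|browser\.startup\.homepage) - (h\w\wps?://([^/\s]+)\S*)",
        re.M)
    hits = []
    for m in pattern.finditer(text):
        host = m.group(4).lower()
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            hits.append((m.group(1) + ".js", m.group(2), m.group(3)))
    return hits


def find_created_files(text):
    """Parse 'Files Created' rows into dicts; directory rows (no numeric size) are skipped."""
    return [{"created": m.group(1), "modified": m.group(2), "size": int(m.group(3)),
             "attrs": m.group(4), "path": m.group(5)} for m in FILE_LINE.finditer(text)]


def find_zero_byte_windows_files(text):
    """Empty files written directly under c:\\windows, a common dropper leftover."""
    return [r["path"] for r in find_created_files(text)
            if r["size"] == 0 and r["path"].lower().startswith("c:\\windows\\")]


def correlate_deregistered_drivers(text):
    """Driver files (.sys) whose base name matches a *Deregistered* service name."""
    names = {n.lower() for n in find_deregistered_drivers(text)}
    hits = []
    for r in find_created_files(text):
        path = r["path"].lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if path.endswith(".sys") and stem in names:
            hits.append(r["path"])
    return hits


def triage(text):
    """Run every check and return the findings grouped by category."""
    return {
        "security_center_overrides": find_security_center_overrides(text),
        "deregistered_drivers": find_deregistered_drivers(text),
        "firefox_search_hijacks": find_firefox_search_hijacks(text),
        "zero_byte_windows_files": find_zero_byte_windows_files(text),
        "deregistered_driver_files": correlate_deregistered_drivers(text),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

On the sample the checks land on the same five items the CFScript lists (AntiVirusOverride, DisableMonitoring, qevuue, qevuue.sys, Ppoluwenanojoway.bin) plus the fresh-search.net keyword.URL, while mbam.sys and the VNC Run entry pass through untouched. Everything it returns is a review candidate, not a verdict; a legitimate driver with an odd name would be flagged just the same.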
  9. pachi Newcomer, in training Posts: 46

    CFScript log

    ComboFix 10-12-06.01 - administrator 12/06/2010 22:35:27.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2119 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    "c:\windows\system32\drivers\qevuue.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_QEVUUE
    -------\Service_qevuue


    ((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:19 . 2010-12-07 05:45 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-06 22:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3224)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Analog Devices\SoundMAX\spkrmon.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\Symantec AntiVirus\DoScan.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\windows\system32\msiexec.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\windows\system32\HPZinw12.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-06 22:57:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-07 05:57
    ComboFix2.txt 2010-12-04 21:37

    Pre-Run: 38,821,236,736 bytes free
    Post-Run: 38,952,255,488 bytes free

    - - End Of File - - 892B48FF03037EC6873B5D6791C72D8F
  10. Broni Malware Annihilator Posts: 39,403   +177

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Ppoluwenanojoway.bin
    c:\windows\system32\drivers\qevuue.sys
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  11. pachi Newcomer, in training Posts: 46

    Getting the following prompt

    There's a newer version of ComboFix Available. Would you like to update ComboFix?

    Yes / No... should I say Yes and continue?
  12. Broni Malware Annihilator Posts: 39,403   +177

    Always :)...............
  13. pachi Newcomer, in training Posts: 46

    ComboFix 10-12-06.03 - administrator 12/06/2010 23:29:06.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2418 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    "c:\windows\system32\drivers\qevuue.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:19 . 2010-12-07 05:45 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-04_21.33.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-07 05:46 . 2010-12-07 05:46 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 79936 c:\windows\system32\perfc009.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 466814 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-06 23:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3456)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-06 23:41:21
    ComboFix-quarantined-files.txt 2010-12-07 06:41
    ComboFix2.txt 2010-12-07 05:57
    ComboFix3.txt 2010-12-04 21:37

    Pre-Run: 39,000,653,824 bytes free
    Post-Run: 38,978,084,864 bytes free

    - - End Of File - - C3B88B6AA17F81B57C199090D4CD3E3A
  14. pachi Newcomer, in training Posts: 46

    Did it, thanks Broni! I have posted the log above.
  15. pachi Newcomer, in training Posts: 46

    Past midnight here... retiring for the night. Please let me know the next step and I will continue tomorrow morning. Appreciate all your help! Thank you so much!
  16. pachi Newcomer, in training Posts: 46

    Updated and ran MBAM. Rootkit still exists.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5259

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/7/2010 9:42:11 AM
    mbam-log-2010-12-07 (09-42-11).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 570588
    Time elapsed: 57 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
  17. Broni Malware Annihilator Posts: 39,403   +177

    Post fresh Combofix log, please.
  18. pachi Newcomer, in training Posts: 46

    ComboFix.log from today's run.

    ComboFix 10-12-08.02 - administrator 12/08/2010 21:39:57.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2111 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    "c:\windows\system32\drivers\qevuue.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-04_21.33.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-07 16:44 . 2010-12-07 16:44 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 79936 c:\windows\system32\perfc009.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 466814 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-08 21:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(708)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(2328)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-08 21:53:43
    ComboFix-quarantined-files.txt 2010-12-09 04:53
    ComboFix2.txt 2010-12-07 06:41
    ComboFix3.txt 2010-12-07 05:57
    ComboFix4.txt 2010-12-04 21:37

    Pre-Run: 38,714,212,352 bytes free
    Post-Run: 38,688,083,968 bytes free

    - - End Of File - - E366BE3F256FD866A28ADD88DFCEE6D6
  19. Broni Malware Annihilator Posts: 39,403   +177

    Good. One stubborn file is gone.
    Let's get rid of the other one....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Ppoluwenanojoway.bin
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.txt dragged onto ComboFix.exe]

    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
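    The step above hand-picks one path out of a long ComboFix log and puts it under a File:: directive. That triage can be partly scripted. The Python below is an added example for this thread, not ComboFix's, Malwarebytes' or either poster's code. It parses a few constructed lines in ComboFix's log format (abridged from the logs posted here), flags entries by heuristics that are this example's own assumptions (a zero-byte file dropped straight into c:\windows, a driver whose content timestamp is about as new as its creation time, a random-looking directory name under All Users\Application Data, a Security Center override value, a Firefox keyword.URL pointing at a host outside an assumed list), and renders the File:: stanza for whichever paths a human then selects. The driver heuristic also surfaces legitimate newly installed drivers such as mbam.sys, which is why the output is a review list and not a verdict.

```python
"""Triage helper for ComboFix-style log lines.

Added example for this thread; not ComboFix's, Malwarebytes' or the posters' code.
The heuristics and the list of expected search hosts are this example's own
assumptions, so its output is a list for a human to review, not a verdict.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: a few lines in ComboFix's log format, abridged from the thread.
SAMPLE_LOG = r"""
2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
"""

# ComboFix file entry: 'created . modified size attrs path'; size is eight dashes for a directory.
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# Names such as mJiBo02042: mixed case plus digits, no spaces or dots (assumed heuristic).
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,}$")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Hosts a stock Firefox keyword.URL of that era could point to (assumption for the example).
EXPECTED_SEARCH_HOSTS = ("google.com", "mozilla.com")
NEW_DRIVER_WINDOW = timedelta(days=30)


def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one {'path', 'reason'} finding per log line that matches a heuristic."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            low = path.lower()
            parent, _, name = low.rpartition("\\")
            is_dir = attrs.startswith("d")
            # H1: zero-byte file dropped straight into c:\windows (the thread's Ppoluwenanojoway.bin).
            if not is_dir and size == "0" and parent == "c:\\windows":
                findings.append({"path": path, "reason": "zero-byte file in c:\\windows"})
            # H2: driver whose content timestamp is about as new as its creation time. OS drivers
            # restored from dllcache keep their old build timestamp, so MSTEE.sys above does not fire.
            elif not is_dir and low.startswith(DRIVER_DIR) and name.endswith(".sys"):
                if abs(_ts(created) - _ts(modified)) <= NEW_DRIVER_WINDOW:
                    findings.append({"path": path, "reason": "recently built driver, verify publisher"})
            # H3: random-looking directory name under All Users\Application Data.
            elif is_dir and "\\all users\\application data\\" in low and RANDOM_NAME_RE.match(path.rpartition("\\")[2]):
                findings.append({"path": path, "reason": "random-looking data directory"})
            continue
        # H4: Security Center told to ignore the antivirus state (REGEDIT4 loading points section).
        if re.match(r'^"(AntiVirusOverride|DisableMonitoring)"=dword:0*1$', line):
            findings.append({"path": line, "reason": "Security Center override enabled"})
        # H5: Firefox keyword.URL pointing at an unexpected host (ComboFix defangs http as hxxp).
        elif line.startswith("FF -") and "keyword.URL" in line:
            host = re.search(r"hxxps?://([^/\s]+)", line)
            if host and not host.group(1).endswith(EXPECTED_SEARCH_HOSTS):
                findings.append({"path": line, "reason": "keyword.URL points to " + host.group(1)})
    return findings


def cfscript_for(paths: List[str]) -> str:
    """Render the 'File::' stanza used in the CFScript.txt above: one path per line, blank line after."""
    return "File::\n" + "".join(p + "\n" for p in paths) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:45} {f['path']}")
    print(cfscript_for(["c:\\windows\\Ppoluwenanojoway.bin"]))
```

    Run it against a full log by passing the file contents to triage(); only the File:: directive is emitted because that is the only CFScript directive this thread uses, and the paths still have to be chosen by the person guiding the cleanup.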
  20. pachi Newcomer, in training Posts: 46

    Here is the log from ComboFix.

    ComboFix 10-12-08.02 - administrator 12/08/2010 22:12:42.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2196 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\Ppoluwenanojoway.bin"
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
    .

    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-12-03 04:59 . 2010-12-03 04:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-02 21:40 . 2010-12-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- C:\HouseBeautiful
    2010-12-02 17:50 . 2010-12-02 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla
    2010-12-02 17:49 . 2010-12-02 17:49 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-12-01 03:43 . 2010-12-01 03:43 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-01 03:43 . 2010-12-01 03:43 -------- d-----w- c:\program files\Trend Micro
    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 19:49 . 2010-11-10 19:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-03 04:59 . 2010-01-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-02 18:14 . 2010-12-02 17:55 467558392 ----a-w- C:\HouseBeautiful.zip
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-04_21.33.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-07 16:44 . 2010-12-07 16:44 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 79936 c:\windows\system32\perfc009.dat
    + 2003-07-16 16:35 . 2010-12-05 16:14 466814 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-08 22:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(708)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(3732)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-08 22:24:22
    ComboFix-quarantined-files.txt 2010-12-09 05:24
    ComboFix2.txt 2010-12-09 04:53
    ComboFix3.txt 2010-12-07 06:41
    ComboFix4.txt 2010-12-07 05:57
    ComboFix5.txt 2010-12-09 05:11

    Pre-Run: 38,705,025,024 bytes free
    Post-Run: 38,686,527,488 bytes free

    - - End Of File - - D200E85DF939DD5038EE8DFCA2FE2F00
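The ComboFix log above mixes a few thousand benign lines with a handful of indicators that a helper would want pulled out before deciding what to fix: `Run` entries launching from a user profile or with no path at all, the Security Center `AntiVirusOverride` / `DisableMonitoring` values set to 1, and a Firefox `keyword.URL` redirect that appears in both `prefs.js` and `user.js`. The triage script below is an added example written for this page; it is not ComboFix output, not code from the thread's helper, and not affiliated with Malwarebytes or TechSpot. The sample lines are excerpts copied from the log above (trimmed), the allow-list of expected search hosts is an assumption, and the `hxxp` de-fanging is undone only for hostname parsing.

```python
"""Triage a ComboFix-style log for common indicators (added example, not ComboFix code)."""
import re
from urllib.parse import urlparse

# Constructed sample: a few lines excerpted from the log above, reduced to the
# sections this script inspects. Real logs are several thousand lines.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
"VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="value" [date size]   or   "Name"=dword:00000001   or   "path"=
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (?P<pref>[\w.]+) - (?P<val>.*)$")

# Registry values that silence Windows Security Center when set to 1. Managed
# Symantec installs set some of these legitimately; malware sets them too, so
# they are flagged for review rather than declared malicious.
OVERRIDE_NAMES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                  "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring"}
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Assumption: the search hosts this machine's owner would expect to see.
DEFAULT_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}


def parse_reg_sections(text):
    """Return {lower-cased key: [(name, value), ...]} for the REGEDIT4-style blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # a blank line ends a key block, as in .reg files
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip().strip('"')))
    return sections


def suspicious_autoruns(sections):
    """Run/RunOnce entries launched from user-writable profile paths or with no path at all."""
    hits = []
    for key, values in sections.items():
        if not key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        for name, target in values:
            low = target.lower()
            if any(marker in low for marker in PROFILE_MARKERS):
                hits.append((name, target, "runs from a user-writable profile location"))
            elif "\\" not in low:
                hits.append((name, target, "bare filename, resolved via the search path"))
    return hits


def security_center_overrides(sections):
    """(key, name) pairs under 'security center' that disable monitoring or alerts."""
    return [(key, name)
            for key, values in sections.items() if "\\security center" in key
            for name, value in values
            if name.lower() in OVERRIDE_NAMES and value.lower() == "dword:00000001"]


def firefox_search_redirects(text, allowed_hosts=DEFAULT_SEARCH_HOSTS):
    """keyword.URL / homepage prefs pointing at a host outside the allow-list.

    A hit from user.js matters more than one from prefs.js: Firefox re-applies
    user.js on every start, so resetting the pref in about:config alone will not stick.
    """
    hits = []
    for raw in text.splitlines():
        m = FF_PREF_RE.match(raw.strip())
        if not m:
            continue
        pref, val = m.group("pref"), m.group("val").strip()
        if pref in ("keyword.URL", "browser.startup.homepage") and val:
            host = urlparse(re.sub(r"^hxxp", "http", val, flags=re.I)).hostname or ""
            if host not in allowed_hosts:
                hits.append((pref, host))
    return hits


def triage(text):
    sections = parse_reg_sections(text)
    return {"autoruns": suspicious_autoruns(sections),
            "security_center": security_center_overrides(sections),
            "firefox_search": firefox_search_redirects(text)}


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(category)
        for hit in hits:
            print("   ", *hit)
```

Run against the sample it reports `cdloader` (profile path) and `VF0060 STISvc` (bare DLL name) under autoruns, both Security Center overrides, and the `search.fresh-search.net` redirect twice, once per file. Each finding is a lead to verify against the vendor or a clean reference machine, not a verdict; `cdloader2.exe` in the `mjusbsp` directory, for instance, belongs to the magicJack software that the firewall exception list in the same log also names.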