Solved Avira free detected Ramnit.A

M

MrT0ad

Posts: 52   +0

Attachments

  • mbam-log-2010-10-02 (10-07-44).txt
    1.2 KB · Views: 1
  • 20101002 gmer scan.log
    4.2 KB · Views: 1
  • DDS 20101002.txt
    17 KB · Views: 1
  • Attach 20101002.txt
    22.5 KB · Views: 0
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code: 
    :filefind
*Srv.exe 
DesktopLayer
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
System Look Scan log

SystemLook 04.09.10 by jpshortstuff
Log created at 17:12 on 02/10/2010 by User1
Administrator - Elevation successful

========== filefind ==========

Searching for "*Srv.exe "
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe --a---- 100864 bytes [09:36 18/02/2008] [09:36 18/02/2008] EA5DCE08B52ED0E9FA9E46F1EE5AB0C2
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe --a---- 89088 bytes [12:36 04/01/2008] [12:36 04/01/2008] DAE4DC972E7C37657F0966E7722ED3B1
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe --a---- 137728 bytes [07:46 22/02/2008] [07:46 22/02/2008] 3696CA6C2A45F47124FF1C8A8C945A92
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe --a---- 124928 bytes [11:23 25/03/2008] [11:23 25/03/2008] B4CD84211F68C4D9ADEB06DF13D700FD
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe --a---- 120320 bytes [08:11 22/02/2008] [08:11 22/02/2008] 7CE05DE53433201C0B57E4E0666C6D44
C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe --a---- 128512 bytes [07:46 22/02/2008] [07:46 22/02/2008] 51EA3952C1FA239DCFF633813DF3C28B
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe --a---- 130560 bytes [08:58 10/03/2008] [08:58 10/03/2008] 2A1BF3BCF15675083277C9357BE0FCAE
C:\WINDOWS\system32\clipsrv.exe --a---- 33280 bytes [12:00 14/04/2008] [12:00 14/04/2008] 34CBE729F38138217F9C80212A2A0C82
C:\WINDOWS\system32\qappsrv.exe --a---- 16896 bytes [17:59 25/06/2008] [12:00 28/02/2006] 1556473E920CA676702516DA38DCAC86
C:\WINDOWS\system32\dllcache\clipsrv.exe --a--c- 33280 bytes [12:00 14/04/2008] [12:00 14/04/2008] 34CBE729F38138217F9C80212A2A0C82
C:\WINDOWS\system32\dllcache\qappsrv.exe --a--c- 16896 bytes [17:59 25/06/2008] [12:00 28/02/2006] 1556473E920CA676702516DA38DCAC86
C:\WINDOWS\system32\dllcache\wmiapsrv.exe --a--c- 126464 bytes [17:59 25/06/2008] [00:12 14/04/2008] E0673F1106E62A68D2257E376079F821
C:\WINDOWS\system32\wbem\wmiapsrv.exe --a---- 126464 bytes [17:59 25/06/2008] [00:12 14/04/2008] E0673F1106E62A68D2257E376079F821

Searching for "DesktopLayer"
No files found.

-= EOF =-
 
I don't see Ramnit presence, yet.

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
ESET Scan results

C:\Documents and Settings\User1\My Documents\Downloads\ImTOO_DVD_Ripper_Ultimate_5.0.64.0409.rar a variant of Win32/Keygen.AT application
C:\Documents and Settings\User1\My Documents\Downloads\nxtserver.zip probably unknown NewHeur_PE virus
C:\Program Files\system\ssa3o.exe a variant of Win32/Cimag.DL trojan
C:\System Volume Information\_restore{77DD8FFE-4419-4C0B-994C-90BC086CCF94}\RP243\A0066403.dll a variant of Win32/Cimag.DL trojan
 
So far nothing about Ramnit, so let's continue with regular scans...

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
MBR Check log

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000bd

Kernel Drivers (total 139):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7B6F000 \WINDOWS\system32\KDCOM.DLL
0xF7A7F000 \WINDOWS\system32\BOOTVID.dll
0xF762E000 fltmgr.sys
0xF7600000 ACPI.sys
0xF7B71000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF75EF000 pci.sys
0xF766F000 isapnp.sys
0xF74D6000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7C37000 PCIIde.sys
0xF78EF000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7B73000 intelide.sys
0xF767F000 MountMgr.sys
0xF74B7000 ftdisk.sys
0xF7B75000 dmload.sys
0xF7491000 dmio.sys
0xF78F7000 PartMgr.sys
0xF768F000 VolSnap.sys
0xF7479000 atapi.sys
0xF769F000 disk.sys
0xF76AF000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7467000 sr.sys
0xF742F000 PCTCore.sys
0xF76BF000 PxHelp20.sys
0xF7411000 TPkd.sys
0xF73FA000 KSecDD.sys
0xF736D000 Ntfs.sys
0xF7340000 NDIS.sys
0xF732D000 sfvfs02.sys
0xF78FF000 sfhlp02.sys
0xF731B000 sfdrv01.sys
0xF7301000 Mup.sys
0xF773F000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF62E7000 \SystemRoot\system32\DRIVERS\e1000325.sys
0xF6160000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF614C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7A47000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6128000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7A4F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7A57000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF774F000 \SystemRoot\system32\drivers\ES1370MP.sys
0xF6104000 \SystemRoot\system32\drivers\portcls.sys
0xF775F000 \SystemRoot\system32\drivers\drmk.sys
0xF60E1000 \SystemRoot\system32\drivers\ks.sys
0xF7A5F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF776F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7A67000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF777F000 \SystemRoot\system32\DRIVERS\serial.sys
0xF72B0000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF60BA000 \SystemRoot\system32\DRIVERS\parport.sys
0xF778F000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF779F000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7A6F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF77AF000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF5FC9000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF7A77000 \SystemRoot\system32\drivers\DsAudioDevice_310.sys
0xF7CD3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF77BF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B0F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5FB2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF790F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5FA1000 \SystemRoot\system32\DRIVERS\psched.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7927000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF792F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5F71000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF780F000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7937000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF5F54000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xF7BD1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5EF6000 \SystemRoot\system32\DRIVERS\update.sys
0xF6B19000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF793F000 \SystemRoot\system32\DRIVERS\btport.sys
0xF781F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF63A2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7BD3000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B3B000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF7947000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7BD5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7D45000 \SystemRoot\System32\Drivers\Null.SYS
0xF7BD7000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7957000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF795F000 \SystemRoot\System32\drivers\vga.sys
0xF7BD9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BDB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7967000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF796F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7B4F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEDBDF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEDB86000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEDB5E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDB38000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7B5F000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF6382000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEDB16000 \SystemRoot\System32\drivers\afd.sys
0xF6372000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7977000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xEDAEB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEDA7B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6362000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7B6B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6352000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF72CC000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7D79000 \SystemRoot\System32\Drivers\BANTExt.sys
0xED677000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF7BDF000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF72C4000 \SystemRoot\System32\drivers\aspi32.sys
0xF6312000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xED65F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7BEB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF5EB2000 \SystemRoot\System32\drivers\Dxapi.sys
0xF79A7000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D4D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0D0000 \SystemRoot\System32\ati3duag.dll
0xBF362000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xED46B000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xF72B4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xED1BE000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7C0B000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xECF37000 \SystemRoot\system32\DRIVERS\srv.sys
0xECB12000 \SystemRoot\system32\drivers\wdmaud.sys
0xECC47000 \SystemRoot\system32\drivers\sysaudio.sys
0xF79CF000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xEC8B9000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xED06E000 \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
0xEC648000 \SystemRoot\System32\Drivers\HTTP.sys
0xED20F000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xECE2B000 \SystemRoot\system32\DRIVERS\hidgame.sys
0xF7C0F000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 58):
0 System Idle Process
4 SYSTEM
616 C:\WINDOWS\system32\smss.exe
664 csrss.exe
692 C:\WINDOWS\system32\winlogon.exe
736 C:\WINDOWS\system32\services.exe
756 C:\WINDOWS\system32\lsass.exe
932 C:\WINDOWS\system32\ati2evxx.exe
948 C:\WINDOWS\system32\svchost.exe
1040 svchost.exe
1080 C:\Program Files\Windows Defender\MsMpEng.exe
1120 C:\WINDOWS\system32\svchost.exe
1144 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1212 svchost.exe
1280 svchost.exe
1452 C:\WINDOWS\system32\spoolsv.exe
1504 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1540 svchost.exe
1624 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1636 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1672 C:\Program Files\Bonjour\mDNSResponder.exe
1696 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
1768 C:\WINDOWS\system32\FsUsbExService.Exe
1848 C:\Program Files\iDownload\iDownloadService.exe
1920 C:\Program Files\Java\jre6\bin\jqs.exe
1960 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2036 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
176 C:\Program Files\CDBurnerXP\NMSAccessU.exe
268 C:\WINDOWS\system32\PnkBstrA.exe
280 C:\WINDOWS\system32\PnkBstrB.exe
352 C:\WINDOWS\system32\svchost.exe
444 wdfmgr.exe
472 C:\WINDOWS\system32\UAService7.exe
508 C:\WINDOWS\system32\searchindexer.exe
1348 C:\Program Files\Canon\CAL\CALMAIN.exe
2108 C:\WINDOWS\system32\ati2evxx.exe
2308 C:\WINDOWS\explorer.exe
2684 alg.exe
3328 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
3340 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3352 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
3376 C:\Program Files\AGEIA Technologies\TrayIcon.exe
3420 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3428 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3816 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
3844 C:\Program Files\DNA\btdna.exe
3852 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3992 C:\WINDOWS\system32\ctfmon.exe
4072 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
1792 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
2276 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3736 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3800 C:\WINDOWS\system32\svchost.exe
2180 C:\Documents and Settings\User1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3124 C:\Documents and Settings\User1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
420 C:\WINDOWS\system32\searchprotocolhost.exe
2720 searchfilterhost.exe
2304 C:\Documents and Settings\User1\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500JD-75HBC0, Rev: 08.02D08
PhysicalDrive1 Model Number: SAMSUNGSP0411C, Rev: UU100-05

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
37 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Combofix log in two parts (double checked to ensure no missing lines :) )

ComboFix 10-10-01.07 - User1 03/10/2010 11:07:21.9.2 - x86 MINIMAL
Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User1\Application Data\inst.exe
c:\documents and settings\User1\Application Data\PriceGong
c:\documents and settings\User1\Application Data\PriceGong\Data\1.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\a.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\b.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\c.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\d.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\e.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\f.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\g.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\h.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\i.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\J.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\k.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\l.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\m.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\n.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\o.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\p.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\q.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\r.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\s.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\t.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\u.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\v.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\w.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\x.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\y.xml
c:\documents and settings\User1\Application Data\PriceGong\Data\z.xml
c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}
c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\chrome.manifest
c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\chrome\content\_cfg.js
c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\chrome\content\overlay.xul
c:\documents and settings\User1\Local Settings\Application Data\{6C7C154F-F673-4242-BC66-D4AEEAD78C60}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-09-30 19:25 . 2010-10-02 07:56 -------- d-----w- c:\program files\system
2010-09-30 19:25 . 2010-09-30 19:25 -------- d-----w- c:\program files\win
2010-09-27 18:14 . 2010-09-27 18:14 -------- d-----w- c:\program files\iPod
2010-09-27 18:08 . 2010-09-27 18:08 -------- d-----w- c:\program files\QuickTime
2010-09-27 18:04 . 2010-09-27 18:04 -------- d-----w- c:\program files\Bonjour
2010-09-27 17:59 . 2010-09-27 17:59 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
2010-09-18 22:18 . 2010-09-18 22:18 -------- d-----w- c:\program files\ESET
2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\DVDVideoSoftTB
2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\Threat Expert
2010-09-17 11:23 . 2010-09-17 11:23 -------- d-----w- c:\documents and settings\Ben2\Application Data\Malwarebytes
2010-09-17 11:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 11:23 . 2010-10-02 08:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 11:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 10:49 . 2010-09-17 10:49 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\AirMouse
2010-09-15 18:07 . 2010-09-15 18:07 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-09 18:36 . 2010-10-02 08:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\DVDVideoSoftTB
2010-09-09 18:36 . 2010-09-25 12:01 -------- d-----w- c:\program files\DVDVideoSoftTB
2010-09-03 13:15 . 2010-09-03 13:15 -------- d-----w- c:\documents and settings\Sara.BEN\Application Data\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 09:58 . 2008-10-02 17:21 -------- d-----w- c:\documents and settings\User1\Application Data\DNA
2010-10-03 09:50 . 2009-05-31 15:03 -------- d-----w- c:\program files\Steam
2010-10-03 09:49 . 2008-10-02 17:21 -------- d-----w- c:\program files\DNA
2010-10-03 09:47 . 2008-11-05 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-03 09:10 . 2009-02-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-03 08:04 . 2010-08-21 14:19 119296 ----a-w- c:\windows\system32\zlib.dll
2010-10-02 21:55 . 2010-06-20 17:55 -------- d-----w- c:\documents and settings\User1\Application Data\TeraCopy
2010-10-02 08:22 . 2009-01-10 17:59 -------- d-----w- c:\program files\Microsoft
2010-10-02 08:08 . 2009-10-05 01:31 -------- d-----w- c:\documents and settings\User1\Application Data\Goryyk
2010-10-02 08:06 . 2009-08-07 07:02 -------- d-----w- c:\documents and settings\User1\Application Data\Agzuco
2010-10-02 08:02 . 2008-12-27 11:11 -------- d-----w- c:\documents and settings\User1\Application Data\Fiase
2010-10-02 07:54 . 2008-06-26 18:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-30 19:27 . 2010-08-14 13:20 120 ----a-w- c:\windows\Iriqa.dat
2010-09-30 19:27 . 2010-08-14 13:20 0 ----a-w- c:\windows\Ewavitixezoyipo.bin
2010-09-30 19:25 . 2010-01-12 14:17 -------- d-----w- c:\documents and settings\User1\Application Data\Ciuviq
2010-09-30 19:25 . 2010-02-20 16:39 -------- d-----w- c:\documents and settings\User1\Application Data\vlc
2010-09-28 17:59 . 2010-01-29 17:39 -------- d-----w- c:\program files\iDownload
2010-09-27 18:14 . 2008-08-29 17:52 -------- d-----w- c:\program files\Common Files\Apple
2010-09-26 13:56 . 2010-01-22 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
2010-09-26 13:56 . 2009-01-13 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\Vso
2010-09-26 13:54 . 2008-08-26 09:02 -------- d-----w- c:\documents and settings\User1\Application Data\Gearbox Software
2010-09-26 13:54 . 2008-08-26 08:56 -------- d-----w- c:\program files\Ubisoft
2010-09-26 13:34 . 2008-08-26 08:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-26 13:32 . 2009-05-01 18:02 -------- d-----w- c:\program files\Astro Gemini Software
2010-09-26 11:58 . 2010-01-22 19:53 -------- d-----w- c:\documents and settings\User1\Application Data\Skype
2010-09-26 11:34 . 2008-06-26 17:05 103728 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-26 11:34 . 2010-01-22 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\skypePM
2010-09-26 08:14 . 2008-08-26 08:49 -------- d-----w- c:\program files\Google
2010-09-19 09:12 . 2009-05-09 21:37 -------- d-----w- c:\documents and settings\User1\Application Data\Akraec
2010-09-18 09:46 . 2009-07-03 18:04 -------- d-----w- c:\documents and settings\Ben2\Application Data\Apple Computer
2010-09-15 18:10 . 2009-02-14 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-13 20:24 . 2010-04-27 19:22 -------- d-----w- c:\program files\Ahead DVD Ripper
2010-09-13 20:24 . 2009-03-16 08:46 -------- d-----w- c:\program files\ACDFREE11
2010-09-13 20:24 . 2010-07-09 18:06 -------- d-----w- c:\program files\AC3Filter
2010-09-09 18:36 . 2008-12-07 15:25 -------- d-----w- c:\program files\Conduit
2010-09-08 19:11 . 2008-10-11 09:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-03 14:35 . 2008-12-31 13:42 103728 ----a-w- c:\documents and settings\Ben2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-03 13:15 . 2010-01-10 09:50 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-09-03 12:48 . 2008-10-29 08:45 103728 ----a-w- c:\documents and settings\Sara.BEN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 18:23 . 2010-09-02 08:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-09-02 10:16 . 2010-09-02 10:05 -------- d-----w- c:\documents and settings\User1\Application Data\ImgBurn
2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\ImgBurn
2010-08-30 20:33 . 2010-06-19 07:45 -------- d-----w- c:\documents and settings\User1\Application Data\SystemRequirementsLab
2010-08-30 14:40 . 2010-08-28 21:28 -------- d-----w- c:\program files\temp
2010-08-27 22:16 . 2010-08-10 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-08-27 22:16 . 2010-08-27 22:16 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-08-23 17:41 . 2010-08-23 17:40 -------- d-----w- c:\program files\Muspub7
2010-08-23 16:27 . 2010-08-23 16:27 -------- d-----w- c:\documents and settings\User1\Application Data\PowerUp Software
2010-08-23 09:08 . 2010-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PowerUp Software
2010-08-21 14:19 . 2010-08-21 14:19 -------- d-----w- c:\program files\PowerUp Software
2010-08-21 12:32 . 2009-05-26 10:08 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-21 12:31 . 2010-08-21 12:31 92280 ----a-w- c:\documents and settings\User1\Application Data\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-19 15:59 . 2010-08-19 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-10 10:21 . 2010-02-21 18:46 -------- d-----w- c:\program files\XviD
2010-08-09 19:01 . 2010-08-09 18:26 -------- d-----w- c:\documents and settings\User1\Application Data\LEGO Company
2010-08-09 18:25 . 2010-08-09 18:25 -------- d-----w- c:\program files\LEGO Company
2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 09:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-10 08:58 . 2010-07-10 08:56 4157440 ----a-w- c:\documents and settings\User1\Application Data\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-06-07 18:48 . 2008-12-29 15:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 09:06 . 2009-09-26 19:21 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-26 19:21 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-26 19:21 216064 --sha-r- c:\windows\system32\nbDX.dll
.
 
Combofix log part 2


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-09-25 12:01 2735200 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 68856]
"Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
"Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-07 30192]
"Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-27 176128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
"iDownloadTray"="c:\program files\iDownload\iDownloadTray.exe" [2009-10-16 61440]
"DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2009-12-29 924672]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\User1\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\VALVe\\Star-Steam\\SteamApps\\nazgul26422\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\smashball\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"c:\\Program Files\\iDownload\\iDownload.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Nexon\\Combat Arms EU\\Engine.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Itunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"58989:TCP"= 58989:TCP:pando Media Booster
"58989:UDP"= 58989:UDP:pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/04/2010 17:58 217032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S0 cerc6;cerc6; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/05/2009 14:26 721904]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys [13/09/2008 17:42 112835]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/04/2009 10:50 108289]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [19/04/2010 18:34 112592]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [10/07/2010 09:42 233472]
S2 gupdate1c9906b5ab35f58;Google Update Service (gupdate1c9906b5ab35f58);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2009 20:18 133104]
S2 iDownloadService;iDownload Service;c:\program files\iDownload\iDownloadService.exe [16/10/2009 23:17 57344]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [13/09/2008 17:42 5325]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [11/10/2008 10:37 25244]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [29/01/2010 18:52 16640]
S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [25/06/2008 19:45 37120]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [29/07/2008 14:09 39424]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [10/07/2010 09:42 36608]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29/12/2008 16:14 30192]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [27/05/2008 03:52 51072]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [10/07/2010 09:42 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [10/07/2010 09:42 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [10/07/2010 09:42 121856]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 15:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-26 18:07]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

2010-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003Core.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003UA.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

2010-10-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2010-10-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{356408DB-8B97-436B-BE95-C075C1429A69}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: Download All Files by HiDownload - c:\program files\StreamingStar\HiDownload\HDGetAll.htm
IE: Download by HiDownload - c:\program files\StreamingStar\HiDownload\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\User1\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User1\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\6hxlj89y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Omagiko - c:\windows\dsclok.dll
HKLM-Run-Dtito - c:\windows\abiwiges.dll
AddRemove-AVS4YOU Video Converter 6_is1 - c:\bens work\Downloads\Converter\Avs\AVSVideoConverter6\unins000.exe
AddRemove-BKChem_is1 - c:\bens work\Chemistry\BKchem\BKChem\unins000.exe
AddRemove-Media Converter SA Edition - c:\sim\Media Converter SA Edition\uninst.exe
AddRemove-MediaCoder - c:\mediacoder\uninst.exe
AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 11:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-03 11:24:55
ComboFix-quarantined-files.txt 2010-10-03 10:24

Pre-Run: 39,568,732,160 bytes free
Post-Run: 39,541,571,584 bytes free

- - End Of File - - 94F9FFDF4B10A30E25992A34E3DC3EE8
 
Managed to pull the Avira events 2 Oct 2010 relating to latest virus outbreak .... this may or may not help


Exported events:

02/10/2010 09:22 [Guard] Malware found
Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\WINDOWS\dsclok.dll.
Action performed: Move file to quarantine

02/10/2010 09:22 [Guard] Malware found
Virus or unwanted program 'BDS/IRCNite.ase [backdoor]'
detected in file 'C:\Program Files\Microsoft\desktoplayer.exe.
Action performed: Move file to quarantine

02/10/2010 09:22 [Guard] Malware found
Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\WINDOWS\abiwiges.dll.
Action performed: Move file to quarantine

02/10/2010 09:22 [Guard] Malware found
Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\WINDOWS\dsclok.dll.
Action performed: Deny access

02/10/2010 09:22 [Guard] Malware found
Virus or unwanted program 'BDS/IRCNite.ase [backdoor]'
detected in file 'C:\Program Files\Microsoft\desktoplayer.exe.
Action performed: Move file to quarantine

02/10/2010 09:22 [Guard] Malware found
Virus or unwanted program 'BDS/IRCNite.ase [backdoor]'
detected in file 'C:\Program Files\Microsoft\desktoplayer.exe.
Action performed: Move file to quarantine

02/10/2010 09:10 [Guard] Malware found
Virus or unwanted program 'W32/Ramnit.A [virus]'
detected in file 'C:\Documents and Settings\User1\My
Documents\Downloads\Winflip\WFHook.dll.
Action performed: Deny access

02/10/2010 09:10 [Guard] Malware found
Virus or unwanted program 'W32/Ramnit.A [virus]'
detected in file 'C:\Documents and Settings\User1\My
Documents\Downloads\Winflip\WFHook.dll.
Action performed: Deny access

02/10/2010 09:10 [Guard] Malware found
Virus or unwanted program 'W32/Ramnit.A [virus]'
detected in file 'C:\Documents and Settings\User1\My
Documents\Downloads\Winflip\WinFlip.exe.
Action performed: Move file to quarantine

02/10/2010 09:09 [Guard] Malware found
Virus or unwanted program 'HTML/Rce.Gen [virus]'
detected in file 'C:\Documents and Settings\User1\Local Settings\Temporary
Internet Files\Content.IE5\UI2T36BE\notifier_avira_com[1].htm.
Action performed: Move file to quarantine

02/10/2010 09:08 [Guard] Malware found
Virus or unwanted program 'W32/Ramnit.A [virus]'
detected in file 'C:\Documents and Settings\User1\Application
Data\Goryyk\qoiz.exe.
Action performed: Move file to quarantine

02/10/2010 09:02 [Guard] Malware found
Virus or unwanted program 'TR/Spy.ZBot.apun [trojan]'
detected in file 'C:\Documents and Settings\User1\Application
Data\Fiase\ihnuq.exe.
Action performed: Move file to quarantine

02/10/2010 09:01 [Guard] Malware found
Virus or unwanted program 'TR/Spy.ZBot.apun [trojan]'
detected in file 'C:\Documents and Settings\User1\Application
Data\Fiase\ihnuq.exe.
Action performed: Deny access

02/10/2010 09:01 [Guard] Malware found
Virus or unwanted program 'HTML/Rce.Gen [virus]'
detected in file 'C:\Documents and Settings\All Users\Application
Data\Avira\AntiVir Desktop\addr_file.html.
Action performed: Deny access

thanks Simon
 
You might have been extremely lucky, regarding Ramnit infection.
I can see it from Avira scan in some downloaded files, but hopefully, you didn't use those files yet, because I can't see any impact on your computer, except for this folder being present:
- c:\program files\Microsoft
The above folder is usually a sign of Ramnit infection.
We'll keep checking....


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
File::
c:\windows\Iriqa.dat
c:\windows\Ewavitixezoyipo.bin


Folder::
c:\program files\Microsoft
c:\documents and settings\User1\Application Data\Goryyk
c:\documents and settings\User1\Application Data\Agzuco
c:\documents and settings\User1\Application Data\Fiase
c:\documents and settings\User1\Application Data\Ciuviq
c:\documents and settings\User1\Application Data\Akraec
C:\Documents and Settings\User1\My Documents\Downloads\Winflip

DDS::
uInternet Settings,ProxyOverride = <local>;*.local


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Broni did this and Combofix ran through all 50 phases ..... however when it started the deleting files phase it blue screened.

Do we need to retry in Safe Mode?

Is the BSOD a malware self defence mechanism? ... I have been assuming so

thanks Simon
 
Safe Mode Combofix log part 1

ComboFix 10-10-02.02 - User1 03/10/2010 18:48:29.11.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.727 [GMT 1:00]
Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User1\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\Ewavitixezoyipo.bin"
"c:\windows\Iriqa.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ewavitixezoyipo.bin
c:\windows\Iriqa.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-09-30 19:25 . 2010-10-02 07:56 -------- d-----w- c:\program files\system
2010-09-30 19:25 . 2010-09-30 19:25 -------- d-----w- c:\program files\win
2010-09-27 18:14 . 2010-09-27 18:14 -------- d-----w- c:\program files\iPod
2010-09-27 18:08 . 2010-09-27 18:08 -------- d-----w- c:\program files\QuickTime
2010-09-27 18:04 . 2010-09-27 18:04 -------- d-----w- c:\program files\Bonjour
2010-09-27 17:59 . 2010-09-27 17:59 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
2010-09-18 22:18 . 2010-09-18 22:18 -------- d-----w- c:\program files\ESET
2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\DVDVideoSoftTB
2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\Threat Expert
2010-09-17 11:23 . 2010-09-17 11:23 -------- d-----w- c:\documents and settings\Ben2\Application Data\Malwarebytes
2010-09-17 11:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 11:23 . 2010-10-02 08:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 11:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 10:49 . 2010-09-17 10:49 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\AirMouse
2010-09-15 18:07 . 2010-09-15 18:07 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-09 18:36 . 2010-10-02 08:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\DVDVideoSoftTB
2010-09-09 18:36 . 2010-09-25 12:01 -------- d-----w- c:\program files\DVDVideoSoftTB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 17:37 . 2008-10-02 17:21 -------- d-----w- c:\documents and settings\User1\Application Data\DNA
2010-10-03 17:36 . 2009-05-31 15:03 -------- d-----w- c:\program files\Steam
2010-10-03 17:36 . 2008-10-02 17:21 -------- d-----w- c:\program files\DNA
2010-10-03 17:35 . 2008-11-05 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-03 09:10 . 2009-02-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-03 08:04 . 2010-08-21 14:19 119296 ----a-w- c:\windows\system32\zlib.dll
2010-10-02 21:55 . 2010-06-20 17:55 -------- d-----w- c:\documents and settings\User1\Application Data\TeraCopy
2010-10-02 08:22 . 2009-01-10 17:59 -------- d-----w- c:\program files\Microsoft
2010-10-02 08:08 . 2009-10-05 01:31 -------- d-----w- c:\documents and settings\User1\Application Data\Goryyk
2010-10-02 08:06 . 2009-08-07 07:02 -------- d-----w- c:\documents and settings\User1\Application Data\Agzuco
2010-10-02 08:02 . 2008-12-27 11:11 -------- d-----w- c:\documents and settings\User1\Application Data\Fiase
2010-10-02 07:54 . 2008-06-26 18:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-30 19:25 . 2010-01-12 14:17 -------- d-----w- c:\documents and settings\User1\Application Data\Ciuviq
2010-09-30 19:25 . 2010-02-20 16:39 -------- d-----w- c:\documents and settings\User1\Application Data\vlc
2010-09-28 17:59 . 2010-01-29 17:39 -------- d-----w- c:\program files\iDownload
2010-09-27 18:14 . 2008-08-29 17:52 -------- d-----w- c:\program files\Common Files\Apple
2010-09-26 13:56 . 2010-01-22 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
2010-09-26 13:56 . 2009-01-13 19:59 47360 ----a-w- c:\documents and settings\User1\Application Data\pcouffin.sys
2010-09-26 13:56 . 2009-01-13 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\Vso
2010-09-26 13:54 . 2008-08-26 09:02 -------- d-----w- c:\documents and settings\User1\Application Data\Gearbox Software
2010-09-26 13:54 . 2008-08-26 08:56 -------- d-----w- c:\program files\Ubisoft
2010-09-26 13:34 . 2008-08-26 08:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-26 13:32 . 2009-05-01 18:02 -------- d-----w- c:\program files\Astro Gemini Software
2010-09-26 11:58 . 2010-01-22 19:53 -------- d-----w- c:\documents and settings\User1\Application Data\Skype
2010-09-26 11:34 . 2008-06-26 17:05 103728 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-26 11:34 . 2010-01-22 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\skypePM
2010-09-26 08:14 . 2008-08-26 08:49 -------- d-----w- c:\program files\Google
2010-09-19 09:12 . 2009-05-09 21:37 -------- d-----w- c:\documents and settings\User1\Application Data\Akraec
2010-09-18 09:46 . 2009-07-03 18:04 -------- d-----w- c:\documents and settings\Ben2\Application Data\Apple Computer
2010-09-15 18:10 . 2009-02-14 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-13 20:24 . 2010-04-27 19:22 -------- d-----w- c:\program files\Ahead DVD Ripper
2010-09-13 20:24 . 2009-03-16 08:46 -------- d-----w- c:\program files\ACDFREE11
2010-09-13 20:24 . 2010-07-09 18:06 -------- d-----w- c:\program files\AC3Filter
2010-09-09 18:36 . 2008-12-07 15:25 -------- d-----w- c:\program files\Conduit
2010-09-08 19:11 . 2008-10-11 09:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-03 14:35 . 2008-12-31 13:42 103728 ----a-w- c:\documents and settings\Ben2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-03 13:15 . 2010-01-10 09:50 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-09-03 13:15 . 2010-09-03 13:15 -------- d-----w- c:\documents and settings\Sara.BEN\Application Data\Corel
2010-09-03 12:48 . 2008-10-29 08:45 103728 ----a-w- c:\documents and settings\Sara.BEN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 18:23 . 2010-09-02 08:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-09-02 10:16 . 2010-09-02 10:05 -------- d-----w- c:\documents and settings\User1\Application Data\ImgBurn
2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\ImgBurn
2010-08-30 20:33 . 2010-06-19 07:45 -------- d-----w- c:\documents and settings\User1\Application Data\SystemRequirementsLab
2010-08-30 14:40 . 2010-08-28 21:28 -------- d-----w- c:\program files\temp
2010-08-27 22:16 . 2010-08-10 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-08-27 22:16 . 2010-08-27 22:16 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-08-23 17:41 . 2010-08-23 17:40 -------- d-----w- c:\program files\Muspub7
2010-08-23 16:27 . 2010-08-23 16:27 -------- d-----w- c:\documents and settings\User1\Application Data\PowerUp Software
2010-08-23 09:08 . 2010-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PowerUp Software
2010-08-21 14:19 . 2010-08-21 14:19 -------- d-----w- c:\program files\PowerUp Software
2010-08-21 12:32 . 2009-05-26 10:08 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-21 12:31 . 2010-08-21 12:31 92280 ----a-w- c:\documents and settings\User1\Application Data\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-19 15:59 . 2010-08-19 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-10 10:21 . 2010-02-21 18:46 -------- d-----w- c:\program files\XviD
2010-08-09 19:01 . 2010-08-09 18:26 -------- d-----w- c:\documents and settings\User1\Application Data\LEGO Company
2010-08-09 18:25 . 2010-08-09 18:25 -------- d-----w- c:\program files\LEGO Company
2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 09:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-10 08:58 . 2010-07-10 08:56 4157440 ----a-w- c:\documents and settings\User1\Application Data\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-06-07 18:48 . 2008-12-29 15:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 09:06 . 2009-09-26 19:21 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-26 19:21 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-26 19:21 216064 --sha-r- c:\windows\system32\nbDX.dll
.
 
Safe Mode Combofix log part 2


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-09-25 12:01 2735200 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 68856]
"Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
"Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-07 30192]
"Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-27 176128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
"iDownloadTray"="c:\program files\iDownload\iDownloadTray.exe" [2009-10-16 61440]
"DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2009-12-29 924672]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\User1\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\VALVe\\Star-Steam\\SteamApps\\nazgul26422\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\smashball\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"c:\\Program Files\\iDownload\\iDownload.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Nexon\\Combat Arms EU\\Engine.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Itunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"58989:TCP"= 58989:TCP:pando Media Booster
"58989:UDP"= 58989:UDP:pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/04/2010 17:58 217032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S0 cerc6;cerc6; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/05/2009 14:26 721904]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys [13/09/2008 17:42 112835]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/04/2009 10:50 108289]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [19/04/2010 18:34 112592]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [10/07/2010 09:42 233472]
S2 gupdate1c9906b5ab35f58;Google Update Service (gupdate1c9906b5ab35f58);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2009 20:18 133104]
S2 iDownloadService;iDownload Service;c:\program files\iDownload\iDownloadService.exe [16/10/2009 23:17 57344]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [13/09/2008 17:42 5325]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [11/10/2008 10:37 25244]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [29/01/2010 18:52 16640]
S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [25/06/2008 19:45 37120]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [29/07/2008 14:09 39424]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [10/07/2010 09:42 36608]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29/12/2008 16:14 30192]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [27/05/2008 03:52 51072]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [10/07/2010 09:42 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [10/07/2010 09:42 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [10/07/2010 09:42 121856]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 15:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-26 18:07]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

2010-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003Core.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003UA.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

2010-10-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2010-10-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{356408DB-8B97-436B-BE95-C075C1429A69}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
.
.
------- Supplementary Scan -------
.
IE: Download All Files by HiDownload - c:\program files\StreamingStar\HiDownload\HDGetAll.htm
IE: Download by HiDownload - c:\program files\StreamingStar\HiDownload\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\User1\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User1\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\6hxlj89y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 19:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(260)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-03 19:06:04
ComboFix-quarantined-files.txt 2010-10-03 18:06
ComboFix2.txt 2010-10-03 10:24

Pre-Run: 39,483,887,616 bytes free
Post-Run: 39,456,845,824 bytes free

- - End Of File - - 100A67AFF194BBC61CB6F74ADDB2EEFC
 
Interesting that CF picks up Avira running in Safe Mode, this is only cleared by rebooting into normal windows running mode, disabling Avira and restaring in Safe Mode. This happened two or three times today. Each time cleared by the same action. ..

thought this might be useful info
 
Unfortunately, those offending folders are still there.

Let's try one more time....

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
Folder::
c:\program files\Microsoft
c:\documents and settings\User1\Application Data\Goryyk
c:\documents and settings\User1\Application Data\Agzuco
c:\documents and settings\User1\Application Data\Fiase
c:\documents and settings\User1\Application Data\Ciuviq
c:\documents and settings\User1\Application Data\Akraec


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
latest Combofix log part 1


ComboFix 10-10-02.02 - User1 03/10/2010 20:38:03.12.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.716 [GMT 1:00]
Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User1\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User1\Application Data\Agzuco
c:\documents and settings\User1\Application Data\Akraec
c:\documents and settings\User1\Application Data\Ciuviq
c:\documents and settings\User1\Application Data\Fiase
c:\documents and settings\User1\Application Data\Goryyk
c:\program files\Microsoft
c:\program files\Microsoft\Office Live\muauth.cab
c:\program files\Microsoft\Office Live\npOLW.dll
c:\program files\Microsoft\Office Live\OfficeLiveSignIn.exe
c:\program files\Microsoft\Office Live\OLConnector.dll
c:\program files\Microsoft\Office Live\OLConnectorResources.dll
c:\program files\Microsoft\Search Enhancement Pack\Choice Guard\CGuard.exe
c:\program files\Microsoft\Search Enhancement Pack\Choice Guard\ChoiceGuard.dll

.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-09-30 19:25 . 2010-10-02 07:56 -------- d-----w- c:\program files\system
2010-09-30 19:25 . 2010-09-30 19:25 -------- d-----w- c:\program files\win
2010-09-27 18:14 . 2010-09-27 18:14 -------- d-----w- c:\program files\iPod
2010-09-27 18:08 . 2010-09-27 18:08 -------- d-----w- c:\program files\QuickTime
2010-09-27 18:04 . 2010-09-27 18:04 -------- d-----w- c:\program files\Bonjour
2010-09-27 17:59 . 2010-09-27 17:59 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
2010-09-18 22:18 . 2010-09-18 22:18 -------- d-----w- c:\program files\ESET
2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\DVDVideoSoftTB
2010-09-18 10:30 . 2010-09-18 10:30 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\Threat Expert
2010-09-17 11:23 . 2010-09-17 11:23 -------- d-----w- c:\documents and settings\Ben2\Application Data\Malwarebytes
2010-09-17 11:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 11:23 . 2010-10-02 08:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 11:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 10:49 . 2010-09-17 10:49 -------- d-----w- c:\documents and settings\Ben2\Local Settings\Application Data\AirMouse
2010-09-15 18:07 . 2010-09-15 18:07 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-09 18:36 . 2010-10-02 08:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\DVDVideoSoftTB
2010-09-09 18:36 . 2010-09-25 12:01 -------- d-----w- c:\program files\DVDVideoSoftTB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 19:25 . 2008-10-02 17:21 -------- d-----w- c:\documents and settings\User1\Application Data\DNA
2010-10-03 18:11 . 2009-05-31 15:03 -------- d-----w- c:\program files\Steam
2010-10-03 18:10 . 2008-10-02 17:21 -------- d-----w- c:\program files\DNA
2010-10-03 18:09 . 2008-11-05 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-03 09:10 . 2009-02-16 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-03 08:04 . 2010-08-21 14:19 119296 ----a-w- c:\windows\system32\zlib.dll
2010-10-02 21:55 . 2010-06-20 17:55 -------- d-----w- c:\documents and settings\User1\Application Data\TeraCopy
2010-10-02 07:54 . 2008-06-26 18:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-30 19:25 . 2010-02-20 16:39 -------- d-----w- c:\documents and settings\User1\Application Data\vlc
2010-09-28 17:59 . 2010-01-29 17:39 -------- d-----w- c:\program files\iDownload
2010-09-27 18:14 . 2008-08-29 17:52 -------- d-----w- c:\program files\Common Files\Apple
2010-09-26 13:56 . 2010-01-22 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-09-26 13:56 . 2009-01-13 19:59 47360 ---ha-w- c:\documents and settings\User1\Application Data\pcouffin.sys
2010-09-26 13:56 . 2009-01-13 19:59 47360 ---ha-w- c:\documents and settings\User1\Application Data\pcouffin.sys
2010-09-26 13:56 . 2009-01-13 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\Vso
2010-09-26 13:54 . 2008-08-26 09:02 -------- d-----w- c:\documents and settings\User1\Application Data\Gearbox Software
2010-09-26 13:54 . 2008-08-26 08:56 -------- d-----w- c:\program files\Ubisoft
2010-09-26 13:34 . 2008-08-26 08:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-26 13:32 . 2009-05-01 18:02 -------- d-----w- c:\program files\Astro Gemini Software
2010-09-26 11:58 . 2010-01-22 19:53 -------- d-----w- c:\documents and settings\User1\Application Data\Skype
2010-09-26 11:34 . 2008-06-26 17:05 103728 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-26 11:34 . 2010-01-22 19:59 -------- d-----w- c:\documents and settings\User1\Application Data\skypePM
2010-09-26 08:14 . 2008-08-26 08:49 -------- d-----w- c:\program files\Google
2010-09-18 09:46 . 2009-07-03 18:04 -------- d-----w- c:\documents and settings\Ben2\Application Data\Apple Computer
2010-09-15 18:10 . 2009-02-14 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-13 20:24 . 2010-04-27 19:22 -------- d-----w- c:\program files\Ahead DVD Ripper
2010-09-13 20:24 . 2009-03-16 08:46 -------- d-----w- c:\program files\ACDFREE11
2010-09-13 20:24 . 2010-07-09 18:06 -------- d-----w- c:\program files\AC3Filter
2010-09-09 18:36 . 2008-12-07 15:25 -------- d-----w- c:\program files\Conduit
2010-09-08 19:11 . 2008-10-11 09:34 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-03 14:35 . 2008-12-31 13:42 103728 ----a-w- c:\documents and settings\Ben2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-03 13:15 . 2010-01-10 09:50 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-09-03 13:15 . 2010-09-03 13:15 -------- d-----w- c:\documents and settings\Sara.BEN\Application Data\Corel
2010-09-03 12:48 . 2008-10-29 08:45 103728 ----a-w- c:\documents and settings\Sara.BEN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 18:23 . 2010-09-02 08:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-09-02 10:16 . 2010-09-02 10:05 -------- d-----w- c:\documents and settings\User1\Application Data\ImgBurn
2010-09-02 09:36 . 2010-09-02 09:36 -------- d-----w- c:\program files\ImgBurn
2010-08-30 20:33 . 2010-06-19 07:45 -------- d-----w- c:\documents and settings\User1\Application Data\SystemRequirementsLab
2010-08-30 14:40 . 2010-08-28 21:28 -------- d-----w- c:\program files\temp
2010-08-27 22:16 . 2010-08-10 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-08-27 22:16 . 2010-08-27 22:16 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-08-23 17:41 . 2010-08-23 17:40 -------- d-----w- c:\program files\Muspub7
2010-08-23 16:27 . 2010-08-23 16:27 -------- d-----w- c:\documents and settings\User1\Application Data\PowerUp Software
2010-08-23 09:08 . 2010-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PowerUp Software
2010-08-21 14:19 . 2010-08-21 14:19 -------- d-----w- c:\program files\PowerUp Software
2010-08-21 12:32 . 2009-05-26 10:08 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-21 12:31 . 2010-08-21 12:31 92280 ----a-w- c:\documents and settings\User1\Application Data\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-19 15:59 . 2010-08-19 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-10 10:21 . 2010-02-21 18:46 -------- d-----w- c:\program files\XviD
2010-08-09 19:01 . 2010-08-09 18:26 -------- d-----w- c:\documents and settings\User1\Application Data\LEGO Company
2010-08-09 18:25 . 2010-08-09 18:25 -------- d-----w- c:\program files\LEGO Company
2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 09:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-10 08:58 . 2010-07-10 08:56 4157440 ----a-w- c:\documents and settings\User1\Application Data\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-06-07 18:48 . 2008-12-29 15:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 09:06 . 2009-09-26 19:21 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-26 19:21 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-26 19:21 216064 --sha-r- c:\windows\system32\nbDX.dll
.
 
latest Combofix log part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-09-25 12:01 2735200 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD1.dll" [2010-09-25 2735200]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 68856]
"Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
"Google Update"="c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-07 30192]
"Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-27 176128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
"iDownloadTray"="c:\program files\iDownload\iDownloadTray.exe" [2009-10-16 61440]
"DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2009-12-29 924672]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\User1\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\VALVe\\Star-Steam\\SteamApps\\nazgul26422\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\smashball\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"c:\\Program Files\\iDownload\\iDownload.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Nexon\\Combat Arms EU\\Engine.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\steamapps\\nazgul26422\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Itunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"58989:TCP"= 58989:TCP:pando Media Booster
"58989:UDP"= 58989:UDP:pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19/04/2010 17:58 217032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S0 cerc6;cerc6; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/05/2009 14:26 721904]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys [13/09/2008 17:42 112835]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [13/04/2009 10:50 108289]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [19/04/2010 18:34 112592]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [10/07/2010 09:42 233472]
S2 gupdate1c9906b5ab35f58;Google Update Service (gupdate1c9906b5ab35f58);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2009 20:18 133104]
S2 iDownloadService;iDownload Service;c:\program files\iDownload\iDownloadService.exe [16/10/2009 23:17 57344]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [13/09/2008 17:42 5325]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [11/10/2008 10:37 25244]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [29/01/2010 18:52 16640]
S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [25/06/2008 19:45 37120]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [29/07/2008 14:09 39424]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [10/07/2010 09:42 36608]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29/12/2008 16:14 30192]
S3 MHIKEY10;MHIKEY10;c:\windows\system32\drivers\MHIKEY10.sys [27/05/2008 03:52 51072]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [10/07/2010 09:42 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [10/07/2010 09:42 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [10/07/2010 09:42 121856]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 15:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-26 18:07]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 19:18]

2010-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003Core.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1965331169-839522115-1003UA.job
- c:\documents and settings\User1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-26 16:47]

2010-10-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2010-10-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{356408DB-8B97-436B-BE95-C075C1429A69}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
.
.
------- Supplementary Scan -------
.
IE: Download All Files by HiDownload - c:\program files\StreamingStar\HiDownload\HDGetAll.htm
IE: Download by HiDownload - c:\program files\StreamingStar\HiDownload\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\User1\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User1\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\6hxlj89y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(268)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-03 20:54:59
ComboFix-quarantined-files.txt 2010-10-03 19:54
ComboFix2.txt 2010-10-03 18:06
ComboFix3.txt 2010-10-03 10:24

Pre-Run: 39,479,689,216 bytes free
Post-Run: 39,449,731,072 bytes free

- - End Of File - - 7319545AFDF9A555D2B0E44967DB353B
 
OK. Bad folders are gone, but I can see we removed one legit folder, so we have to get it back.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
DEQUARANTINE::
C:\Qoobox\Quarantine\C\program files\Microsoft
QUIT::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Combofix dequarantine log


C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\muauth.cab -> C:\program files\Microsoft\Office Live\muauth.cab
C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\npOLW.dll -> C:\program files\Microsoft\Office Live\npOLW.dll
C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\OfficeLiveSignIn.exe -> C:\program files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\OLConnector.dll -> C:\program files\Microsoft\Office Live\OLConnector.dll
C:\Qoobox\Quarantine\C\program files\Microsoft\Office Live\OLConnectorResources.dll -> C:\program files\Microsoft\Office Live\OLConnectorResources.dll
C:\Qoobox\Quarantine\C\program files\Microsoft\Search Enhancement Pack\Choice Guard\CGuard.exe -> C:\program files\Microsoft\Search Enhancement Pack\Choice Guard\CGuard.exe
C:\Qoobox\Quarantine\C\program files\Microsoft\Search Enhancement Pack\Choice Guard\ChoiceGuard.dll -> C:\program files\Microsoft\Search Enhancement Pack\Choice Guard\ChoiceGuard.dll
7 File(s) copied
 
Good :)

Any current issues?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 

Similar threads

D
Avira update is causing Windows PCs to freeze up, no fix in sight
Replies
0
Views
419
DragonSlayer101
D
S
Samsung's latest Odyssey gaming monitor features glasses-free 3D, now available for pre-order
Replies
8
Views
160
New Day
N
S
Samsung brings 3D back with AI-powered, glasses-free Odyssey 3D monitor
Replies
6
Views
293
Squid Surprise
Squid Surprise

Latest posts

Back