Beachtrader

Be as brutal as you need to. There is nothing on here I absolutely need ComboFix 11-05-15.04 - Compaq_Owner 05/16/2011 2:16.3.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1672 [GMT -5:00] Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt AV: Trend Micro PC-cillin Internet Security 2007 *Disabled/Outdated* {7D2296BC-32CC-4519-917E-52E652474AF5} FW: Trend Micro PC-cillin Internet Security (Firewall) *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6} * Created a new restore point . . ((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 ))))))))))))))))))))))))))))))) . . 2011-05-14 10:57 . 2011-05-14 10:57 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\_UVerseRealtime 2011-05-14 10:47 . 2011-05-14 10:47 -------- d-----w- c:\program files\WinPcap 2011-05-14 10:47 . 2011-05-14 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\U-Verse Realtime 2011-05-14 10:47 . 2011-05-14 10:47 -------- d-----w- c:\program files\U-Verse Realtime 2011-05-14 06:35 . 2011-05-14 06:35 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\MetaGeek,_LLC 2011-05-14 06:25 . 2011-05-14 06:25 -------- d-----w- c:\program files\MetaGeek 2011-05-11 04:17 . 2011-05-11 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit 2011-05-11 04:17 . 2011-05-11 04:17 -------- d-----w- c:\program files\IObit 2011-05-05 06:23 . 2011-05-05 06:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot 2011-05-05 06:04 . 2011-05-05 06:04 0 ----a-w- c:\windows\Isodihi.bin 2011-05-04 10:54 . 2011-05-04 10:54 -------- d-----w- c:\program files\ESET 2011-05-03 07:10 . 2011-05-04 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\bN31001MpJlM31001 2011-04-29 18:00 . 2011-04-29 18:00 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\OnLive App 2011-04-29 17:59 . 2011-04-29 18:00 -------- d-----w- c:\program files\OnLive 2011-04-28 20:12 . 2011-04-28 20:12 252316 ----a-w- c:\windows\system32\nvdrsdb1.bin 2011-04-28 20:12 . 2011-04-28 20:12 1 ----a-w- c:\windows\system32\nvdrssel.bin 2011-04-27 07:15 . 2011-04-28 20:12 -------- d-----w- c:\program files\NVIDIA Corporation 2011-04-27 07:05 . 2011-04-27 07:05 -------- d-----w- c:\program files\Common Files\DirectX 2011-04-26 18:36 . 2002-07-24 19:00 87552 ----a-w- c:\windows\system32\CNMLM3g.DLL 2011-04-26 18:36 . 2002-07-24 19:00 5632 ----a-w- c:\windows\system32\CNMVS3g.DLL 2011-04-26 18:36 . 2002-07-24 19:00 46080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP3g.DLL 2011-04-26 18:36 . 2002-07-24 19:00 13824 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD3g.DLL 2011-04-26 18:36 . 2002-07-30 07:59 73728 ----a-w- c:\windows\system32\CNMCP3g.exe 2011-04-26 18:35 . 2011-04-26 18:35 -------- d-----w- C:\BJPrinter . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-06 09:09 . 2007-08-24 21:21 221188 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe.tmp 2011-02-23 13:27 . 2011-02-23 13:27 9888384 ----a-w- c:\windows\system32\drivers\nv4_mini.sys 2011-02-23 13:27 . 2011-02-23 13:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll 2011-02-23 13:27 . 2011-02-23 13:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll 2011-02-23 13:27 . 2011-02-23 13:27 6398720 ----a-w- c:\windows\system32\nv4_disp.dll 2011-02-23 13:27 . 2011-02-23 13:27 61440 ----a-w- c:\windows\system32\OpenCL.dll 2011-02-23 13:27 . 2011-02-23 13:27 4980736 ----a-w- c:\windows\system32\nvcuda.dll 2011-02-23 13:27 . 2011-02-23 13:27 2916968 ----a-w- c:\windows\system32\nvcuvid.dll 2011-02-23 13:27 . 2011-02-23 13:27 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll 2011-02-23 13:27 . 2011-02-23 13:27 1958400 ----a-w- c:\windows\system32\nvapi.dll 2011-02-23 13:27 . 2011-02-23 13:27 14671872 ----a-w- c:\windows\system32\nvoglnt.dll 2011-02-23 13:27 . 2011-02-23 13:27 13004800 ----a-w- c:\windows\system32\nvcompiler.dll 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId] @="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}" [HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}] 2009-11-06 20:14 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888] "SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2006-10-04 53760] . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk * . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService] @="Service" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] 2010-08-20 11:03 33120 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor] 2004-09-07 18:47 57344 -c--a-w- c:\windows\ALCXMNTR.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD] 2002-09-11 02:26 368706 -c--a-w- c:\program files\BroadJump\Client Foundation\CFD.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-05-20 07:36 136176 ----atw- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp] 2005-02-25 22:34 245760 -c--a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe] 2009-10-27 17:18 1103216 ----a-w- c:\program files\Download Manager\DLM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher] 2004-10-14 20:54 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] 2009-11-06 20:19 6515784 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] 2010-02-11 05:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2007-08-25 01:38 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPod Service"=3 (0x3) "gusvc"=3 (0x3) "gupdate"=2 (0x2) "Bonjour Service"=2 (0x2) "wuauserv"=2 (0x2) "EPSON_PM_RPCV4_01"=2 (0x2) "Apple Mobile Device"=2 (0x2) "StarWindServiceAE"=2 (0x2) "gupdatem"=3 (0x3) . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "57548:TCP"= 57548:TCP:Pando Media Booster "57548:UDP"= 57548:UDP:Pando Media Booster . R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [10/2/2008 4:15 AM 29808] R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [6/19/2009 6:11 PM 66048] R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/24/2008 7:50 PM 1201640] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?] S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?] S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 2:36 AM 136176] S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 2:36 AM 136176] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/28/2010 6:43 PM 436792] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . 2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 07:36] . 2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 07:36] . 2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3126290385-151678670-597227250-1009Core.job - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-23 07:36] . 2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3126290385-151678670-597227250-1009UA.job - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-23 07:36] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_L4AFAFCC97AF342B6B74B8A4AE0EE3AAC.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_L4AFAFCC97AF342B6B74B8A4AE0EE3AAC.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_LC2C770A95D3D4602B7ABFF8B20BE4169.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_LC2C770A95D3D4602B7ABFF8B20BE4169.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\mj9f8cit.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . - - - - ORPHANS REMOVED - - - - . MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe MSConfigStartUp-ClickPotatoLiteSA - c:\program files\ClickPotatoLite\bin\10.0.630.0\ClickPotatoLiteSA.exe MSConfigStartUp-EPSON Stylus CX5000 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE MSConfigStartUp-Nyusuka - c:\windows\mpidmtl.dll . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-16 02:23 Windows 5.1.2600 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,1a,6b,32,57,90,f6,46,ac,50,59,\ "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,1a,6b,32,57,90,f6,46,ac,50,59,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(732) c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(2860) c:\windows\system32\WININET.dll c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Webroot\Spy Sweeper\SpySweeper.exe c:\windows\system32\wscntfy.exe c:\program files\Webroot\Spy Sweeper\SSU.EXE . ************************************************************************** . Completion time: 2011-05-16 02:27:33 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-16 07:27 ComboFix2.txt 2011-05-13 07:17 . Pre-Run: 112,671,821,824 bytes free Post-Run: 112,727,060,480 bytes free . - - End Of File - - A42EF4B04BB21338DF3EEC16F2A5DCFA DDS (Ver_11-03-05.01) - NTFSx86 Run by Compaq_Owner at 2:32:48.25 on Mon 05/16/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1606 [GMT -5:00] . AV: Trend Micro PC-cillin Internet Security 2007 *Disabled/Outdated* {7D2296BC-32CC-4519-917E-52E652474AF5} FW: Trend Micro PC-cillin Internet Security (Firewall) *Disabled* . ============== Running Processes =============== . C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe c:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [spySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray dRunOnce: [RunNarrator] Narrator.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273556260484 DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\mj9f8cit.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension . ============= SERVICES / DRIVERS =============== . R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-10-2 29808] R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-6-19 66048] R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240] R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-10-24 1201640] R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-7-16 816672] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?] S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?] S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176] S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176] S4 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688] . =============== Created Last 30 ================ . 2011-05-14 10:57:24 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\_UVerseRealtime 2011-05-14 10:47:14 -------- d-----w- c:\program files\U-Verse Realtime 2011-05-14 06:35:32 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\MetaGeek,_LLC 2011-05-13 07:08:00 89088 ----a-w- c:\windows\MBR.exe 2011-05-13 07:07:59 98816 ----a-w- c:\windows\sed.exe 2011-05-13 07:07:59 256512 ----a-w- c:\windows\PEV.exe 2011-05-13 07:07:59 161792 ----a-w- c:\windows\SWREG.exe 2011-05-11 04:17:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit 2011-05-11 04:17:40 -------- d-----w- c:\program files\IObit 2011-05-07 08:28:16 -------- d-----w- c:\docume~1\compaq~1\applic~1\7F55E3C950783B2656A4A0A8CF522A3C 2011-05-05 06:04:02 0 ----a-w- c:\windows\Isodihi.bin 2011-05-04 10:54:16 -------- d-----w- c:\program files\ESET 2011-05-03 07:10:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\bN31001MpJlM31001 2011-04-29 18:00:07 -------- d-----w- c:\docume~1\compaq~1\applic~1\OnLive App 2011-04-29 17:59:48 -------- d-----w- c:\program files\OnLive 2011-04-28 20:12:23 252316 ----a-w- c:\windows\system32\nvdrsdb1.bin 2011-04-28 20:12:23 1 ----a-w- c:\windows\system32\nvdrssel.bin 2011-04-27 07:15:22 -------- d-----w- c:\program files\NVIDIA Corporation 2011-04-27 07:05:42 -------- d-----w- c:\program files\common files\DirectX 2011-04-26 18:36:44 87552 ----a-w- c:\windows\system32\CNMLM3g.DLL 2011-04-26 18:36:44 5632 ----a-w- c:\windows\system32\CNMVS3g.DLL 2011-04-26 18:36:44 46080 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP3g.DLL 2011-04-26 18:36:44 13824 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD3g.DLL 2011-04-26 18:36:41 73728 ----a-w- c:\windows\system32\CNMCP3g.exe 2011-04-26 18:35:51 -------- d-----w- C:\BJPrinter . ==================== Find3M ==================== . 2011-05-06 09:09:11 221188 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe.tmp 2011-03-02 23:08:31 0 ----a-w- c:\windows\ativpsrm.bin 2011-02-23 13:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll 2011-02-23 13:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll 2011-02-23 13:27:00 6398720 ----a-w- c:\windows\system32\nv4_disp.dll 2011-02-23 13:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll 2011-02-23 13:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll 2011-02-23 13:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll 2011-02-23 13:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin 2011-02-23 13:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll 2011-02-23 13:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll 2011-02-23 13:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll 2011-02-23 13:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll . ============= FINISH: 2:33:02.07 ===============

ComboFix 11-05-12.02 - Compaq_Owner 05/13/2011 2:09.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1653 [GMT -5:00] Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . C:\autorun.inf C:\data c:\documents and settings\Administrator\WINDOWS c:\documents and settings\All Users\invokesi.exe c:\documents and settings\Compaq_Owner\Application Data\Adobe\plugs c:\documents and settings\Compaq_Owner\Application Data\Adobe\shed c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{6A0E728B-BE60-4345-8934-960D9034B8AB} c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{6A0E728B-BE60-4345-8934-960D9034B8AB}\chrome.manifest c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{6A0E728B-BE60-4345-8934-960D9034B8AB}\chrome\content\_cfg.js c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{6A0E728B-BE60-4345-8934-960D9034B8AB}\chrome\content\overlay.xul c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{6A0E728B-BE60-4345-8934-960D9034B8AB}\install.rdf c:\documents and settings\Compaq_Owner\WINDOWS c:\documents and settings\Default User\WINDOWS C:\install.exe C:\test.txt c:\windows\jestertb.dll c:\windows\system32\config\systemprofile\WINDOWS c:\windows\system32\eeeeddcd5_z.dll c:\windows\system32\usp10(2).dll . . ((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 ))))))))))))))))))))))))))))))) . . 2011-05-11 04:17 . 2011-05-11 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit 2011-05-11 04:17 . 2011-05-11 04:17 -------- d-----w- c:\program files\IObit 2011-05-05 06:23 . 2011-05-05 06:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot 2011-05-05 06:04 . 2011-05-05 06:04 0 ----a-w- c:\windows\Isodihi.bin 2011-05-04 10:54 . 2011-05-04 10:54 -------- d-----w- c:\program files\ESET 2011-05-03 07:10 . 2011-05-04 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\bN31001MpJlM31001 2011-04-29 18:00 . 2011-04-29 18:00 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\OnLive App 2011-04-29 17:59 . 2011-04-29 18:00 -------- d-----w- c:\program files\OnLive 2011-04-28 20:12 . 2011-04-28 20:12 252316 ----a-w- c:\windows\system32\nvdrsdb1.bin 2011-04-28 20:12 . 2011-04-28 20:12 1 ----a-w- c:\windows\system32\nvdrssel.bin 2011-04-27 07:15 . 2011-04-28 20:12 -------- d-----w- c:\program files\NVIDIA Corporation 2011-04-27 07:05 . 2011-04-27 07:05 -------- d-----w- c:\program files\Common Files\DirectX 2011-04-26 18:36 . 2002-07-24 19:00 87552 ----a-w- c:\windows\system32\CNMLM3g.DLL 2011-04-26 18:36 . 2002-07-24 19:00 5632 ----a-w- c:\windows\system32\CNMVS3g.DLL 2011-04-26 18:36 . 2002-07-24 19:00 46080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP3g.DLL 2011-04-26 18:36 . 2002-07-24 19:00 13824 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD3g.DLL 2011-04-26 18:36 . 2002-07-30 07:59 73728 ----a-w- c:\windows\system32\CNMCP3g.exe 2011-04-26 18:35 . 2011-04-26 18:35 -------- d-----w- C:\BJPrinter 2011-04-15 05:55 . 2011-04-15 05:55 -------- d-----w- c:\program files\Network Stumbler . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-06 09:09 . 2007-08-24 21:21 221188 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe.tmp 2011-02-23 13:27 . 2011-02-23 13:27 9888384 ----a-w- c:\windows\system32\drivers\nv4_mini.sys 2011-02-23 13:27 . 2011-02-23 13:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll 2011-02-23 13:27 . 2011-02-23 13:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll 2011-02-23 13:27 . 2011-02-23 13:27 6398720 ----a-w- c:\windows\system32\nv4_disp.dll 2011-02-23 13:27 . 2011-02-23 13:27 61440 ----a-w- c:\windows\system32\OpenCL.dll 2011-02-23 13:27 . 2011-02-23 13:27 4980736 ----a-w- c:\windows\system32\nvcuda.dll 2011-02-23 13:27 . 2011-02-23 13:27 2916968 ----a-w- c:\windows\system32\nvcuvid.dll 2011-02-23 13:27 . 2011-02-23 13:27 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll 2011-02-23 13:27 . 2011-02-23 13:27 1958400 ----a-w- c:\windows\system32\nvapi.dll 2011-02-23 13:27 . 2011-02-23 13:27 14671872 ----a-w- c:\windows\system32\nvoglnt.dll 2011-02-23 13:27 . 2011-02-23 13:27 13004800 ----a-w- c:\windows\system32\nvcompiler.dll 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . <pre> c:\windows\pchealth\helpctr\binaries\MSConfig .exe </pre> . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId] @="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}" [HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}] 2009-11-06 20:14 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888] "SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2006-10-04 53760] . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk * . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService] @="Service" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [N/A] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] 2010-08-20 11:03 33120 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor] 2004-09-07 18:47 57344 -c--a-w- c:\windows\ALCXMNTR.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD] 2002-09-11 02:26 368706 -c--a-w- c:\program files\BroadJump\Client Foundation\CFD.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClickPotatoLiteSA] c:\program files\ClickPotatoLite\bin\10.0.630.0\ClickPotatoLiteSA.exe [N/A] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5000 Series] c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE [N/A] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-05-20 07:36 136176 ----atw- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp] 2005-02-25 22:34 245760 -c--a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe] 2009-10-27 17:18 1103216 ----a-w- c:\program files\Download Manager\DLM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher] 2004-10-14 20:54 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nyusuka] c:\windows\mpidmtl.dll [N/A] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] 2009-11-06 20:19 6515784 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] 2010-02-11 05:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2007-08-25 01:38 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPod Service"=3 (0x3) "gusvc"=3 (0x3) "gupdate"=2 (0x2) "Bonjour Service"=2 (0x2) "wuauserv"=2 (0x2) "EPSON_PM_RPCV4_01"=2 (0x2) "Apple Mobile Device"=2 (0x2) "StarWindServiceAE"=2 (0x2) "gupdatem"=3 (0x3) . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "57548:TCP"= 57548:TCP:Pando Media Booster "57548:UDP"= 57548:UDP:Pando Media Booster . R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [10/2/2008 4:15 AM 29808] R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [6/19/2009 6:11 PM 66048] S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/24/2008 7:50 PM 1201640] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?] S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?] S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 2:36 AM 136176] S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 2:36 AM 136176] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/28/2010 6:43 PM 436792] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . 2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 07:36] . 2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 07:36] . 2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3126290385-151678670-597227250-1009Core.job - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-23 07:36] . 2011-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3126290385-151678670-597227250-1009UA.job - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-23 07:36] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_L337D6132053D4EAC8D7AD6D23D04E5D1.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_L337D6132053D4EAC8D7AD6D23D04E5D1.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_L4AFAFCC97AF342B6B74B8A4AE0EE3AAC.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_L4AFAFCC97AF342B6B74B8A4AE0EE3AAC.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_LC2C770A95D3D4602B7ABFF8B20BE4169.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_LC2C770A95D3D4602B7ABFF8B20BE4169.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_LCDFDF60A509D4BD0B3D09F3D2769A1C8.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . 2011-05-02 c:\windows\Tasks\wrSpySweeper_LCDFDF60A509D4BD0B3D09F3D2769A1C8.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-08-27 20:19] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\mj9f8cit.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) SafeBoot-AVG Anti-Spyware Driver SafeBoot-AVG Anti-Spyware Guard . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-13 02:15 Windows 5.1.2600 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,1a,6b,32,57,90,f6,46,ac,50,59,\ "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,1a,6b,32,57,90,f6,46,ac,50,59,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(712) c:\windows\system32\Ati2evxx.dll . Completion time: 2011-05-13 02:17:27 ComboFix-quarantined-files.txt 2011-05-13 07:17 . Pre-Run: 113,262,927,872 bytes free Post-Run: 113,510,576,128 bytes free . - - End Of File - - 5E4785BCA017043B1D9170391AA612CA DDS (Ver_11-03-05.01) - NTFSx86 Run by Compaq_Owner at 2:20:47.50 on Fri 05/13/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1472 [GMT -5:00] . AV: Trend Micro PC-cillin Internet Security 2007 *Disabled/Outdated* {7D2296BC-32CC-4519-917E-52E652474AF5} FW: Trend Micro PC-cillin Internet Security (Firewall) *Disabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\system32\ctfmon.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Java\jre6\bin\jqs.exe c:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\explorer.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [spySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray dRunOnce: [RunNarrator] Narrator.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} Trusted Zone: clonewarsadventures.com Trusted Zone: freerealms.com Trusted Zone: soe.com Trusted Zone: sony.com DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273556260484 DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\mj9f8cit.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension . ============= SERVICES / DRIVERS =============== . R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-10-2 29808] R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-6-19 66048] R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240] R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-7-16 816672] S2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-10-24 1201640] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?] S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?] S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176] S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176] S4 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688] . =============== Created Last 30 ================ . 2011-05-13 07:08:00 89088 ----a-w- c:\windows\MBR.exe 2011-05-13 07:07:59 98816 ----a-w- c:\windows\sed.exe 2011-05-13 07:07:59 256512 ----a-w- c:\windows\PEV.exe 2011-05-13 07:07:59 161792 ----a-w- c:\windows\SWREG.exe 2011-05-11 04:17:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit 2011-05-11 04:17:40 -------- d-----w- c:\program files\IObit 2011-05-07 08:28:16 -------- d-----w- c:\docume~1\compaq~1\applic~1\7F55E3C950783B2656A4A0A8CF522A3C 2011-05-05 06:04:02 0 ----a-w- c:\windows\Isodihi.bin 2011-05-04 10:54:16 -------- d-----w- c:\program files\ESET 2011-05-03 07:10:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\bN31001MpJlM31001 2011-04-29 18:00:07 -------- d-----w- c:\docume~1\compaq~1\applic~1\OnLive App 2011-04-29 17:59:48 -------- d-----w- c:\program files\OnLive 2011-04-28 20:12:23 252316 ----a-w- c:\windows\system32\nvdrsdb1.bin 2011-04-28 20:12:23 1 ----a-w- c:\windows\system32\nvdrssel.bin 2011-04-27 07:15:22 -------- d-----w- c:\program files\NVIDIA Corporation 2011-04-27 07:05:42 -------- d-----w- c:\program files\common files\DirectX 2011-04-26 18:36:44 87552 ----a-w- c:\windows\system32\CNMLM3g.DLL 2011-04-26 18:36:44 5632 ----a-w- c:\windows\system32\CNMVS3g.DLL 2011-04-26 18:36:44 46080 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP3g.DLL 2011-04-26 18:36:44 13824 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD3g.DLL 2011-04-26 18:36:41 73728 ----a-w- c:\windows\system32\CNMCP3g.exe 2011-04-26 18:35:51 -------- d-----w- C:\BJPrinter 2011-04-15 05:55:25 -------- d-----w- c:\program files\Network Stumbler . ==================== Find3M ==================== . 2011-05-06 09:09:11 221188 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe.tmp 2011-03-02 23:08:31 0 ----a-w- c:\windows\ativpsrm.bin 2011-02-23 13:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll 2011-02-23 13:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll 2011-02-23 13:27:00 6398720 ----a-w- c:\windows\system32\nv4_disp.dll 2011-02-23 13:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll 2011-02-23 13:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll 2011-02-23 13:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll 2011-02-23 13:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin 2011-02-23 13:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll 2011-02-23 13:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll 2011-02-23 13:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll 2011-02-23 13:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll . ============= FINISH: 2:21:00.10 ===============

Thanks for responding. My computer seems to have calmed down. I can post here fine and the popups have subsided. Below you will see the new mbam and dds. Maybe it's clear, or hiding to jump out at me again. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6559 Windows 5.1.2600 Service Pack 2 Internet Explorer 8.0.6001.18702 5/12/2011 12:37:41 AM mbam-log-2011-05-12 (00-37-41).txt Scan type: Quick scan Objects scanned: 163257 Time elapsed: 7 minute(s), 19 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ----------------------------------- DS (Ver_11-03-05.01) . . ==== Disk Partitions ========================= . . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . No restore point in system. . ==== Installed Programs ====================== . 32 Bit HP CIO Components Installer Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 8.2.6 Adobe Shockwave Player 11 Adobe

all logs below. This bug won't let me post here. Trying attached versions now ark.zip Attach.zip mbam-log-2011-05-06 (22-41-51).txt

No luck. I changed to wdmaud.drv. I successfully ran fix polices. No luck with the Varestorespolicies. I click that inf file and there is no install choice. It opens up some text in notepad. In my control panel audio settings alot of that stuff is totally greyed out. No way to check the boxes. Weird one eh?

We are on the homestretch. I can't thank you enough for all of your help. A little sound and we are done! Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] "midimapper"="midimap.dll" "msacm.imaadpcm"="imaadp32.acm" "msacm.msadpcm"="msadp32.acm" "msacm.msg711"="msg711.acm" "msacm.msgsm610"="msgsm32.acm" "msacm.trspch"="tssoft32.acm" "vidc.cvid"="iccvid.dll" "vidc.I420"="msh263.drv" "vidc.iv31"="ir32_32.dll" "vidc.iv32"="ir32_32.dll" "vidc.iv41"="ir41_32.ax" "vidc.iyuv"="iyuv_32.dll" "vidc.mrle"="msrle32.dll" "vidc.msvc"="msvidc32.dll" "vidc.uyvy"="msyuv.dll" "vidc.yuy2"="msyuv.dll" "vidc.yvu9"="tsbyuv.dll" "vidc.yvyu"="msyuv.dll" "wavemapper"="msacm32.drv" "msacm.msg723"="msg723.acm" "vidc.M263"="msh263.drv" "vidc.M261"="msh261.drv" "msacm.msaudio1"="msaud32.acm" "msacm.sl_anet"="sl_anet.acm" "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax" "vidc.iv50"="ir50_32.dll" "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm" "msacm.lhacm"="lhacm.acm" "vidc.DIVX"="DivX.dll" "vidc.yv12"="DivX.dll" "wave"="serwvdrv.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP] "wave"="rdpsnd.dll" "mixer"="rdpsnd.dll" "MaxBandwidth"=dword:000056b9 "wavemapper"="msacm32.drv" "EnableMP3Codec"=dword:00000001 "midimapper"="midimap.dll"

I think you have to start your own thread. They go by threadcounts in here and if they see your reply they think they have replied to me. Hopefully this post will put the count back in place so they know it's their turn to respond. This one is a tough one though. Good luck!

That all worked fine. Attached you will find all of the files requested. beachtrader_rootrepeal.txt ntbtlog.txt lopR.txt

Thanks for your patience. I did a manual update and was finally able to run a full Antivir system scan. It helped alot. I had been getting the white desktop saying buy wincodec pro and the popup in the taskbar urging me to purchase. It is all gone now. My notepad wasn't able to open at all. It would flash on the page and go away. It works now. I wasn't able to run any videos, movies, or games because wincodec would pop up and close them immediately. That has gone away as well. The only issue now is no sound. I'll run your latest combofix and send the mbam, combofix, antivir and hijack this logs. hijackthis.txt mbam_log_2009_11_03__22_15_48_.txt combofix.txt antivirscan.txt

Hey Ron, I believe I completed all the steps successfully. Every time I reboot the wincodecpro thing comes back. It has kept notepad unusable. Here are the logs you requested as attachments. I am still infected with no sound, no notepad, and limited application usage. This thing is insidious. Mark ComboFix.txt mbam_log_2009_11_03__04_03_47_.txt javaralog.txt

I ran the msconfig in services tab and general tab. I can't run the other two utilities. Wincodecpro still has control of notepad and stops most programs from running at all. I think we need to start all over. It seems when I run combofix it lasts a few hours and wincodecpro is back as strong as ever. Am I toast? Reinstall windows and format harddrive time? Here is the Eset scan. Copied it in because notepad doesn't work. I have added the last combofix and mbam logs as uploaded files. C:\Documents and Settings\Lee\Application Data\Sun\Java\Deployment\cache\6.0\61\59ef027d-7053989f a variant of Win32/Kryptik.AZA trojan C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe a variant of Win32/Kryptik.AZA trojan C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP102\A0106957.exe Win32/Shutdown.NAA application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP102\A0106960.exe Win32/PrcView application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP103\A0107336.exe Win32/Shutdown.NAA application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP103\A0107339.exe Win32/PrcView application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108204.exe multiple threats C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108218.exe Win32/PrcView application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP105\A0108221.exe Win32/Shutdown.NAA application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0057145.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058276.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058277.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0058278.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP36\A0059351.exe probably unknown NewHeur_PE virus C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060535.exe probably unknown NewHeur_PE virus C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060543.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060544.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060545.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060546.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP40\A0060547.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP94\A0102421.exe probably unknown NewHeur_PE virus C:\System Volume Information\_restore{06FFFB52-6BBE-4472-A483-E11C7290D635}\RP97\A0106011.exe Win32/PrcView application Operating memory a variant of Win32/Kryptik.AZA trojan ComboFix.txt mbam_log_2009_11_02__04_20_50_.txt

I think my second post messed up your post count. That probably got me lost in the shuffle. Nothing to add here just checking in and hopefully this fixes my post count and gets me back in the queue.

Using your directions here is the last MBAM log as well. Uploaded since I can't get into notepad. mbam_log_2009_10_31__05_43_26_.txt

Well. The first combofix seemed to have fixed the issue except for having no sound. This latest combo fix brought it all back. I cannot open notepad anymore. I was able to get the combofix log but cant open notepad to send it so I am trying to send it as an attachment. Any ideas? Mark ComboFix.txt

Ron, Thanks for the reply. After the combo-fix I was able to save the malware log and the hijackthis log you will find below. Hopefully the info will help stop this malware returning. I have followed these steps from prior advice on this page and the malware returned within hours. Here is the info you requested. I uploaded the malware but it seems to not accept the highjack this. I will copy the text below and the malware.txt below that incase the upload version did not come across. Mark Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:36:15, on 10/30/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKLM\..\Run: [trtrCLIStart] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://onecare.live.com O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/...can8/oscan8.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187959235221 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218429358078 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://www.wizard101.com/static/themes/wiz...ameLauncher.CAB O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing) -- End of file - 5549 bytes -------------------------------------------------------------------------------------------------------- ComboFix 09-10-30.01 - Lee 10/30/2009 22:28.6.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -4:00] Running from: c:\documents and settings\Lee\Desktop\Combo-Fix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\tmp.reg . ((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 ))))))))))))))))))))))))))))))) . 2009-10-30 07:51 . 2009-10-30 07:09 15880 ----a-w- c:\windows\system32\lsdelete.exe 2009-10-30 07:14 . 2009-10-30 07:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-10-30 07:09 . 2009-10-30 07:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2009-10-30 07:04 . 2009-10-30 07:04 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Temp 2009-10-30 07:04 . 2009-10-30 07:04 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-10-30 06:50 . 2009-10-30 06:50 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Threat Expert 2009-10-29 08:44 . 2009-10-29 08:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX 2009-10-29 08:44 . 2009-10-29 08:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc 2009-10-29 08:34 . 2009-10-30 06:51 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP 2009-10-29 08:02 . 2009-10-29 08:02 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache 2009-10-29 03:48 . 2009-10-29 03:48 -------- d-----w- c:\program files\Trend Micro 2009-10-29 02:39 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-10-28 09:25 . 2009-10-28 09:25 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache 2009-10-28 09:25 . 2009-10-28 09:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2009-10-28 08:26 . 2009-10-28 08:26 -------- d-----w- c:\documents and settings\Lee\Application Data\Uniblue 2009-10-28 06:43 . 2009-10-28 06:44 -------- d-----w- C:\DECCHECK 2009-10-27 11:19 . 2009-10-27 11:19 -------- d-----w- c:\program files\Interbank FX Trader 4 2009-10-21 00:45 . 2009-10-21 00:45 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache 2009-10-21 00:45 . 2009-10-21 00:45 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Turbine,_Inc 2009-10-21 00:42 . 2009-10-21 00:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Turbine 2009-10-17 03:39 . 2008-10-15 04:26 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2009-10-16 07:20 . 2009-10-16 07:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files 2009-10-16 06:04 . 2009-10-29 02:22 -------- d-----w- c:\program files\Turbine 2009-10-16 00:54 . 2009-10-31 02:19 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\PMB Files 2009-10-16 00:54 . 2009-10-16 04:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PMB Files 2009-10-16 00:54 . 2009-10-16 00:54 -------- d-----w- c:\program files\Pando Networks 2009-10-13 06:11 . 2009-10-13 06:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-10-13 06:11 . 2009-10-13 06:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2009-10-03 05:52 . 2009-10-03 05:52 -------- d-----w- c:\program files\ESET . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-30 07:05 . 2005-04-17 07:40 -------- d-----w- c:\program files\Google 2009-10-30 06:21 . 2005-02-11 13:26 -------- d-----w- c:\program files\City of Heroes 2009-10-29 23:28 . 2008-05-10 07:56 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-10-29 02:28 . 2008-06-07 04:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-10-05 02:35 . 2005-02-04 08:12 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-10-04 10:13 . 2009-08-20 07:16 -------- d-----w- c:\program files\GStudio7 2009-10-04 09:58 . 2008-03-03 17:47 -------- d-----w- c:\program files\Konami 2009-09-27 05:45 . 2007-03-25 11:12 -------- d--h--w- c:\documents and settings\Lee\Application Data\Move Networks 2009-09-25 06:13 . 2009-08-18 09:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-13 05:46 . 2009-09-13 05:46 18185 ----a-w- c:\program files\Common Files\bahibuliga.lib 2009-09-11 14:18 . 2004-08-12 14:01 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-10 18:54 . 2009-08-18 09:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 18:53 . 2009-08-18 09:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-09 06:25 . 2008-08-15 05:56 -------- d-----w- c:\program files\Microsoft Silverlight 2009-09-08 23:59 . 2009-09-08 23:59 -------- d-----w- c:\program files\Common Files\INCA Shared 2009-09-08 19:07 . 2007-03-19 16:17 -------- d-----w- c:\documents and settings\Lee\Application Data\IGN_DLM 2009-09-08 15:48 . 2008-05-11 04:02 -------- d-----w- c:\program files\Download Manager 2009-09-04 21:03 . 2004-08-12 14:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 03:15 . 2006-07-15 14:13 24736 -c--a-w- c:\documents and settings\Lee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-04 03:14 . 2009-09-04 03:14 -------- d-----w- c:\program files\MSECache 2009-08-29 08:08 . 2004-08-12 14:09 916480 ------w- c:\windows\system32\wininet.dll 2009-08-26 08:00 . 2004-08-12 14:06 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-23 16:25 . 2009-08-23 16:25 18546 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\umufakite.dat 2009-08-23 16:25 . 2009-08-23 16:25 17044 ----a-w- c:\windows\system32\uryp.sys 2009-08-23 16:25 . 2009-08-23 16:25 15828 ----a-w- c:\program files\Common Files\iwakopa.lib 2009-08-23 16:25 . 2009-08-23 16:25 10766 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\digav.sys 2009-08-23 06:33 . 2009-08-23 06:33 3026 ----a-w- c:\windows\system32\drivers\hwinterface.sys 2009-08-20 07:15 . 2009-08-20 07:15 17408 ----a-w- C:\psapi.dll 2009-08-18 09:07 . 2009-08-18 09:07 19932 ----a-w- c:\program files\Common Files\zytym.lib 2009-08-18 09:07 . 2009-08-18 09:07 15781 ----a-w- c:\windows\tafezup.bin 2009-08-18 09:07 . 2009-08-18 09:07 14729 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\uxileqe.sys 2009-08-18 09:07 . 2009-08-18 09:07 13742 ----a-w- c:\program files\Common Files\fojynulo.bin 2009-08-18 09:07 . 2009-08-18 09:07 12699 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\lojo.bin 2009-08-18 09:07 . 2009-08-18 09:07 10863 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\qacihuho.exe 2009-08-18 07:59 . 2009-08-18 07:59 18163 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\inaro.scr 2009-08-18 07:59 . 2009-08-18 07:59 15145 ----a-w- c:\windows\system32\cyfyto.exe 2009-08-18 07:59 . 2009-08-18 07:59 14810 ----a-w- c:\program files\Common Files\wyvufowo.lib 2009-08-18 07:59 . 2009-08-18 07:59 13681 ----a-w- c:\program files\Common Files\towegyh.dll 2009-08-18 07:59 . 2009-08-18 07:59 11468 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\yqexu.bin 2009-08-18 07:59 . 2009-08-18 07:59 11126 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\dukuzeqo.scr 2009-08-18 07:59 . 2009-08-18 07:59 19517 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\xeqav.pif 2009-08-18 07:48 . 2009-08-18 07:48 19241 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\rabubix.com 2009-08-18 07:48 . 2009-08-18 07:48 17920 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\boworida.com 2009-08-18 07:48 . 2009-08-18 07:48 17320 ----a-w- c:\windows\ypip.bin 2009-08-18 07:48 . 2009-08-18 07:48 16823 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\ruqom.com 2009-08-18 07:48 . 2009-08-18 07:48 16454 ----a-w- c:\windows\system32\xyveluhy.sys 2009-08-18 07:48 . 2009-08-18 07:48 16067 ----a-w- c:\windows\system32\igyko.exe 2009-08-18 07:48 . 2009-08-18 07:48 12865 ----a-w- c:\windows\myqom.pif 2009-08-18 07:48 . 2009-08-18 07:48 11915 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\eqanenagup.bin 2009-08-18 07:48 . 2009-08-18 07:48 11006 ----a-w- c:\documents and settings\Lee\Application Data\uricogikyr.com 2009-08-18 07:48 . 2009-08-18 07:48 10392 ----a-w- c:\program files\Common Files\alyponatap._dl 2009-08-18 07:48 . 2009-08-18 07:48 10350 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\uwowufuty.scr 2009-08-18 07:45 . 2009-08-18 07:45 19415 ----a-w- c:\program files\Common Files\ykanifafo.dat 2009-08-18 07:45 . 2009-08-18 07:45 18998 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\igyde.sys 2009-08-18 07:45 . 2009-08-18 07:45 18953 ----a-w- c:\program files\Common Files\nacidufy.pif 2009-08-18 07:45 . 2009-08-18 07:45 18565 ----a-w- c:\documents and settings\Lee\Local Settings\Application Data\iwaduv.pif 2009-08-18 07:45 . 2009-08-18 07:45 17169 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\bavodudij.dll 2009-08-18 07:45 . 2009-08-18 07:45 17045 ----a-w- c:\documents and settings\Lee\Application Data\olec.dat 2009-08-18 07:45 . 2009-08-18 07:45 16257 ----a-w- c:\program files\Common Files\unusu.lib 2009-08-18 07:45 . 2009-08-18 07:45 14596 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\nuje.sys 2009-08-18 07:45 . 2009-08-18 07:45 14383 ----a-w- c:\documents and settings\Lee\Application Data\agadatysab.bin 2009-08-18 07:45 . 2009-08-18 07:45 10076 ----a-w- c:\windows\teso.pif 2009-08-16 15:08 . 2009-09-15 09:40 178176 ----a-w- c:\windows\system32\unrar.dll 2009-08-06 23:24 . 2006-07-15 13:50 327896 ----a-w- c:\windows\system32\wucltui.dll 2009-08-06 23:24 . 2006-07-15 13:50 209632 ----a-w- c:\windows\system32\wuweb.dll 2009-08-06 23:24 . 2006-07-15 13:50 35552 ----a-w- c:\windows\system32\wups.dll 2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll 2009-08-06 23:24 . 2006-07-15 13:50 53472 ------w- c:\windows\system32\wuauclt.exe 2009-08-06 23:24 . 2004-08-12 13:56 96480 ----a-w- c:\windows\system32\cdm.dll 2009-08-06 23:23 . 2006-07-15 13:50 575704 ----a-w- c:\windows\system32\wuapi.dll 2009-08-06 23:23 . 2008-08-12 04:55 274288 ----a-w- c:\windows\system32\mucltui.dll 2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll 2009-08-06 23:23 . 2006-07-15 13:50 1929952 ----a-w- c:\windows\system32\wuaueng.dll 2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-04 15:13 . 2004-08-12 14:02 2145280 ------w- c:\windows\system32\ntoskrnl.exe 2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] "trtrCLIStart"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe" [2009-10-28 38912] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-8-6 745472] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Lee^Start Menu^Programs^Startup^GameSpot Download Manager.lnk] backup=c:\windows\pss\GameSpot Download Manager.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "FastUserSwitchingCompatibility"=3 (0x3) "RasMan"=3 (0x3) "wuauserv"=2 (0x2) "WZCSVC"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "McNASvc"=2 (0x2) "mcmscsvc"=2 (0x2) "Lavasoft Ad-Aware Service"=2 (0x2) "gupdate1c9875074bdd0a0"=2 (0x2) "getPlus® Helper"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Program Files\\City of Heroes\\CovUpdater.exe"= "c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\NAMCO BANDAI Games\\Warhammer Battle March\\Warhammer.exe"= "c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"= "c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 "58584:TCP"= 58584:TCP:Pando Media Booster "58584:UDP"= 58584:UDP:Pando Media Booster R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [8/23/2009 2:33 AM 3026] R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\SYSTEM32\DRIVERS\EAPPkt.sys [8/6/2009 3:49 AM 66048] R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [8/6/2009 3:13 AM 167808] S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?] S3 bfastfao;bfastfao;\??\c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Lee\LOCALS~1\Temp\bfastfao.sys [?] S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [10/20/2009 8:42 PM 267760] S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [10/20/2009 8:42 PM 218608] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 SjyPkt;SjyPkt;c:\windows\SYSTEM32\DRIVERS\SjyPkt.sys [8/6/2009 3:49 AM 13532] S3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [10/1/2006 2:37 PM 26624] S4 gupdate1c9875074bdd0a0;Google Update Service (gupdate1c9875074bdd0a0);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 1:13 AM 133104] S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1179232] --- Other Services/Drivers In Memory --- *Deregistered* - CLASSPNP_2 *Deregistered* - mbr . Contents of the 'Scheduled Tasks' folder 2009-10-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:07] 2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca584a85e68342.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 05:13] 2008-03-15 c:\windows\Tasks\McDefragTask.job - c:\windows\system32\defrag.exe [2004-08-12 00:12] . . ------- Supplementary Scan ------- . Trusted Zone: live.com\onecare DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://www.wizard101.com/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB FF - ProfilePath - c:\documents and settings\Lee\Application Data\Mozilla\Firefox\Profiles\2f0vdxnv.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service . - - - - ORPHANS REMOVED - - - - WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file) ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-30 22:33 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1060284298-1606980848-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:2d,23,b2,e0,34,81,9f,d0,3d,81,0c,6f,bf,37,ac,8a,43,a5,70,12,a5,c2,65, f6,c6,e2,66,c2,e6,62,86,2b,7b,1b,61,8b,40,fa,2c,34,26,b6,c3,a5,10,0c,49,44,\ "??"=hex:27,95,0a,24,59,5d,d9,80,26,8f,b1,e7,65,bc,b3,84 [HKEY_USERS\S-1-5-21-1060284298-1606980848-682003330-1004\Software\SecuROM\License information*] "datasecu"=hex:cd,ce,46,e6,99,15,80,16,49,78,87,3a,f7,8e,4b,aa,f9,d9,0d,ae,b9, de,17,30,44,b6,23,0f,e8,6a,0c,10,ed,b8,90,d7,ed,09,30,20,f4,09,63,2f,94,0c,\ "rkeysecu"=hex:3c,3b,fd,e7,4b,a5,35,1d,4a,02,50,73,8f,9e,7c,31 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(724) c:\windows\system32\Ati2evxx.dll . Completion time: 2009-10-31 22:35 ComboFix-quarantined-files.txt 2009-10-31 02:35 ComboFix2.txt 2009-10-29 08:01 ComboFix3.txt 2009-10-29 01:34 ComboFix4.txt 2009-10-28 08:02 ComboFix5.txt 2009-10-31 02:27 Pre-Run: 77,043,744,768 bytes free Post-Run: 77,136,052,224 bytes free - - End Of File - - 1355B0D757A2B917607DE2DA4B0A9DDF ComboFix.txt