
Trouble with unknown malware


moks

Recommended Posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:26, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TweakMASTER\TMTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProxyWay\proxyway.exe
C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
I:\New Folder\u96\u96.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:81 local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - S-1-5-21-343818398-115176313-839522115-1003 Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe (User '?')
O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\mzvkbd.dll,C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\adialhk.dll,C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\kloehk.dll,
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OOMMKAP - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe (file missing)
O23 - Service: RB - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\RB.exe (file missing)

--
End of file - 10957 bytes

My AV detected that Generic Host for Win32 Services was trying to access http://q

Can anybody help? I have tried to delete

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:81 local

but it always comes back.

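As an added example (not code from the original post, from HijackThis or from ComboFix), here is a small Python triage pass over the entry classes that matter in a log like the one above. It deliberately reports the 127.0.0.1:81 proxy as something to explain rather than something to delete: the same log shows ProxyWay, a local proxy program, both running and in HKCU\..\Run, and a tool like that could be re-applying the setting at every logon, which would match the symptom of the entry coming back. The tool list in LOCAL_PROXY_TOOLS, the severities and the trimmed sample log are my assumptions. Services registered to files under %Temp% (the OOMMKAP and RB entries) are rated high even though the files are already gone, because the service registration is itself the leftover.

```python
"""Triage pass over a Trend Micro HijackThis v2 log (added example, not part
of HijackThis or of the original post). Flags what a responder reads first:
IE proxy on loopback (R1), unknown Winsock LSPs (O10), NameServer overrides
(O17), AppInit_DLLs (O20), services in Temp or missing (O23), processes run
from Temp or a non-system drive. Severities, LOCAL_PROXY_TOOLS and SAMPLE_LOG
are the author's assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted in the thread above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ProxyWay\proxyway.exe
I:\New Folder\u96\u96.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\mzvkbd.dll,
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OOMMKAP - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe (file missing)
O23 - Service: RB - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\RB.exe (file missing)
"""

# Assumption: programs that legitimately point IE at a loopback proxy.
LOCAL_PROXY_TOOLS = ("proxyway", "privoxy")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$", re.I)
RUN_RE = re.compile(r"^O4 - .*: \[[^\]]+\] (?P<cmd>.+)$", re.I)
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>.+)$", re.I)
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$", re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$", re.I)
SERVICE_RE = re.compile(r"^O23 - Service: .+? - .+? - (?P<path>.+)$", re.I)

@dataclass
class Finding:
    severity: str  # "high": act on it, "medium": verify, "info": note
    line: str
    reason: str

def in_temp(path: str) -> bool:
    """True under any Temp directory; 8.3 short names (LOCALS~1\\Temp) included."""
    return "\\temp\\" in path.lower()

def ip_is(addr: str, prop: str) -> bool:
    """ipaddress predicate by name; unparsable input is False so a human sees it."""
    try:
        return getattr(ipaddress.ip_address(addr), prop)
    except ValueError:
        return False

def triage(log_text: str) -> list:
    text = log_text.replace("\r\n", "\n")
    lines = text.splitlines()
    # The 'Running processes:' block runs up to the first blank line.
    _, sep, rest = text.partition("Running processes:")
    procs = [p.strip() for p in rest.split("\n\n", 1)[0].splitlines() if p.strip()] if sep else []
    run_cmds = [m.group("cmd") for m in map(RUN_RE.match, lines) if m]
    # A loopback proxy is expected when a local proxy tool is installed; name it.
    proxy_tools = sorted({t for t in LOCAL_PROXY_TOOLS for s in procs + run_cmds if t in s.lower()})
    findings = []
    for proc in procs:
        if in_temp(proc):
            findings.append(Finding("high", proc, "process running from a Temp directory"))
        elif not proc.lower().startswith("c:\\"):
            findings.append(Finding("medium", proc, "process running from a non-system drive; identify the file"))
    for line in lines:
        if m := PROXY_RE.match(line):
            host = m.group("proxy").rsplit(":", 1)[0]
            if host.lower() == "localhost" or ip_is(host, "is_loopback"):
                why = "IE sends all traffic through a proxy on this machine"
                if proxy_tools:
                    why += "; installed candidates: " + ", ".join(proxy_tools) + " (stop them, re-check)"
                findings.append(Finding("medium", line, why))
        elif m := LSP_RE.match(line):
            findings.append(Finding("medium", line, f"unidentified LSP {m.group('dll')}: find the vendor; deleting an LSP blindly breaks the Winsock chain"))
        elif m := DNS_RE.match(line):
            public = [s for s in re.split(r"[,\s]+", m.group("servers")) if s and not ip_is(s, "is_private")]
            if public:
                findings.append(Finding("medium", line, "resolvers outside private ranges: " + ", ".join(public) + "; confirm they are the ISP's"))
        elif m := APPINIT_RE.match(line):
            n = len([d for d in m.group("dlls").split(",") if d.strip()])
            findings.append(Finding("info", line, f"{n} DLL(s) loaded into every user-mode process; verify each publisher"))
        elif m := SERVICE_RE.match(line):
            path = m.group("path")
            missing = "(file missing)" in path.lower()
            if in_temp(path):
                findings.append(Finding("high", line, "service registered to a binary in Temp" + ("; file gone, the service entry is the leftover" if missing else "")))
            elif missing:
                findings.append(Finding("info", line, "service binary missing; remove the dead registration"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.reason}\n         {f.line}")
```

Pass triage() the text of a full log; the embedded sample exists only to exercise the rules offline. The output is a worklist, not a verdict: bmnet.dll and the executable on I:\ still have to be identified by hand, and an unknown LSP is never removed without first knowing what installed it.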

Can anybody help me? Thanks in advance.


  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


First of all, thanks screen317 for your attention. Here I have included both the ComboFix and HijackThis logs.

ComboFix log

ComboFix 09-11-07.02 - User XP 11/08/2009 13:10.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1671 [GMT 7:00]
Running from: c:\documents and settings\User XP\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User XP\Favorites\Mp3 download.url
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it ;)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.
2009-11-06 02:12 . 2009-11-06 02:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-06 01:35 . 2009-11-06 01:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-11-06 01:35 . 2009-11-06 01:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-11-06 01:35 . 2009-11-06 01:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-06 01:35 . 2009-11-07 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-11-06 01:35 . 2009-11-06 09:03 -------- d-----w- c:\documents and settings\User XP\Application Data\Spyware Terminator
2009-11-06 01:34 . 2009-11-06 09:14 -------- d-----w- c:\program files\Spyware Terminator
2009-11-06 01:27 . 2009-11-06 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-05 14:39 . 2009-11-05 14:39 -------- d-----w- c:\documents and settings\User XP\Application Data\Lavasoft
2009-11-05 14:18 . 2009-11-05 14:18 -------- d-----w- C:\!KillBox
2009-11-05 13:40 . 2009-11-05 13:40 -------- d-----w- c:\documents and settings\User XP\Application Data\Grisoft
2009-11-05 13:39 . 2007-05-30 12:10 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
2009-11-05 13:39 . 2009-11-05 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-11-05 13:32 . 2009-11-05 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-05 13:26 . 2009-11-05 13:26 -------- d-----w- c:\program files\SpywareBlaster
2009-11-05 12:31 . 2009-11-05 12:31 -------- d-----w- c:\program files\Trend Micro
2009-11-04 01:50 . 2009-11-07 02:13 -------- d-----w- c:\program files\ProxyWay
2009-11-03 06:05 . 2004-08-03 17:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 06:05 . 2001-08-17 15:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 06:05 . 2004-08-03 15:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-03 06:05 . 2004-08-03 15:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-27 15:38 . 2009-10-27 16:18 -------- d-----w- c:\program files\GSA Auto Website Submitter
2009-10-27 11:53 . 2009-10-27 11:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-27 10:52 . 2009-11-02 03:51 -------- d-----w- c:\program files\The Ad Clicker 2
2009-10-26 16:10 . 2009-10-26 16:10 -------- d-----w- c:\documents and settings\User XP\Application Data\NotMyIp
2009-10-26 13:45 . 2009-10-26 13:45 -------- d-----w- c:\documents and settings\User XP\Application Data\Technology Lighthouse
2009-10-26 12:27 . 2009-05-12 10:20 173384 ----a-w- c:\windows\system32\AVLibrary.dll
2009-10-26 11:44 . 2009-10-26 11:44 -------- d-----w- c:\program files\Privoxy
2009-10-26 11:27 . 2009-10-27 15:05 769775 ----a-w- c:\documents and settings\User XP\Application Data\Hide IP NG\hideipng-update.exe
2009-10-26 11:18 . 2009-10-23 08:36 -------- d-----w- c:\temp\Automatic Mouse Schedule
2009-10-26 11:16 . 2009-11-05 02:34 -------- d-----w- c:\documents and settings\User XP\Local Settings\Application Data\Temp
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\program files\DU Meter
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-10-25 13:29 -------- d-----w- c:\program files\TweakMASTER
2009-10-19 22:59 . 2009-11-01 10:52 -------- d-----w- c:\temp\u95
2009-10-19 22:37 . 2009-10-19 22:58 -------- d-----w- c:\temp\asm 103
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 06:19 . 2009-06-26 12:11 -------- d-----w- c:\documents and settings\User XP\Application Data\DMCache
2009-11-08 06:18 . 2008-06-23 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-08 06:18 . 2009-07-29 10:26 -------- d-----w- c:\program files\cFosSpeed
2009-11-08 06:16 . 2008-11-09 16:08 8003104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-08 06:16 . 2008-11-09 16:08 7400 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-08 06:16 . 2008-11-09 16:08 69892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-08 06:16 . 2008-11-09 16:08 622624 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-06 12:18 . 2008-05-07 02:33 -------- d-----w- c:\program files\Winamp
2009-11-05 13:53 . 2008-09-18 10:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-05 13:10 . 2008-08-06 10:38 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-04 12:28 . 2009-07-06 14:41 -------- d-----w- c:\documents and settings\User XP\Application Data\IDM
2009-11-03 14:19 . 2008-07-30 11:13 -------- d-----w- c:\program files\FlashGet
2009-11-03 06:09 . 2009-04-24 12:44 -------- d-----w- c:\program files\MODEM Mobile Connection
2009-10-27 15:06 . 2009-03-21 17:22 -------- d-----w- c:\documents and settings\User XP\Application Data\Hide IP NG
2009-10-15 04:26 . 2009-07-14 11:14 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 04:26 . 2009-07-14 11:14 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-04 02:13 . 2009-10-03 03:56 -------- d-----w- c:\program files\ImageConverter Plus
2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\program files\Common Files\DirectX
2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\DragonicaSCB
2009-10-02 16:55 . 2009-10-02 16:55 -------- d-----w- c:\program files\IrfanView
2009-09-21 16:53 . 2009-09-21 16:53 -------- d-----w- c:\program files\Bridge software
2009-09-17 16:49 . 2009-05-13 11:51 982896 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-17 02:58 . 2009-09-17 02:58 25214 ----a-r- c:\documents and settings\User XP\Application Data\Microsoft\Installer\{1C40AC14-26B0-4D2F-A6C9-36CAE8643EE0}\VineClientIcon.exe
2009-09-14 18:25 . 2009-10-03 03:56 180224 ----a-w- c:\windows\system32\cnvshell.dll
2009-09-14 03:53 . 2009-04-30 23:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-11 04:12 . 2009-09-11 04:12 -------- d-----w- c:\program files\Link Generator
2009-09-10 10:16 . 2009-07-22 10:14 -------- d-----w- c:\program files\Raxco
2009-09-10 10:08 . 2008-05-06 10:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 12:04 . 2009-08-24 12:04 781435 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\Download.dll
2009-08-24 12:04 . 2009-08-24 12:04 22528 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll
2009-08-14 15:00 . 2009-08-14 15:00 52224 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll
2009-08-14 15:00 . 2009-08-14 15:00 114688 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\npmozax.dll
.
------- Sigcheck -------
[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-28 960944]
"SpeedConnectStartUp"="c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe" [2008-08-18 565760]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-11-06 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-12 208616]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2009-07-02 887512]
"TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2006-11-27 284712]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-04-04 1822720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2007-09-20 53760]

c:\documents and settings\User XP\Start Menu\Programs\Startup\
LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\GPS Monitor\\SwiApiMux.exe"=

"c:\\Program Files\\FlashGet\\FlashGet.exe"=

"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 17:29 33808]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [11/6/2009 08:35 142592]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [5/6/2008 17:51 37376]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 18:02 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 17:06 24592]

R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 13:18 20352]

S3 ancsys;ancsys;c:\windows\system32\drivers\ancsys.sys [5/14/2008 17:32 9856]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 06:56 109080]

S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 06:01 3328]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 npkycryp;npkycryp;\??\i:\lineageii\system\npkycryp.sys --> i:\lineageii\system\npkycryp.sys [?]

S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User XP\My Documents\Downloads\Programs\RohanBotEn1.0.36\RohanBotEn1.0.36\NTProcDrv.sys [8/25/2009 22:01 3584]

S3 OOMMKAP;OOMMKAP;c:\docume~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe --> c:\docume~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe [?]

S3 RB;RB;c:\docume~1\USERXP~1\LOCALS~1\Temp\RB.exe --> c:\docume~1\USERXP~1\LOCALS~1\Temp\RB.exe [?]

S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 177536]

S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 145280]

S3 Tcpz-x86;Tcpz-x86;\??\c:\docume~1\USERXP~1\LOCALS~1\Temp\Tcpz-x86.sys --> c:\docume~1\USERXP~1\LOCALS~1\Temp\Tcpz-x86.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-07 01:23]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Add to &LinkFox - c:\progra~1\TweakMASTER\TweakBHO.dll/IESCRIPT

IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: bmnet.dll

TCP: {FA0DDEC5-0674-4290-A613-E9314C98882E} = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1

FF - ProfilePath - c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2359848&SearchSource=13

FF - component: c:\documents and settings\User XP\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ProxyWay - c:\program files\ProxyWay\proxyway.exe

SafeBoot-AVG Anti-Spyware Driver

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-08 13:19

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):D1,09,1e,07,2e,1f,52,72,d2,39,ad,38,41,31,5f,b6,86,73,5f,b1,a2,

bc,c5,ea,c2,9e,2f,e1,a0,d2,71,65,5c,f7,69,08,a6,2e,05,f2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9192687-ddc4-4227-b5b5-a07cf2f589ab}]

@Denied: (Full) (Everyone)

"Model"=dword:000000c6

"Therad"=dword:00000010

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(644)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\windows\system32\bmwebcfg.exe

c:\program files\cFosSpeed\spd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Spyware Terminator\sp_rsser.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-11-08 13:23 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-08 06:23

Pre-Run: 264,065,024 bytes free

Post-Run: 172,785,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1A34C616D5287B30D117DCCC26F24351

-----------------------------------------------------------------------------------------------------------------------------------------------

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:28:54, on 11/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\Program Files\cFosSpeed\spd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\cFosSpeed\cFosSpeed.exe

C:\Program Files\TweakMASTER\TMTray.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe

C:\Program Files\Uniblue\LocalCooling\localcooling2.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\CCleaner\CCleaner.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe

O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [speedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [spywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT

O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1

O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OOMMKAP - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe (file missing)

O23 - Service: RB - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\RB.exe (file missing)

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--

End of file - 9478 bytes


  • Staff

Hi,

You are running a very old standalone version of AVG Antispyware. The current version is bundled with its antivirus, and your version is too out of date to be doing any good. Please uninstall it from Add or Remove Programs.

Important: Are you currently running any cracked programs?

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

OOMMKAP

RB

Tcpz-x86

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\ancsys.sys

Post the results in your reply.

Can you update MBAM now?

-screen317


ComboFix Log

ComboFix 09-11-08.03 - User XP 11/09/2009 9:01.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1545 [GMT 7:00]

Running from: c:\documents and settings\User XP\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User XP\Desktop\CFScript.txt

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_OOMMKAP

-------\Legacy_RB

-------\Legacy_TCPZ-X86

-------\Service_OOMMKAP

-------\Service_RB

-------\Service_Tcpz-x86

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))

.

2009-11-06 02:12 . 2009-11-06 02:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2009-11-06 01:35 . 2009-11-06 01:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe

2009-11-06 01:35 . 2009-11-06 01:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys

2009-11-06 01:35 . 2009-11-06 01:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-11-06 01:35 . 2009-11-07 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2009-11-06 01:35 . 2009-11-06 09:03 -------- d-----w- c:\documents and settings\User XP\Application Data\Spyware Terminator

2009-11-06 01:34 . 2009-11-06 09:14 -------- d-----w- c:\program files\Spyware Terminator

2009-11-06 01:27 . 2009-11-06 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-05 14:39 . 2009-11-05 14:39 -------- d-----w- c:\documents and settings\User XP\Application Data\Lavasoft

2009-11-05 14:18 . 2009-11-05 14:18 -------- d-----w- C:\!KillBox

2009-11-05 13:39 . 2009-11-05 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft

2009-11-05 13:32 . 2009-11-05 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-05 13:26 . 2009-11-05 13:26 -------- d-----w- c:\program files\SpywareBlaster

2009-11-05 12:31 . 2009-11-05 12:31 -------- d-----w- c:\program files\Trend Micro

2009-11-04 01:50 . 2009-11-07 02:13 -------- d-----w- c:\program files\ProxyWay

2009-11-03 06:05 . 2004-08-03 17:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-11-03 06:05 . 2001-08-17 15:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-11-03 06:05 . 2004-08-03 15:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-11-03 06:05 . 2004-08-03 15:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-10-27 15:38 . 2009-10-27 16:18 -------- d-----w- c:\program files\GSA Auto Website Submitter

2009-10-27 11:53 . 2009-10-27 11:53 -------- d-----w- c:\program files\Microsoft Silverlight

2009-10-27 10:52 . 2009-11-02 03:51 -------- d-----w- c:\program files\The Ad Clicker 2

2009-10-26 16:10 . 2009-10-26 16:10 -------- d-----w- c:\documents and settings\User XP\Application Data\NotMyIp

2009-10-26 13:45 . 2009-10-26 13:45 -------- d-----w- c:\documents and settings\User XP\Application Data\Technology Lighthouse

2009-10-26 12:27 . 2009-05-12 10:20 173384 ----a-w- c:\windows\system32\AVLibrary.dll

2009-10-26 11:44 . 2009-10-26 11:44 -------- d-----w- c:\program files\Privoxy

2009-10-26 11:27 . 2009-10-27 15:05 769775 ----a-w- c:\documents and settings\User XP\Application Data\Hide IP NG\hideipng-update.exe

2009-10-26 11:18 . 2009-10-23 08:36 -------- d-----w- c:\temp\Automatic Mouse Schedule

2009-10-26 11:16 . 2009-11-05 02:34 -------- d-----w- c:\documents and settings\User XP\Local Settings\Application Data\Temp

2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\program files\DU Meter

2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\Hagel Technologies

2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies

2009-10-25 13:15 . 2009-10-25 13:29 -------- d-----w- c:\program files\TweakMASTER

2009-10-19 22:59 . 2009-11-01 10:52 -------- d-----w- c:\temp\u95

2009-10-19 22:37 . 2009-10-19 22:58 -------- d-----w- c:\temp\asm 103

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-09 02:11 . 2009-06-26 12:11 -------- d-----w- c:\documents and settings\User XP\Application Data\DMCache

2009-11-09 02:11 . 2008-06-23 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-11-09 02:11 . 2009-07-29 10:26 -------- d-----w- c:\program files\cFosSpeed

2009-11-09 02:08 . 2008-11-09 16:08 8003104 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-11-09 02:08 . 2008-11-09 16:08 7400 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-11-09 02:08 . 2008-11-09 16:08 69892 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-11-09 02:08 . 2008-11-09 16:08 622624 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-11-06 12:18 . 2008-05-07 02:33 -------- d-----w- c:\program files\Winamp

2009-11-05 13:53 . 2008-09-18 10:22 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-05 13:10 . 2008-08-06 10:38 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-11-04 12:28 . 2009-07-06 14:41 -------- d-----w- c:\documents and settings\User XP\Application Data\IDM

2009-11-03 14:19 . 2008-07-30 11:13 -------- d-----w- c:\program files\FlashGet

2009-11-03 06:09 . 2009-04-24 12:44 -------- d-----w- c:\program files\MODEM Mobile Connection

2009-10-27 15:06 . 2009-03-21 17:22 -------- d-----w- c:\documents and settings\User XP\Application Data\Hide IP NG

2009-10-15 04:26 . 2009-07-14 11:14 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-10-15 04:26 . 2009-07-14 11:14 108059 ----a-w- c:\windows\system32\drivers\klin.dat

2009-10-04 02:13 . 2009-10-03 03:56 -------- d-----w- c:\program files\ImageConverter Plus

2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\program files\Common Files\DirectX

2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\DragonicaSCB

2009-10-02 16:55 . 2009-10-02 16:55 -------- d-----w- c:\program files\IrfanView

2009-09-21 16:53 . 2009-09-21 16:53 -------- d-----w- c:\program files\Bridge software

2009-09-17 16:49 . 2009-05-13 11:51 982896 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-09-17 02:58 . 2009-09-17 02:58 25214 ----a-r- c:\documents and settings\User XP\Application Data\Microsoft\Installer\{1C40AC14-26B0-4D2F-A6C9-36CAE8643EE0}\VineClientIcon.exe

2009-09-14 18:25 . 2009-10-03 03:56 180224 ----a-w- c:\windows\system32\cnvshell.dll

2009-09-14 03:53 . 2009-04-30 23:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-11 04:12 . 2009-09-11 04:12 -------- d-----w- c:\program files\Link Generator

2009-09-10 10:16 . 2009-07-22 10:14 -------- d-----w- c:\program files\Raxco

2009-09-10 10:08 . 2008-05-06 10:51 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-24 12:04 . 2009-08-24 12:04 781435 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\Download.dll

2009-08-24 12:04 . 2009-08-24 12:04 22528 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll

2009-08-14 15:00 . 2009-08-14 15:00 52224 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll

2009-08-14 15:00 . 2009-08-14 15:00 114688 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\npmozax.dll

.

------- Sigcheck -------

[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-11-08_06.20.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-11-09 02:10 . 2009-11-09 02:10 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-28 960944]

"SpeedConnectStartUp"="c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe" [2008-08-18 565760]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-11-06 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-12 208616]

"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2009-07-02 887512]

"TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2006-11-27 284712]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-04-04 1822720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2007-09-20 53760]

c:\documents and settings\User XP\Start Menu\Programs\Startup\

LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\GPS Monitor\\SwiApiMux.exe"=

"c:\\Program Files\\FlashGet\\FlashGet.exe"=

"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 17:29 33808]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [11/6/2009 08:35 142592]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [5/6/2008 17:51 37376]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 18:02 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 17:06 24592]

R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 13:18 20352]

S3 ancsys;ancsys;c:\windows\system32\drivers\ancsys.sys [5/14/2008 17:32 9856]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 06:56 109080]

S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 06:01 3328]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 npkycryp;npkycryp;\??\i:\lineageii\system\npkycryp.sys --> i:\lineageii\system\npkycryp.sys [?]

S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User XP\My Documents\Downloads\Programs\RohanBotEn1.0.36\RohanBotEn1.0.36\NTProcDrv.sys [8/25/2009 22:01 3584]

S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 177536]

S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 145280]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-07 01:23]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Add to &LinkFox - c:\progra~1\TweakMASTER\TweakBHO.dll/IESCRIPT

IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: bmnet.dll

TCP: {FA0DDEC5-0674-4290-A613-E9314C98882E} = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1

FF - ProfilePath - c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2359848&SearchSource=13

FF - component: c:\documents and settings\User XP\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-09 09:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):D1,09,1e,07,2e,1f,52,72,d2,39,ad,38,41,31,5f,b6,86,73,5f,b1,a2,

bc,c5,ea,c2,9e,2f,e1,a0,d2,71,65,5c,f7,69,08,a6,2e,05,f2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9192687-ddc4-4227-b5b5-a07cf2f589ab}]

@Denied: (Full) (Everyone)

"Model"=dword:000000c6

"Therad"=dword:00000010

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(724)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\bmwebcfg.exe

c:\program files\cFosSpeed\spd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Spyware Terminator\sp_rsser.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-11-09 9:14 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-09 02:14

ComboFix2.txt 2009-11-08 06:23

Pre-Run: 181,415,936 bytes free

Post-Run: 140,505,088 bytes free

- - End Of File - - E0E018888938492CACF898781FEE6C75

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:15:12, on 11/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\Program Files\cFosSpeed\spd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\cFosSpeed\cFosSpeed.exe

C:\Program Files\TweakMASTER\TMTray.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\Program Files\Uniblue\LocalCooling\localcooling2.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe

O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [speedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [spywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT

O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1

O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--

End of file - 8891 bytes

VirusTotal scan

File ancsys.sys received on 2009.11.09 02:20:18 (UTC)


Result: 1/40 (2.5%)


Antivirus Version Last Update Result

a-squared 4.5.0.41 2009.11.09 -

AhnLab-V3 5.0.0.2 2009.11.06 -

AntiVir 7.9.1.61 2009.11.08 -

Antiy-AVL 2.0.3.7 2009.11.05 -

Authentium 5.2.0.5 2009.11.08 -

Avast 4.8.1351.0 2009.11.08 -

AVG 8.5.0.423 2009.11.08 -

BitDefender 7.2 2009.11.09 -

CAT-QuickHeal 10.00 2009.11.07 -

ClamAV 0.94.1 2009.11.09 -

Comodo 2890 2009.11.09 -

DrWeb 5.0.0.12182 2009.11.09 -

eTrust-Vet 35.1.7108 2009.11.06 -

F-Prot 4.5.1.85 2009.11.08 -

F-Secure 9.0.15370.0 2009.11.04 -

Fortinet 3.120.0.0 2009.11.08 -

GData 19 2009.11.09 -

Ikarus T3.1.1.74.0 2009.11.09 -

Jiangmin 11.0.800 2009.11.08 -

K7AntiVirus 7.10.891 2009.11.07 -

Kaspersky 7.0.0.125 2009.11.09 -

McAfee 5796 2009.11.08 -

McAfee+Artemis 5796 2009.11.08 -

McAfee-GW-Edition 6.8.5 2009.11.09 -

Microsoft 1.5202 2009.11.08 -

NOD32 4586 2009.11.09 -

Norman 6.03.02 2009.11.06 -

nProtect 2009.1.8.0 2009.11.08 -

Panda 10.0.2.2 2009.11.08 -

PCTools 7.0.3.5 2009.11.06 -

Prevx 3.0 2009.11.09 -

Rising 21.54.62.00 2009.11.08 RootKit.Win32.Agent.GEN

Sophos 4.47.0 2009.11.09 -

Sunbelt 3.2.1858.2 2009.11.08 -

Symantec 1.4.4.12 2009.11.09 -

TheHacker 6.5.0.2.063 2009.11.06 -

TrendMicro 9.0.0.1003 2009.11.08 -

VBA32 3.12.10.11 2009.11.09 -

ViRobot 2009.11.6.2025 2009.11.06 -

VirusBuster 4.6.5.0 2009.11.08 -

Additional information

File size: 9856 bytes

MD5...: ffc2790d8fd9babd536775087f1c3a38

SHA1..: 7d8ec22e3b3dc0bae19f355d4efe910966920929

SHA256: ec6abdc3e36be6ec4501025dfaf91cbf8c70eba373d7dc9e2234a698b1e2475c

ssdeep: 96:NQEPqrBc98Zqh9CXBkkNM2/LD8zZOlxa7uB8pHXXxh/q3hCDAr:uESG8ZqvUHDi03a7uB8p3r/dDA

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1f8e

timedatestamp.....: 0x4861ac5f (Wed Jun 25 02:24:31 2008)

machinetype.......: 0x14c (I386)

( 6 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x480 0x50d 0x580 5.85 467e8da1b50927baabadb0902a6d8312

.rdata 0xa00 0x224 0x280 3.60 7ef66a0cca93cd73a4529ac14aeee42a

.data 0xc80 0x334 0x380 1.53 5da01dae15c20d48e4fa62b0dde8908b

PAGE 0x1000 0xe14 0xe80 6.06 41016783af2d165f8e0387e57475ab81

INIT 0x1e80 0x504 0x580 5.47 b7d192857379931539251450ed0b45f1

.reloc 0x2400 0x218 0x280 5.31 c4d75cefe2679c41906d54132e7cc082

( 1 imports )

> ntoskrnl.exe: ZwCreateSection, ZwOpenProcess, memset, MmIsAddressValid, IofCompleteRequest, PsGetCurrentProcessId, IoDeleteSymbolicLink, RtlInitUnicodeString, IoDeleteDevice, DbgPrint, MmGetSystemRoutineAddress, IoCreateSymbolicLink, IoCreateDevice, ProbeForRead, strncmp, _strupr, ObfDereferenceObject, PsLookupProcessByProcessId, ObReferenceObjectByHandle, KeWaitForSingleObject, ZwClose, KeInitializeEvent, KeSetEvent, RtlCompareUnicodeString, RtlUnicodeToMultiByteN, ExFreePoolWithTag, ExAllocatePoolWithTag, ObOpenObjectByPointer, KeTickCount, RtlUnwind, KeBugCheckEx

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

trid..: Clipper DOS Executable (33.3%)

Generic Win/DOS Executable (33.0%)

DOS Executable Generic (33.0%)

VXD Driver (0.5%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

I have some cracked software installed, but I have already removed it. I still can't update MBAM.

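The part of the VirusTotal report above that actually says something about ancsys.sys is not the 1/40 detection ratio but the PEInfo block: a 9856-byte unsigned driver with no version resource that imports ZwOpenProcess, PsLookupProcessByProcessId, ObOpenObjectByPointer and MmGetSystemRoutineAddress from ntoskrnl.exe. The Python below is an added example for this thread, not code from VirusTotal, Rising, or any other tool named here: it parses a VirusTotal-style PEInfo text block (section table, import line, sigcheck "verified" line) and tags the imported kernel routines by what they let the driver do. The capability groupings, the entropy threshold and the verdict rule are this example's own heuristics, and the embedded report is an abbreviated copy of the one posted above.

```python
"""Static triage of a kernel driver from a VirusTotal-style PEInfo report.

Added example for this thread. The capability table, the 7.0 entropy
threshold and the verdict rule are assumptions made here, not anything
VirusTotal or an AV vendor publishes.
"""
import re

# Constructed sample: the ancsys.sys report posted in this thread, cut down
# to the lines this script reads.
SAMPLE_REPORT = """
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0x50d 0x580 5.85 467e8da1b50927baabadb0902a6d8312
.rdata 0xa00 0x224 0x280 3.60 7ef66a0cca93cd73a4529ac14aeee42a
.data 0xc80 0x334 0x380 1.53 5da01dae15c20d48e4fa62b0dde8908b
PAGE 0x1000 0xe14 0xe80 6.06 41016783af2d165f8e0387e57475ab81
INIT 0x1e80 0x504 0x580 5.47 b7d192857379931539251450ed0b45f1
.reloc 0x2400 0x218 0x280 5.31 c4d75cefe2679c41906d54132e7cc082
( 1 imports )
> ntoskrnl.exe: ZwCreateSection, ZwOpenProcess, memset, MmIsAddressValid, IofCompleteRequest, PsGetCurrentProcessId, IoDeleteSymbolicLink, RtlInitUnicodeString, IoDeleteDevice, DbgPrint, MmGetSystemRoutineAddress, IoCreateSymbolicLink, IoCreateDevice, ProbeForRead, strncmp, _strupr, ObfDereferenceObject, PsLookupProcessByProcessId, ObReferenceObjectByHandle, KeWaitForSingleObject, ZwClose, KeInitializeEvent, KeSetEvent, RtlCompareUnicodeString, RtlUnicodeToMultiByteN, ExFreePoolWithTag, ExAllocatePoolWithTag, ObOpenObjectByPointer, KeTickCount, RtlUnwind, KeBugCheckEx
publisher....: n/a
verified.....: Unsigned
"""

# Heuristic grouping (assumption): which imported routines imply which capability.
CAPABILITIES = {
    "user-mode control channel (device object + symlink, IOCTL completion)":
        {"IoCreateDevice", "IoCreateSymbolicLink", "IofCompleteRequest"},
    "opens or references other processes by PID":
        {"ZwOpenProcess", "PsLookupProcessByProcessId", "ObOpenObjectByPointer"},
    "resolves kernel routines at run time (hides further imports from static analysis)":
        {"MmGetSystemRoutineAddress"},
    "reads caller-supplied memory (parses IOCTL input buffers)":
        {"ProbeForRead", "MmIsAddressValid"},
    "creates sections (file mapping or code/data injection)":
        {"ZwCreateSection"},
}

SECTION_ROW = re.compile(
    r"^\S+ 0x[0-9a-f]+ 0x[0-9a-f]+ 0x[0-9a-f]+ \d+\.\d+ [0-9a-f]{32}$", re.IGNORECASE
)


def parse_report(text):
    """Return (imported routine names, imported module names, sections, sigcheck verdict)."""
    imports, modules, sections, verified = set(), set(), [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("> "):                      # "> module: A, B, C"
            module, names = line[2:].split(":", 1)
            modules.add(module.strip().lower())
            imports.update(n.strip() for n in names.split(",") if n.strip())
        elif SECTION_ROW.match(line):                  # "name va vsize rsize entropy md5"
            name, _va, vsize, rsize, entropy, _md5 = line.split()
            sections.append((name, int(vsize, 16), int(rsize, 16), float(entropy)))
        elif line.startswith("verified"):              # sigcheck "verified.....: Unsigned"
            verified = line.split(":", 1)[1].strip()
    return imports, modules, sections, verified


def triage_driver(text):
    """Summarise what the driver can do and whether it deserves a closer look."""
    imports, modules, sections, verified = parse_report(text)
    capabilities = [label for label, needed in CAPABILITIES.items() if needed & imports]
    is_kernel_driver = "ntoskrnl.exe" in modules
    unsigned = verified == "Unsigned"
    # Entropy near 8 bits/byte suggests a packed or encrypted section (threshold is an assumption).
    packed = any(entropy > 7.0 for _name, _vs, _rs, entropy in sections)
    verdict = "investigate" if (is_kernel_driver and unsigned and capabilities) else "low"
    return {
        "kernel_driver": is_kernel_driver,
        "unsigned": unsigned,
        "packed_sections": packed,
        "section_count": len(sections),
        "capabilities": capabilities,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage_driver(SAMPLE_REPORT)
    print(f"verdict: {result['verdict']} (unsigned={result['unsigned']}, packed={result['packed_sections']})")
    for cap in result["capabilities"]:
        print(" -", cap)
```

The point of the capability view is that an unsigned driver which opens arbitrary processes by PID and resolves further kernel routines at run time warrants removal on its own merits, whether or not most engines have a signature for it yet; the detection ratio only tells you how many vendors have seen this particular file.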

  • Staff

My apologies for the delay. Please feel free to PM me if I don't respond within a reasonable amount of time.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

ancsys

KILLALL::

File::

c:\windows\system32\drivers\ancsys.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

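Reading the HijackThis logs in this thread by hand, the entries worth a second look are the same few kinds each time: a Winsock LSP HijackThis cannot attribute (O10, bmnet.dll), per-interface DNS servers (O17) that are not the router, a browser proxy pointed at a local port (R1 ProxyServer), a service whose binary is missing (O23), and a driver loaded from a user's Downloads folder (the ComboFix S3 NTProcDrv line). The Python below is an added example for this thread, not part of HijackThis, ComboFix or any post here: it parses those line types and returns the findings. The severity labels and the expected_resolvers parameter are this example's own assumptions (HijackThis itself does not rank entries), and the embedded sample is a handful of lines excerpted from the logs posted in this thread plus one benign O23 line for contrast.

```python
"""Triage HijackThis 2.x / ComboFix-style log lines for the indicators seen in this thread.

Added example. Severity labels, the expected_resolvers whitelist and the
user-writable path pattern are assumptions made here, not HijackThis output.
"""
import ipaddress
import re

# Constructed sample: lines excerpted from the logs in this thread (the O23 NVIDIA
# line is benign and is included for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,192.168.1.1
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User XP\My Documents\Downloads\Programs\RohanBotEn1.0.36\NTProcDrv.sys [8/25/2009 22:01 3584]
"""

# Locations a limited user can write to on XP/Vista-era Windows (assumption: heuristic only).
USER_WRITABLE = re.compile(
    r"(documents and settings\\[^\\]+\\(my documents|local settings|application data)"
    r"|\\downloads\\|\\temp\\|\\users\\[^\\]+\\)",
    re.IGNORECASE,
)


def classify_ip(addr):
    """Return 'loopback', 'private', 'public' or 'invalid' for a dotted-quad string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:          # checked first: 127/8 also counts as private in ipaddress
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def triage(log_text, expected_resolvers=()):
    """Return a list of (severity, entry_code, detail) findings for the log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]            # "R1", "O10", "O17", "O23", "S3", ...
        if code == "R1" and "ProxyServer =" in line:
            proxy = line.split("=", 1)[1].strip()
            host = proxy.rsplit(":", 1)[0]
            kind = classify_ip(host)
            # A proxy on 127.0.0.1 means some local program sits in front of the browser.
            sev = "high" if kind == "loopback" else "medium"
            findings.append((sev, "R1", f"browser proxy forced to {proxy} ({kind} host)"))
        elif code == "O10":
            dll = line.rsplit(":", 1)[1].strip()
            findings.append(("medium", "O10", f"Winsock LSP HijackThis cannot attribute: {dll}"))
        elif code == "O17" and "NameServer =" in line:
            # HijackThis prints resolvers separated by commas or spaces depending on the key.
            servers = re.split(r"[,\s]+", line.split("NameServer =", 1)[1].strip())
            for server in servers:
                kind = classify_ip(server)
                if kind == "public" and server not in expected_resolvers:
                    findings.append(("medium", "O17", f"unexpected public DNS resolver {server}"))
                elif kind == "invalid":
                    findings.append(("low", "O17", f"malformed resolver entry {server!r}"))
        elif code == "O23" and line.endswith("(file missing)"):
            name = line.split("Service:", 1)[1].split(" - ", 1)[0].strip()
            findings.append(("low", "O23", f"orphaned service, binary missing: {name}"))
        # Applies to any entry type: code run from a path the user (or malware as the user) can write.
        if USER_WRITABLE.search(line):
            findings.append(("high", code, f"code loaded from a user-writable path: {line[:90]}"))
    return findings


if __name__ == "__main__":
    for severity, code, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code:4} {detail}")
```

Pass the ISP's or corporate resolvers as expected_resolvers once you know them; until then every public resolver in an O17 line is reported, which is the right default for a machine whose DNS settings you do not yet trust.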

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:25:05, on 11/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\Program Files\cFosSpeed\spd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\cFosSpeed\cFosSpeed.exe

C:\Program Files\TweakMASTER\TMTray.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Uniblue\LocalCooling\localcooling2.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe

O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [speedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT

O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1

O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--

End of file - 8966 bytes

-------------------------------------------------------------------------------------------------------------------------------------------

ComboFix Log

ComboFix 09-11-19.05 - User XP 11/20/2009 8:13.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1460 [GMT 7:00]

Running from: c:\documents and settings\User XP\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User XP\Desktop\CFScript.txt

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

* Created a new restore point

FILE ::

"c:\windows\system32\drivers\ancsys.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\ancsys.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANCSYS

-------\Legacy_NPF

-------\Service_ancsys

((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))

.

2009-11-19 07:33 . 2009-11-19 07:33 -------- d-----w- c:\program files\Defraggler

2009-11-19 07:30 . 2009-11-19 07:30 -------- d-----w- c:\program files\CCleaner

2009-11-14 01:09 . 2009-09-10 07:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-12 12:53 . 2009-11-12 12:53 -------- d-----w- c:\documents and settings\User XP\Application Data\DivX

2009-11-06 02:12 . 2009-11-06 02:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2009-11-06 01:35 . 2009-11-06 01:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe

2009-11-06 01:35 . 2009-11-06 01:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys

2009-11-06 01:35 . 2009-11-06 01:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-11-06 01:35 . 2009-11-17 15:46 -------- d-----w- c:\documents and settings\User XP\Application Data\Spyware Terminator

2009-11-06 01:35 . 2009-11-17 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2009-11-06 01:34 . 2009-11-14 01:01 -------- d-----w- c:\program files\Spyware Terminator

2009-11-06 01:27 . 2009-11-06 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-05 14:39 . 2009-11-05 14:39 -------- d-----w- c:\documents and settings\User XP\Application Data\Lavasoft

2009-11-05 13:39 . 2009-11-05 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft

2009-11-05 13:32 . 2009-11-19 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-05 12:31 . 2009-11-05 12:31 -------- d-----w- c:\program files\Trend Micro

2009-11-04 01:50 . 2009-11-07 02:13 -------- d-----w- c:\program files\ProxyWay

2009-11-03 06:05 . 2004-08-03 17:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-11-03 06:05 . 2001-08-17 15:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-11-03 06:05 . 2004-08-03 15:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-11-03 06:05 . 2004-08-03 15:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-10-27 15:38 . 2009-10-27 16:18 -------- d-----w- c:\program files\GSA Auto Website Submitter

2009-10-27 11:53 . 2009-10-27 11:53 -------- d-----w- c:\program files\Microsoft Silverlight

2009-10-26 13:45 . 2009-10-26 13:45 -------- d-----w- c:\documents and settings\User XP\Application Data\Technology Lighthouse

2009-10-26 12:27 . 2009-05-12 10:20 173384 ----a-w- c:\windows\system32\AVLibrary.dll

2009-10-26 11:44 . 2009-10-26 11:44 -------- d-----w- c:\program files\Privoxy

2009-10-26 11:18 . 2009-10-23 08:36 -------- d-----w- c:\temp\Automatic Mouse Schedule

2009-10-26 11:16 . 2009-11-05 02:34 -------- d-----w- c:\documents and settings\User XP\Local Settings\Application Data\Temp

2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\Hagel Technologies

2009-10-25 13:15 . 2009-11-12 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies

2009-10-25 13:15 . 2009-10-25 13:29 -------- d-----w- c:\program files\TweakMASTER

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-20 01:21 . 2009-06-26 12:11 -------- d-----w- c:\documents and settings\User XP\Application Data\DMCache

2009-11-20 01:21 . 2008-06-23 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-11-20 01:21 . 2009-07-29 10:26 -------- d-----w- c:\program files\cFosSpeed

2009-11-20 01:19 . 2008-11-09 16:08 8042528 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-11-20 01:19 . 2008-11-09 16:08 7400 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-11-20 01:19 . 2008-11-09 16:08 70200 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-11-20 01:19 . 2008-11-09 16:08 622624 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-11-19 19:22 . 2008-05-07 02:33 -------- d-----w- c:\program files\Winamp

2009-11-19 12:20 . 2008-08-06 10:38 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-11-19 11:04 . 2008-07-30 11:13 -------- d-----w- c:\program files\FlashGet

2009-11-19 10:37 . 2009-07-06 14:41 -------- d-----w- c:\documents and settings\User XP\Application Data\IDM

2009-11-14 01:09 . 2008-06-23 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-14 01:08 . 2008-06-23 15:50 4045527 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-11-12 03:09 . 2009-10-03 03:56 -------- d-----w- c:\program files\ImageConverter Plus

2009-11-05 13:53 . 2008-09-18 10:22 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-03 06:09 . 2009-04-24 12:44 -------- d-----w- c:\program files\MODEM Mobile Connection

2009-10-15 04:26 . 2009-07-14 11:14 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-10-15 04:26 . 2009-07-14 11:14 108059 ----a-w- c:\windows\system32\drivers\klin.dat

2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\program files\Common Files\DirectX

2009-10-02 16:55 . 2009-10-02 16:55 -------- d-----w- c:\program files\IrfanView

2009-09-21 16:53 . 2009-09-21 16:53 -------- d-----w- c:\program files\Bridge software

2009-09-17 16:49 . 2009-05-13 11:51 982896 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-09-17 02:58 . 2009-09-17 02:58 25214 ----a-r- c:\documents and settings\User XP\Application Data\Microsoft\Installer\{1C40AC14-26B0-4D2F-A6C9-36CAE8643EE0}\VineClientIcon.exe

2009-09-10 07:53 . 2008-06-23 15:24 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys

2009-08-24 12:04 . 2009-08-24 12:04 781435 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\Download.dll

2009-08-24 12:04 . 2009-08-24 12:04 22528 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll

.

------- Sigcheck -------

[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-28 960944]

"SpeedConnectStartUp"="c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe" [2008-08-18 565760]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-12 208616]

"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2009-07-02 887512]

"TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2006-11-27 284712]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-04-04 1822720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2007-09-20 53760]

c:\documents and settings\User XP\Start Menu\Programs\Startup\

LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=

"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\GPS Monitor\\SwiApiMux.exe"=

"c:\\Program Files\\FlashGet\\FlashGet.exe"=

"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 17:29 33808]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [11/6/2009 08:35 142592]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [5/6/2008 17:51 37376]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 18:02 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 17:06 24592]

R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 13:18 20352]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 06:56 109080]

S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 06:01 3328]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 npkycryp;npkycryp;\??\i:\lineageii\system\npkycryp.sys --> i:\lineageii\system\npkycryp.sys [?]

S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User XP\My Documents\Downloads\Programs\RohanBotEn1.0.36\RohanBotEn1.0.36\NTProcDrv.sys [8/25/2009 22:01 3584]

S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 177536]

S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 145280]

.

Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-07 01:23]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = local

uInternet Settings,ProxyServer = 127.0.0.1:9666

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Add to &LinkFox - c:\progra~1\TweakMASTER\TweakBHO.dll/IESCRIPT

IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: bmnet.dll

TCP: {FA0DDEC5-0674-4290-A613-E9314C98882E} = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1

FF - ProfilePath - c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2359848&SearchSource=13

FF - component: c:\documents and settings\User XP\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-20 08:21

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):D1,09,1e,07,2e,1f,52,72,d2,39,ad,38,41,31,5f,b6,86,73,5f,b1,a2,

bc,c5,ea,c2,9e,2f,e1,a0,d2,71,65,5c,f7,69,08,a6,2e,05,f2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9192687-ddc4-4227-b5b5-a07cf2f589ab}]

@Denied: (Full) (Everyone)

"Model"=dword:000000c6

"Therad"=dword:00000010

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3896)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\bmwebcfg.exe

c:\program files\cFosSpeed\spd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Spyware Terminator\sp_rsser.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2009-11-20 08:24 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-20 01:24

ComboFix2.txt 2009-11-09 02:14

ComboFix3.txt 2009-11-08 06:23

Pre-Run: 879,136,768 bytes free

Post-Run: 893,898,752 bytes free

- - End Of File - - D06D0CB6028DBCD32FE91A89A713AADE


  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
