Inactive Infected virus

Discussion in 'Malware and Virus Removal Archive' started by johnkill, 2010/09/26.


    I've got a virus.....


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/24/2010 12:26:32 PM
    System Uptime: 9/26/2010 10:08:19 AM (9 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: Mobile Intel(R) Pentium(R) 4 - M CPU 2.40GHz | uFC-PGA Socket | 2394/100mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 10.363 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\TOS6202\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\TOS6202\2&DABA3FF&0
    Service:

    ==== System Restore Points ===================

    RP1: 7/24/2010 12:30:28 PM - Installed Microsoft Office Professional Edition 2003
    RP2: 7/24/2010 12:39:47 PM - Installed Ralink Wireless LAN
    RP3: 7/25/2010 1:10:47 PM - Installed PC Inspector File Recovery
    RP4: 7/26/2010 11:43:28 AM - Restore Operation
    RP5: 7/29/2010 12:21:50 PM - System Checkpoint
    RP6: 7/29/2010 7:23:29 PM - Installed Java(TM) 6 Update 21
    RP7: 8/2/2010 11:44:55 AM - System Checkpoint
    RP8: 8/4/2010 11:49:42 AM - System Checkpoint
    RP9: 8/7/2010 6:53:27 PM - System Checkpoint
    RP10: 8/17/2010 6:30:31 AM - System Checkpoint
    RP11: 8/20/2010 3:22:00 PM - System Checkpoint
    RP12: 8/22/2010 5:23:52 AM - System Checkpoint
    RP13: 8/27/2010 12:12:26 PM - Installed iTunes
    RP14: 9/4/2010 9:26:21 PM - System Checkpoint
    RP15: 9/7/2010 12:54:48 PM - System Checkpoint
    RP16: 9/8/2010 2:54:26 PM - System Checkpoint
    RP17: 9/9/2010 11:27:42 PM - System Checkpoint
    RP18: 9/11/2010 10:01:50 AM - System Checkpoint
    RP19: 9/12/2010 10:20:11 AM - System Checkpoint
    RP20: 9/13/2010 1:36:45 AM - Installed DirectX
    RP21: 9/14/2010 2:43:54 AM - Installed Nokia Connectivity Cable Driver
    RP22: 9/14/2010 2:49:40 AM - Unsigned driver install
    RP23: 9/14/2010 3:54:00 AM - Unsigned driver install
    RP24: 9/14/2010 4:05:19 AM - Unsigned driver install
    RP25: 9/14/2010 2:16:31 PM - Removed Ask Toolbar.
    RP26: 9/14/2010 4:27:15 PM - Removed Nokia Connectivity Cable Driver
    RP27: 9/14/2010 4:29:24 PM - Installed Nokia Connectivity Cable Driver
    RP28: 9/16/2010 3:38:44 AM - Unsigned driver install
    RP29: 9/16/2010 5:50:02 AM - Installed UFS Suite
    RP30: 9/16/2010 6:58:09 AM - Unsigned driver install
    RP31: 9/16/2010 11:56:12 PM - Installed AVG Free 9.0
    RP32: 9/17/2010 9:46:12 AM - Avg Update
    RP33: 9/17/2010 9:57:24 AM - Removed AVG Free 9.0
    RP34: 9/17/2010 9:59:45 AM - Installed AVG Free 9.0
    RP35: 9/18/2010 2:18:04 PM - System Checkpoint
    RP36: 9/19/2010 10:53:16 PM - System Checkpoint
    RP37: 9/20/2010 12:02:01 AM - Unsigned driver install
    RP38: 9/21/2010 6:34:23 AM - System Checkpoint
    RP39: 9/22/2010 10:07:49 AM - System Checkpoint
    RP40: 9/23/2010 11:56:25 PM - System Checkpoint
    RP41: 9/25/2010 10:21:20 AM - System Checkpoint
    RP42: 9/26/2010 1:41:24 PM - Installed AVG Free 9.0

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    365PowerOff
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Autorun Virus Remover 2.3
    BitTorrent
    Bonjour
    BufferChm
    Cafe Manila 8.6.6
    Camfrog Video Chat 5.5
    CCleaner
    Chikka Messenger V4
    Counter Strike Xtreme V4
    Coupon Printer for Windows
    CPROXY 1.0
    D2600
    Delta Force - Black Hawk Down
    DeviceDiscovery
    DJ_SF_05_D2600_Software_Min
    Globe Broadband
    Google Chrome
    Google Earth
    Google Update Helper
    GPBaseService2
    HP Customer Participation Program 14.0
    HP Deskjet D2600 Printer Driver Software 14.0 Rel. 5
    HP Imaging Device Functions 14.0
    HP Photo Creations
    HP Smart Web Printing 4.60
    HP Solution Center 14.0
    HP Update
    HPProductAssistant
    HPSSupply
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Connections Drivers
    iTunes
    JAF INTERFACE Drivers
    JAF Setup
    Java Auto Updater
    Java(TM) 6 Update 21
    MarketResearch
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6.10)
    Nokia Connectivity Cable Driver
    Nokia Firmware RM-174
    NsPro v5.7.8
    Proxifier version 2.8
    proXPN 2.2.5
    QuickTime
    QuickTime Alternative 1.67
    Ralink Wireless LAN
    SAMSUNG Mobile Modem Driver Set
    SAMSUNG Mobile USB Modem Software
    Shop for HP Supplies
    SmartMoto
    SmartWebPrinting
    Software Update for Web Folders
    SolutionCenter
    SoundMAX
    Status
    Super Mp3 Download
    Toolbox
    TOSHIBA Software Modem
    TrayApp
    UFS Suite
    UFSx Device USB Drivers
    WebReg
    Winamp
    WinRAR archiver
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    9/26/2010 10:25:53 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.2.100 with the system having network hardware address 00:19:21:49:07:60. Network operations on this system may be disrupted as a result.
    9/26/2010 1:41:19 PM, error: Service Control Manager [7024] - The AVG Free WatchDog service terminated with service-specific error 3221684350 (0xC007007E).
    9/26/2010 1:41:18 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 19 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:41:09 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 18 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:41:01 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 17 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:40:52 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 16 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:40:42 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 15 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:40:33 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 14 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:40:23 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 13 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:40:14 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 12 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:40:04 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 11 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:39:55 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 10 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:39:45 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 9 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:39:36 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:39:27 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    9/26/2010 1:39:19 PM, error: Service Control Manager [7034] - The AVG Free WatchDog service terminated unexpectedly. It has done this 6 time(s).
    9/26/2010 1:39:10 PM, error: Service Control Manager [7034] - The AVG Free WatchDog service terminated unexpectedly. It has done this 5 time(s).
    9/26/2010 1:39:02 PM, error: Service Control Manager [7034] - The AVG Free WatchDog service terminated unexpectedly. It has done this 4 time(s).
    9/26/2010 1:38:21 PM, error: Service Control Manager [7034] - The AVG Free WatchDog service terminated unexpectedly. It has done this 3 time(s).
    9/26/2010 1:38:13 PM, error: Service Control Manager [7034] - The AVG Free WatchDog service terminated unexpectedly. It has done this 2 time(s).
    9/26/2010 1:38:05 PM, error: Service Control Manager [7034] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s).
    9/25/2010 7:46:31 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    9/25/2010 11:28:29 AM, error: Dhcp [1002] - The IP address lease 173.0.0.232 for the Network Card with network address 00FFDBE040A9 has been denied by the DHCP server 173.0.9.254 (The DHCP Server sent a DHCPNACK message).
    9/25/2010 10:03:16 AM, error: Dhcp [1002] - The IP address lease 192.168.2.106 for the Network Card with network address 00080D218DD9 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    9/25/2010 1:57:42 PM, error: Dhcp [1002] - The IP address lease 173.0.9.244 for the Network Card with network address 00FFDBE040A9 has been denied by the DHCP server 173.0.13.254 (The DHCP Server sent a DHCPNACK message).
    9/24/2010 9:49:10 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
    9/24/2010 8:08:42 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.2.100 with the system having network hardware address 00:11:2F:2A:5F:49. Network operations on this system may be disrupted as a result.
    9/24/2010 6:20:44 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: The system cannot find the path specified. .
    9/24/2010 6:20:44 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Plants vs Zombies\PlantsVsZombies.exe. Reference error message: The operation completed successfully. .
    9/24/2010 11:40:43 PM, error: Dhcp [1002] - The IP address lease 173.0.9.222 for the Network Card with network address 00FFDBE040A9 has been denied by the DHCP server 173.0.0.254 (The DHCP Server sent a DHCPNACK message).
    9/24/2010 10:52:17 PM, error: Dhcp [1002] - The IP address lease 173.0.5.224 for the Network Card with network address 00FFDBE040A9 has been denied by the DHCP server 173.0.9.254 (The DHCP Server sent a DHCPNACK message).
    9/23/2010 10:18:36 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/21/2010 8:36:23 AM, error: Dhcp [1002] - The IP address lease 192.168.0.101 for the Network Card with network address 0013D370B08C has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    9/21/2010 8:22:26 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)
    9/20/2010 12:01:43 AM, error: SCardSvr [610] - Smart Card Reader 'Axalto e-gate 0' rejected IOCTL POWER: The media in the drive may have changed.
    9/20/2010 12:01:43 AM, error: SCardSvr [610] - Smart Card Reader 'Axalto e-gate 0' rejected IOCTL POWER: The device does not recognize the command.
    9/20/2010 12:01:43 AM, error: Egaterdr [0] -

    ==== End Of File ===========================





    DDS (Ver_10-03-17.01) - NTFSx86
    Run by johnkill at 19:55:59.81 on Sun 09/26/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.422 [GMT 1:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Documents and Settings\johnkill\dauusi.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\PROGRA~1\CAFEMA~1\CafeManila.exe
    C:\DOCUME~1\johnkill\LOCALS~1\Temp\winiyvkdy.exe
    C:\DOCUME~1\johnkill\LOCALS~1\Temp\wineanmhr.exe
    C:\Documents and Settings\johnkill\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\explorer.exe
    c:\Program Files\Microsoft Silverlight\4.0.50826.0\agcp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\johnkill\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZCxdm80133US&ptb=Ydy0xUVEd0rFNzuO_rnmZg
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = local;*.local
    uInternet Settings,ProxyServer = 10.0.0.1:5555
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe "
    uRun: [dauusi] c:\documents and settings\johnkill\dauusi.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [WinLiveUpdate]
    mRun: [CafeManila]
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [protect_autorun] c:\documents and settings\johnkill\my documents\downloads\autorunkiller172\autorunkiller172\CPE17AntiAutorun1330.exe /start
    dRun: [msnsc] c:\windows\system32\msnsc.exe
    dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll "
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
    uPolicies-explorer: RestrictRun = 0 (0x0)
    uPolicies-explorer: AutoUpdate = 0 (0x0)
    uPolicies-explorer: NoViewOnDrive = 0 (0x0)
    uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    uPolicies-explorer: NoAutoUpdate = 0 (0x0)
    uPolicies-explorer: NoSMConfigurePrograms = 0 (0x0)
    uPolicies-explorer: NoToolbarsCustomize = 0 (0x0)
    uPolicies-explorer: DisallowRun = 0 (0x0)
    uPolicies-explorer: NoPrinters = 0 (0x0)
    uPolicies-explorer: NoInstrumentation = 0 (0x0)
    uPolicies-explorer: HideDesktop = 0 (0x0)
    uPolicies-explorer: NoWorkgroupContents = 0 (0x0)
    uPolicies-explorer: ClearDocsOnExit = 0 (0x0)
    uPolicies-explorer: NoExpandedNewMenu = 0 (0x0)
    uPolicies-explorer: NoCommonGroups = 0 (0x0)
    uPolicies-disallowrun: iexplore.exe = iexplore.exe Remove
    uPolicies-disallowrun: setup.exe = setup.exe Remove
    uPolicies-disallowrun: winword.exe = winword.exe Remove
    uPolicies-disallowrun: notepad.exe = notepad.exe Remove
    uPolicies-system: NoDispAppearancePage = 0 (0x0)
    uPolicies-system: NoDispSettingsPage = 0 (0x0)
    uPolicies-system: NoSecCPL = 0 (0x0)
    uPolicies-system: NoAdminPage = 0 (0x0)
    uPolicies-system: NoConfigPage = 0 (0x0)
    uPolicies-system: NoDevMgrPage = 0 (0x0)
    uPolicies-system: NoFileSysPage = 0 (0x0)
    uPolicies-system: NoVirtMemPage = 0 (0x0)
    uPolicies-system: NoPwdPage = 0 (0x0)
    mPolicies-explorer: RestrictRun = 0 (0x0)
    mPolicies-explorer: NoPrinters = 0 (0x0)
    mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    mPolicies-explorer: NoInstrumentation = 0 (0x0)
    mPolicies-explorer: HideDesktop = 0 (0x0)
    mPolicies-explorer: NoWorkgroupContents = 0 (0x0)
    mPolicies-explorer: ClearDocsOnExit = 0 (0x0)
    mPolicies-explorer: NoExpandedNewMenu = 0 (0x0)
    mPolicies-explorer: NoCommonGroups = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: NoSecCPL = 0 (0x0)
    mPolicies-system: NoDispAppearancePage = 0 (0x0)
    mPolicies-system: NoDispSettingsPage = 0 (0x0)
    mPolicies-system: NoAdminPage = 0 (0x0)
    mPolicies-system: NoConfigPage = 0 (0x0)
    mPolicies-system: NoDevMgrPage = 0 (0x0)
    mPolicies-system: NoFileSysPage = 0 (0x0)
    mPolicies-system: NoVirtMemPage = 0 (0x0)
    mPolicies-system: NoPwdPage = 0 (0x0)
    IE: &Search - http://edits.mywebsearch.com/toolba...3US&si=&a=Ydy0xUVEd0rFNzuO_rnmZg&n=2010090622
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: Show all images in original quality - c:\program files\www.cproxy.com\originalAll.htm
    IE: Show image in original quality - c:\program files\www.cproxy.com\original.htm
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: %SystemRoot%\system32\PrxerDrv.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\johnkill\applic~1\mozilla\firefox\profiles\1axj5ms0.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.viploading.com/
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZCxdm80133US&ptb=Ydy0xUVEd0rFNzuO_rnmZg&psa=&ind=2010090622&ptnrS=ZCxdm80133US&si=&st=kwd&n=77cf8c7e&searchfor=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - 127.0.0.1
    FF - prefs.js: network.proxy.socks_port - 9000
    FF - prefs.js: network.proxy.ssl - 127.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-7-5 63352]
    R3 amsint32;amsint32;\??\c:\windows\system32\drivers\gqonhr.sys --> c:\windows\system32\drivers\gqonhr.sys [?]
    R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2009-11-2 15328]
    R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2009-11-2 13440]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-7-28 100736]
    R3 R5BaseSmc;USB Token Holder Service;c:\windows\system32\drivers\smccard.sys [2010-9-14 12800]
    R4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S3 Egatecard;Egatecard;c:\windows\system32\drivers\egate.sys [2009-11-2 18880]
    S3 MemWdm;MemWdm;c:\windows\system32\drivers\memwdm.sys [2010-9-14 27648]
    S3 MMVSC;Virtual Smart Card Reader;c:\windows\system32\drivers\vpscr.sys [2010-9-14 15360]
    S3 UFS2XX;UFS2XX.SYS UFS2 device driver;c:\windows\system32\drivers\UFS2XX.sys [2010-9-16 34639]

    =============== Created Last 30 ================

    2010-09-26 14:52:40 103140 --sh--r- C:\qblnw.pif
    2010-09-26 14:52:21 289 --sh--r- C:\autorun.inf
    2010-09-26 13:33:49 0 d-----w- c:\program files\CCleaner
    2010-09-26 12:48:35 200704 --sh--r- c:\documents and settings\johnkill\dauusi.scr
    2010-09-26 12:41:02 0 ----a-w- c:\windows\system32\commonpriv.log.lock
    2010-09-26 12:37:02 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2010-09-26 11:27:52 0 d-----w- c:\program files\AutorunRemover
    2010-09-26 09:25:50 0 d-----w- c:\windows\system32\IOSUBSYS
    2010-09-25 17:48:39 322560 ----a-w- c:\windows\system32\MSDBRPTR.DLL
    2010-09-25 16:39:12 200704 --sh--r- c:\documents and settings\johnkill\dauusi.exe
    2010-09-25 16:39:09 200704 --sh--r- c:\documents and settings\johnkill\alg.exe
    2010-09-21 09:31:50 0 d-----w- c:\windows\XSxS
    2010-09-21 09:31:50 0 d-----w- c:\program files\Xenocode
    2010-09-21 00:28:18 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
    2010-09-21 00:22:34 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-09-21 00:22:31 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2010-09-21 00:22:14 126976 ----a-w- c:\windows\system32\hpfll6en.dll
    2010-09-21 00:22:13 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2010-09-21 00:21:49 372736 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-09-21 00:21:49 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-09-21 00:21:49 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2010-09-21 00:19:30 0 d-----w- c:\program files\HP Photo Creations
    2010-09-21 00:19:30 0 d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
    2010-09-21 00:18:07 0 d-----w- c:\docume~1\johnkill\applic~1\HpUpdate
    2010-09-21 00:13:16 0 d-----w- c:\windows\Cache
    2010-09-21 00:13:14 0 d-----w- c:\program files\Coupons
    2010-09-21 00:11:12 0 d-----w- c:\program files\common files\Hewlett-Packard
    2010-09-21 00:09:04 0 d-----w- c:\program files\HP
    2010-09-21 00:08:56 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-09-21 00:05:55 558 ------w- c:\windows\hphmdl32.dat
    2010-09-21 00:05:55 171586 ----a-w- c:\windows\hphins32.dat
    2010-09-19 23:03:18 0 d-----w- c:\program files\GsmServer
    2010-09-19 22:58:45 0 d-----w- c:\program files\SAMSUNG
    2010-09-19 22:57:43 0 d-----w- c:\program files\NsPro
    2010-09-19 18:11:33 0 d-----w- c:\program files\Counter-Strike Xtreme V4
    2010-09-18 10:52:04 0 d-----w- c:\docume~1\johnkill\applic~1\TeamViewer
    2010-09-17 07:27:59 834128 ----a-w- c:\windows\system32\actbar2.ocx
    2010-09-17 07:27:59 29184 ----a-w- c:\windows\system32\CoolXPFrame.oca
    2010-09-17 07:27:59 2556 ----a-w- c:\windows\system32\astc.lib
    2010-09-17 07:27:59 230912 ----a-w- c:\windows\system32\UNWISE.EXE
    2010-09-17 07:27:59 178 ----a-w- c:\windows\system32\actbar2.inf
    2010-09-17 07:27:59 13312 ----a-w- c:\windows\system32\astc.oca
    2010-09-17 07:27:59 1089536 ----a-w- c:\windows\system32\astc.ocx
    2010-09-17 07:27:59 0 d-----w- c:\program files\CafeManila
    2010-09-16 22:56:13 0 d-----w- c:\program files\AVG
    2010-09-16 22:51:58 0 d-----w- c:\temp\relevantknowledge
    2010-09-16 22:51:41 0 d-----w- c:\program files\365PowerOff
    2010-09-16 07:20:58 3298816 ----a-w- C:\shell32.exe
    2010-09-16 06:34:01 4608 ----a-w- c:\windows\system32\ufsloader.dll
    2010-09-16 06:04:13 14336 ----a-w- c:\windows\system32\hwkkiller.dll
    2010-09-16 04:50:17 81920 ----a-w- c:\windows\system32\UFS2XX.dll
    2010-09-16 04:50:17 77824 ----a-w- c:\windows\system32\UFS2XXUN.exe
    2010-09-16 04:50:17 71 ----a-w- c:\windows\system32\UFS2XXUN.ini
    2010-09-16 04:50:17 34639 ----a-w- c:\windows\system32\drivers\UFS2XX.sys
    2010-09-16 04:50:06 0 d-----w- C:\WinTesla
    2010-09-16 04:50:02 0 d-----w- c:\program files\SarasSoft
    2010-09-14 15:29:37 8320 ----a-w- c:\windows\system32\drivers\nmwcdc.sys
    2010-09-14 15:29:36 65536 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-09-14 15:29:36 137216 ----a-w- c:\windows\system32\drivers\nmwcd.sys
    2010-09-14 15:29:26 0 d-----w- c:\program files\Nokia
    2010-09-14 13:16:50 0 d-----w- c:\windows\system32\appmgmt
    2010-09-14 04:53:15 3584 ----a-w- c:\windows\system32\drivers\DLPORTIO.SYS
    2010-09-14 04:53:15 34816 ----a-w- c:\windows\system32\DLPORTIO.DLL
    2010-09-14 03:02:38 4608 ----a-w- c:\windows\system32\R5CoInst.dll
    2010-09-14 03:02:38 23312 ----a-w- c:\windows\system32\_shfoldr.dll
    2010-09-14 03:02:38 21888 ----a-w- c:\windows\system32\drivers\eps2kt1.sys
    2010-09-14 03:02:38 12800 ----a-w- c:\windows\system32\drivers\smccard.sys
    2010-09-14 03:02:38 0 d-----w- c:\program files\backupdrivers
    2010-09-14 03:02:36 0 d-----w- c:\program files\Software Installation Information
    2010-09-14 01:57:13 27648 ----a-w- c:\windows\system32\drivers\memwdm.sys
    2010-09-14 01:57:13 15360 ----a-w- c:\windows\system32\drivers\vpscr.sys
    2010-09-14 01:57:04 4 ----a-w- c:\documents and settings\johnkill\JAFCC_Crt_SN.bin
    2010-09-14 01:44:01 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-09-14 01:43:48 0 d-----w- c:\program files\ODEON
    2010-09-13 01:24:37 2547712 ----a-w- c:\temp\DFBHD.EXE
    2010-09-13 00:36:50 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2010-09-13 00:36:47 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
    2010-09-13 00:36:40 0 d-----w- c:\windows\Logs
    2010-09-11 22:16:08 0 d-----w- c:\program files\NovaLogic
    2010-09-11 22:10:30 121 ----a-w- c:\windows\SIERRA.INI
    2010-09-11 22:10:27 0 d-sh--w- c:\documents and settings\johnkill\WINDOWS
    2010-09-09 21:49:22 0 d-----w- C:\USB
    2010-09-08 18:19:33 0 d-----w- c:\program files\common files\Symantec Shared
    2010-09-08 17:29:55 0 d-----w- c:\program files\Red Alert 2 Yuri's Revenge
    2010-09-08 10:49:42 0 d-----w- C:\dota2
    2010-09-08 10:40:02 0 d-----w- C:\dota
    2010-09-08 06:23:38 0 d-----w- c:\docume~1\johnkill\applic~1\SuperMP3Download
    2010-09-08 06:23:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SuperMP3Download
    2010-09-08 06:23:30 0 d-----w- c:\program files\SuperMp3Download
    2010-09-07 12:51:17 0 d-----w- c:\program files\BitTorrent
    2010-09-07 12:51:11 0 d-----w- c:\docume~1\johnkill\applic~1\BitTorrent
    2010-09-07 08:35:05 0 d---a-w- c:\program files\FunWebProducts
    2010-09-05 03:54:06 0 d-----w- c:\program files\FBLayouts
    2010-09-02 05:27:20 59904 ----a-w- c:\windows\system32\wbemdisp.tlb
    2010-09-01 09:39:44 0 d-----w- c:\docume~1\johnkill\applic~1\GPass-4
    2010-08-28 12:25:29 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-08-28 12:25:29 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-08-28 12:25:28 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

    ==================== Find3M ====================

    2010-09-25 23:30:40 10240 --sh--r- c:\documents and settings\johnkill\ert.dll
    2010-09-25 16:39:12 200704 ----a-w- c:\documents and settings\johnkill\x.exe
    2010-09-10 18:12:44 4224 ----a-w- c:\windows\system32\drivers\beep.sys
    2010-07-29 18:23:37 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-24 11:25:59 2293 ----a-w- c:\windows\mozver.dat
    2010-07-24 11:21:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 19:58:00.31 ===============

    please help...
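    The DDS log above lists every file created in the last 30 days together with its attribute flags. As an added triage example (it is not from the thread, from DDS, or from any tool mentioned here), the Python below parses those "Created Last 30" lines and flags what a malware analyst looks at first: hidden+system (`--sh--r-`) executables dropped at the drive root or a user profile root, an `autorun.inf` at the drive root, and files of identical size under different names. The sample input is a constructed subset of the lines posted above; the positional reading of the eight-character attribute field (directory, system, hidden, archive, read-only/writable) is an assumption inferred from the log, not taken from DDS documentation.

```python
"""Triage helper for the "Created Last 30" section of a DDS log (added example).

Assumption (inferred from the log, not from DDS documentation): the eight
character attribute field reads positionally as d/-, -, s(ystem)/-, h(idden)/-,
a(rchive)/-, -, r(ead-only)/w(ritable), -.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# date time size attrs path (attrs is the eight-character field described above)
_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)

# Extensions Windows will execute or load; autorun.inf is handled separately.
EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".dll", ".sys", ".bat", ".cmd", ".vbs"}
# "C:\name" and "C:\Documents and Settings\user\name": a freshly created
# hidden+system executable is rarely legitimate in either place.
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)
PROFILE_ROOT = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def ext(self) -> str:
        return self.name[self.name.rfind("."):] if "." in self.name else ""


def parse_created(text: str) -> List[Entry]:
    """Parse 'Created Last 30' lines; lines that do not match are ignored."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(Entry(m["date"], m["time"], int(m["size"]), m["attrs"], m["path"]))
    return out


def triage(e: Entry) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one entry, or None if nothing stands out."""
    in_root = bool(DRIVE_ROOT.match(e.path))
    in_profile = bool(PROFILE_ROOT.match(e.path))
    if e.is_dir:
        if e.hidden_system and (in_root or in_profile):
            return ("medium", "hidden+system directory created at a drive/profile root")
        return None
    if e.name == "autorun.inf" and in_root:
        return ("high", "autorun.inf at drive root (removable-media worm indicator)")
    if e.ext in EXEC_EXT and (in_root or in_profile):
        if e.hidden_system:
            return ("high", "hidden+system executable at a drive/profile root")
        return ("medium", "executable at a drive/profile root")
    return None


def triage_all(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(severity, path, reason) for every entry that triage() flags."""
    return [(r[0], e.path, r[1]) for e in entries for r in [triage(e)] if r]


def size_clusters(entries: List[Entry], min_count: int = 2) -> Dict[int, List[str]]:
    """Group executables by byte size: identical sizes under different names
    usually mean copies of one dropper."""
    by_size = defaultdict(list)
    for e in entries:
        if not e.is_dir and e.ext in EXEC_EXT:
            by_size[e.size].append(e.path)
    return {s: p for s, p in by_size.items() if len(p) >= min_count}


# Constructed sample: a subset of the "Created Last 30" lines posted above.
SAMPLE = r"""
2010-09-26 14:52:40 103140 --sh--r- C:\qblnw.pif
2010-09-26 14:52:21 289 --sh--r- C:\autorun.inf
2010-09-26 13:33:49 0 d-----w- c:\program files\CCleaner
2010-09-26 12:48:35 200704 --sh--r- c:\documents and settings\johnkill\dauusi.scr
2010-09-25 16:39:12 200704 --sh--r- c:\documents and settings\johnkill\dauusi.exe
2010-09-25 16:39:09 200704 --sh--r- c:\documents and settings\johnkill\alg.exe
2010-09-16 07:20:58 3298816 ----a-w- C:\shell32.exe
2010-09-21 00:22:34 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2010-09-11 22:10:27 0 d-sh--w- c:\documents and settings\johnkill\WINDOWS
"""

if __name__ == "__main__":
    ents = parse_created(SAMPLE)
    for sev, path, why in triage_all(ents):
        print(f"[{sev:6}] {path}  <- {why}")
    for size, paths in size_clusters(ents).items():
        print(f"same size {size} bytes: {', '.join(paths)}")
```

    Run against the full section rather than the sample and the same three heuristics surface the entries that the later scans in this thread quarantine; the size clustering is what makes the three 200704-byte files stand out as one dropper under different names.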
     
  2. 2010/09/26
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software (Azureus, Limewire, BitTorrent, uTorrent etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     


  4. 2010/09/26
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    I just installed BitTorrent when I downloaded games for my internet cafe; I am going to uninstall it now. Thanks for the help.

    Every time I install an anti-virus, the installer terminates without finishing the installation. It's done by the virus maybe.
     
  5. 2010/09/26
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Almost certainly. I'm no expert, but there are suspicious items in your log.

    Broni will be along whenever he has the time; until then, be patient.
     
  6. 2010/09/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I hope you won't abandon this topic like you did here: http://www.windowsbbs.com/malware-virus-removal/86483-active-computer-software-problem.html
    If you do, you won't be able to receive any more help in malware forum.
    Just a warning.

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. 2010/09/26
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    Here's the log for number 1...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4698

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    9/27/2010 1:09:43 AM
    mbam-log-2010-09-27 (01-09-43).txt

    Scan type: Quick scan
    Objects scanned: 141511
    Time elapsed: 11 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnsc (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\johnkill\My Documents\downloads\Retrogamer.exe (Adware.Iwon) -> Quarantined and deleted successfully.
    C:\autorun.inf (Malware.Packer.Gen) -> Delete on reboot.
    C:\weik.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hwkkiller.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msnsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    Thanks in Advance..
     
  8. 2010/09/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're welcome :)
     
  9. 2010/09/26
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    At 3am last night I went to sleep and left my laptop scanning with GMER; when I woke up today, I found my laptop HUNG. I'm restarting now and will continue step 2...
     
  10. 2010/09/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  11. 2010/09/26
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    Almost all of my PCs are infected with this kind of problem...
     
  12. 2010/09/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If GMER keeps stalling, proceed with next step.
     
  13. 2010/09/27
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    Haaay! After almost 8 hours of scanning in GMER, here's the log..



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-27 17:05:42
    Windows 5.1.2600 Service Pack 2
    Running: 7i9ue1uw.exe; Driver: C:\DOCUME~1\johnkill\LOCALS~1\Temp\uftdypob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\egatebus.sys entry point in "init" section [0xF7C83320]
    init C:\WINDOWS\system32\DRIVERS\smccard.sys entry point in "init" section [0xF7CA4D58]
    pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xEDADFF00, 0x24000, 0x48000000]
    ? C:\WINDOWS\system32\drivers\gqonhr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[288] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3916] USER32.dll!TrackPopupMenu 77D94EDE 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [61119CC3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61118B2C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61118AB0] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61118AEE] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [61119CC3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61118C27] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61118AEE] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61118B2C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61118BEF] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2516] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61118AB0] C:\Program Files\Yahoo!\Messenger\yui.dll

    ---- Files - GMER 1.0.15 ----

    File C:\USB\Firefox Setup 3.5.1.exe (size mismatch) 8190936/8117208 bytes executable
    File C:\USB\fox-player-setup.exe (size mismatch) 3536441/3466809 bytes executable
    File C:\USB\JAFSetup_1.98.62.exe (size mismatch) 10821632/10752000 bytes executable
    File C:\USB\ccsetup220.exe (size mismatch) 3325560/3247736 bytes executable

    ---- EOF - GMER 1.0.15 ----




    And here's the one for MBR



    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 129):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7CB3000 \WINDOWS\system32\KDCOM.DLL
    0xF7BC3000 \WINDOWS\system32\BOOTVID.dll
    0xF7764000 ACPI.sys
    0xF7CB5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7753000 pci.sys
    0xF77B3000 isapnp.sys
    0xF7BC7000 compbatt.sys
    0xF7BCB000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7D7B000 pciide.sys
    0xF7A33000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7735000 pcmcia.sys
    0xF77C3000 MountMgr.sys
    0xF7716000 ftdisk.sys
    0xF7CB7000 dmload.sys
    0xF76F0000 dmio.sys
    0xF7A3B000 PartMgr.sys
    0xF77D3000 VolSnap.sys
    0xF76D8000 atapi.sys
    0xF77E3000 disk.sys
    0xF77F3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF76B9000 fltMgr.sys
    0xF76A7000 sr.sys
    0xF7803000 PxHelp20.sys
    0xF7690000 KSecDD.sys
    0xF7603000 Ntfs.sys
    0xF75D6000 NDIS.sys
    0xF7A43000 sfhlp02.sys
    0xF75C2000 sfdrv01a.sys
    0xF75A8000 Mup.sys
    0xF79D3000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF745F000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xF744B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7AFB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7428000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7B03000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7400000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF7389000 \SystemRoot\system32\DRIVERS\RT61.sys
    0xF79E3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7B0B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7B13000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7375000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF79F3000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7A03000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7A13000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7352000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7B1B000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF72CD000 \SystemRoot\system32\drivers\smwdm.sys
    0xF72A9000 \SystemRoot\system32\drivers\portcls.sys
    0xF7A23000 \SystemRoot\system32\drivers\drmk.sys
    0xF7291000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF7C7F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF7C83000 \SystemRoot\system32\drivers\egatebus.sys
    0xF7E0A000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7833000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7C87000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF65BA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7843000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7853000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7B23000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF65A9000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7863000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7B2B000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7B33000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7B3B000 \SystemRoot\system32\DRIVERS\tap0901.sys
    0xF6578000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7883000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7CA3000 \SystemRoot\system32\DRIVERS\smccard.sys
    0xF7CA7000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
    0xF7CF3000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF651C000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7CAB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7CAF000 \SystemRoot\system32\DRIVERS\vsb.sys
    0xF7580000 \SystemRoot\system32\drivers\egaterdr.sys
    0xF7893000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF78B3000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7CF7000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7CF9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7E55000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7CFB000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7B63000 \SystemRoot\System32\drivers\vga.sys
    0xF7CFD000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7CFF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7B6B000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7B73000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7C47000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEE3A1000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEE349000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEE321000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF7C4B000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xEE2FF000 \SystemRoot\System32\drivers\afd.sys
    0xF78C3000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xEE2D4000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEE265000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF78D3000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF78E3000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7C67000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF78F3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF7B7B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF7C6B000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF7953000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEE225000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7D11000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF6518000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7B93000 \SystemRoot\System32\watchdog.sys
    0xBF9C2000 \SystemRoot\System32\drivers\dxg.sys
    0xF7E2E000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF9E2000 \SystemRoot\System32\ialmdnt5.dll
    0xBF9D4000 \SystemRoot\System32\ialmrnt5.dll
    0xBFA03000 \SystemRoot\System32\ialmdev5.DLL
    0xBFA37000 \SystemRoot\System32\ialmdd5.DLL
    0xF7A63000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xEDD98000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7D6F000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEDC2E000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEDBF1000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF7973000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEDADC000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xED723000 \SystemRoot\System32\Drivers\HTTP.sys
    0xED8BC000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
    0xF7D09000 \??\C:\WINDOWS\system32\drivers\gqonhr.sys
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF7AC3000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xED0E5000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xECF3E000 \??\C:\DOCUME~1\johnkill\LOCALS~1\Temp\uftdypob.sys
    0xECF14000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 36):
    0 System Idle Process
    4 System
    772 C:\WINDOWS\system32\smss.exe
    844 csrss.exe
    868 C:\WINDOWS\system32\winlogon.exe
    912 C:\WINDOWS\system32\services.exe
    924 C:\WINDOWS\system32\lsass.exe
    1072 C:\WINDOWS\system32\svchost.exe
    1116 svchost.exe
    1152 C:\WINDOWS\system32\svchost.exe
    1200 svchost.exe
    1312 svchost.exe
    1440 C:\WINDOWS\system32\spoolsv.exe
    1484 scardsvr.exe
    1788 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1804 C:\Program Files\Bonjour\mDNSResponder.exe
    1940 C:\WINDOWS\system32\svchost.exe
    1960 C:\Program Files\Java\jre6\bin\jqs.exe
    2000 C:\WINDOWS\system32\svchost.exe
    128 C:\WINDOWS\system32\svchost.exe
    296 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    368 C:\WINDOWS\system32\svchost.exe
    472 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    596 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    620 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    628 C:\Program Files\RALINK\Common\RaUI.exe
    2424 wmiprvse.exe
    3076 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    3156 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    1284 C:\WINDOWS\explorer.exe
    3748 C:\DOCUME~1\johnkill\LOCALS~1\temp\wneo.exe
    2688 C:\DOCUME~1\johnkill\LOCALS~1\temp\winspihjj.exe
    2516 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    188 C:\Documents and Settings\johnkill\Desktop\windowsBBS\7i9ue1uw.exe
    444 C:\Program Files\Mozilla Firefox\firefox.exe
    3152 C:\Documents and Settings\johnkill\Desktop\windowsBBS\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: TOSHIBAMK4026GAX, Rev: PA102D

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    waiting...
     
  14. 2010/09/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
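The report broni asks for above is read by eye for a handful of indicators: Security Center overrides, a switched-off firewall, firewall exceptions for executables in Temp, services whose image file no longer exists ([?]), core files that fail Sigcheck ([-]), hidden system files dropped in the drive root, and Run entries with a missing target ([X]). The script below is an added example, not part of ComboFix and not from the original post, that pulls those lines out of a ComboFix.txt automatically. The excerpt it runs on is constructed in the shape of a ComboFix report, and the regular expressions are my assumptions about that layout.

```python
"""Triage a ComboFix report for what a malware analyst reads first: Security
Center overrides, a disabled Windows Firewall, firewall exceptions for binaries
in Temp, services whose image file is missing ([?]), core files that fail
Sigcheck ([-]), hidden+system files in the drive root, Run/RunOnce entries
whose target is gone ([X]), and per-user proxy / LSP settings.

Example code added to this page; it is not part of ComboFix. The excerpt below
is constructed in the shape of a ComboFix report, and the regexes are
assumptions about that layout that may need adjusting for other versions.
"""
import re

SAMPLE_REPORT = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\user\\LOCALS~1\\Temp\\winvsgfmb.exe"=

S2 RPCER;Remote Procedure Call (HNM);c:\program files\Common Files\ODBC\comp.exe --> c:\program files\Common Files\ODBC\comp.exe [?]

2010-09-28 00:49 . 2010-09-28 00:49 103140 --sh--r- C:\tbsh.pif
2010-09-13 00:37 . 2010-09-13 00:34 -------- d-----w- c:\program files\Winamp

[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

uInternet Settings,ProxyServer = 10.0.0.1:5555
LSP: %SystemRoot%\system32\PrxerDrv.dll
"""

# Line-level indicators (independent of the registry section).
SERVICE_MISSING = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);.*\[\?\]$")
SIGCHECK_FAIL = re.compile(r"^\[-\]\s.*\s(\S+)$")
USER_PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
LSP_ENTRY = re.compile(r"^LSP:\s*(.+)$")
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?:\d+|-+)\s+([-a-z]{8})\s+(.+)$")
# Section-level indicators (meaning depends on the registry key above them).
SECCENTER_SUPPRESSED = re.compile(r'^"(\w+(?:Override|DisableNotify))"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
TEMP_PATH = re.compile(r"\\temp\\|locals~1\\temp|temporary internet files", re.I)
RUN_TARGET_MISSING = re.compile(r'^"([^"]+)"=.*\[X\]$')


def triage_combofix(report: str) -> list:
    """Return (category, detail) pairs for every suspicious line in the report."""
    findings = []
    section = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and not line.startswith("[-]"):
            section = line.lower()          # a registry key header
            continue
        if not line.startswith(('"', "@")):
            section = ""                    # registry values always start with " or @

        if "security center" in section:
            m = SECCENTER_SUPPRESSED.match(line)
            if m:
                findings.append(("security-center", f"{m.group(1)}=1, Security Center alert suppressed"))
        elif section.endswith(r"authorizedapplications\list]"):
            if TEMP_PATH.search(line):
                path = line.rstrip("=").strip('"').replace("\\\\", "\\")
                findings.append(("firewall-exception", path))
        elif "firewallpolicy" in section:
            if FIREWALL_OFF.match(line):
                findings.append(("firewall-disabled", section))
        elif section.endswith((r"\run]", r"\runonce]")):
            m = RUN_TARGET_MISSING.match(line)
            if m:
                findings.append(("run-target-missing", m.group(1)))

        if m := SERVICE_MISSING.match(line):
            findings.append(("service-image-missing", f"{m.group(1)} ({m.group(2)})"))
        elif m := SIGCHECK_FAIL.match(line):
            findings.append(("sigcheck-mismatch", m.group(1)))
        elif m := USER_PROXY.match(line):
            findings.append(("user-proxy", m.group(1)))
        elif m := LSP_ENTRY.match(line):
            findings.append(("lsp", m.group(1)))
        elif m := FILE_LINE.match(line):
            attrs, path = m.groups()
            in_root = re.fullmatch(r"[a-z]:\\[^\\]+", path, re.I) is not None
            if "h" in attrs and ("s" in attrs or in_root):
                findings.append(("hidden-file", f"{path} ({attrs})"))
    return findings


if __name__ == "__main__":
    for category, detail in triage_combofix(SAMPLE_REPORT):
        print(f"{category:24} {detail}")
```

The proxy and LSP findings are deliberately "review" rather than "malicious": a user who runs a proxy client legitimately will have both, so they need to be matched against the installed programs before anything is removed. Everything else in the list (an authorized firewall application in a Temp folder, a service with no image file, a hidden system file in the root of C:) is the kind of entry the analyst will want explained or removed in the next step.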
     
  15. 2010/09/27
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    Here is the ComboFix log... hope tomorrow my laptop will be OK...


    ComboFix 10-09-26.04 - johnkill 09/28/2010 1:40.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.665 [GMT 1:00]
    Running from: c:\documents and settings\johnkill\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\WorldEdit.lnk
    c:\documents and settings\Administrator\Templates\Addendum.html.lnk
    c:\documents and settings\All Users\Templates\Drivers.lnk
    c:\documents and settings\Default User\Local Settings\Temporary Internet Files\Nav_10.jpg.lnk
    c:\documents and settings\Default User\Templates\ObjectManager.html.lnk
    c:\documents and settings\johnkill\Local Settings\Temporary Internet Files\Nav_31.jpg.lnk
    c:\documents and settings\johnkill\Templates\install.exe.lnk
    c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\HumanEd.mpq.lnk
    c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Nav_24.jpg.lnk
    C:\xhqn.exe
    C:\xktran.pif

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AMSINT32
    -------\Service_amsint32


    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))
    .

    2010-09-27 16:11 . 2010-09-27 16:11 -------- d-----w- c:\windows\system32\IOSUBSYS
    2010-09-26 23:52 . 2010-09-28 00:13 -------- d-----w- c:\documents and settings\johnkill\Application Data\Malwarebytes
    2010-09-26 23:52 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-26 23:52 . 2010-09-27 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-26 13:33 . 2010-09-28 00:23 -------- d-----w- c:\program files\CCleaner
    2010-09-26 12:37 . 2010-09-28 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-09-26 11:27 . 2010-09-28 00:23 -------- d-----w- c:\program files\AutorunRemover
    2010-09-25 17:48 . 2004-02-23 14:00 322560 ----a-w- c:\windows\system32\MSDBRPTR.DLL
    2010-09-25 17:48 . 2004-02-23 14:00 78848 ----a-w- c:\windows\system32\MSBIND.DLL
    2010-09-25 17:48 . 2006-01-19 16:10 1836128 ----a-w- c:\windows\system32\arpro2.dll
    2010-09-25 17:48 . 2005-01-04 01:40 336976 ----a-w- c:\windows\system32\exclexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 259680 ----a-w- c:\windows\system32\tiffexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 132704 ----a-w- c:\windows\system32\textexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 210528 ----a-w- c:\windows\system32\rtfexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 374368 ----a-w- c:\windows\system32\pdfexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 554592 ----a-w- c:\windows\system32\htmlexpt.dll
    2010-09-22 19:38 . 2010-09-28 00:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-09-22 19:38 . 2010-09-28 00:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2010-09-22 14:42 . 2010-09-28 00:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-09-22 14:37 . 2010-09-28 00:17 -------- d-----w- c:\documents and settings\johnkill\Local Settings\Application Data\Temp
    2010-09-22 14:37 . 2010-09-28 00:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-09-22 14:37 . 2010-09-28 00:17 -------- d-----w- c:\documents and settings\johnkill\Local Settings\Application Data\Google
    2010-09-22 14:37 . 2010-09-22 14:43 -------- d-----w- c:\program files\Google
    2010-09-21 11:47 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\HPAppData
    2010-09-21 09:31 . 2010-09-21 09:31 -------- d-----w- c:\windows\XSxS
    2010-09-21 09:31 . 2010-09-21 09:31 -------- d-----w- c:\program files\Xenocode
    2010-09-21 00:28 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-09-21 00:23 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\HP
    2010-09-21 00:22 . 2008-10-28 09:31 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-09-21 00:22 . 2008-10-28 09:31 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2010-09-21 00:22 . 2008-12-16 17:17 126976 ----a-w- c:\windows\system32\hpfll6en.dll
    2010-09-21 00:22 . 2008-12-16 17:17 315392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp6en.dll
    2010-09-21 00:22 . 2008-10-29 17:46 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2010-09-21 00:21 . 2008-10-28 09:31 372736 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-09-21 00:21 . 2008-10-28 09:31 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-09-21 00:21 . 2008-10-28 09:31 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2010-09-21 00:19 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
    2010-09-21 00:19 . 2010-09-21 00:19 -------- d-----w- c:\program files\HP Photo Creations
    2010-09-21 00:18 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\HpUpdate
    2010-09-21 00:17 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-09-21 00:13 . 2010-09-21 00:13 -------- d-----w- c:\windows\Cache
    2010-09-21 00:11 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-09-21 00:11 . 2010-09-28 00:26 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2010-09-21 00:09 . 2010-09-21 00:18 -------- d-----w- c:\program files\HP
    2010-09-21 00:08 . 2006-01-06 14:53 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-09-21 00:05 . 2010-09-21 00:23 171586 ----a-w- c:\windows\hphins32.dat
    2010-09-21 00:05 . 2010-02-12 10:59 558 ------w- c:\windows\hphmdl32.dat
    2010-09-19 23:03 . 2010-09-19 23:03 -------- d-----w- c:\program files\GsmServer
    2010-09-19 22:58 . 2010-09-19 23:01 -------- d-----w- c:\program files\SAMSUNG
    2010-09-19 22:57 . 2010-09-21 08:03 -------- d-----w- c:\program files\NsPro
    2010-09-19 18:11 . 2010-09-28 00:33 -------- d-----w- c:\program files\Counter-Strike Xtreme V4
    2010-09-18 10:52 . 2010-09-28 00:15 -------- d-----w- c:\documents and settings\johnkill\Application Data\TeamViewer
    2010-09-17 07:28 . 2000-07-15 14:00 101888 ----a-w- c:\windows\system32\Vb6stkit.dll
    2010-09-17 07:28 . 2000-03-14 14:00 49152 ----a-w- c:\windows\system32\Mscdrun.dll
    2010-09-17 07:28 . 2004-03-24 03:34 28672 ----a-w- c:\windows\system32\HDSNLib.dll
    2010-09-17 07:27 . 2010-09-28 00:23 -------- d-----w- c:\program files\CafeManila
    2010-09-17 07:27 . 2002-07-19 09:50 230912 ----a-w- c:\windows\system32\UNWISE.EXE
    2010-09-16 22:56 . 2010-09-28 00:23 -------- d-----w- c:\program files\AVG
    2010-09-16 22:51 . 2010-09-17 06:08 -------- d-----w- c:\temp\relevantknowledge
    2010-09-16 22:51 . 2010-09-28 00:21 -------- d-----w- c:\program files\365PowerOff
    2010-09-16 07:20 . 2010-09-16 07:20 3298816 ----a-w- C:\shell32.exe
    2010-09-16 06:34 . 2010-09-16 06:34 4608 ----a-w- c:\windows\system32\ufsloader.dll
    2010-09-16 04:50 . 2005-12-24 19:10 77824 ----a-w- c:\windows\system32\UFS2XXUN.exe
    2010-09-16 04:50 . 2005-12-24 14:41 81920 ----a-w- c:\windows\system32\UFS2XX.dll
    2010-09-16 04:50 . 2005-12-15 15:27 34639 ----a-w- c:\windows\system32\drivers\UFS2XX.sys
    2010-09-16 04:50 . 2010-09-16 04:50 -------- d-----w- C:\WinTesla
    2010-09-16 04:50 . 2010-09-16 04:50 -------- d-----w- c:\program files\SarasSoft
    2010-09-14 15:29 . 2007-02-22 09:15 8320 ----a-w- c:\windows\system32\drivers\nmwcdc.sys
    2010-09-14 15:29 . 2007-02-22 09:15 137216 ----a-w- c:\windows\system32\drivers\nmwcd.sys
    2010-09-14 15:29 . 2007-02-22 09:15 65536 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-09-14 15:29 . 2010-09-14 16:18 -------- d-----w- c:\program files\Nokia
    2010-09-14 04:53 . 2000-06-29 16:24 3584 ----a-w- c:\windows\system32\drivers\DLPORTIO.SYS
    2010-09-14 04:53 . 2000-06-29 16:24 34816 ----a-w- c:\windows\system32\DLPORTIO.DLL
    2010-09-14 03:02 . 2010-09-28 00:23 -------- d-----w- c:\program files\backupdrivers
    2010-09-14 03:02 . 2010-09-14 03:02 4608 ----a-w- c:\windows\system32\R5CoInst.dll
    2010-09-14 03:02 . 2010-09-14 03:02 21888 ----a-w- c:\windows\system32\drivers\eps2kt1.sys
    2010-09-14 03:02 . 2010-09-14 03:02 12800 ----a-w- c:\windows\system32\drivers\smccard.sys
    2010-09-14 03:02 . 2010-09-14 03:02 23312 ----a-w- c:\windows\system32\_shfoldr.dll
    2010-09-14 03:02 . 2010-09-14 03:02 -------- d-----w- c:\program files\Software Installation Information
    2010-09-14 01:57 . 2010-09-14 02:49 27648 ----a-w- c:\windows\system32\drivers\memwdm.sys
    2010-09-14 01:57 . 2010-09-14 02:49 15360 ----a-w- c:\windows\system32\drivers\vpscr.sys
    2010-09-14 01:57 . 2010-09-14 01:57 4 ----a-w- c:\documents and settings\johnkill\JAFCC_Crt_SN.bin
    2010-09-14 01:44 . 2007-02-22 09:15 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-09-14 01:43 . 2010-09-14 01:43 -------- d-----w- c:\program files\ODEON
    2010-09-13 14:25 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\Leadertech
    2010-09-13 01:24 . 2004-01-22 09:03 2629632 ----a-w- c:\temp\DFBHD.EXE
    2010-09-13 00:36 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2010-09-13 00:36 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
    2010-09-13 00:36 . 2010-09-13 00:36 -------- d-----w- c:\windows\Logs
    2010-09-11 22:16 . 2010-09-13 01:21 -------- d-----w- c:\program files\NovaLogic
    2010-09-11 22:10 . 2010-09-28 00:20 -------- d-sh--w- c:\documents and settings\johnkill\WINDOWS
    2010-09-09 21:49 . 2010-09-14 01:24 -------- d-----w- C:\USB
    2010-09-08 18:19 . 2010-09-28 00:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-09-08 17:29 . 2010-09-24 18:02 -------- d-----w- c:\program files\Red Alert 2 Yuri's Revenge
    2010-09-08 10:49 . 2010-09-28 00:21 -------- d-----w- C:\dota2
    2010-09-08 10:47 . 2010-09-22 12:36 -------- d-----w- c:\program files\Warcraft III
    2010-09-08 10:40 . 2010-09-28 00:21 -------- d-----w- C:\dota
    2010-09-08 06:23 . 2010-09-28 00:17 -------- d-----w- c:\documents and settings\johnkill\Local Settings\Application Data\Conduit
    2010-09-08 06:23 . 2010-09-28 00:15 -------- d-----w- c:\documents and settings\johnkill\Application Data\SuperMP3Download
    2010-09-08 06:23 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SuperMP3Download
    2010-09-08 06:23 . 2010-09-08 06:24 -------- d-----w- c:\program files\SuperMp3Download
    2010-09-07 12:51 . 2010-09-28 00:23 -------- d-----w- c:\program files\BitTorrent
    2010-09-07 12:51 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\BitTorrent
    2010-09-07 06:31 . 2010-09-07 06:31 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-05 03:54 . 2010-09-28 00:33 -------- d-----w- c:\program files\FBLayouts
    2010-09-01 09:39 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\GPass-4

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-28 00:49 . 2010-09-28 00:49 103140 --sh--r- C:\tbsh.pif
    2010-09-28 00:27 . 2010-09-28 00:27 188 ----a-w- c:\program files\Common Files\MSVBVM60.DLL.lnk
    2010-09-28 00:27 . 2010-07-29 18:24 -------- d-----w- c:\program files\Common Files\Java
    2010-09-28 00:27 . 2010-07-24 11:35 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-09-28 00:26 . 2010-08-27 11:09 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-28 00:23 . 2010-07-24 11:25 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-28 00:23 . 2010-07-29 09:36 -------- d-----w- c:\program files\Chikka Messenger
    2010-09-28 00:23 . 2010-07-26 12:53 -------- d-----w- c:\program files\Camfrog
    2010-09-28 00:23 . 2010-07-25 12:24 -------- d-----w- c:\program files\CardRecovery
    2010-09-28 00:23 . 2010-08-27 11:09 -------- d-----w- c:\program files\Bonjour
    2010-09-28 00:23 . 2010-08-27 11:10 -------- d-----w- c:\program files\Apple Software Update
    2010-09-28 00:22 . 2010-07-24 11:36 -------- d-----w- c:\program files\Analog Devices
    2010-09-28 00:21 . 2010-07-26 12:14 -------- d-----w- c:\program files\A8GSdsApp
    2010-09-28 00:16 . 2010-07-24 12:13 -------- d-----w- c:\documents and settings\johnkill\Application Data\Yahoo!
    2010-09-28 00:15 . 2010-09-13 00:34 -------- d-----w- c:\documents and settings\johnkill\Application Data\Winamp
    2010-09-28 00:15 . 2010-08-08 16:33 -------- d-----w- c:\documents and settings\johnkill\Application Data\tor
    2010-09-28 00:13 . 2010-08-06 18:17 -------- d-----w- c:\documents and settings\johnkill\Application Data\ManyCam
    2010-09-28 00:12 . 2010-07-24 11:39 -------- d-----w- c:\documents and settings\johnkill\Application Data\InstallShield
    2010-09-28 00:12 . 2010-08-08 16:33 -------- d-----w- c:\documents and settings\johnkill\Application Data\GPass
    2010-09-28 00:12 . 2010-07-26 12:55 -------- d-----w- c:\documents and settings\johnkill\Application Data\Camfrog
    2010-09-28 00:12 . 2010-08-27 14:58 -------- d-----w- c:\documents and settings\johnkill\Application Data\Apple Computer
    2010-09-28 00:11 . 2010-08-27 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-28 00:11 . 2010-07-24 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-09-28 00:10 . 2010-07-24 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-09-28 00:10 . 2010-07-26 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-09-28 00:10 . 2010-07-26 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-09-28 00:10 . 2010-07-26 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-09-28 00:09 . 2010-07-24 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-09-28 00:09 . 2010-08-27 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-09-28 00:03 . 2010-09-28 00:03 77824 ---ha-w- C:\za63200.tmp
    2010-09-27 20:07 . 2010-07-24 11:47 15928 ----a-w- c:\documents and settings\johnkill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-19 23:03 . 2010-09-19 23:03 180224 ----a-r- c:\documents and settings\johnkill\Application Data\Microsoft\Installer\{935C0E2B-CCC7-4424-ADB3-5A27D527F1D6}\NewShortcut1_935C0E2BCCC74424ADB35A27D527F1D6.exe
    2010-09-19 23:03 . 2010-09-19 23:03 176128 ----a-r- c:\documents and settings\johnkill\Application Data\Microsoft\Installer\{935C0E2B-CCC7-4424-ADB3-5A27D527F1D6}\ARPPRODUCTICON.exe
    2010-09-16 10:20 . 2010-08-27 11:30 -------- d-----w- c:\program files\Z3X
    2010-09-16 10:16 . 2010-08-21 16:37 -------- d-----w- c:\program files\HiProxy
    2010-09-16 04:50 . 2010-07-24 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-13 00:37 . 2010-09-13 00:34 -------- d-----w- c:\program files\Winamp
    2010-09-10 18:12 . 2006-01-13 02:01 4224 ----a-w- c:\windows\system32\drivers\beep.sys
    2010-09-08 07:28 . 2010-07-24 12:01 -------- d-----w- c:\program files\Yahoo!
    2010-09-08 06:24 . 2010-08-27 11:12 -------- d-----w- c:\program files\iTunes
    2010-09-07 08:39 . 2010-07-24 11:16 -------- d-----w- c:\program files\MSN Messenger
    2010-08-27 11:12 . 2010-08-27 11:12 -------- d-----w- c:\program files\iPod
    2010-08-27 11:11 . 2010-07-24 11:25 -------- d-----w- c:\program files\QuickTime Alternative
    2010-08-22 18:13 . 2010-07-24 15:33 207 ----a-w- c:\documents and settings\johnkill\Application Data\MFC14.tmp
    2010-08-05 06:53 . 2010-08-05 06:53 503808 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5375b725-n\msvcp71.dll
    2010-08-05 06:53 . 2010-08-05 06:53 499712 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5375b725-n\jmc.dll
    2010-08-05 06:53 . 2010-08-05 06:53 348160 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5375b725-n\msvcr71.dll
    2010-08-05 06:51 . 2010-08-05 06:51 61440 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-763e142a-n\decora-sse.dll
    2010-08-05 06:51 . 2010-08-05 06:51 12800 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-763e142a-n\decora-d3d.dll
    2010-08-02 10:46 . 2010-07-24 11:24 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-07-29 18:25 . 2010-07-29 18:25 503808 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-687d245b-n\msvcp71.dll
    2010-07-29 18:25 . 2010-07-29 18:25 499712 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-687d245b-n\jmc.dll
    2010-07-29 18:25 . 2010-07-29 18:25 348160 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-687d245b-n\msvcr71.dll
    2010-07-29 18:25 . 2010-07-29 18:25 61440 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ee8795e-n\decora-sse.dll
    2010-07-29 18:25 . 2010-07-29 18:25 12800 ----a-w- c:\documents and settings\johnkill\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ee8795e-n\decora-d3d.dll
    2010-07-29 18:23 . 2010-07-29 18:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-26 10:43 . 2010-07-24 15:33 207 ----a-w- c:\documents and settings\johnkill\Application Data\MFC1.tmp
    2010-07-26 10:34 . 2010-07-24 15:33 207 ----a-w- c:\documents and settings\johnkill\Application Data\Current.prx~RF7b6a2.TMP
    2010-07-24 11:55 . 2010-07-24 11:55 0 ----a-w- c:\windows\nsreg.dat
    2010-07-24 11:40 . 2010-07-24 11:40 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2010-07-24 11:25 . 2010-07-24 11:25 2293 ----a-w- c:\windows\mozver.dat
    2010-07-24 11:21 . 2010-07-24 11:21 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-07-21 15:30 . 2010-07-21 15:30 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
    .

    ------- Sigcheck -------

    [-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2006-01-13 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

    [-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

    [-] 2008-04-14 02:33 . 3BA21BD333A1B8B222006E5464D44F49 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll

    .
    ((((((((((((((((((((((((((((( SnapShot@2010-09-26_20.54.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-28 00:48 . 2010-09-28 00:48 16384 c:\windows\Temp\Perflib_Perfdata_14c.dat
    + 2010-07-24 11:22 . 2006-01-13 01:50 94208 c:\windows\system32\mstinit.exe
    + 2006-01-13 02:05 . 2006-01-13 02:05 76800 c:\windows\system32\fixmapi.exe
    + 2006-01-13 01:33 . 2006-01-13 01:33 166400 c:\windows\system32\logagent.exe
    - 2010-09-26 09:25 . 2006-12-15 17:26 396351 c:\windows\system32\inetsrv\MetaBase.bin
    + 2010-09-27 16:10 . 2006-12-15 17:26 396351 c:\windows\system32\inetsrv\MetaBase.bin
    + 2010-07-24 12:08 . 2005-08-24 10:50 172032 c:\windows\system32\igfxtray.exe
    + 2010-07-24 11:22 . 2006-01-13 01:17 224256 c:\windows\pchealth\UploadLB\Binaries\UploadM.exe
    + 2010-07-24 11:22 . 2006-01-13 01:42 247808 c:\windows\pchealth\helpctr\binaries\msconfig.exe
    + 2006-01-13 01:54 . 2006-01-13 01:54 270336 c:\windows\inf\unregmp2.exe
    + 2006-01-13 01:17 . 2006-01-13 01:17 1261568 c:\windows\system32\odbcconf.exe
    + 2006-01-13 01:55 . 2006-01-13 01:55 3383808 c:\windows\system32\mshta.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 172032]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
    "CafeManila"="" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"="move" [X]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 344704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL"= 0 (0x0)
    "NoAdminPage"= 0 (0x0)
    "NoConfigPage"= 0 (0x0)
    "NoDevMgrPage"= 0 (0x0)
    "NoFileSysPage"= 0 (0x0)
    "NoVirtMemPage"= 0 (0x0)
    "NoPwdPage"= 0 (0x0)
    "EnableLUA"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL"= 0 (0x0)
    "NoConfigPage"= 0 (0x0)
    "NoDevMgrPage"= 0 (0x0)
    "NoFileSysPage"= 0 (0x0)
    "NoVirtMemPage"= 0 (0x0)
    "NoPwdPage"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPrinters"= 0 (0x0)
    "HideDesktop"= 0 (0x0)
    "NoWorkgroupContents"= 0 (0x0)
    "ClearDocsOnExit"= 0 (0x0)
    "NoExpandedNewMenu"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "AutoUpdate"= 0 (0x0)
    "NoAutoUpdate"= 0 (0x0)
    "NoSMConfigurePrograms"= 0 (0x0)
    "NoToolbarsCustomize"= 0 (0x0)
    "NoPrinters"= 0 (0x0)
    "HideDesktop"= 0 (0x0)
    "NoWorkgroupContents"= 0 (0x0)
    "ClearDocsOnExit"= 0 (0x0)
    "NoExpandedNewMenu"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2003-04-18 19:20 88363 ----a-w- c:\windows\agrsmmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    2010-09-07 12:51 3003248 ----a-w- c:\program files\BitTorrent\BitTorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-08-24 10:47 77824 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-08-24 10:51 114688 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    2003-01-03 01:16 245760 ------w- c:\program files\ltmoh\ltmoh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2008-09-19 16:34 4416752 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
    2003-03-01 03:54 122880 ------w- c:\program files\Analog Devices\SoundMAX\PmProxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\protect_autorun]
    2010-09-26 11:49 208896 ----a-w- c:\documents and settings\johnkill\My Documents\Downloads\AutoRunKiller172\AutoRunKiller172\CPE17AntiAutorun1330.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Proxifier]
    2009-01-21 12:19 692224 ----a-w- c:\program files\Proxifier\Proxifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 10:44 330472 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2010-07-12 16:32 144384 ----a-w- c:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\www.cproxy.com]
    2007-04-22 10:02 1896448 ----a-w- c:\program files\www.cproxy.com\CPROXY.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\www.cproxy.com\\CPROXY.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
    "c:\\Program Files\\ODEON\\JAF\\JCOP.EXE"=
    "c:\\Program Files\\CafeManila\\CafeManila.exe"=
    "c:\\Program Files\\Counter-Strike Xtreme V4\\hl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhdlc.exe"=
    "c:\\PROGRA~1\\CAFEMA~1\\CafeManila.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\jqsnotify.exe"=
    "c:\\DOCUME~1\\johnkill\\LOCALS~1\\Temp\\winvsgfmb.exe"=

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [7/5/2006 1:46 PM 63352]
    R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [11/2/2009 9:17 PM 15328]
    R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [11/2/2009 9:17 PM 13440]
    R3 R5BaseSmc;USB Token Holder Service;c:\windows\system32\drivers\smccard.sys [9/14/2010 4:02 AM 12800]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2010 3:37 PM 205808]
    S2 RPCER;Remote Procedure Call (HNM);c:\program files\Common Files\ODBC\comp.exe --> c:\program files\Common Files\ODBC\comp.exe [?]
    S3 Egatecard;Egatecard;c:\windows\system32\drivers\egate.sys [11/2/2009 9:17 PM 18880]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [7/28/2010 9:12 PM 100736]
    S3 MemWdm;MemWdm;c:\windows\system32\drivers\memwdm.sys [9/14/2010 2:57 AM 27648]
    S3 MMVSC;Virtual Smart Card Reader;c:\windows\system32\drivers\vpscr.sys [9/14/2010 2:57 AM 15360]
    S3 UFS2XX;UFS2XX.SYS UFS2 device driver;c:\windows\system32\drivers\UFS2XX.sys [9/16/2010 5:50 AM 34639]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

    2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 14:37]

    2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 14:37]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZCxdm80133US&ptb=Ydy0xUVEd0rFNzuO_rnmZg
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = local;*.local
    uInternet Settings,ProxyServer = 10.0.0.1:5555
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Show all images in original quality - c:\program files\www.cproxy.com\originalAll.htm
    IE: Show image in original quality - c:\program files\www.cproxy.com\original.htm
    LSP: %SystemRoot%\system32\PrxerDrv.dll
    FF - ProfilePath - c:\documents and settings\johnkill\Application Data\Mozilla\Firefox\Profiles\1axj5ms0.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.viploading.com/
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZCxdm80133US&ptb=Ydy0xUVEd0rFNzuO_rnmZg&psa=&ind=2010090622&ptnrS=ZCxdm80133US&si=&st=kwd&n=77cf8c7e&searchfor=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - 127.0.0.1
    FF - prefs.js: network.proxy.socks_port - 9000
    FF - prefs.js: network.proxy.ssl - 127.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-28 01:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\docume~1\johnkill\LOCALS~1\Temp\winvsgfmb.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-28 01:55:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-28 00:55

    Pre-Run: 10,381,127,680 bytes free
    Post-Run: 10,413,948,928 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - AA3A6E7CCEAB69780FBBDF74BD5D6900
     
  16. 2010/09/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\All Users\Application Data\avg9
    c:\program files\AVG
    c:\program files\Common Files\Symantec Shared
    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\NortonInstaller
    c:\documents and settings\All Users\Application Data\Norton
    
    
    DDS::
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZCxdm80133US&ptb=Ydy0xUVEd0rFNzuO_rnmZg
    uInternet Settings,ProxyOverride = local;*.local
    uInternet Settings,ProxyServer = 10.0.0.1:5555
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeManila"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    "AntiVirusDisableNotify"=-
    "FirewallDisableNotify"=-
    "UpdatesDisableNotify"=-
    "UacDisableNotify"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=-
    "AntiVirusDisableNotify"=-
    "FirewallDisableNotify"=-
    "FirewallOverride"=-
    "UpdatesDisableNotify"=-
    "UacDisableNotify"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    "DisableNotifications"=-
    
    Firefox::
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZCxdm80133US&ptb=Ydy0xUVEd0rFNzuO_rnmZg&psa=&ind=2010090622&ptnrS=ZCxdm80133US&si=&st=kwd&n=77cf8c7e&searchfor=
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  17. 2010/09/27
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    Ok, I will try it later.
    Anyway, CafeManila is my internet cafe timer.
     
  18. 2010/09/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That registry entry was a dead entry.
     
  19. 2010/09/28
    johnkill

    johnkill Inactive Thread Starter

    Joined:
    2009/08/20
    Messages:
    31
    Likes Received:
    0
    ComboFix 10-09-27.04 - johnkill 09/28/2010 14:52:29.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.470 [GMT 1:00]
    Running from: c:\documents and settings\johnkill\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\johnkill\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\documents and settings\All Users\Application Data\avg9
    c:\documents and settings\All Users\Application Data\avg9\Cfg\sched.cfg
    c:\documents and settings\All Users\Application Data\avg9\Cfg\WorldEditMenu.html.lnk
    c:\documents and settings\All Users\Application Data\avg9\Jammie.lnk
    c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgldr.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avglng.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgns.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgtdi.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwdsvc.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\kleopatra.avi.lnk
    c:\documents and settings\All Users\Application Data\Norton
    c:\documents and settings\All Users\Application Data\Norton\DOTA INSTALLER.lnk
    c:\documents and settings\All Users\Application Data\Norton\symdata.xml
    c:\documents and settings\All Users\Application Data\NortonInstaller
    c:\documents and settings\All Users\Application Data\NortonInstaller\h_right.jpg.lnk
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\07-26-2010-14h29m12s\dxnt.cab.lnk
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\07-26-2010-14h29m12s\Install.1.mft.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\07-26-2010-14h29m12s\NortonInstall-07-26-2010-14h29m12s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-16-2010-11h16m49s\h_left_fixed.jpg.lnk
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-16-2010-11h16m49s\Install.1.mft.7z
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-16-2010-11h16m49s\NortonInstall-09-16-2010-11h16m49s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-16-2010-11h17m28s\Initiate.jpg.lnk
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-16-2010-11h17m28s\NortonInstall-09-16-2010-11h17m28s.log
    c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\m_mr.html.lnk
    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Symantec\Kick_Ass.avi.lnk
    c:\documents and settings\All Users\Application Data\Symantec\symdata.xml
    c:\documents and settings\johnkill\alg.exe
    c:\documents and settings\johnkill\koiraa.exe
    c:\program files\AVG
    c:\program files\AVG\(PC)Foreword.html.lnk
    c:\program files\AVG\AVG9\beautiful.lnk
    c:\program files\AVG\AVG9\cfg\Mary.lnk
    c:\program files\AVG\AVG9\cfg\sched.cfg
    c:\program files\AVG\AVG9\commonpub.log
    c:\program files\AVG\AVG9\commonpub.log.lock
    c:\program files\AVG\AVG9\log\history.xml
    c:\program files\AVG\AVG9\log\m_mr.jpg.lnk
    c:\program files\Common Files\Symantec Shared
    c:\program files\Common Files\Symantec Shared\(PC)BNetMenu.html.lnk
    c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\stacy.lnk
    c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\umcat_01.db
    c:\program files\Common Files\Symantec Shared\SymcData\XXX.lnk
    C:\tbsh.pif

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AMSINT32
    -------\Service_amsint32


    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))
    .

    2010-09-27 16:11 . 2010-09-27 16:11 -------- d-----w- c:\windows\system32\IOSUBSYS
    2010-09-26 23:52 . 2010-09-28 00:13 -------- d-----w- c:\documents and settings\johnkill\Application Data\Malwarebytes
    2010-09-26 23:52 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-26 23:52 . 2010-09-27 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-26 13:33 . 2010-09-28 00:23 -------- d-----w- c:\program files\CCleaner
    2010-09-26 11:27 . 2010-09-28 00:23 -------- d-----w- c:\program files\AutorunRemover
    2010-09-25 17:48 . 2004-02-23 14:00 322560 ----a-w- c:\windows\system32\MSDBRPTR.DLL
    2010-09-25 17:48 . 2004-02-23 14:00 78848 ----a-w- c:\windows\system32\MSBIND.DLL
    2010-09-25 17:48 . 2006-01-19 16:10 1836128 ----a-w- c:\windows\system32\arpro2.dll
    2010-09-25 17:48 . 2005-01-04 01:40 336976 ----a-w- c:\windows\system32\exclexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 259680 ----a-w- c:\windows\system32\tiffexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 132704 ----a-w- c:\windows\system32\textexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 210528 ----a-w- c:\windows\system32\rtfexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 374368 ----a-w- c:\windows\system32\pdfexpt.dll
    2010-09-25 17:48 . 2006-01-19 16:10 554592 ----a-w- c:\windows\system32\htmlexpt.dll
    2010-09-22 19:38 . 2010-09-28 00:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-09-22 19:38 . 2010-09-28 00:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2010-09-22 14:42 . 2010-09-28 00:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-09-22 14:37 . 2010-09-28 00:17 -------- d-----w- c:\documents and settings\johnkill\Local Settings\Application Data\Temp
    2010-09-22 14:37 . 2010-09-28 00:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-09-22 14:37 . 2010-09-28 00:17 -------- d-----w- c:\documents and settings\johnkill\Local Settings\Application Data\Google
    2010-09-22 14:37 . 2010-09-22 14:43 -------- d-----w- c:\program files\Google
    2010-09-21 11:47 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\HPAppData
    2010-09-21 09:31 . 2010-09-21 09:31 -------- d-----w- c:\windows\XSxS
    2010-09-21 09:31 . 2010-09-21 09:31 -------- d-----w- c:\program files\Xenocode
    2010-09-21 00:28 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-09-21 00:23 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\HP
    2010-09-21 00:22 . 2008-10-28 09:31 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-09-21 00:22 . 2008-10-28 09:31 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2010-09-21 00:22 . 2008-12-16 17:17 126976 ----a-w- c:\windows\system32\hpfll6en.dll
    2010-09-21 00:22 . 2008-12-16 17:17 315392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp6en.dll
    2010-09-21 00:22 . 2008-10-29 17:46 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2010-09-21 00:21 . 2008-10-28 09:31 372736 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-09-21 00:21 . 2008-10-28 09:31 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-09-21 00:21 . 2008-10-28 09:31 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2010-09-21 00:19 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
    2010-09-21 00:19 . 2010-09-21 00:19 -------- d-----w- c:\program files\HP Photo Creations
    2010-09-21 00:18 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\HpUpdate
    2010-09-21 00:17 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-09-21 00:13 . 2010-09-21 00:13 -------- d-----w- c:\windows\Cache
    2010-09-21 00:11 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-09-21 00:11 . 2010-09-28 00:26 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2010-09-21 00:09 . 2010-09-21 00:18 -------- d-----w- c:\program files\HP
    2010-09-21 00:08 . 2006-01-06 14:53 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-09-21 00:05 . 2010-09-21 00:23 171586 ----a-w- c:\windows\hphins32.dat
    2010-09-21 00:05 . 2010-02-12 10:59 558 ------w- c:\windows\hphmdl32.dat
    2010-09-19 23:03 . 2010-09-19 23:03 -------- d-----w- c:\program files\GsmServer
    2010-09-19 22:58 . 2010-09-19 23:01 -------- d-----w- c:\program files\SAMSUNG
    2010-09-19 22:57 . 2010-09-21 08:03 -------- d-----w- c:\program files\NsPro
    2010-09-19 18:11 . 2010-09-28 00:33 -------- d-----w- c:\program files\Counter-Strike Xtreme V4
    2010-09-18 10:52 . 2010-09-28 00:15 -------- d-----w- c:\documents and settings\johnkill\Application Data\TeamViewer
    2010-09-17 07:28 . 2000-07-15 14:00 101888 ----a-w- c:\windows\system32\Vb6stkit.dll
    2010-09-17 07:28 . 2000-03-14 14:00 49152 ----a-w- c:\windows\system32\Mscdrun.dll
    2010-09-17 07:28 . 2004-03-24 03:34 28672 ----a-w- c:\windows\system32\HDSNLib.dll
    2010-09-17 07:27 . 2010-09-28 00:23 -------- d-----w- c:\program files\CafeManila
    2010-09-17 07:27 . 2002-07-19 09:50 230912 ----a-w- c:\windows\system32\UNWISE.EXE
    2010-09-16 22:51 . 2010-09-28 11:18 -------- d-----w- c:\temp\relevantknowledge
    2010-09-16 22:51 . 2010-09-28 00:21 -------- d-----w- c:\program files\365PowerOff
    2010-09-16 07:20 . 2010-09-16 07:20 3298816 ----a-w- C:\shell32.exe
    2010-09-16 06:34 . 2010-09-16 06:34 4608 ----a-w- c:\windows\system32\ufsloader.dll
    2010-09-16 04:50 . 2005-12-24 19:10 77824 ----a-w- c:\windows\system32\UFS2XXUN.exe
    2010-09-16 04:50 . 2005-12-24 14:41 81920 ----a-w- c:\windows\system32\UFS2XX.dll
    2010-09-16 04:50 . 2005-12-15 15:27 34639 ----a-w- c:\windows\system32\drivers\UFS2XX.sys
    2010-09-16 04:50 . 2010-09-28 11:40 -------- d-----w- C:\WinTesla
    2010-09-16 04:50 . 2010-09-16 04:50 -------- d-----w- c:\program files\SarasSoft
    2010-09-14 15:29 . 2007-02-22 09:15 8320 ----a-w- c:\windows\system32\drivers\nmwcdc.sys
    2010-09-14 15:29 . 2007-02-22 09:15 137216 ----a-w- c:\windows\system32\drivers\nmwcd.sys
    2010-09-14 15:29 . 2007-02-22 09:15 65536 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-09-14 15:29 . 2010-09-14 16:18 -------- d-----w- c:\program files\Nokia
    2010-09-14 04:53 . 2000-06-29 16:24 3584 ----a-w- c:\windows\system32\drivers\DLPORTIO.SYS
    2010-09-14 04:53 . 2000-06-29 16:24 34816 ----a-w- c:\windows\system32\DLPORTIO.DLL
    2010-09-14 03:02 . 2010-09-28 00:23 -------- d-----w- c:\program files\backupdrivers
    2010-09-14 03:02 . 2010-09-14 03:02 4608 ----a-w- c:\windows\system32\R5CoInst.dll
    2010-09-14 03:02 . 2010-09-14 03:02 21888 ----a-w- c:\windows\system32\drivers\eps2kt1.sys
    2010-09-14 03:02 . 2010-09-14 03:02 12800 ----a-w- c:\windows\system32\drivers\smccard.sys
    2010-09-14 03:02 . 2010-09-14 03:02 23312 ----a-w- c:\windows\system32\_shfoldr.dll
    2010-09-14 03:02 . 2010-09-14 03:02 -------- d-----w- c:\program files\Software Installation Information
    2010-09-14 01:57 . 2010-09-14 02:49 27648 ----a-w- c:\windows\system32\drivers\memwdm.sys
    2010-09-14 01:57 . 2010-09-14 02:49 15360 ----a-w- c:\windows\system32\drivers\vpscr.sys
    2010-09-14 01:57 . 2010-09-14 01:57 4 ----a-w- c:\documents and settings\johnkill\JAFCC_Crt_SN.bin
    2010-09-14 01:44 . 2007-02-22 09:15 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-09-14 01:43 . 2010-09-14 01:43 -------- d-----w- c:\program files\ODEON
    2010-09-13 14:25 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\Leadertech
    2010-09-13 01:24 . 2004-01-22 09:03 2629632 ----a-w- c:\temp\DFBHD.EXE
    2010-09-13 00:36 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2010-09-13 00:36 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
    2010-09-13 00:36 . 2010-09-13 00:36 -------- d-----w- c:\windows\Logs
    2010-09-11 22:16 . 2010-09-13 01:21 -------- d-----w- c:\program files\NovaLogic
    2010-09-11 22:10 . 2010-09-28 00:20 -------- d-sh--w- c:\documents and settings\johnkill\WINDOWS
    2010-09-09 21:49 . 2010-09-28 13:40 -------- d-----w- C:\USB
    2010-09-08 17:29 . 2010-09-24 18:02 -------- d-----w- c:\program files\Red Alert 2 Yuri's Revenge
    2010-09-08 10:49 . 2010-09-28 00:21 -------- d-----w- C:\dota2
    2010-09-08 10:47 . 2010-09-22 12:36 -------- d-----w- c:\program files\Warcraft III
    2010-09-08 10:40 . 2010-09-28 00:21 -------- d-----w- C:\dota
    2010-09-08 06:23 . 2010-09-28 00:17 -------- d-----w- c:\documents and settings\johnkill\Local Settings\Application Data\Conduit
    2010-09-08 06:23 . 2010-09-28 00:15 -------- d-----w- c:\documents and settings\johnkill\Application Data\SuperMP3Download
    2010-09-08 06:23 . 2010-09-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SuperMP3Download
    2010-09-08 06:23 . 2010-09-08 06:24 -------- d-----w- c:\program files\SuperMp3Download
    2010-09-07 12:51 . 2010-09-28 00:23 -------- d-----w- c:\program files\BitTorrent
    2010-09-07 12:51 . 2010-09-28 14:02 -------- d-----w- c:\documents and settings\johnkill\Application Data\BitTorrent
    2010-09-07 06:31 . 2010-09-07 06:31 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-05 03:54 . 2010-09-28 00:33 -------- d-----w- c:\program files\FBLayouts
    2010-09-01 09:39 . 2010-09-28 00:12 -------- d-----w- c:\documents and settings\johnkill\Application Data\GPass-4

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-28 12:45 . 2010-09-28 12:45 77824 ---ha-w- C:\z293596.tmp
    2010-09-28 11:00 . 2010-09-28 11:00 77824 ---ha-w- C:\z5827b.tmp
    2010-09-28 07:03 . 2010-09-28 07:03 103140 --sh--r- C:\qfsrl.exe
    2010-09-28 00:27 . 2010-09-28 00:27 188 ----a-w- c:\program files\Common Files\MSVBVM60.DLL.lnk
    2010-09-28 00:27 . 2010-07-29 18:24 -------- d-----w- c:\program files\Common Files\Java
    2010-09-28 00:27 . 2010-07-24 11:35 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-09-28 00:26 . 2010-08-27 11:09 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-28 00:23 . 2010-07-24 11:25 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-28 00:23 . 2010-07-29 09:36 -------- d-----w- c:\program files\Chikka Messenger
    2010-09-28 00:23 . 2010-07-26 12:53 -------- d-----w- c:\program files\Camfrog
    2010-09-28 00:23 . 2010-07-25 12:24 -------- d-----w- c:\program files\CardRecovery
    2010-09-28 00:23 . 2010-08-27 11:09 -------- d-----w- c:\program files\Bonjour
    2010-09-28 00:23 . 2010-08-27 11:10 -------- d-----w- c:\program files\Apple Software Update
    2010-09-28 00:22 . 2010-07-24 11:36 -------- d-----w- c:\program files\Analog Devices
    2010-09-28 00:21 . 2010-07-26 12:14 -------- d-----w- c:\program files\A8GSdsApp
    2010-09-28 00:16 . 2010-07-24 12:13 -------- d-----w- c:\documents and settings\johnkill\Application Data\Yahoo!
    2010-09-28 00:15 . 2010-09-13 00:34 -------- d-----w- c:\documents and settings\johnkill\Application Data\Winamp
    2010-09-28 00:15 . 2010-08-08 16:33 -------- d-----w- c:\documents and settings\johnkill\Application Data\tor
    2010-09-28 00:13 . 2010-08-06 18:17 -------- d-----w- c:\documents and settings\johnkill\Application Data\ManyCam
    2010-09-28 00:12 . 2010-07-24 11:39 -------- d-----w- c:\documents and settings\johnkill\Application Data\InstallShield
    2010-09-28 00:12 . 2010-08-08 16:33 -------- d-----w- c:\documents and settings\johnkill\Application Data\GPass
    2010-09-28 00:12 . 2010-07-26 12:55 -------- d-----w- c:\documents and settings\johnkill\Application Data\Camfrog
    2010-09-28 00:12 . 2010-08-27 14:58 -------- d-----w- c:\documents and settings\johnkill\Application Data\Apple Computer
    2010-09-28 00:11 . 2010-08-27 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-09-28 00:11 . 2010-07-24 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-09-28 00:10 . 2010-07-24 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-09-28 00:09 . 2010-07-24 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-09-28 00:09 . 2010-08-27 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-09-28 00:03 . 2010-09-28 00:03 77824 ---ha-w- C:\za63200.tmp
    2010-09-27 20:07 . 2010-07-24 11:47 15928 ----a-w- c:\documents and settings\johnkill\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-16 10:20 . 2010-08-27 11:30 -------- d-----w- c:\program files\Z3X
    2010-09-16 10:16 . 2010-08-21 16:37 -------- d-----w- c:\program files\HiProxy
    2010-09-16 04:50 . 2010-07-24 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-13 00:37 . 2010-09-13 00:34 -------- d-----w- c:\program files\Winamp
    2010-09-10 18:12 . 2006-01-13 02:01 4224 ----a-w- c:\windows\system32\drivers\beep.sys
    2010-09-08 07:28 . 2010-07-24 12:01 -------- d-----w- c:\program files\Yahoo!
    2010-09-08 06:24 . 2010-08-27 11:12 -------- d-----w- c:\program files\iTunes
    2010-09-07 08:39 . 2010-07-24 11:16 -------- d-----w- c:\program files\MSN Messenger
    2010-08-27 11:12 . 2010-08-27 11:12 -------- d-----w- c:\program files\iPod
    2010-08-27 11:11 . 2010-07-24 11:25 -------- d-----w- c:\program files\QuickTime Alternative
    2010-08-22 18:13 . 2010-07-24 15:33 207 ----a-w- c:\documents and settings\johnkill\Application Data\MFC14.tmp
    2010-08-02 10:46 . 2010-07-24 11:24 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-07-29 18:23 . 2010-07-29 18:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-26 10:43 . 2010-07-24 15:33 207 ----a-w- c:\documents and settings\johnkill\Application Data\MFC1.tmp
    2010-07-26 10:34 . 2010-07-24 15:33 207 ----a-w- c:\documents and settings\johnkill\Application Data\Current.prx~RF7b6a2.TMP
    2010-07-24 11:55 . 2010-07-24 11:55 0 ----a-w- c:\windows\nsreg.dat
    2010-07-24 11:40 . 2010-07-24 11:40 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2010-07-24 11:25 . 2010-07-24 11:25 2293 ----a-w- c:\windows\mozver.dat
    2010-07-24 11:21 . 2010-07-24 11:21 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    .

    ------- Sigcheck -------

    [-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2006-01-13 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

    [-] 2006-01-13 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

    [-] 2008-04-14 02:33 . 3BA21BD333A1B8B222006E5464D44F49 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll

    .
    ((((((((((((((((((((((((((((( SnapShot@2010-09-26_20.54.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-28 14:02 . 2010-09-28 14:02 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
    + 2010-07-24 11:22 . 2006-01-13 01:50 94208 c:\windows\system32\mstinit.exe
    + 2006-01-13 02:05 . 2006-01-13 02:05 76800 c:\windows\system32\fixmapi.exe
    + 2006-01-13 01:33 . 2006-01-13 01:33 166400 c:\windows\system32\logagent.exe
    - 2010-09-26 09:25 . 2006-12-15 17:26 396351 c:\windows\system32\inetsrv\MetaBase.bin
    + 2010-09-27 16:10 . 2006-12-15 17:26 396351 c:\windows\system32\inetsrv\MetaBase.bin
    + 2010-07-24 12:08 . 2005-08-24 10:50 172032 c:\windows\system32\igfxtray.exe
    + 2010-07-24 11:22 . 2006-01-13 01:17 224256 c:\windows\pchealth\UploadLB\Binaries\UploadM.exe
    + 2010-07-24 11:22 . 2006-01-13 01:42 247808 c:\windows\pchealth\helpctr\binaries\msconfig.exe
    + 2006-01-13 01:54 . 2006-01-13 01:54 270336 c:\windows\inf\unregmp2.exe
    + 2010-09-28 07:03 . 2006-01-13 02:04 2187904 c:\windows\Temp\winnsblt.exe
    + 2006-01-13 01:17 . 2006-01-13 01:17 1261568 c:\windows\system32\odbcconf.exe
    + 2006-01-13 01:55 . 2006-01-13 01:55 3383808 c:\windows\system32\mshta.exe
    + 2006-01-13 01:56 . 2006-01-13 01:56 1235456 c:\windows\system32\grpconv.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2010-09-07 3003248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 172032]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 344704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL"= 0 (0x0)
    "NoAdminPage"= 0 (0x0)
    "NoConfigPage"= 0 (0x0)
    "NoDevMgrPage"= 0 (0x0)
    "NoFileSysPage"= 0 (0x0)
    "NoVirtMemPage"= 0 (0x0)
    "NoPwdPage"= 0 (0x0)
    "EnableLUA"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL"= 0 (0x0)
    "NoConfigPage"= 0 (0x0)
    "NoDevMgrPage"= 0 (0x0)
    "NoFileSysPage"= 0 (0x0)
    "NoVirtMemPage"= 0 (0x0)
    "NoPwdPage"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPrinters"= 0 (0x0)
    "HideDesktop"= 0 (0x0)
    "NoWorkgroupContents"= 0 (0x0)
    "ClearDocsOnExit"= 0 (0x0)
    "NoExpandedNewMenu"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "AutoUpdate"= 0 (0x0)
    "NoAutoUpdate"= 0 (0x0)
    "NoSMConfigurePrograms"= 0 (0x0)
    "NoToolbarsCustomize"= 0 (0x0)
    "NoPrinters"= 0 (0x0)
    "HideDesktop"= 0 (0x0)
    "NoWorkgroupContents"= 0 (0x0)
    "ClearDocsOnExit"= 0 (0x0)
    "NoExpandedNewMenu"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2003-04-18 19:20 88363 ----a-w- c:\windows\agrsmmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    2010-09-07 12:51 3003248 ----a-w- c:\program files\BitTorrent\BitTorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-08-24 10:47 77824 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-08-24 10:51 114688 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    2003-01-03 01:16 245760 ------w- c:\program files\ltmoh\ltmoh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2008-09-19 16:34 4416752 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
    2003-03-01 03:54 122880 ------w- c:\program files\Analog Devices\SoundMAX\PmProxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\protect_autorun]
    2010-09-26 11:49 208896 ----a-w- c:\documents and settings\johnkill\My Documents\Downloads\AutoRunKiller172\AutoRunKiller172\CPE17AntiAutorun1330.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Proxifier]
    2009-01-21 12:19 692224 ----a-w- c:\program files\Proxifier\Proxifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 10:44 330472 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2010-07-12 16:32 144384 ----a-w- c:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\www.cproxy.com]
    2007-04-22 10:02 1896448 ----a-w- c:\program files\www.cproxy.com\CPROXY.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\www.cproxy.com\\CPROXY.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
    "c:\\Program Files\\ODEON\\JAF\\JCOP.EXE"=
    "c:\\Program Files\\CafeManila\\CafeManila.exe"=
    "c:\\Program Files\\Counter-Strike Xtreme V4\\hl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqSTE08.exe
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhdlc.exe"=
    "c:\\PROGRA~1\\CAFEMA~1\\CafeManila.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\jqsnotify.exe"=
    "c:\\WINDOWS\\system32\\cmd.exe"=
    "c:\\DOCUME~1\\johnkill\\LOCALS~1\\Temp\\winlolg.exe"=
    "c:\\DOCUME~1\\johnkill\\LOCALS~1\\Temp\\winalboni.exe"=
    "c:\\DOCUME~1\\johnkill\\LOCALS~1\\Temp\\winjfthkm.exe"=

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [7/5/2006 1:46 PM 63352]
    R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [11/2/2009 9:17 PM 15328]
    R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [11/2/2009 9:17 PM 13440]
    R3 R5BaseSmc;USB Token Holder Service;c:\windows\system32\drivers\smccard.sys [9/14/2010 4:02 AM 12800]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2010 3:37 PM 205808]
    S2 RPCER;Remote Procedure Call (HNM);c:\program files\Common Files\ODBC\comp.exe --> c:\program files\Common Files\ODBC\comp.exe [?]
    S3 Egatecard;Egatecard;c:\windows\system32\drivers\egate.sys [11/2/2009 9:17 PM 18880]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [7/28/2010 9:12 PM 100736]
    S3 MemWdm;MemWdm;c:\windows\system32\drivers\memwdm.sys [9/14/2010 2:57 AM 27648]
    S3 MMVSC;Virtual Smart Card Reader;c:\windows\system32\drivers\vpscr.sys [9/14/2010 2:57 AM 15360]
    S3 UFS2XX;UFS2XX.SYS UFS2 device driver;c:\windows\system32\drivers\UFS2XX.sys [9/16/2010 5:50 AM 34639]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

    2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 14:37]

    2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-22 14:37]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.yahoo.com
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Show all images in original quality - c:\program files\www.cproxy.com\originalAll.htm
    IE: Show image in original quality - c:\program files\www.cproxy.com\original.htm
    LSP: %SystemRoot%\system32\PrxerDrv.dll
    FF - ProfilePath - c:\documents and settings\johnkill\Application Data\Mozilla\Firefox\Profiles\1axj5ms0.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.viploading.com/
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZCxdm80133US&ptb=Ydy0xUVEd0rFNzuO_rnmZg&psa=&ind=2010090622&ptnrS=ZCxdm80133US&si=&st=kwd&n=77cf8c7e&searchfor=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - 127.0.0.1
    FF - prefs.js: network.proxy.socks_port - 9000
    FF - prefs.js: network.proxy.ssl - 127.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-koiraa - c:\documents and settings\johnkill\koiraa.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-28 08:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\docume~1\johnkill\LOCALS~1\Temp\winlolg.exe
    c:\docume~1\johnkill\LOCALS~1\Temp\winjfthkm.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-28 08:10:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-28 07:10

    Pre-Run: 9,312,595,968 bytes free
    Post-Run: 9,194,258,432 bytes free

    - - End Of File - - 4EFE628C638CBE2B5A425636EAAA6A18
     
  20. 2010/09/28
    johnkill Inactive Thread Starter
    I just went to the market and when I got back my wife had inserted a USB flash drive into my laptop, and now I found out my task manager was disabled and so many problems again... :(
     
  21. 2010/09/28
    broni Moderator Malware Analyst
    Grrrrr.....not good, we have to start over.

    I'll need new logs from MBAM, GMER and MBRCheck for now.
     