Remove-Malware.com Forums

by **jan777** » Thu Jul 22, 2010 2:43 pm

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;
Press any key to quit...

--------------
Malware bytes -> no malicious items found
--------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by aileen at 4:35:28.90 on Fri 07/23/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.125 [GMT 8:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\RAM Def\ramdef.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PSPdisp\bin\app\PSPdisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\aileen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\aileen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\aileen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\aileen\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2bae58c2-79f9-45d1-a286-81f911301c3a} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {9005D5D6-4DD4-4D15-B550-2CCE057D6E86} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Google Update] "c:\documents and settings\aileen\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [cdloader] "c:\documents and settings\aileen\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [RAMDef] c:\program files\ram def\ramdef.exe -tray
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\aileen\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\aileen\startm~1\programs\startup\pspdisp.lnk - c:\program files\pspdisp\bin\app\PSPdisp.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add Hyperlink iComment - c:\program files\icomment 2.0.2\iComment.dll/267
IE: Add Picture iComment - c:\program files\icomment 2.0.2\iComment.dll/267
IE: Add Text iComment - c:\program files\icomment 2.0.2\iComment.dll/267
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {9005D5D6-4DD4-4D15-B550-2CCE057D6E86} - {9005D5D6-4DD4-4D15-B550-2CCE057D6E86}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: kuaiche.com\software
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aileen\applic~1\mozilla\firefox\profiles\bx42ntav.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\aileen\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox 4.0 beta 1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox 4.0 beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox 4.0 beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-2 20952]
R3 PPJoyBus;Parallel Port Joystick Bus Enumerator;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 16056]
R3 PPortJoystick;Parallel Port Joystick Device Driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 31928]
R3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [2010-7-21 3072]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 d2cs;d2cs service;c:\documents and settings\aileen\desktop\pvpgn-1.8.0\d2cs.exe --service --> c:\documents and settings\aileen\desktop\pvpgn-1.8.0\d2cs.exe --service [?]
S2 d2dbs;d2dbs service;c:\documents and settings\aileen\desktop\pvpgn-1.8.0\d2dbs.exe --service --> c:\documents and settings\aileen\desktop\pvpgn-1.8.0\d2dbs.exe --service [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-2 304464]
S2 pvpgn;PvPGN service;c:\documents and settings\aileen\desktop\pvpgn-1.8.0\pvpgn.exe --service --> c:\documents and settings\aileen\desktop\pvpgn-1.8.0\PvPGN.exe --service [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys --> c:\windows\system32\drivers\ewusbfake.sys [?]
S3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [2007-5-3 55296]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-12-8 36928]
S3 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\wpro_40_1123.sys --> c:\windows\system32\drivers\WPRO_40_1123.sys [?]
S3 ZSMC0305;Look 316;c:\windows\system32\drivers\usbVM305.sys [2008-4-9 1466624]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-07-21 21:49:14 0 d-----w- c:\program files\Microsoft Security Essentials
2010-07-21 09:46:19 0 d-----w- c:\docume~1\aileen\applic~1\PSPdisp
2010-07-21 09:42:50 7808 ----a-w- c:\windows\system32\pspdisp.dll
2010-07-21 09:42:50 3072 ----a-w- c:\windows\system32\drivers\pspdisp.sys
2010-07-21 02:31:42 0 d-sha-r- C:\cmdcons
2010-07-21 02:24:29 98816 ----a-w- c:\windows\sed.exe
2010-07-21 02:14:19 77312 ----a-w- c:\windows\MBR.exe
2010-07-21 02:14:18 256512 ----a-w- c:\windows\PEV.exe
2010-07-21 02:14:18 161792 ----a-w- c:\windows\SWREG.exe
2010-07-21 01:33:42 8576 ----a-w- c:\windows\system32\drivers\SETC6.tmp
2010-07-21 01:33:31 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-21 01:33:31 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-21 01:33:31 25952 -c--a-w- c:\windows\system32\dllcache\hpn.sys
2010-07-21 01:33:31 25952 ----a-w- c:\windows\system32\drivers\hpn.sys
2010-07-21 00:46:04 0 d-----w- c:\program files\AA Antimalware
2010-07-20 16:11:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-20 16:10:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-20 10:29:12 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-20 10:29:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-20 09:13:08 0 d-----w- C:\Hjt
2010-07-19 07:20:18 0 d-----w- c:\docume~1\aileen\applic~1\fofix
2010-07-17 06:14:44 0 d-----w- c:\program files\VideoLAN
2010-07-13 21:16:44 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 04:10:59 0 d-----w- c:\docume~1\aileen\applic~1\mjusbsp
2010-07-10 04:05:25 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-07-04 08:43:28 0 d-----w- c:\program files\Chikka Messenger
2010-07-03 06:44:41 324096 ----a-w- c:\windows\SDL.dll
2010-07-03 06:44:29 53248 ----a-w- c:\windows\DsPad.dll
2010-06-30 04:35:25 0 d-----w- c:\program files\Mozilla Firefox 4.0 Beta 1
2010-06-30 03:57:40 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2010-06-30 03:57:40 2688 ----a-w- c:\windows\system32\drivers\HIDSwvd.sys
2010-06-30 03:57:37 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-06-30 03:57:37 59136 ----a-w- c:\windows\system32\drivers\GcKernel.sys
2010-06-29 15:13:14 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-29 09:17:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-27 22:13:44 0 d-----w- c:\program files\PSPdisp
2010-06-27 21:56:22 0 d-----w- c:\program files\PPJoy Joystick Driver
2010-06-27 21:47:09 0 d-----w- c:\program files\Parallel Port Joystick
2010-06-27 21:37:04 0 d-----w- c:\docume~1\aileen\applic~1\TightVNC
2010-06-27 07:32:03 0 d-----w- c:\windows\Ubisoft
2010-06-27 07:30:09 0 d-----w- c:\program files\directx
2010-06-27 07:24:24 0 d-----w- c:\program files\Ubi Soft
2010-06-26 02:08:51 0 d-----w- c:\docume~1\aileen\applic~1\GameTuts

==================== Find3M ====================

2010-05-15 22:32:29 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 18:02:33 157529 ----a-w- c:\windows\hpoins28.dat
2008-06-25 14:17:20 4736 -c--a-w- c:\program files\log467700245.txt
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-05-10 18:13:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051120090512\index.dat

============= FINISH: 4:38:47.81 ===============

you dont need the attach.txt do you?

**Advertisement**

by **FieryDemon** » Thu Jul 22, 2010 4:29 pm

Download a fresh copy of Combofix

Open up Notepad and paste the following:

Code: Select all: KillAll:: File:: c:\windows\system32\drivers\SETC6.tmp DDS:: TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File BHO: {2bae58c2-79f9-45d1-a286-81f911301c3a} - No File TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File MBR::

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

---

Did you reset TCP/IP?? How is everything running?

by **jan777** » Thu Jul 22, 2010 6:05 pm

ComboFix 10-07-22.01 - aileen 07/23/2010 7:01.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.77 [GMT 8:00]
Running from: c:\documents and settings\aileen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\aileen\Desktop\CFscript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\SETC6.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SETC6.tmp

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-22 14:51 . 2010-07-22 14:51 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-22 14:36 . 2010-07-22 14:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-21 21:49 . 2010-07-21 21:49 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-21 09:46 . 2010-07-21 09:47 -------- d-----w- c:\documents and settings\aileen\Application Data\PSPdisp
2010-07-21 09:42 . 2009-08-04 16:04 7808 ----a-w- c:\windows\system32\pspdisp.dll
2010-07-21 09:42 . 2009-08-04 16:04 3072 ----a-w- c:\windows\system32\drivers\pspdisp.sys
2010-07-21 01:33 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-21 01:33 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-21 01:33 . 2001-08-17 06:07 25952 -c--a-w- c:\windows\system32\dllcache\hpn.sys
2010-07-21 01:33 . 2001-08-17 06:07 25952 ----a-w- c:\windows\system32\drivers\hpn.sys
2010-07-21 00:46 . 2010-07-21 03:46 -------- d-----w- c:\program files\AA Antimalware
2010-07-20 21:27 . 2010-07-20 21:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-20 20:54 . 2010-07-20 20:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-07-20 20:54 . 2010-07-20 20:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-07-20 20:54 . 2010-07-21 02:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2010-07-20 20:54 . 2010-07-20 20:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-07-20 16:11 . 2010-07-20 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-20 16:10 . 2010-07-21 00:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-20 10:29 . 2010-07-20 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-20 10:29 . 2010-07-20 10:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-20 09:13 . 2010-07-21 07:24 -------- d-----w- C:\Hjt
2010-07-19 07:20 . 2010-07-19 07:20 -------- d-----w- c:\documents and settings\aileen\Application Data\fofix
2010-07-17 06:18 . 2010-07-17 06:35 -------- d-----w- c:\documents and settings\aileen\Application Data\vlc
2010-07-17 06:14 . 2010-07-17 06:14 -------- d-----w- c:\program files\VideoLAN
2010-07-13 21:16 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 02:13 . 2010-07-11 02:13 -------- d-----w- c:\documents and settings\aileen\Local Settings\Application Data\tjnet
2010-07-10 04:10 . 2010-07-22 19:46 -------- d-----w- c:\documents and settings\aileen\Application Data\mjusbsp
2010-07-10 04:05 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-07-04 08:43 . 2010-07-04 08:43 -------- d-----w- c:\program files\Chikka Messenger
2010-07-03 06:44 . 2009-10-17 04:17 324096 ----a-w- c:\windows\SDL.dll
2010-07-03 06:44 . 2008-01-26 07:59 53248 ----a-w- c:\windows\DsPad.dll
2010-06-30 04:35 . 2010-07-21 01:12 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 1
2010-06-30 03:57 . 2001-08-17 06:02 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2010-06-30 03:57 . 2001-08-17 06:02 2688 ----a-w- c:\windows\system32\drivers\HIDSwvd.sys
2010-06-30 03:57 . 2008-04-13 18:45 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-06-30 03:57 . 2008-04-13 18:45 59136 ----a-w- c:\windows\system32\drivers\GcKernel.sys
2010-06-29 15:13 . 2010-07-22 09:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-29 09:17 . 2010-07-22 22:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-27 22:13 . 2010-07-21 09:46 -------- d-----w- c:\program files\PSPdisp
2010-06-27 21:56 . 2010-06-27 21:56 -------- d-----w- c:\program files\PPJoy Joystick Driver
2010-06-27 21:47 . 2010-06-27 21:47 -------- d-----w- c:\program files\Parallel Port Joystick
2010-06-27 21:37 . 2010-06-27 21:37 -------- d-----w- c:\documents and settings\aileen\Application Data\TightVNC
2010-06-27 21:09 . 2010-06-27 21:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
2010-06-27 07:32 . 2010-06-27 07:32 -------- d-----w- c:\windows\Ubisoft
2010-06-27 07:30 . 2010-06-27 07:30 -------- d-----w- c:\program files\directx
2010-06-27 07:24 . 2010-06-27 07:24 -------- d-----w- c:\program files\Ubi Soft
2010-06-26 02:08 . 2010-06-26 02:08 -------- d-----w- c:\documents and settings\aileen\Local Settings\Application Data\GameTuts
2010-06-26 02:08 . 2010-06-26 02:08 -------- d-----w- c:\documents and settings\aileen\Application Data\GameTuts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 22:38 . 2009-12-08 09:16 -------- d-----w- c:\program files\Garena
2010-07-22 11:22 . 2010-06-12 05:54 -------- d-----w- c:\program files\Defraggler
2010-07-22 08:42 . 2008-05-04 09:51 -------- d-----w- c:\program files\uTorrent
2010-07-22 08:42 . 2008-08-28 14:03 -------- d-----w- c:\documents and settings\aileen\Application Data\uTorrent
2010-07-22 07:27 . 2008-12-27 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-20 15:55 . 2008-04-02 07:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 15:21 . 2009-03-17 15:00 -------- d-----w- c:\documents and settings\aileen\Application Data\LimeWire
2010-07-20 15:19 . 2008-08-28 14:03 -------- d-----w- c:\documents and settings\aileen\Application Data\Media Player Classic
2010-07-20 15:14 . 2010-06-12 04:39 -------- d-----w- c:\program files\CCleaner
2010-07-20 05:00 . 2009-01-27 09:51 -------- d-----w- c:\documents and settings\aileen\Application Data\HPAppData
2010-07-18 06:55 . 2010-06-04 20:27 -------- d-----w- c:\program files\JDownloader
2010-07-12 20:18 . 2010-04-07 16:21 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-12 20:18 . 2010-04-01 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-12 20:17 . 2010-07-12 20:17 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-12 20:17 . 2010-04-07 16:12 -------- d-----w- c:\program files\DivX
2010-07-12 20:17 . 2010-07-12 20:17 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-07-12 20:17 . 2010-07-12 20:17 84054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-07-12 20:16 . 2008-04-10 03:53 -------- d-----w- c:\program files\FlashGet
2010-07-12 20:15 . 2010-07-12 20:15 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-07-12 20:15 . 2010-04-07 16:21 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-07-12 20:15 . 2010-04-07 16:21 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-07-02 06:02 . 2010-05-16 22:33 -------- d-----w- c:\program files\RocketDock
2010-07-02 06:01 . 2010-04-08 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-02 06:01 . 2009-01-23 09:59 -------- d-----w- c:\program files\Norton Security Scan
2010-07-02 06:01 . 2010-06-06 08:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-01 19:30 . 2010-06-15 04:30 -------- d-----w- c:\documents and settings\aileen\Application Data\Image Zone Express
2010-06-23 02:40 . 2010-06-05 19:44 -------- d-----w- c:\documents and settings\aileen\Application Data\DivX
2010-06-14 14:31 . 2008-04-02 07:08 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 05:58 . 2010-06-12 05:58 -------- d-----w- c:\program files\RAM Def
2010-06-12 04:41 . 2010-06-12 04:41 -------- d-----w- c:\program files\Speccy
2010-06-05 19:44 . 2010-06-05 19:44 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-05 19:44 . 2010-06-05 19:44 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-05 19:43 . 2010-06-05 19:43 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-06-05 02:18 . 2010-06-01 02:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 03:26 . 2010-05-28 08:13 -------- d-----w- c:\program files\AeroSnap
2010-05-29 02:21 . 2010-05-21 17:26 -------- d-----w- c:\program files\FileZilla Server
2010-05-28 08:22 . 2010-05-28 08:22 -------- d-----w- c:\documents and settings\aileen\Application Data\AeroSnapApp
2010-05-28 04:48 . 2010-05-28 04:48 -------- d-----w- c:\documents and settings\aileen\Application Data\VitySoft
2010-05-15 22:32 . 2010-05-15 22:32 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 07:39 . 2010-05-01 23:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2010-05-01 23:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 00:15 . 2009-12-08 11:58 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2010-04-24 18:02 . 2010-04-24 17:34 157529 ----a-w- c:\windows\hpoins28.dat
2008-06-25 14:17 . 2008-06-25 14:17 4736 -c--a-w- c:\program files\log467700245.txt
2006-05-03 10:06 . 2008-12-23 07:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2008-12-23 07:56 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2008-12-23 07:56 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-31 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"cdloader"="c:\documents and settings\aileen\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"RAMDef"="c:\program files\RAM Def\ramdef.exe" [2002-10-28 122040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

c:\documents and settings\aileen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
PSPdisp.lnk - c:\program files\PSPdisp\bin\app\PSPdisp.exe [2010-6-1 608256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^Multiply AutoUploader.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\Multiply AutoUploader.lnk
backup=c:\windows\pss\Multiply AutoUploader.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^aileen^Start Menu^Programs^Startup^WinShake Control.lnk]
path=c:\documents and settings\aileen\Start Menu\Programs\Startup\WinShake Control.lnk
backup=c:\windows\pss\WinShake Control.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 17:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AeroSnap]
2008-12-06 11:32 886784 ----a-w- c:\program files\AeroSnap\AeroSnap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-07-31 22:58 133104 ----atw- c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 13:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 08:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 08:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-19 09:11 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueTransparency]
2010-03-28 03:54 374272 ----a-w- c:\documents and settings\aileen\My Documents\Downloads\truetransparency-crystalxp.net-en-5139\TrueTransparency\TrueTransparency.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\ZincPlay\\Zion\\mirc.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"e:\\Warcraft III 1.21 DotA 6.44b pack\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\aileen\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Warcraft III 1.21 DotA 6.44b pack\\Warcraft III\\war3.exe"=
"c:\\Program Files\\PSPdisp\\bin\\app\\PSPdisp.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Documents and Settings\\aileen\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27985:TCP"= 27985:TCP:limewire
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"6926:TCP"= 6926:TCP:League of Legends Launcher
"6926:UDP"= 6926:UDP:League of Legends Launcher
"6908:TCP"= 6908:TCP:League of Legends Launcher
"6908:UDP"= 6908:UDP:League of Legends Launcher
"6893:TCP"= 6893:TCP:League of Legends Launcher
"6893:UDP"= 6893:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"2145:TCP"= 2145:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/2/2010 7:22 AM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/2/2010 7:22 AM 20952]
R3 PPJoyBus;Parallel Port Joystick Bus Enumerator;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 4:33 PM 16056]
R3 PPortJoystick;Parallel Port Joystick Device Driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 4:32 PM 31928]
R3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [7/21/2010 5:42 PM 3072]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 d2cs;d2cs service;c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2cs.exe --service --> c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2cs.exe --service [?]
S2 d2dbs;d2dbs service;c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2dbs.exe --service --> c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\d2dbs.exe --service [?]
S2 pvpgn;PvPGN service;c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\PvPGN.exe --service --> c:\documents and settings\aileen\Desktop\pvpgn-1.8.0\PvPGN.exe --service [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\aileen\LOCALS~1\Temp\JIL15.tmp --> c:\docume~1\aileen\LOCALS~1\Temp\JIL15.tmp [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [5/3/2007 7:48 AM 55296]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/8/2009 7:58 PM 36928]
S3 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\WPRO_40_1123.sys --> c:\windows\system32\drivers\WPRO_40_1123.sys [?]
S3 ZSMC0305;Look 316;c:\windows\system32\drivers\usbVM305.sys [4/9/2008 9:45 PM 1466624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 03:20]

2010-07-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-27 13:13]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-152049171-725345543-1007Core.job
- c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 22:58]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-152049171-725345543-1007UA.job
- c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-31 22:58]

2010-07-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 13:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add Hyperlink iComment - c:\program files\iComment 2.0.2\iComment.dll/267
IE: Add Picture iComment - c:\program files\iComment 2.0.2\iComment.dll/267
IE: Add Text iComment - c:\program files\iComment 2.0.2\iComment.dll/267
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\documents and settings\aileen\Application Data\Mozilla\Firefox\Profiles\bx42ntav.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\aileen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox 4.0 Beta 1\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 07:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8326CB4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85f7f28
\Driver\ACPI -> ACPI.sys @ 0xf848acb8
\Driver\atapi -> atapi.sys @ 0xf841c852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf8329bd4
PacketIndicateHandler -> NDIS.sys @ 0xf8335a21
SendHandler -> NDIS.sys @ 0xf8329d44
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\aileen\LOCALS~1\Temp\JIL15.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(448)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(724)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-23 07:27:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-22 23:27
ComboFix2.txt 2010-07-22 08:07
ComboFix3.txt 2010-07-22 07:04
ComboFix4.txt 2010-07-21 03:09
ComboFix5.txt 2010-07-22 22:48

Pre-Run: 9,848,045,568 bytes free
Post-Run: 9,841,156,096 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - A9B7D0A5FACCA82FE20A6D295A1B0663

------------------
i already reset the tcp/ip
and MBAM is still blocking some sites.

by **FieryDemon** » Thu Jul 22, 2010 6:15 pm

It may have some new rootkit here...

Dr.Web CureIt

Download to the desktop: Dr.Web CureIt

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the Scan-tab, remove the mark at Heuristic analysis.
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

-----
Next, please perform a rootkit scan with GMER
NOTE: There is a small chance this application may crash your computer so save any work you have open.
* Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
* Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
* It may take a minute to load and become available.
* If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
* In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED

* IAT/EAT
* Drives/Partition other than Systemdrive (typically only C:\ should be checked)
* Show All (don't miss this one)
* Then click the Scan button & wait for it to finish.
* Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
* Save it where you can easily find it, such as your desktop
* **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
* Click OK and quit the GMER program.
* Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
* Post that log in your next reply.
* Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

-----
Also,
Upload a File to Virustotal
Please visit Virustotal

Click the Browse... button
Navigate to the file c:\windows\system32\drivers\i2omgmt.sys and c:\windows\system32\drivers\hpn.sys
Click the Open button
Click the Send button
Copy and paste the results back here please.

by **jan777** » Fri Jul 23, 2010 12:03 am

DRWEB

Process in memory: C:\WINDOWS\System32\svchost.exe:752;;BackDoor.Tdss.565;Eradicated.;
Preview-T-5987129-summertime beyonce hot new track.mp3;C:\Documents and Settings\aileen\Desktop\Razor\My Music;Trojan.WMALoader;Cured.;
RegUBP2b-aileen.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
mirc.exe;C:\Program Files\ZincPlay\Zion;Program.mIRC.623;Incurable.Moved.;
A0336434.exe\mirc.exe;C:\System Volume Information\_restore{A8239E9B-227A-418C-BB58-CF55913293DA}\RP371\A0336434.exe;Program.mIRC.623;;
A0336434.exe;C:\System Volume Information\_restore{A8239E9B-227A-418C-BB58-CF55913293DA}\RP371;Container contains infected objects;Moved.;
A0336500.reg;C:\System Volume Information\_restore{A8239E9B-227A-418C-BB58-CF55913293DA}\RP371;Trojan.StartPage.1505;Deleted.;
A0339570.dll;C:\System Volume Information\_restore{A8239E9B-227A-418C-BB58-CF55913293DA}\RP374;Trojan.PWS.IpDiscover.17;Deleted.;
A0340568.reg;C:\System Volume Information\_restore{A8239E9B-227A-418C-BB58-CF55913293DA}\RP374;Trojan.StartPage.1505;Deleted.;

new hijackthis.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:00:24 PM, on 7/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\RAM Def\ramdef.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PSPdisp\bin\app\PSPdisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\aileen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\aileen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\aileen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: iComment - {9005D5D6-4DD4-4D15-B550-2CCE057D6E86} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def\ramdef.exe -tray
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\aileen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\aileen\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PSPdisp.lnk = C:\Program Files\PSPdisp\bin\app\PSPdisp.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add Hyperlink iComment - res://C:\Program Files\iComment 2.0.2\iComment.dll/267
O8 - Extra context menu item: Add Picture iComment - res://C:\Program Files\iComment 2.0.2\iComment.dll/267
O8 - Extra context menu item: Add Text iComment - res://C:\Program Files\iComment 2.0.2\iComment.dll/267
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: iComment - {9005D5D6-4DD4-4D15-B550-2CCE057D6E86} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgrsstarter - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: d2cs service (d2cs) - Unknown owner - C:\Documents and Settings\aileen\Desktop\pvpgn-1.8.0\d2cs.exe (file missing)
O23 - Service: d2dbs service (d2dbs) - Unknown owner - C:\Documents and Settings\aileen\Desktop\pvpgn-1.8.0\d2dbs.exe (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PvPGN service (pvpgn) - Unknown owner - C:\Documents and Settings\aileen\Desktop\pvpgn-1.8.0\PvPGN.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component 1: (no name) - http://www.google.com/

--
End of file - 11495 bytes

-Censored-. drweb was the longest scan i ever did. 6hours? wow. lol.

hmm. im gonna run gmer now.

Mod edited. Please refrain from using foul language.

by **jan777** » Fri Jul 23, 2010 12:44 am

mmm. when i press scan on gmer, is it supposed to be blank? like, the text on the white part is gone and there is no progress bar?
is this normal? and should i just wait?

I uploaded the files.
i2omgmt.sys
http://www.virustotal.com/analisis/0ed865f8fb79f0b6309521925280e8640db5ca6f75377434830536899734b6ee-1279713514
hpn.sys
http://www.virustotal.com/analisis/fd7b34a6036ad443014b16394a5f051a298cee4276d50525fb9f15a0d2684c8b-1276301232

nvrmind got it to work
ARK.LOG

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-23 16:31:13
Windows 5.1.2600 Service Pack 3
Running: xz5h05qo.exe; Driver: C:\DOCUME~1\aileen\LOCALS~1\Temp\uwlyypow.sys

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[752] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[752] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00B3000A
.text C:\WINDOWS\Explorer.EXE[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1364] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[1364] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[2476] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[2476] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[2476] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\wuauclt.exe[2924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\wuauclt.exe[2924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\wuauclt.exe[2924] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C0000C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0xE5 0x8F 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x94 0x54 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0xF2 0xEA 0xF4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0xE5 0x8F 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x89 0x4B 0x9A 0xDB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5C 0x53 0x9E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0xE5 0x8F 0x9C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x94 0x54 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0xF2 0xEA 0xF4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0xE5 0x8F 0x9C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x89 0x4B 0x9A 0xDB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5C 0x53 0x9E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x94 0x54 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0xF2 0xEA 0xF4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0xE5 0x8F 0x9C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x89 0x4B 0x9A 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5C 0x53 0x9E ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x94 0x54 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0xF2 0xEA 0xF4 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x12 0xE5 0x8F 0x9C ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x89 0x4B 0x9A 0xDB ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5C 0x53 0x9E ...

---- EOF - GMER 1.0.15 ----

by **FieryDemon** » Fri Jul 23, 2010 8:42 am

how is everything now? does MBAM still block sites?

you can open up Hijackthis and do a system scan only. Then check the following:

O2 - BHO: (no name) - {2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

and click 'fix checked' at the bottom.

by **jan777** » Fri Jul 23, 2010 10:18 am

Yep still blocking sites.

i also scanned and fixed as you said too.

by **FieryDemon** » Fri Jul 23, 2010 10:50 am

There is a rootkit..but none of the scanner show which file is infected... :evil:

but i think i have a clue now..

Download RootkitUnhooker and save the setup to your Desktop.

* Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
* Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
* Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
* It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
* Once inside the interface, do not fix anything. Click on the Report tab.
* Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
* It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
* When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

by **jan777** » Fri Jul 23, 2010 12:41 pm

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805CB3FA-->9FAC7F46 [C:\DOCUME~1\aileen\LOCALS~1\Temp\LSH34.tmp]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x805B4378-->9FAC7F1E [C:\DOCUME~1\aileen\LOCALS~1\Temp\LSH34.tmp]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x833C8A00 [4] System
0x82F81B28 [132] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82F2DDA0 [216] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper Module)
0x82F645B0 [272] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x83152DA0 [288] C:\Program Files\DivX\DivX Update\DivXUpdate.exe (-, DivX Update)
0x82F19250 [312] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x82FDFDA0 [360] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8311DBC0 [364] C:\Program Files\RAM Def\ramdef.exe
0x8329C928 [384] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x8302F9F8 [432] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x82F87460 [452] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x82FFFA70 [632] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82FF9600 [684] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x83131988 [728] C:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation, AntiMalware Service Executable)
0x8325F628 [768] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x83044778 [872] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x832972F0 [928] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82FAE508 [1064] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x8318E6B8 [1088] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8316F868 [1176] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation, Microsoft Security Essentials User Interface)
0x8319A7C0 [1328] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation, Windows Media Player Network Sharing Service Configuration Application)
0x832234E8 [1384] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x82B03AD0 [1404] C:\Documents and Settings\aileen\Application Data\mjusbsp\magicJack.exe (magicJack L.P., magicJack USB Softphone)
0x83284710 [1456] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8317E2B0 [1508] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)
0x83257020 [1544] C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc., AutoUpater Service Module)
0x8319FBD8 [1552] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0x831AD458 [1596] C:\Program Files\FileZilla Server\FileZilla server.exe (FileZilla Project, FileZilla Server)
0x832932F0 [1688] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8319BCB8 [1744] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x831A6720 [1772] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
0x82BE0BC0 [1864] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x82C264D8 [1940] C:\Program Files\Garena\Garena.exe (Garena Online PTE LTD, Garena)
0x82FDF318 [1960] C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0x826F4BC0 [2016] C:\Documents and Settings\aileen\Desktop\RkU3.8.388.590\MustBeRandomlyNamed\wjglCIKSHra6wqtU6E.exe (UG North, RKULE, SR2 Normandy)
0x8323C020 [2088] C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation, igfxsrvc Module)
0x82F3C588 [2252] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x82F7D9E0 [2312] C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation, Windows Media Player Network Sharing Service)
0x82F86770 [2460] C:\Program Files\PSPdisp\bin\app\PSPdisp.exe (JJS, PSPdisp tray application)
0x82C6D9F0 [3468] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x83346930 [3644] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
==============================================
>Drivers
==============================================
0xF74EF000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5857280 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF1E7000 C:\WINDOWS\System32\igxpdx32.DLL 2699264 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 1671168 bytes (Intel Corporation, Component GHAL Driver)
0xF8340000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA33F8000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6DFD000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA3503000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9E12E000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9E24D000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF73C4000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF8484000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9E306000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF8313000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0x9CAAB000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA3468000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA34DB000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF842E000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA34B5000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x9D377000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF747B000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF74B7000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7458000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA358F000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xA3493000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF83F6000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8454000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF82F9000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF749F000 C:\WINDOWS\system32\drivers\ac97intc.sys 98304 bytes (Intel Corporation, Intel(r) Integrated Controller Hub Audio Driver)
0xF8416000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9E4AE000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF83CD000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF742D000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9E3A9000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7444000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF74DB000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA355C000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF83E4000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8473000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF73F4000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0x9EFFB000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7A85000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7AA5000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7AB5000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8663000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0x9E5AF000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0x9E56F000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xF87C3000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF85F3000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8673000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF85D3000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF8693000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA44DB000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7A95000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF85C3000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8683000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF85B3000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF87B3000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF86B3000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF85E3000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF87A3000 C:\WINDOWS\system32\drivers\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7AC5000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0x9DD16000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF86A3000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA6257000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF8703000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xA6267000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA6837000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF884B000 C:\WINDOWS\system32\drivers\PPortJoy.sys 32768 bytes (Deon van der Westhuysen, Parallel Port Joystick Device Driver)
0x9FAAF000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF892B000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF893B000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF887B000 C:\WINDOWS\system32\drivers\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF8833000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF897B000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF8943000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF8963000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF896B000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8933000 C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)
0xF8923000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA6847000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA6867000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0x9FAC7000 C:\DOCUME~1\aileen\LOCALS~1\Temp\LSH34.tmp 20480 bytes
0xA683F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF883B000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8953000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF895B000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF894B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0x9FA87000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA00B1000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8A77000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF82C9000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA0A2B000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8A8F000 C:\WINDOWS\system32\drivers\PPJoyBus.sys 16384 bytes (Deon van der Westhuysen, Parallel Port Joystick Bus Enumerator)
0xF8A87000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF89C7000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0x9FA57000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA06B0000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA9F1A000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA00BD000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8A93000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA5B2F000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA5B23000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF8B79000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8AB5000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8B59000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8B77000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8AB7000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8B43000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBF47A000 C:\WINDOWS\System32\pspdisp.dll 8192 bytes (JJS, PSPdisp Display Driver)
0xF8AB9000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8AFB000 C:\WINDOWS\system32\drivers\splitter.sys 8192 bytes (Microsoft Corporation, Microsoft Kernel Audio Splitter)
0xF8ADB000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8AE7000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8AB3000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x831A2000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8B98000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0x9EC5E000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8C3A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8B7B000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF8BA6000 C:\WINDOWS\system32\DRIVERS\pspdisp.sys 4096 bytes (JJS, PSPdisp Display Miniport Driver)
!!!!!!!!!!!Hidden driver: 0x83263A17 ?_empty_? 1513 bytes
==============================================
>Stealth
==============================================
0xF8416000 WARNING: suspicious driver modification [atapi.sys::0x83263A17]
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{648CA16C-6151-471E-B7FE-C2BFF7456199}
!-->[Hidden] C:\Documents and Settings\All Users\Application Data\Real\setup\config.ini::$DATA
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D654, Type: Inline - RelativeJump 0x80504654-->80504607 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D8C0, Type: Inline - RelativeJump 0x805048C0-->80504873 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[1384]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1384]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1384]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1384]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1384]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1384]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1384]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1384]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1384]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1384]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1384]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[3644]wuauclt.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[3644]wuauclt.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[3644]wuauclt.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[3644]wuauclt.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[3644]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[3644]wuauclt.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[768]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[768]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[768]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[768]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[768]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[768]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[768]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

There.
man, this rootkit's so hard to find. we've been at it for days now. lol. thanks for the help.

)

Remove-Malware.com Forums

Hi guys. please take a look.

If this topic has helped you then please...

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Re: Hi guys. please take a look.

Who is online