I might have a trojan.

April 17, 2009 at 19:34:13
Specs: Windows XP, 2g
My programs keep randomly crashing and I think I have a trojan virus.



#1
April 17, 2009 at 19:39:20
Run the following scans and post their logs.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename mbam-setup.exe to tool.exe, then click save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename HJTInstall.exe to tools.exe, then click save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
April 17, 2009 at 19:43:05
This seems like a virus.... How could I be so sure?


#3
April 17, 2009 at 19:53:37
Response #1 should help determine if it's a virus, spyware or malware.


#4
April 17, 2009 at 20:00:29
Oops, sorry, didn't mean to post that.


#5
April 17, 2009 at 20:14:18
Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600 Service Pack 3

4/17/2009 7:54:08 PM
mbam-log-2009-04-17 (19-54-08).txt

Scan type: Quick Scan
Objects scanned: 73111
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{060bb0ab-4b09-4c51-9ecb-9580a6d08d7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\win32ini (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\win32ini (Backdoor.Bifrose) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will's Dojo\Start Menu\Programs\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\h4ryd.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\152401338.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3993023176-1894927675-2772396615-500\Dc3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sjgh4kdg4rg4.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\wuauclt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will's Dojo\Start Menu\Programs\BitDownload\BitDownload Downloads.lnk (Trojan.Lop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.


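An added example in Python, not part of the thread and not Malwarebytes' own code: it parses the log format posted above, tallies findings by threat family, checks the listed entries against the counts in the log header, and flags the findings an analyst would read first: the two Security Center notification overrides (the product turned off the "antivirus/firewall disabled" warnings), the Image File Execution Options key for explorer.exe (IFEO lets a different binary be started in place of the named program), the Run-key autostarts (persistence), the Backdoor.Bifrose entries, an executable staged in the Temp folder, and a wuauclt.exe living outside system32 (a Windows binary name used as camouflage). The embedded log is a constructed subset of the posted one with the wrapped lines joined; the `Finding` type and the triage rules are this example's own, not anything Malwarebytes ships.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the Malwarebytes log posted above, with the
# extraction-wrapped lines joined so every finding sits on one line.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1997

Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\win32ini (Backdoor.Bifrose) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\h4ryd.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\wuauclt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")     # header count lines
HEADER_RE = re.compile(r"^(.+ Infected):$")            # section titles
# item, then the first parenthesised token (threat name), then the action.
ENTRY_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    threat: str
    action: str


def parse_mbam_log(text):
    """Return (header counts by section, list of Finding) for an MBAM log."""
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if m := SUMMARY_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            section = m.group(1)
        elif section and (m := ENTRY_RE.match(line)):
            findings.append(Finding(section, *m.groups()))
    return counts, findings


def family_counts(findings):
    return Counter(f.threat for f in findings)


def count_mismatches(counts, findings):
    """Sections whose header count differs from the entries actually listed,
    which usually means a truncated or hand-edited paste."""
    seen = Counter(f.section for f in findings)
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if seen.get(s, 0) != n}


def reasons_for(f):
    """Triage rules for one finding (this example's own heuristics)."""
    low = f.item.lower()
    reasons = []
    if f.threat.startswith("Disabled."):
        reasons.append("Security Center notification suppressed (defence evasion)")
    if "image file execution options" in low:
        reasons.append("IFEO entry: launches of the named program can be redirected")
    if "\\currentversion\\run" in low:
        reasons.append("autostart value (persistence)")
    if f.threat.startswith("Backdoor."):
        reasons.append("backdoor family: assume remote access and exposed credentials")
    if "\\temp\\" in low and low.endswith(".exe"):
        reasons.append("executable staged in a Temp folder")
    if low.endswith("\\wuauclt.exe") and "\\system32\\" not in low:
        reasons.append("Windows binary name outside system32 (masquerading)")
    return reasons


def notable_findings(findings):
    return [(f.item, r) for f in findings if (r := reasons_for(f))]


def summarize(text=MBAM_LOG):
    counts, findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "families": family_counts(findings),
        "mismatches": count_mismatches(counts, findings),
        "notable": notable_findings(findings),
    }


if __name__ == "__main__":
    s = summarize()
    print(f"{s['total']} findings; header/entry mismatches: {s['mismatches'] or 'none'}")
    for family, n in s["families"].most_common():
        print(f"  {n:2d}  {family}")
    for item, reasons in s["notable"]:
        print(f"! {item}\n    " + "; ".join(reasons))
```

Run it on a full log by reading the file into `summarize()`; the count check is the quick way to tell whether a pasted log lost lines on the way into a forum post, which is what happened to the one above.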

#6
April 17, 2009 at 20:22:01
Your java is out of date and may have been exploited and used as the entry point for the infection.
Download the latest version of java from this link Java
Click on the JRE 6 Update 13 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to toolb.exe, then click save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Norton antivirus, Ad-Aware and any other antispyware that you may have. Combofix will not remove the bad files with Norton and Ad-Aware running.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable your Norton antivirus and Ad-Aware again afterwards before connecting to the Internet.



#7
April 17, 2009 at 21:01:06
ComboFix 09-04-18.01 - Will's Dojo 04/17/2009 20:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1700 [GMT -7:00]
Running from: c:\documents and settings\Will's Dojo\Desktop\Combo3Fx.exe
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Will's Dojo\Application Data\ICROSO~1.NET
c:\windows\system32\drivers\ovfsthafsaafvquleoomibtqplouciyugqeese.sys
c:\windows\system32\gwvkukje.ini
c:\windows\system32\hhodyink.ini
c:\windows\system32\jqwyqjpa.ini
c:\windows\system32\lsuhcnqr.ini
c:\windows\system32\mssfc.dll
c:\windows\system32\ovfsthfumssmtsvnegahckfgwvwpaexoyqutsy.dll
c:\windows\system32\ovfsthilbuxlpdqspomuugoruaesuodxbhpmhi.dll
c:\windows\system32\ovfsthmwolgurvpyhjinkqbxhvfhflirlirujg.dll
c:\windows\system32\ovfsthovjrevdbxkkoxnrongfxnwshpksxvftl.dat
c:\windows\system32\ovfsthujybumpedxbksvxixcnojwgalihyjaap.dat
c:\windows\system32\pfonxbbh.ini
c:\windows\system32\qgrwagmw.ini
c:\windows\system32\qsvuttwa.ini
c:\windows\system32\qsvuttwa.ini2
c:\windows\system32\winpfz32.sys
c:\windows\system32\wnsintit.exe
c:\windows\system32\xhmoqgxn.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthlvdpwxciypxjtrixeddwehfqyhkukjgk


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\NCH Software
2010-07-10 06:21 . 2009-04-18 02:06 1173464 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\windows\system32\XPSViewer
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Sony Setup
2009-04-18 03:25 . 2009-04-18 03:29 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-04-18 03:11 . 2009-04-18 03:54 89448 -c--a-w c:\windows\system32\drivers\74832ed9.sys
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Malwarebytes
2009-04-18 02:48 . 2009-04-06 22:32 15504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 02:48 . 2009-04-06 22:32 38496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 02:35 . 2009-04-18 02:35 8192 -csha-w c:\windows\system32\Thumbs.db
2009-04-18 02:35 . 2009-04-18 02:35 16896 -csha-w c:\windows\Thumbs.db
2009-04-17 21:12 . 2009-04-18 03:54 209615 -c--a-w c:\windows\system32\nvapps.xml
2009-04-17 10:44 . 2009-04-17 10:45 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\vlc
2009-04-17 05:09 . 2009-04-17 05:09 74240 -c--a-w c:\windows\system32\zlib.dll
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\eMule
2009-04-14 21:52 . 2009-04-14 22:04 13588 -c--a-w c:\windows\system32\wpa.dbl
2009-04-14 01:34 . 2009-04-14 21:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\uTorrent
2009-03-30 01:48 . 2009-04-15 03:05 -------- dc----w c:\documents and settings\Will's Dojo\Photof---et
2009-03-27 17:03 . 2009-03-27 17:03 401408 -c--a-w c:\windows\system32\nvcuvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\program files\NCH Software
2010-07-10 06:50 . 2010-07-10 06:50 -------- dc----w c:\program files\Sony
2010-07-10 06:21 . 2010-07-10 06:21 -------- dc----w c:\program files\MSBuild
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\program files\Reference Assemblies
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\program files\Sony Setup
2009-04-18 03:54 . 2008-01-02 07:30 -------- dc----w c:\program files\DNA
2009-04-18 03:54 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\DNA
2009-04-18 03:54 . 2007-10-29 02:55 -------- dc----w c:\program files\Steam
2009-04-18 03:29 . 2007-01-27 20:27 -------- dc----w c:\program files\Java
2009-04-18 02:56 . 2009-04-18 02:56 17846 -c--a-w C:\avenger.txt
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 01:38 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\BitTorrent
2009-04-18 00:40 . 2007-05-23 05:20 -------- dc----w c:\program files\EA GAMES
2009-04-17 21:12 . 2007-11-16 00:56 -------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 10:41 . 2009-04-17 10:41 -------- dc----w c:\program files\VideoLAN
2009-04-17 07:14 . 2008-08-20 22:11 -------- dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-16 06:26 . 2009-03-26 17:09 -------- dc----w c:\program files\World of Warcraft
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\program files\eMule
2009-04-15 02:58 . 2009-03-30 01:44 -------- dc----w c:\program files\Photof---et
2009-04-14 01:49 . 2009-04-14 01:49 -------- dc----w c:\program files\PFPortChecker
2009-04-14 01:34 . 2009-04-14 01:34 -------- dc----w c:\program files\uTorrent
2009-04-13 01:24 . 2008-06-13 05:26 -------- dc----w c:\program files\SpeedFan
2009-04-13 01:24 . 2007-09-16 08:03 -------- dc----w c:\program files\Common Files\AOL
2009-04-12 01:43 . 2008-07-17 08:44 -------- dc----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-11 19:16 . 2009-04-11 19:16 -------- dc----w c:\program files\Virtual Hottie 2
2009-04-06 23:42 . 2007-01-23 09:55 -------- dc-h--w c:\program files\InstallShield Installation Information
2009-04-03 03:50 . 2009-04-03 03:50 -------- dc----w c:\program files\Perfect World Entertainment
2009-04-03 00:46 . 2007-09-04 08:23 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\GetRightToGo
2009-04-02 22:53 . 2009-04-02 22:52 -------- dc----w c:\program files\7-Zip
2009-03-28 21:11 . 2007-01-29 12:16 -------- dc----w c:\program files\Teamspeak
2009-03-27 15:14 . 2008-03-26 10:47 453152 -c--a-w c:\windows\system32\NVUNINST.EXE
2009-03-26 17:09 . 2007-01-27 20:18 -------- dc----w c:\program files\Common Files\Blizzard Entertainment
2009-03-26 03:15 . 2008-04-25 04:11 -------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-07 02:21 . 2008-07-10 11:46 -------- dc----w c:\program files\Google
2009-01-31 21:49 . 2007-01-23 09:00 76487 -c--a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-31 21:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-01-29 20:16 . 2008-02-16 02:28 107888 -c--a-w c:\windows\system32\CmdLineExt.dll
2009-01-27 21:22 . 2007-01-23 00:41 90112 ----a-w c:\windows\DUMP75cc.tmp
2008-11-04 07:44 . 2007-01-27 21:35 77984 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-04 22:32 . 2007-09-04 22:32 134 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 517632]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-07 342848]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-09 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 729088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-1-23 49220]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 -c--a-w c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-07 05:09 172032 -c--a-w c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2006-01-07 05:09 659456 -c--a-w c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2006-01-07 05:09 49152 -c--a-w c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
2008-04-14 00:12 1695232 -c----w c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2008-10-09 19:23 1410296 -c--a-w c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\garrysmod\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\GTAIV.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 DBKDRVR54;DBKDRVR54; [x]
R3 LycoFltr;Lycosa Keyboard; [x]
R3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
R3 XDva092;XDva092; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]


--- Other Services/Drivers In Memory ---

*Deregistered* - sfc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3216e3e5-ae40-11db-a437-806d6172696f}]
\Shell\AutoRun\command - d:\bin\Assetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-20 23:59]

2009-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993023176-1894927675-2772396615-1005.job
- c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.ffsearch.net/s/?ref=adr&q=
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\74832ed9]
"ImagePath"="\SystemRoot\System32\drivers\74832ed9.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-3993023176-1894927675-2772396615-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\s-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,ff,eb,15,e2,c5,c9,1a,bf,8e,34,97,80,5c,fc,35,6d,ef,c5,a7,68,9c,b3,
af,75,51,c4,8a,7e,0c,a4,a7,c1,84,4c,46,59,2f,05,d6,12,fe,8a,75,23,8c,47,5b,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\s-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\License information*]
"datasecu"=hex:00,5a,b0,31,b1,b3,4f,7f,01,2b,9b,16,d6,b9,47,d3,70,16,63,a3,62,
7c,ee,4f,9d,4b,e9,67,38,d7,2a,89,30,59,e6,7e,30,39,19,38,0b,fc,72,f8,3b,08,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'lsass.exe'(1144)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\WudfHost.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
**************************************************************************
.
Completion time: 2009-04-18 21:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 04:03

Pre-Run: 18,102,697,984 bytes free
Post-Run: 18,367,725,568 bytes free

282 --- E O F --- 2008-03-12 14:01



#8
April 17, 2009 at 21:39:58
Please go to Virus Total and upload the following file for analysis:

c:\windows\system32\drivers\74832ed9.sys

Use the browse button at the site to find the file. Once you find the file, double click it and it should appear in the empty space to the left of the browse button, then click "send file".

Post the results in your reply.



#9
April 17, 2009 at 22:04:28
Damn.

Apparently that file is not wanting to be sent, I think it might be corrupt.

I went to the webpage and tried every possible way to send it and it froze up.

I tried sending it over email and the file wouldn't attach with the error message "Attachment failed". No go.



#10
April 18, 2009 at 07:35:36
This may help.

Go to the Virus Total site click the browse button at the site. Then in the box that appears click the blue drop down arrow to the right of the "look in" slot.

Next double click "local disk(C:)",

double click "windows"

double click "system32"

double click "driver"

double click "74832ed9.sys".

The full file path should now be in the "Upload a file" box. Now click send.



#11
April 18, 2009 at 14:09:56
Okay. I booted up in safe mode with networking and I was able to upload it. The log says:


File 74832ed9.sys received on 04.18.2009 23:23:58 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.18 Backdoor.Winnt!IK
AhnLab-V3 5.0.0.2 2009.04.18 -
AntiVir 7.9.0.148 2009.04.18 TR/Rootkit.Gen
Antiy-AVL 2.0.3.1 2009.04.17 -
Authentium 5.1.2.4 2009.04.18 -
Avast 4.8.1335.0 2009.04.18 Win32:Rootkit-gen
AVG 8.5.0.287 2009.04.18 -
BitDefender 7.2 2009.04.18 -
CAT-QuickHeal 10.00 2009.04.18 -
ClamAV 0.94.1 2009.04.18 -
Comodo 1120 2009.04.18 -
DrWeb 4.44.0.09170 2009.04.18 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.17 -
F-Secure 8.0.14470.0 2009.04.18 -
Fortinet 3.117.0.0 2009.04.18 -
GData 19 2009.04.18 Win32:Rootkit-gen
Ikarus T3.1.1.49.0 2009.04.18 Backdoor.Winnt
K7AntiVirus 7.10.707 2009.04.17 -
Kaspersky 7.0.0.125 2009.04.18 -
McAfee 5588 2009.04.18 -
McAfee+Artemis 5588 2009.04.18 Generic!Artemis
McAfee-GW-Edition 6.7.6 2009.04.18 Trojan.Rootkit.Gen
Microsoft 1.4502 2009.04.18 Backdoor:WinNT/Rustock.E
NOD32 4019 2009.04.18 -
Norman 6.00.06 2009.04.17 -
nProtect 2009.1.8.0 2009.04.18 -
Panda 10.0.0.14 2009.04.18 -
PCTools 4.4.2.0 2009.04.17 -
Prevx1 V2 2009.04.18 Medium Risk Malware
Rising 21.25.52.00 2009.04.18 -
Sophos 4.40.0 2009.04.18 -
Sunbelt 3.2.1858.2 2009.04.18 -
Symantec 1.4.4.12 2009.04.18 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.17 -
VBA32 3.12.10.2 2009.04.12 suspected of Malware-Cryptor.Win32.General.3
ViRobot 2009.4.18.1685 2009.04.18 -
VirusBuster 4.6.5.0 2009.04.18 -

Additional information
File size: 89448 bytes
MD5...: 06655c608859b1a84cbd0a1f7ae6e45c
SHA1..: 94348e83c8bbae7c7deac952714c7c019c894477
SHA256: 08b292b80521b54c9637ac38445e9a59d985ffcc7bb12eeac46dac7786b146f3
SHA512: 667fb4ed1a717ce311b38f1eebe55181fd59b052aa89ea66aea3a05f7f30e0668055c00b5c013b5bc5b469937c73da94f5f38ef2257c56c2528cd28e2bee890e
ssdeep: 1536:1VcbLn9WwXFeYDL83ARZu0LN+m5TGMGBiAlrYalU/:1VmD9tDvRU0LN+2GfrVm

PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xa48
timedatestamp.....: 0x49e731e7 (Thu Apr 16 13:25:59 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x280 0x862 0x880 7.87 05433b68fc58d261665d0e341d677987
.rdata 0xb00 0x3238 0x3280 7.97 fff58e797a331bf695db86cacf355064
.data 0x3d80 0x6b7b 0x6b80 0.00 e952bbf142b67f8ee84699b70a0db5fa
INIT 0xa900 0xe4 0x100 4.10 9ac5f7dbbfbc1886aa773a6f0b5b51e3
.reloc 0xaa00 0x9e 0x100 0.95 c1e1397f496f38ed5a95683c1acc0977

( 1 imports )
> ntoskrnl.exe: memcpy, ObfDereferenceObject, ZwClose, IoAllocateWorkItem, ExAllocatePoolWithTag, IoAllocateIrp, IofCompleteRequest, memset

( 0 exports )

RDS...: NSRL Reference Data Set
-
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=003E114268877C0C5DE50101CF952D006B3DBD00


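A triage pass over the report in the post above, as an added example that is not part of the original thread and not VirusTotal's own tooling. It parses the two tables exactly as they are rendered here (engine, version, last update, result on one line; section name, virtual address, virtual size, raw size, entropy, MD5 on one line) and pulls out what a responder wants before reading forty verdicts one by one: the detection ratio (10 of 40), how many engines agree on "rootkit", "backdoor" and the Rustock family name, which PE sections have entropy near 8 bits per byte (.text at 7.87 and .rdata at 7.97, which is what packed or encrypted code looks like, against an all-zero .data), and how many bytes of the 89448-byte file lie past the end of the last section. The only assumption is the one stated in the overlay function: that the sections are stored back to back after the headers, which the report's own addresses confirm (each virtual address equals the previous one plus the previous raw size). The eight-entry import table from ntoskrnl.exe is consistent with the same picture: a driver this size that resolves almost nothing at load time is resolving the rest itself at run time.

```python
import re
from collections import Counter

# Per-engine lines copied from the report posted above ("-" means no verdict).
VT_ENGINE_TABLE = """\
a-squared 4.0.0.101 2009.04.18 Backdoor.Winnt!IK
AhnLab-V3 5.0.0.2 2009.04.18 -
AntiVir 7.9.0.148 2009.04.18 TR/Rootkit.Gen
Antiy-AVL 2.0.3.1 2009.04.17 -
Authentium 5.1.2.4 2009.04.18 -
Avast 4.8.1335.0 2009.04.18 Win32:Rootkit-gen
AVG 8.5.0.287 2009.04.18 -
BitDefender 7.2 2009.04.18 -
CAT-QuickHeal 10.00 2009.04.18 -
ClamAV 0.94.1 2009.04.18 -
Comodo 1120 2009.04.18 -
DrWeb 4.44.0.09170 2009.04.18 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.17 -
F-Secure 8.0.14470.0 2009.04.18 -
Fortinet 3.117.0.0 2009.04.18 -
GData 19 2009.04.18 Win32:Rootkit-gen
Ikarus T3.1.1.49.0 2009.04.18 Backdoor.Winnt
K7AntiVirus 7.10.707 2009.04.17 -
Kaspersky 7.0.0.125 2009.04.18 -
McAfee 5588 2009.04.18 -
McAfee+Artemis 5588 2009.04.18 Generic!Artemis
McAfee-GW-Edition 6.7.6 2009.04.18 Trojan.Rootkit.Gen
Microsoft 1.4502 2009.04.18 Backdoor:WinNT/Rustock.E
NOD32 4019 2009.04.18 -
Norman 6.00.06 2009.04.17 -
nProtect 2009.1.8.0 2009.04.18 -
Panda 10.0.0.14 2009.04.18 -
PCTools 4.4.2.0 2009.04.17 -
Prevx1 V2 2009.04.18 Medium Risk Malware
Rising 21.25.52.00 2009.04.18 -
Sophos 4.40.0 2009.04.18 -
Sunbelt 3.2.1858.2 2009.04.18 -
Symantec 1.4.4.12 2009.04.18 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.17 -
VBA32 3.12.10.2 2009.04.12 suspected of Malware-Cryptor.Win32.General.3
ViRobot 2009.4.18.1685 2009.04.18 -
VirusBuster 4.6.5.0 2009.04.18 -
"""

# Section table and file size from the same report.
VT_SECTION_TABLE = """\
.text 0x280 0x862 0x880 7.87 05433b68fc58d261665d0e341d677987
.rdata 0xb00 0x3238 0x3280 7.97 fff58e797a331bf695db86cacf355064
.data 0x3d80 0x6b7b 0x6b80 0.00 e952bbf142b67f8ee84699b70a0db5fa
INIT 0xa900 0xe4 0x100 4.10 9ac5f7dbbfbc1886aa773a6f0b5b51e3
.reloc 0xaa00 0x9e 0x100 0.95 c1e1397f496f38ed5a95683c1acc0977
"""
VT_FILE_SIZE = 89448

ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")


def parse_engine_table(text):
    """Return [(engine, verdict or None), ...]; raise on a line that does not fit the format."""
    rows = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = ENGINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised engine line: %r" % line)
        engine, _version, _updated, verdict = m.groups()
        rows.append((engine, None if verdict == "-" else verdict))
    return rows


def summarize(rows, keywords=("rootkit", "backdoor", "rustock")):
    """Detection ratio, the verdicts, and how many engines mention each lower-case keyword."""
    hits = [(e, v) for e, v in rows if v]
    counts = Counter(k for _, v in hits for k in keywords if k in v.lower())
    return {"detected": len(hits), "total": len(rows), "hits": hits, "keywords": counts}


def parse_sections(text):
    """One dict per section: name, va, vsize, rawsize (ints), entropy (float), md5."""
    secs = []
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) != 6:
            continue
        secs.append({"name": parts[0], "va": int(parts[1], 16), "vsize": int(parts[2], 16),
                     "rawsize": int(parts[3], 16), "entropy": float(parts[4]), "md5": parts[5]})
    return secs


def suspicious_sections(secs, high=7.5):
    """Sections that look packed/encrypted (entropy near 8) or are uniform filler (0.0 over real bytes)."""
    out = []
    for s in secs:
        if s["entropy"] >= high:
            out.append((s["name"], "entropy %.2f: packed or encrypted" % s["entropy"]))
        elif s["entropy"] == 0.0 and s["rawsize"] > 0:
            out.append((s["name"], "entropy 0.00 over %d bytes: every byte identical" % s["rawsize"]))
    return out


def overlay_bytes(secs, file_size):
    """Bytes past the last section. Assumes (as this report's addresses confirm) that sections
    sit back to back right after the headers, so the first VA is the header size."""
    return file_size - (secs[0]["va"] + sum(s["rawsize"] for s in secs))
```

Run it and `summarize(parse_engine_table(VT_ENGINE_TABLE))` reports 10 of 40 with four "rootkit", three "backdoor" and one "rustock" verdicts; `suspicious_sections` returns .text, .rdata and .data; `overlay_bytes(secs, VT_FILE_SIZE)` is 45672, so roughly half of the file is data outside any section. The MD5 in the report is also enough for a hash lookup on VirusTotal, which avoids the upload trouble described earlier in the thread when a sample has already been analysed.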

#12
April 18, 2009 at 15:04:32
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\drivers\74832ed9.sys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#13
April 18, 2009 at 15:28:14
ComboFix 09-04-19.01 - Will's Dojo 04/18/2009 15:08.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1483 [GMT -7:00]
Running from: c:\documents and settings\Will's Dojo\Desktop\Combo3Fx.exe
Command switches used :: c:\documents and settings\Will's Dojo\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*

FILE ::
c:\windows\system32\drivers\74832ed9.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\74832ed9.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sfc
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\NCH Software
2010-07-10 06:21 . 2009-04-18 21:19 1173464 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\windows\system32\XPSViewer
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Sony Setup
2009-04-18 22:17 . 2009-04-18 22:17 0 -c--a-w c:\windows\system32\drivers\sfc.sys
2009-04-18 07:14 . 2009-04-18 07:14 189472 -c--a-w c:\windows\system32\PnkBstrB.xtr
2009-04-18 07:13 . 2009-04-18 07:13 139152 -c--a-w c:\documents and settings\Will's Dojo\Application Data\PnkBstrK.sys
2009-04-18 07:12 . 2009-04-18 07:12 794408 -c--a-w c:\windows\system32\pbsvc.exe
2009-04-18 06:46 . 2009-04-18 06:46 -------- dc----w c:\documents and settings\Will's Dojo\Local Settings\Application Data\PunkBuster
2009-04-18 03:25 . 2009-04-18 03:29 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Malwarebytes
2009-04-18 02:48 . 2009-04-06 22:32 15504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 02:48 . 2009-04-06 22:32 38496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 02:35 . 2009-04-18 02:35 8192 -csha-w c:\windows\system32\Thumbs.db
2009-04-18 02:35 . 2009-04-18 02:35 16896 -csha-w c:\windows\Thumbs.db
2009-04-17 21:12 . 2009-04-18 22:16 209615 -c--a-w c:\windows\system32\nvapps.xml
2009-04-17 10:44 . 2009-04-17 10:45 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\vlc
2009-04-17 05:09 . 2009-04-17 05:09 74240 -c--a-w c:\windows\system32\zlib.dll
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\eMule
2009-04-14 21:52 . 2009-04-14 22:04 13588 -c--a-w c:\windows\system32\wpa.dbl
2009-04-14 01:34 . 2009-04-14 21:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\uTorrent
2009-03-30 01:48 . 2009-04-15 03:05 -------- dc----w c:\documents and settings\Will's Dojo\Photof---et
2009-03-27 17:03 . 2009-03-27 17:03 401408 -c--a-w c:\windows\system32\nvcuvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\program files\NCH Software
2010-07-10 06:50 . 2010-07-10 06:50 -------- dc----w c:\program files\Sony
2010-07-10 06:21 . 2010-07-10 06:21 -------- dc----w c:\program files\MSBuild
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\program files\Reference Assemblies
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\program files\Sony Setup
2009-04-18 22:17 . 2007-10-29 02:55 -------- dc----w c:\program files\Steam
2009-04-18 22:16 . 2008-01-02 07:30 -------- dc----w c:\program files\DNA
2009-04-18 22:16 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\DNA
2009-04-18 08:15 . 2008-08-20 22:11 -------- dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-18 07:17 . 2007-10-21 00:12 138168 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-18 07:14 . 2007-10-21 00:12 189472 -c--a-w c:\windows\system32\PnkBstrB.exe
2009-04-18 07:12 . 2007-10-21 00:12 75064 -c--a-w c:\windows\system32\PnkBstrA.exe
2009-04-18 04:54 . 2009-04-18 04:54 -------- dc----w c:\program files\VirusTotalUploader
2009-04-18 04:34 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\BitTorrent
2009-04-18 03:29 . 2007-01-27 20:27 -------- dc----w c:\program files\Java
2009-04-18 02:56 . 2009-04-18 02:56 17846 -c--a-w C:\avenger.txt
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 00:40 . 2007-05-23 05:20 -------- dc----w c:\program files\EA GAMES
2009-04-17 21:12 . 2007-11-16 00:56 -------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 10:41 . 2009-04-17 10:41 -------- dc----w c:\program files\VideoLAN
2009-04-16 06:26 . 2009-03-26 17:09 -------- dc----w c:\program files\World of Warcraft
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\program files\eMule
2009-04-15 02:58 . 2009-03-30 01:44 -------- dc----w c:\program files\Photof---et
2009-04-14 01:49 . 2009-04-14 01:49 -------- dc----w c:\program files\PFPortChecker
2009-04-14 01:34 . 2009-04-14 01:34 -------- dc----w c:\program files\uTorrent
2009-04-13 01:24 . 2008-06-13 05:26 -------- dc----w c:\program files\SpeedFan
2009-04-13 01:24 . 2007-09-16 08:03 -------- dc----w c:\program files\Common Files\AOL
2009-04-12 01:43 . 2008-07-17 08:44 -------- dc----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-11 19:16 . 2009-04-11 19:16 -------- dc----w c:\program files\Virtual Hottie 2
2009-04-06 23:42 . 2007-01-23 09:55 -------- dc-h--w c:\program files\InstallShield Installation Information
2009-04-03 03:50 . 2009-04-03 03:50 -------- dc----w c:\program files\Perfect World Entertainment
2009-04-03 00:46 . 2007-09-04 08:23 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\GetRightToGo
2009-04-02 22:53 . 2009-04-02 22:52 -------- dc----w c:\program files\7-Zip
2009-03-28 21:11 . 2007-01-29 12:16 -------- dc----w c:\program files\Teamspeak
2009-03-27 15:14 . 2008-03-26 10:47 453152 -c--a-w c:\windows\system32\NVUNINST.EXE
2009-03-26 17:09 . 2007-01-27 20:18 -------- dc----w c:\program files\Common Files\Blizzard Entertainment
2009-03-26 03:15 . 2008-04-25 04:11 -------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-07 02:21 . 2008-07-10 11:46 -------- dc----w c:\program files\Google
2009-01-31 21:49 . 2007-01-23 09:00 76487 -c--a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-31 21:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-01-29 20:16 . 2008-02-16 02:28 107888 -c--a-w c:\windows\system32\CmdLineExt.dll
2009-01-27 21:22 . 2007-01-23 00:41 90112 ----a-w c:\windows\DUMP75cc.tmp
2008-11-04 07:44 . 2007-01-27 21:35 77984 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-04 22:32 . 2007-09-04 22:32 134 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 D2F9064E5A73AB5F4958A86740E3D2EE c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-18_03.54.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 22:16 . 2009-04-18 22:16 16384 c:\windows\temp\Perflib_Perfdata_504.dat
+ 2009-04-18 22:16 . 2009-04-18 22:16 16384 c:\windows\temp\Perflib_Perfdata_4bc.dat
+ 2004-08-04 12:00 . 2008-04-14 00:12 1614848 c:\windows\system32\mssfc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 517632]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-07 342848]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-09 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [BU]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [BU]
"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 729088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-1-23 49220]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\garrysmod\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\GTAIV.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 74832ed9;74832ed9; [x]
R3 DBKDRVR54;DBKDRVR54; [x]
R3 LycoFltr;Lycosa Keyboard; [x]
R3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
R3 XDva092;XDva092; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SFC
*Deregistered* - adfs
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - eeCtrl
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - ForceWare Intelligent Application Manager (IAM)
*Deregistered* - Ftdisk
*Deregistered* - giveio
*Deregistered* - Gpc
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - javaquickstarterservice
*Deregistered* - JGOGO
*Deregistered* - JRAID
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NCPro
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - nSvcIp
*Deregistered* - Ntfs
*Deregistered* - nTuneService
*Deregistered* - Null
*Deregistered* - NVR0Dev
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - pnkbstra
*Deregistered* - pnkbstrb
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - sfc
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - speedfan
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec Core LC
*Deregistered* - symlcbrd
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - Wdf01000
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
*Deregistered* - zumbus
*Deregistered* - ZuneBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3216e3e5-ae40-11db-a437-806d6172696f}]
\Shell\AutoRun\command - d:\bin\Assetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-20 23:59]

2009-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993023176-1894927675-2772396615-1005.job
- c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:16]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Wdf01000.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.ffsearch.net/s/?ref=adr&q=
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 15:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,ff,eb,15,e2,c5,c9,1a,bf,8e,34,97,80,5c,fc,35,6d,ef,c5,a7,68,9c,b3,af,75,51,c4,8a,7e,0c,a4,a7,c1,84,4c,46,59,2f,05,d6,12,fe,8a,75,23,8c,47,5b,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\License information*]
"datasecu"=hex:a5,e3,42,59,84,ea,7a,91,0c,81,2e,9f,74,59,60,48,b3,67,4e,94,56,4a,d2,a4,2c,17,1f,94,60,0b,3d,81,2d,88,2c,f4,9c,7a,47,75,9d,8e,82,54,e4,03,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'lsass.exe'(1132)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\zlib.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2009-04-18 15:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 22:27
ComboFix2.txt 2009-04-18 07:57
ComboFix3.txt 2009-04-18 04:03

Pre-Run: 24,690,053,120 bytes free
Post-Run: 18,294,288,384 bytes free

389 --- E O F --- 2008-03-12 14:01


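Three checks run over the ComboFix log in the post above, as an added example that is not part of the original thread and not ComboFix's own logic. The log says the driver file and the "sfc" service were removed, but three other lines in it deserve a second look: the Sigcheck section shows c:\windows\system32\sfcfiles.dll with the same 1614848-byte length as the pristine SP3 copy under ServicePackFiles\i386 but a different MD5; the SnapShot section shows a new c:\windows\system32\mssfc.dll of exactly that length carrying the original file's timestamps; and the driver list still shows 74832ed9 as R1 (running, system start) with [x], meaning no image file on disk. The code embeds those lines with each Sigcheck record joined onto one line, and reports a length-preserving modification of a system DLL, any newly appeared file of the same length (a hypothesis that the original was parked there, to be confirmed by hashing it against the pristine MD5), and every service marked [x], running ones first. The [7]/[-] markers are ComboFix's own signature-status flags; the example compares hashes and does not depend on their meaning.

```python
import re

# Sigcheck records from the ComboFix log above, one record per line here:
# [flag] date time size MD5 path. The bracketed flag is ComboFix's own
# signature-status marker; this example compares hashes and does not depend on it.
SIGCHECK = r"""
[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 D2F9064E5A73AB5F4958A86740E3D2EE c:\windows\system32\sfcfiles.dll
"""

# "+" lines from the SnapShot section of the same log (files that appeared since the snapshot).
SNAPSHOT = r"""
+ 2009-04-18 22:16 . 2009-04-18 22:16 16384 c:\windows\temp\Perflib_Perfdata_504.dat
+ 2009-04-18 22:16 . 2009-04-18 22:16 16384 c:\windows\temp\Perflib_Perfdata_4bc.dat
+ 2004-08-04 12:00 . 2008-04-14 00:12 1614848 c:\windows\system32\mssfc.dll
"""

# Driver/service lines from the same log: state, name;display name;image path [date size] or [x].
DRIVERS = r"""
R1 74832ed9;74832ed9; [x]
R3 DBKDRVR54;DBKDRVR54; [x]
R3 LycoFltr;Lycosa Keyboard; [x]
R3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
R3 XDva092;XDva092; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]
"""

SIG_RE = re.compile(r"^\[(.)\]\s+(\S+ \S+)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+)$")
DRV_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# Where Windows XP keeps pristine copies of service-pack files.
PRISTINE = ("\\servicepackfiles\\i386\\", "\\$ntservicepackuninstall$\\")


def parse_sigcheck(text):
    recs = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            flag, stamp, size, md5, path = m.groups()
            recs.append({"flag": flag, "stamp": stamp, "size": int(size),
                         "md5": md5.upper(), "path": path.lower()})
    return recs


def patched_system_files(recs):
    """system32 files exactly as long as a pristine copy of the same name but
    hashing differently: modified in place with the length preserved."""
    findings = []
    for live in (r for r in recs if "\\system32\\" in r["path"]):
        name = live["path"].rsplit("\\", 1)[-1]
        for ref in recs:
            if (ref["path"].endswith("\\" + name) and any(p in ref["path"] for p in PRISTINE)
                    and ref["size"] == live["size"] and ref["md5"] != live["md5"]):
                findings.append({"file": live["path"], "size": live["size"],
                                 "live_md5": live["md5"], "expected_md5": ref["md5"]})
    return findings


def displaced_copies(findings, snapshot_text):
    """Newly appeared files of exactly a patched file's length: candidates for where
    the original was parked. Confirm by hashing the candidate against expected_md5."""
    out = []
    for parts in (ln.split() for ln in snapshot_text.splitlines()):
        if len(parts) < 8 or parts[0] != "+":
            continue
        size, path = int(parts[6]), " ".join(parts[7:]).lower()
        out.extend((f["file"], path) for f in findings if f["size"] == size and f["file"] != path)
    return out


def drivers_without_file(text):
    """Service entries ComboFix marks [x] (image path not found on disk), running
    ones first, then by start type: a running driver with no file is the top lead."""
    out = []
    for line in text.splitlines():
        m = DRV_RE.match(line.strip())
        if m and m.group(5) == "x":
            out.append((m.group(2), m.group(1)))
    out.sort(key=lambda t: (t[1][0] != "R", t[1]))
    return out


if __name__ == "__main__":
    found = patched_system_files(parse_sigcheck(SIGCHECK))
    for f in found:
        print("PATCHED %s (%d bytes): %s, expected %s" % (f["file"], f["size"], f["live_md5"], f["expected_md5"]))
    for original, twin in displaced_copies(found, SNAPSHOT):
        print("  file of the same length appeared at %s (original: %s)" % (twin, original))
    for name, state in drivers_without_file(DRIVERS):
        print("NO FILE %s (%s)" % (name, state))
```

On this log it flags sfcfiles.dll (expected MD5 9DD07AF8..., found D2F9064E...), names mssfc.dll as the same-length newcomer, and lists 74832ed9 ahead of the four R3 orphans. The first thing to do with that output is hash c:\windows\system32\mssfc.dll: if it equals the pristine MD5, the system DLL was swapped rather than deleted, and the clean copy under ServicePackFiles\i386 can be put back once the driver that loads without a file is gone.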

#14
April 18, 2009 at 15:43:01
Programs are still randomly crashing and my taskbar seems to keep getting "refreshed"; it will disappear and come back, oddly.


#15
April 18, 2009 at 17:32:53
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\DUMP75cc.tmp

Driver::
74832ed9

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Please post the HijackThis log requested at the bottom of response #1.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.



#16
April 19, 2009 at 05:02:35
ComboFix 09-04-19.01 - Will's Dojo 04/19/2009 4:35.4 - NTFSx86
Running from: c:\documents and settings\Will's Dojo\Desktop\Combo3Fx.exe
Command switches used :: c:\documents and settings\Will's Dojo\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*

FILE ::
c:\windows\DUMP75cc.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DUMP75cc.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Service_74832ed9


((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\NCH Software
2010-07-10 06:21 . 2009-04-18 21:19 1173464 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\windows\system32\XPSViewer
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Sony Setup
2009-04-18 07:14 . 2009-04-18 07:14 189472 -c--a-w c:\windows\system32\PnkBstrB.xtr
2009-04-18 07:13 . 2009-04-18 07:13 139152 -c--a-w c:\documents and settings\Will's Dojo\Application Data\PnkBstrK.sys
2009-04-18 07:12 . 2009-04-18 07:12 794408 -c--a-w c:\windows\system32\pbsvc.exe
2009-04-18 06:46 . 2009-04-18 06:46 -------- dc----w c:\documents and settings\Will's Dojo\Local Settings\Application Data\PunkBuster
2009-04-18 03:25 . 2009-04-18 03:29 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Malwarebytes
2009-04-18 02:48 . 2009-04-06 22:32 15504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 02:48 . 2009-04-06 22:32 38496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 02:35 . 2009-04-18 02:35 8192 -csha-w c:\windows\system32\Thumbs.db
2009-04-18 02:35 . 2009-04-18 02:35 16896 -csha-w c:\windows\Thumbs.db
2009-04-17 21:12 . 2009-04-19 11:40 209615 -c--a-w c:\windows\system32\nvapps.xml
2009-04-17 10:44 . 2009-04-17 10:45 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\vlc
2009-04-17 05:09 . 2009-04-17 05:09 74240 -c--a-w c:\windows\system32\zlib.dll
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\eMule
2009-04-14 21:52 . 2009-04-14 22:04 13588 -c--a-w c:\windows\system32\wpa.dbl
2009-04-14 01:34 . 2009-04-14 21:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\uTorrent
2009-03-30 01:48 . 2009-04-15 03:05 -------- dc----w c:\documents and settings\Will's Dojo\Photof---et
2009-03-27 17:03 . 2009-03-27 17:03 401408 -c--a-w c:\windows\system32\nvcuvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report
))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w
c:\program files\NCH Software
2010-07-10 06:50 . 2010-07-10 06:50 -------- dc----w
c:\program files\Sony
2010-07-10 06:21 . 2010-07-10 06:21 -------- dc----w
c:\program files\MSBuild
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w
c:\program files\Reference Assemblies
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w
c:\program files\Sony Setup
2009-04-19 11:40 . 2008-01-02 07:30 -------- dc----w
c:\program files\DNA
2009-04-19 11:40 . 2008-01-02 07:30 -------- dc----w
c:\documents and settings\Will's Dojo\Application Data\DNA
2009-04-19 11:40 . 2007-10-29 02:55 -------- dc----w
c:\program files\Steam
2009-04-19 09:16 . 2008-08-20 22:11 -------- dc----w
c:\documents and settings\All Users\Application Data\Google
Updater
2009-04-18 07:17 . 2007-10-21 00:12 138168 -c--a-w
c:\windows\system32\drivers\PnkBstrK.sys
2009-04-18 07:14 . 2007-10-21 00:12 189472 -c--a-w
c:\windows\system32\PnkBstrB.exe
2009-04-18 07:12 . 2007-10-21 00:12 75064 -c--a-w
c:\windows\system32\PnkBstrA.exe
2009-04-18 04:54 . 2009-04-18 04:54 -------- dc----w
c:\program files\VirusTotalUploader
2009-04-18 04:34 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\BitTorrent
2009-04-18 03:29 . 2007-01-27 20:27 -------- dc----w c:\program files\Java
2009-04-18 02:56 . 2009-04-18 02:56 17846 -c--a-w C:\avenger.txt
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 00:40 . 2007-05-23 05:20 -------- dc----w c:\program files\EA GAMES
2009-04-17 21:12 . 2007-11-16 00:56 -------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 10:41 . 2009-04-17 10:41 -------- dc----w c:\program files\VideoLAN
2009-04-16 06:26 . 2009-03-26 17:09 -------- dc----w c:\program files\World of Warcraft
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\program files\eMule
2009-04-15 02:58 . 2009-03-30 01:44 -------- dc----w c:\program files\Photof---et
2009-04-14 01:49 . 2009-04-14 01:49 -------- dc----w c:\program files\PFPortChecker
2009-04-14 01:34 . 2009-04-14 01:34 -------- dc----w c:\program files\uTorrent
2009-04-13 01:24 . 2008-06-13 05:26 -------- dc----w c:\program files\SpeedFan
2009-04-13 01:24 . 2007-09-16 08:03 -------- dc----w c:\program files\Common Files\AOL
2009-04-12 01:43 . 2008-07-17 08:44 -------- dc----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-11 19:16 . 2009-04-11 19:16 -------- dc----w c:\program files\Virtual Hottie 2
2009-04-06 23:42 . 2007-01-23 09:55 -------- dc-h--w c:\program files\InstallShield Installation Information
2009-04-03 03:50 . 2009-04-03 03:50 -------- dc----w c:\program files\Perfect World Entertainment
2009-04-03 00:46 . 2007-09-04 08:23 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\GetRightToGo
2009-04-02 22:53 . 2009-04-02 22:52 -------- dc----w c:\program files\7-Zip
2009-03-28 21:11 . 2007-01-29 12:16 -------- dc----w c:\program files\Teamspeak
2009-03-27 15:14 . 2008-03-26 10:47 453152 -c--a-w c:\windows\system32\NVUNINST.EXE
2009-03-26 17:09 . 2007-01-27 20:18 -------- dc----w c:\program files\Common Files\Blizzard Entertainment
2009-03-26 03:15 . 2008-04-25 04:11 -------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-07 02:21 . 2008-07-10 11:46 -------- dc----w c:\program files\Google
2009-01-31 21:49 . 2007-01-23 09:00 76487 -c--a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-31 21:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-01-29 20:16 . 2008-02-16 02:28 107888 -c--a-w c:\windows\system32\CmdLineExt.dll
2008-11-04 07:44 . 2007-01-27 21:35 77984 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-04 22:32 . 2007-09-04 22:32 134 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 D2F9064E5A73AB5F4958A86740E3D2EE c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-18_03.54.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-19 11:39 . 2009-04-19 11:39 16384 c:\windows\temp\Perflib_Perfdata_594.dat
+ 2009-04-19 11:39 . 2009-04-19 11:39 16384 c:\windows\temp\Perflib_Perfdata_534.dat
+ 2007-02-06 05:27 . 2008-10-16 21:06 268648 c:\windows\system32\mucltui.dll
+ 2004-08-04 12:00 . 2008-04-14 00:12 1614848 c:\windows\system32\mssfc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 517632]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-07 342848]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-09 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [BU]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [BU]
"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 729088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-1-23 49220]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\garrysmod\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\GTAIV.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 DBKDRVR54;DBKDRVR54; [x]
R3 LycoFltr;Lycosa Keyboard; [x]
R3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
R3 XDva092;XDva092; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SFC
*Deregistered* - sfc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3216e3e5-ae40-11db-a437-806d6172696f}]
\Shell\AutoRun\command - d:\bin\Assetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-20 23:59]

2009-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993023176-1894927675-2772396615-1005.job
- c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.ffsearch.net/s/?ref=adr&q=
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware
detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 04:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\74832ed9]
"ImagePath"="\SystemRoot\System32\drivers\74832ed9.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,ff,eb,15,e2,c5,c9,1a,bf,8e,34,97,80,5c,fc,35,6d,ef,c5,a7,68,9c,b3,\
   af,75,51,c4,8a,7e,0c,a4,a7,c1,84,4c,46,59,2f,05,d6,12,fe,8a,75,23,8c,47,5b,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\License information*]
"datasecu"=hex:a5,e3,42,59,84,ea,7a,91,0c,81,2e,9f,74,59,60,48,b3,67,4e,94,56,\
   4a,d2,a4,2c,17,1f,94,60,0b,3d,81,2d,88,2c,f4,9c,7a,47,75,9d,8e,82,54,e4,03,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------
------------

- - - - - - - > 'winlogon.exe'(1072)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'lsass.exe'(1128)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(1624)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
**************************************************************************
.
Completion time: 2009-04-19 4:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 11:51
ComboFix2.txt 2009-04-18 22:27
ComboFix3.txt 2009-04-18 07:57
ComboFix4.txt 2009-04-18 04:03

Pre-Run: 18,169,290,752 bytes free
Post-Run: 18,255,130,624 bytes free

272 --- E O F --- 2008-03-12 14:01



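Added example, not part of the thread, of ComboFix, or of any other tool named here: a small Python parser for two items in the log above that a reviewer should not skim past. In the Sigcheck section ComboFix prints each protected system file beside its cached Service Pack copies, with a marker, timestamp, size, MD5 and path; as I read its markers, [7] means the file verified against the Windows catalog and [-] means it did not. Here c:\windows\system32\sfcfiles.dll has the same size and timestamp as the ServicePackFiles copy but a different MD5, which is what a file patched in place looks like (sfcfiles.dll holds the list of files Windows File Protection guards, so altering it is a way to keep WFP from restoring other changed files). The second check picks out the ControlSet001 service whose name and driver file are the same bare 8-hex-digit string (74832ed9); that is a lead to investigate, not proof on its own. The sample text is copied from the log above and re-joined one entry per line; the function names are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

SIGCHECK_HEADER = "------- Sigcheck -------"

# Constructed sample: the Sigcheck entries and the ControlSet001 service key
# from the ComboFix log above, re-joined one entry per line as ComboFix
# itself prints them (the forum software wrapped them).
LOG_SAMPLE = (
    "------- Sigcheck -------\n"
    "\n"
    "[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 "
    "c:\\windows\\$NtServicePackUninstall$\\sfcfiles.dll\n"
    "[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 "
    "c:\\windows\\ServicePackFiles\\i386\\sfcfiles.dll\n"
    "[-] 2008-04-14 00:12 1614848 D2F9064E5A73AB5F4958A86740E3D2EE "
    "c:\\windows\\system32\\sfcfiles.dll\n"
    ".\n"
    "[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Services\\74832ed9]\n"
    "\"ImagePath\"=\"\\SystemRoot\\System32\\drivers\\74832ed9.sys\"\n"
)

# marker, date, time, size, MD5, path; \s+ also spans a line break, so an entry
# a forum post has wrapped still parses as long as the path stays on one line
ENTRY_RE = re.compile(
    r"\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>[^\r\n]+)"
)
SERVICE_RE = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]\s*"
    r"\"ImagePath\"=\"(?P<image>[^\"]+)\"",
    re.I,
)
# Copies ComboFix lists as references: the Service Pack install cache and the
# SP uninstall backup. Anything else is the live file Windows actually loads.
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\")


def parse_sigcheck(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per entry of the Sigcheck section, or [] if absent."""
    start = log_text.find(SIGCHECK_HEADER)
    if start < 0:
        return []
    section = log_text[start + len(SIGCHECK_HEADER):]
    end = re.search(r"^\.\s*$", section, re.M)  # ComboFix closes a section with a lone "."
    if end:
        section = section[: end.start()]
    entries = []
    for m in ENTRY_RE.finditer(section):
        e = m.groupdict()
        e["path"] = e["path"].strip()
        e["md5"] = e["md5"].upper()
        entries.append(e)
    return entries


def find_patched_files(entries: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Flag live files that did not verify ([-]). When a reference copy has the
    same size and timestamp but a different MD5, the file body was changed with
    its metadata preserved: an in-place patch. In the log above that file is
    sfcfiles.dll, the list Windows File Protection uses to decide what to
    restore, so patching it keeps WFP from undoing other changes."""
    groups = defaultdict(lambda: {"ref": [], "live": []})
    for e in entries:
        low = e["path"].lower()
        kind = "ref" if any(d in low for d in REFERENCE_DIRS) else "live"
        groups[low.rsplit("\\", 1)[-1]][kind].append(e)
    findings = []
    for name, g in groups.items():
        for live in g["live"]:
            if live["flag"] == "7":
                continue
            twins = [r for r in g["ref"] if r["size"] == live["size"]
                     and (r["date"], r["time"]) == (live["date"], live["time"])]
            if not twins:
                verdict, expected = "unverified, no cached copy to compare", None
            elif twins[0]["md5"] == live["md5"]:
                verdict, expected = "hash matches cache", twins[0]["md5"]
            else:
                verdict, expected = "patched in place", twins[0]["md5"]
            findings.append({"file": name, "path": live["path"], "verdict": verdict,
                             "actual_md5": live["md5"], "expected_md5": expected})
    return findings


def find_random_named_drivers(log_text: str) -> List[Dict[str, str]]:
    """Pick out services whose name is a bare 8-hex-digit string and whose
    driver file is named the same (the 74832ed9 entry above). Vendors name
    their drivers; an anonymous name like this is a lead worth checking, not
    proof by itself."""
    hits = []
    for m in SERVICE_RE.finditer(log_text):
        name, image = m["name"], m["image"]
        stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if re.fullmatch(r"[0-9a-f]{8}", name, re.I) and stem.lower() == name.lower():
            hits.append({"service": name, "image": image})
    return hits


if __name__ == "__main__":
    for f in find_patched_files(parse_sigcheck(LOG_SAMPLE)):
        print(f"{f['path']}: {f['verdict']} (file {f['actual_md5']}, cache {f['expected_md5']})")
    for h in find_random_named_drivers(LOG_SAMPLE):
        print(f"anonymous service {h['service']} -> {h['image']}")
```

Feed it a whole saved ComboFix log instead of LOG_SAMPLE and it reports the same two things; the size-and-timestamp comparison is what separates an in-place patch from a file that merely lacks a catalog entry.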
#17
April 19, 2009 at 05:05:18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:48 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Will's Dojo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.co...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
/x86/client/wuweb_site.cab?1233436373374
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
/x86/client/muweb_site.cab?1233436361062
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScan...
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7211 bytes



#18
April 19, 2009 at 05:22:13
Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#19
April 19, 2009 at 14:10:28
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 19, 2009 20:00:48
Records in database: 2060951
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 172512
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:12:56


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\598143E2.exe Infected: Trojan.Win32.BHO.ab 1
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{19406E15-8908-46A5-9372-B4B9B74691B8}\Setup.exe Infected: Trojan.Win32.Genome.aepq 1
C:\Documents and Settings\Will's Dojo\.housecall6.6\Quarantine\cmdow.exe.bac_a02176 Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ovfsthafsaafvquleoomibtqplouciyugqeese_.sys.zip Infected: Trojan.Win32.Tdss.zks 1

The selected area was scanned.



#20
April 19, 2009 at 14:34:57
Navigate to and delete the contents of this folder but not the folder itself:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

Navigate to and delete the contents of this folder but not the folder itself:

C:\Documents and Settings\Will's Dojo\.housecall6.6\Quarantine

Navigate to and delete this folder

C:\Qoobox

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{19406E15-8908-46A5-9372-B4B9B74691B8}\Setup.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Empty the recycle bin.

Your computer should be clean, how is it operating?



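Added example (Python; not from the thread, Kaspersky, or ComboFix) that reproduces the triage behind the reply above. It parses the detection lines of the Kaspersky report in #19, treats a hit inside a scanner's quarantine store (Norton, Trend Micro HouseCall, ComboFix's Qoobox) as an already-disarmed copy whose folder only needs emptying, treats not-a-virus: detections as riskware the user installed on purpose, and writes only the remaining live file into a ComboFix script in the KILLALL::/File:: form used above. The quarantine path markers come from the report's own paths, the sample lines are the report's own re-joined one per line, and the function names are mine.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the five detection lines from the Kaspersky report in
# post #19, re-joined one per line as the scanner writes them.
KASPERSKY_SAMPLE = (
    "File name / Threat name / Threats count\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus"
    "\\Quarantine\\598143E2.exe Infected: Trojan.Win32.BHO.ab 1\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\Tarma Installer"
    "\\{19406E15-8908-46A5-9372-B4B9B74691B8}\\Setup.exe Infected: Trojan.Win32.Genome.aepq 1\n"
    "C:\\Documents and Settings\\Will's Dojo\\.housecall6.6\\Quarantine\\cmdow.exe.bac_a02176"
    " Infected: not-a-virus:RiskTool.Win32.HideWindows 1\n"
    "C:\\Program Files\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1\n"
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers"
    "\\_ovfsthafsaafvquleoomibtqplouciyugqeese_.sys.zip Infected: Trojan.Win32.Tdss.zks 1\n"
    "\n"
    "The selected area was scanned.\n"
)

# one detection per line: <drive path> Infected: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$", re.M
)

# Quarantine stores of the tools used in this thread. A hit inside one is a
# copy the tool already disarmed; the fix is to empty the store, not to
# script a deletion of a file that is no longer in its original place.
QUARANTINE_MARKERS = (
    "\\norton antivirus\\quarantine\\",
    "\\.housecall6.6\\quarantine\\",
    "\\qoobox\\quarantine\\",
)


def classify(path: str, threat: str) -> str:
    low = path.lower()
    if any(m in low for m in QUARANTINE_MARKERS):
        return "quarantined"
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"  # e.g. a real IRC client or a window-hiding tool the user chose
    return "live"


def triage(report_text: str) -> List[Dict[str, object]]:
    rows = []
    for m in DETECTION_RE.finditer(report_text):
        rows.append({"path": m["path"], "threat": m["threat"],
                     "count": int(m["count"]), "class": classify(m["path"], m["threat"])})
    return rows


def quarantine_roots(rows: List[Dict[str, object]]) -> Set[str]:
    """Quarantine folders whose contents should be emptied. Post #20 removes
    C:\\Qoobox outright; its Quarantine subfolder is what this returns."""
    roots = set()
    for r in rows:
        if r["class"] != "quarantined":
            continue
        low = str(r["path"]).lower()
        for marker in QUARANTINE_MARKERS:
            idx = low.find(marker)
            if idx >= 0:
                roots.add(str(r["path"])[: idx + len(marker) - 1])
    return roots


def build_cfscript(rows: List[Dict[str, object]]) -> str:
    """ComboFix script in the form post #20 uses: KILLALL:: first, then a
    File:: section listing each live file to delete. Empty when nothing is live."""
    live = [str(r["path"]) for r in rows if r["class"] == "live"]
    if not live:
        return ""
    return "KILLALL::\nFile::\n" + "\n".join(live) + "\n"


if __name__ == "__main__":
    rows = triage(KASPERSKY_SAMPLE)
    for r in rows:
        print(f"{r['class']:11} {r['threat']:45} {r['path']}")
    print("empty:", *sorted(quarantine_roots(rows)), sep="\n  ")
    print(build_cfscript(rows), end="")
```

Run as a script it prints the triage, the three quarantine folders to empty, and the CFScript.txt contents; whether mirc.exe stays is a judgment call the code leaves to the reader by classing it as riskware rather than live.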
#21
April 19, 2009 at 15:20:05
Thank you very much, sir, it seems to be operating fine.

This site is extremely helpful to computer novices and for that I thank you.

No more crashes are occurring so far. I'll post the log for safe measure.

ComboFix 09-04-19.01 - Will's Dojo 04/19/2009 14:49.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1629 [GMT -7:00]
Running from: c:\documents and settings\Will's Dojo\Desktop\Combo3Fx.exe
Command switches used :: c:\documents and settings\Will's Dojo\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*

FILE ::
c:\documents and settings\All Users\Application Data\Tarma Installer\{19406E15-8908-46A5-9372-B4B9B74691B8}\Setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Tarma Installer\{19406E15-8908-46A5-9372-B4B9B74691B8}\Setup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\NCH Software
2010-07-10 06:21 . 2009-04-18 21:19 1173464 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\windows\system32\XPSViewer
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Sony Setup
2009-04-18 07:14 . 2009-04-18 07:14 189472 -c--a-w c:\windows\system32\PnkBstrB.xtr
2009-04-18 07:13 . 2009-04-18 07:13 139152 -c--a-w c:\documents and settings\Will's Dojo\Application Data\PnkBstrK.sys
2009-04-18 07:12 . 2009-04-18 07:12 794408 -c--a-w c:\windows\system32\pbsvc.exe
2009-04-18 06:46 . 2009-04-18 06:46 -------- dc----w c:\documents and settings\Will's Dojo\Local Settings\Application Data\PunkBuster
2009-04-18 03:25 . 2009-04-18 03:29 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Malwarebytes
2009-04-18 02:48 . 2009-04-06 22:32 15504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 02:48 . 2009-04-06 22:32 38496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 02:35 . 2009-04-18 02:35 8192 -csha-w c:\windows\system32\Thumbs.db
2009-04-18 02:35 . 2009-04-18 02:35 16896 -csha-w c:\windows\Thumbs.db
2009-04-17 21:12 . 2009-04-19 11:40 209615 -c--a-w c:\windows\system32\nvapps.xml
2009-04-17 10:44 . 2009-04-17 10:45 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\vlc
2009-04-17 05:09 . 2009-04-17 05:09 74240 -c--a-w c:\windows\system32\zlib.dll
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\eMule
2009-04-14 21:52 . 2009-04-14 22:04 13588 -c--a-w c:\windows\system32\wpa.dbl
2009-04-14 01:34 . 2009-04-14 21:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\uTorrent
2009-03-30 01:48 . 2009-04-15 03:05 -------- dc----w c:\documents and settings\Will's Dojo\Photof---et
2009-03-27 17:03 . 2009-03-27 17:03 401408 -c--a-w c:\windows\system32\nvcuvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\program files\NCH Software
2010-07-10 06:50 . 2010-07-10 06:50 -------- dc----w c:\program files\Sony
2010-07-10 06:21 . 2010-07-10 06:21 -------- dc----w c:\program files\MSBuild
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\program files\Reference Assemblies
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\program files\Sony Setup
2009-04-19 22:05 . 2008-01-02 07:30 -------- dc----w c:\program files\DNA
2009-04-19 22:05 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\DNA
2009-04-19 21:49 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\BitTorrent
2009-04-19 11:43 . 2007-10-29 02:55 -------- dc----w c:\program files\Steam
2009-04-19 09:16 . 2008-08-20 22:11 -------- dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-18 07:17 . 2007-10-21 00:12 138168 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-18 07:14 . 2007-10-21 00:12 189472 -c--a-w c:\windows\system32\PnkBstrB.exe
2009-04-18 07:12 . 2007-10-21 00:12 75064 -c--a-w c:\windows\system32\PnkBstrA.exe
2009-04-18 04:54 . 2009-04-18 04:54 -------- dc----w c:\program files\VirusTotalUploader
2009-04-18 03:29 . 2007-01-27 20:27 -------- dc----w c:\program files\Java
2009-04-18 02:56 . 2009-04-18 02:56 17846 -c--a-w C:\avenger.txt
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 00:40 . 2007-05-23 05:20 -------- dc----w c:\program files\EA GAMES
2009-04-17 21:12 . 2007-11-16 00:56 -------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 10:41 . 2009-04-17 10:41 -------- dc----w c:\program files\VideoLAN
2009-04-16 06:26 . 2009-03-26 17:09 -------- dc----w c:\program files\World of Warcraft
2009-04-15 20:18 . 2009-04-15 20:18 -------- dc----w c:\program files\eMule
2009-04-15 02:58 . 2009-03-30 01:44 -------- dc----w c:\program files\Photof---et
2009-04-14 01:49 . 2009-04-14 01:49 -------- dc----w c:\program files\PFPortChecker
2009-04-14 01:34 . 2009-04-14 01:34 -------- dc----w c:\program files\uTorrent
2009-04-13 01:24 . 2008-06-13 05:26 -------- dc----w c:\program files\SpeedFan
2009-04-13 01:24 . 2007-09-16 08:03 -------- dc----w c:\program files\Common Files\AOL
2009-04-12 01:43 . 2008-07-17 08:44 -------- dc----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-11 19:16 . 2009-04-11 19:16 -------- dc----w c:\program files\Virtual Hottie 2
2009-04-06 23:42 . 2007-01-23 09:55 -------- dc-h--w c:\program files\InstallShield Installation Information
2009-04-03 03:50 . 2009-04-03 03:50 -------- dc----w c:\program files\Perfect World Entertainment
2009-04-03 00:46 . 2007-09-04 08:23 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\GetRightToGo
2009-04-02 22:53 . 2009-04-02 22:52 -------- dc----w c:\program files\7-Zip
2009-03-28 21:11 . 2007-01-29 12:16 -------- dc----w c:\program files\Teamspeak
2009-03-27 15:14 . 2008-03-26 10:47 453152 -c--a-w c:\windows\system32\NVUNINST.EXE
2009-03-26 17:09 . 2007-01-27 20:18 -------- dc----w c:\program files\Common Files\Blizzard Entertainment
2009-03-26 03:15 . 2008-04-25 04:11 -------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-07 02:21 . 2008-07-10 11:46 -------- dc----w c:\program files\Google
2009-01-31 21:49 . 2007-01-23 09:00 76487 -c--a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-31 21:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-01-29 20:16 . 2008-02-16 02:28 107888 -c--a-w c:\windows\system32\CmdLineExt.dll
2008-11-04 07:44 . 2007-01-27 21:35 77984 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-04 22:32 . 2007-09-04 22:32 134 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 D2F9064E5A73AB5F4958A86740E3D2EE c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 517632]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-07 342848]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-09 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 729088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-1-23 49220]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start
Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\garrysmod\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\GTAIV.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 DBKDRVR54;DBKDRVR54; [x]
R3 LycoFltr;Lycosa Keyboard; [x]
R3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
R3 XDva092;XDva092; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3216e3e5-ae40-11db-a437-806d6172696f}]
\Shell\AutoRun\command - d:\bin\Assetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-20 23:59]

2009-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993023176-1894927675-2772396615-1005.job
- c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.ffsearch.net/s/?ref=adr&q=
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 15:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\sfc]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,ff,eb,15,e2,c5,c9,1a,bf,8e,34,97,80,5c,fc,35,6d,ef,c5,a7,68,9c,b3,
   af,75,51,c4,8a,7e,0c,a4,a7,c1,84,4c,46,59,2f,05,d6,12,fe,8a,75,23,8c,47,5b,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\License information*]
"datasecu"=hex:a5,e3,42,59,84,ea,7a,91,0c,81,2e,9f,74,59,60,48,b3,67,4e,94,56,
   4a,d2,a4,2c,17,1f,94,60,0b,3d,81,2d,88,2c,f4,9c,7a,47,75,9d,8e,82,54,e4,03,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\program files\AlienGUIse\fastload.dll
c:\windows\system32\nvappfilter.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'lsass.exe'(1128)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WudfHost.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\program files\eMule\emule.exe
c:\program files\BitTorrent\bittorrent.exe
c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
**************************************************************************
.
Completion time: 2009-04-19 15:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 22:15
ComboFix2.txt 2009-04-19 11:51

Pre-Run: 21,238,923,264 bytes free
Post-Run: 14,781,132,800 bytes free

266 --- E O F --- 2008-03-12 14:01
Thanks again.



#22
April 19, 2009 at 19:07:59
Your computer appears to be clean


Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?



#23
April 19, 2009 at 19:45:51
It's running great, thank you very much.


#24
April 19, 2009 at 20:09:38
Glad we could help.


#25
April 23, 2009 at 14:42:00
I believe I have some sort of problem, again.

My programs keep crashing randomly. For example, I'll be in the middle of a webpage or video and Firefox or Chrome will crash. BitTorrent is crashing, same with eMule.

I ran a Malwarebytes' Anti-Malware 1.36 scan and it came back with nothing.




#26
April 23, 2009 at 18:11:46
Please post a new Hijack This log.


#27
April 23, 2009 at 18:29:28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:36 PM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Will's Dojo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.co...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
1233436373374
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
1233436361062
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://play.battlefield-heroes.com/static/updater/BFHUpdater_4.0.15.0.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScan...
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - c:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6936 bytes

Doesn't look like anything's out of place, but I'm sure you know more than I do.



#28
April 23, 2009 at 19:07:10
I suspect it is a program that you have running or memory.

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 13 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel> double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

Then go to start> control panel> add/remove programs and uninstall this program:

Viewpoint Manager Service or Viewpoint media player or Viewpoint

This may free up some resources. Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items:

O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe


O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.ex

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Go to start> control panel> system > listed under "computer" you see either "xxxmb of ram" or "x.xxgb of ram" where x = the actual number listed. Let me know what that is.



#29
April 23, 2009 at 19:51:11
I checked and fixed the hphupd06.exe things. If you want I can delete them, I don't even use HP software/hardware anymore.

The "O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe" wasn't there to check.

Also, I couldn't find where my ram was listed in "start> control panel> system > listed under "computer you see either " ". So I ran a DXdiagnostic and here's the screenshot I took.

http://i42.tinypic.com/16gzn1d.jpg



#30
April 23, 2009 at 21:47:46
Only non-WinXP programs will crash, it seems.

For example; folder windows, notepad and things of that nature won't crash.

MsPaint will crash.

Not sure if this info will help.

Could these be the product of something not virus related (missing files)?



#31
April 25, 2009 at 05:29:57
Spyware/Malware is sometimes bundled with p2p programs such as emule. You might try uninstalling any p2p file sharing programs that you have, update and run Malwarebytes and combofix as you did previously to see if any new baddies are found> then run Kaspersky again to see if it finds any new items.

If none were found try running an online memory test to check for a bad stick of memory.



#32
April 25, 2009 at 14:21:32
The only thread that was found for both scans was:

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{19406E15-8908-46A5-9372-B4B9B74691B8}\Setup.exe.vir Infected: Trojan.Win32.Genome.aepq.

I deleted it but it shouldn't have posed a thread to begin with.

My memory is fine, but is there an online scanner or something? I can't find one.



#33
April 25, 2009 at 15:20:07
I meant to say "threat", my bad.


#34
April 25, 2009 at 15:33:27
Try the test at the following link:

http://oca.microsoft.com/en/windiag.asp

You need to delete C:\Qoobox and uninstall Combofix.

Did you try uninstalling emule?



#35
April 25, 2009 at 20:04:56
I uninstalled eMule. Still crashing. I don't have any blank CDs so I think I might just format.

Are there any other tests I can do to somehow pinpoint the problem?



#36
April 25, 2009 at 20:33:58
A format may be extreme.

Look for this folder and let me know if you find it:

C:\Program Files\icon drop



#37
April 25, 2009 at 21:44:45
Nope, don't have that folder.


#38
April 26, 2009 at 07:36:07
Try this and see if it helps, if not that is about the limit of my ability to help.

Navigate to and delete this folder:

C:\Documents and Settings\All Users\Application Data\Tarma Installer

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
-HKEY_LOCAL_MACHINE\software\tarma installer

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".



#39
April 26, 2009 at 12:25:10
Deleted that folder.

Here's the combofix log:

ComboFix 09-04-25.A3 - Will's Dojo 04/26/2009 12:07.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1505 [GMT -7:00]
Running from: c:\documents and settings\Will's Dojo\Desktop\ComboFsadix.exe
Command switches used :: c:\documents and settings\Will's Dojo\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\NCH Software
2010-08-25 03:10 . 2010-08-25 03:10 -------- dc----w c:\program files\NCH Software
2010-07-10 06:50 . 2010-07-10 06:50 -------- dc----w c:\program files\Sony
2010-07-10 06:21 . 2010-07-10 06:21 -------- dc----w c:\program files\MSBuild
2010-07-10 06:21 . 2009-04-26 19:09 1173464 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\windows\system32\XPSViewer
2010-07-10 06:18 . 2010-07-10 06:18 -------- dc----w c:\program files\Reference Assemblies
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Sony Setup
2010-07-10 06:06 . 2010-07-10 06:06 -------- dc----w c:\program files\Sony Setup
2009-04-26 18:57 . 2009-04-26 19:04 -------- dc----w C:\Combo3Fx
2009-04-25 05:34 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-25 05:32 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-25 05:32 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-04-25 05:32 . 2008-05-03 11:55 2560 -c----w c:\windows\system32\xpsp4res.dll
2009-04-25 05:32 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-24 02:18 . 2009-04-24 02:17 73728 -c--a-w c:\windows\system32\javacpl.cpl
2009-04-23 06:27 . 2009-04-23 06:27 -------- dc----w c:\program files\Trend Micro
2009-04-23 02:01 . 2009-04-23 02:01 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Aventurine
2009-04-18 07:14 . 2009-04-18 07:14 189472 -c--a-w c:\windows\system32\PnkBstrB.xtr
2009-04-18 07:13 . 2009-04-18 07:13 139152 -c--a-w c:\documents and settings\Will's Dojo\Application Data\PnkBstrK.sys
2009-04-18 07:12 . 2009-04-18 07:12 794408 -c--a-w c:\windows\system32\pbsvc.exe
2009-04-18 06:46 . 2009-04-18 06:46 -------- dc----w c:\documents and settings\Will's Dojo\Local Settings\Application Data\PunkBuster
2009-04-18 04:54 . 2009-04-18 04:54 -------- dc----w c:\program files\VirusTotalUploader
2009-04-18 03:25 . 2009-04-24 02:17 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\Malwarebytes
2009-04-18 02:48 . 2009-04-06 22:32 15504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 02:48 . 2009-04-06 22:32 38496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 02:48 . 2009-04-18 02:48 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 02:35 . 2009-04-18 02:35 8192 -csha-w c:\windows\system32\Thumbs.db
2009-04-18 02:35 . 2009-04-18 02:35 16896 -csha-w c:\windows\Thumbs.db
2009-04-17 21:12 . 2009-04-26 18:51 209615 -c--a-w c:\windows\system32\nvapps.xml
2009-04-17 10:41 . 2009-04-23 05:41 -------- dc----w c:\program files\VideoLAN
2009-04-17 05:09 . 2009-04-17 05:09 74240 -c--a-w c:\windows\system32\zlib.dll
2009-04-15 20:18 . 2009-04-25 17:26 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\eMule
2009-04-14 21:52 . 2009-04-25 17:51 13646 -c--a-w c:\windows\system32\wpa.dbl
2009-04-14 01:49 . 2009-04-14 01:49 -------- dc----w c:\program files\PFPortChecker
2009-04-14 01:34 . 2009-04-14 01:34 -------- dc----w c:\program files\uTorrent
2009-04-14 01:34 . 2009-04-14 21:18 -------- dc----w c:\documents and settings\Will's Dojo\Application Data\uTorrent
2009-04-11 19:16 . 2009-04-11 19:16 -------- dc----w c:\program files\Virtual Hottie 2
2009-04-03 03:50 . 2009-04-03 03:50 -------- dc----w c:\program files\Perfect World Entertainment
2009-04-02 22:52 . 2009-04-02 22:53 -------- dc----w c:\program files\7-Zip
2009-03-30 01:48 . 2009-04-25 22:05 -------- dc----w c:\documents and settings\Will's Dojo\Photof---et
2009-03-30 01:44 . 2009-04-15 02:58 -------- dc----w c:\program files\Photof---et

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 19:09 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's
Dojo\Application Data\DNA
2009-04-26 18:51 . 2008-01-02 07:30 -------- dc----w c:\program files\DNA
2009-04-26 18:51 . 2007-10-29 02:55 -------- dc----w c:\program files\Steam
2009-04-26 05:42 . 2008-01-02 07:30 -------- dc----w c:\documents and settings\Will's
Dojo\Application Data\BitTorrent
2009-04-26 02:56 . 2008-08-20 22:11 -------- dc----w c:\documents and settings\All
Users\Application Data\Google Updater
2009-04-26 00:23 . 2008-06-13 05:26 -------- dc----w c:\program files\SpeedFan
2009-04-25 23:26 . 2008-03-23 23:12 -------- dc----w c:\program files\NCH Swift Sound
2009-04-25 20:35 . 2008-08-09 03:24 -------- dc----w c:\program files\Winamp
2009-04-24 02:22 . 2007-09-02 23:30 -------- dc----w c:\documents and settings\All
Users\Application Data\Viewpoint
2009-04-24 02:17 . 2007-01-27 20:27 -------- dc----w c:\program files\Java
2009-04-18 07:17 . 2007-10-21 00:12 138168 -c--a-w
c:\windows\system32\drivers\PnkBstrK.sys
2009-04-18 07:14 . 2007-10-21 00:12 189472 -c--a-w c:\windows\system32\PnkBstrB.exe
2009-04-18 07:12 . 2007-10-21 00:12 75064 -c--a-w c:\windows\system32\PnkBstrA.exe
2009-04-18 02:56 . 2009-04-18 02:56 17846 -c--a-w C:\avenger.txt
2009-04-18 00:40 . 2007-05-23 05:20 -------- dc----w c:\program files\EA GAMES
2009-04-17 21:12 . 2007-11-16 00:56 -------- dc----w c:\program files\Common Files\Wise
Installation Wizard
2009-04-16 06:26 . 2009-03-26 17:09 -------- dc----w c:\program files\World of Warcraft
2009-04-13 01:24 . 2007-09-16 08:03 -------- dc----w c:\program files\Common Files\AOL
2009-04-12 01:43 . 2008-07-17 08:44 -------- dc----w c:\documents and settings\All
Users\Application Data\FLEXnet
2009-04-06 23:42 . 2007-01-23 09:55 -------- dc-h--w c:\program files\InstallShield Installation
Information
2009-04-03 00:46 . 2007-09-04 08:23 -------- dc----w c:\documents and settings\Will's
Dojo\Application Data\GetRightToGo
2009-03-28 21:11 . 2007-01-29 12:16 -------- dc----w c:\program files\Teamspeak
2009-03-27 15:14 . 2008-03-26 10:47 453152 -c--a-w c:\windows\system32\NVUNINST.EXE
2009-03-26 17:09 . 2007-01-27 20:18 -------- dc----w c:\program files\Common Files\Blizzard
Entertainment
2009-03-26 03:15 . 2008-04-25 04:11 -------- dc--a-w c:\documents and settings\All
Users\Application Data\TEMP
2009-03-07 02:21 . 2008-07-10 11:46 -------- dc----w c:\program files\Google
2009-03-06 14:22 . 2004-08-04 12:00 284160 -c--a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2005-10-15 00:17 729088 -c--a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-10-13 00:25 401408 -c--a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 -c--a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 -c--a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-11-09 06:13 1846784 -c--a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 -c--a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-10-15 01:19 2145280 -c--a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 -c--a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-09-28 18:35 2023936 -c--a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 -c--a-w c:\windows\system32\secur32.dll
2009-01-31 21:49 . 2007-01-23 09:00 76487 -c--a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-31 21:40 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-01-29 20:16 . 2008-02-16 02:28 107888 -c--a-w c:\windows\system32\CmdLineExt.dll
2008-11-04 07:44 . 2007-01-27 21:35 77984 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-09-04 22:32 . 2007-09-04 22:32 134 -c--a-w c:\documents and settings\Will's Dojo\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 517632]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-07 342848]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-09 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RGSC"="c:\program files\steam\steamapps\common\grand theft auto iv\RGSC\RGSCLauncher.exe" [2009-01-31 306088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-1-23 49220]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\muffinmanv2\\garrysmod\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\GTAIV\\GTAIV.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 DBKDRVR54;DBKDRVR54; [x]
R3 LycoFltr;Lycosa Keyboard; [x]
R3 SCREAMINGBDRIVER;Screaming Bee Audio; [x]
R3 XDva092;XDva092; [x]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3216e3e5-ae40-11db-a437-806d6172696f}]
\Shell\AutoRun\command - d:\bin\Assetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-20 23:59]

2009-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993023176-1894927675-2772396615-1005.job
- c:\documents and settings\Will's Dojo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-HPDJ Taskbar Utility - c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
HKLM-Run-HPHUPD06 - c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
HKLM-Run-HP Component Manager - c:\program files\HP\hpcoretech\hpcmpmgr.exe
HKLM-Run-HPHmon06 - c:\windows\system32\hphmon06.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://play.battlefield-heroes.com/static/updater/BFHUpdater_4.0.15.0.cab
FF - ProfilePath - c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\
FF - prefs.js: browser.search.selectedEngine - FireSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.ffsearch.net/s/?ref=adr&q=
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Will's Dojo\Application Data\Mozilla\Firefox\Profiles\yjv7qy48.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 12:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,ff,eb,15,e2,c5,c9,1a,bf,8e,34,97,80,5c,fc,35,6d,ef,c5,a7,68,9c,b3,
af,75,51,c4,8a,7e,0c,a4,a7,c1,84,4c,46,59,2f,05,d6,12,fe,8a,75,23,8c,47,5b,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38

[HKEY_USERS\S-1-5-21-3993023176-1894927675-2772396615-1005\Software\SecuROM\License information*]
"datasecu"=hex:be,f3,81,9c,0a,2e,9c,06,21,1e,a3,ff,22,db,7f,cf,93,52,31,1f,d6,
86,dd,81,dc,f0,76,01,3d,52,62,5d,d0,0e,43,63,4c,45,e1,14,b6,df,2c,f5,f4,1c,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\program files\AlienGUIse\fastload.dll
c:\windows\system32\CLBCATQ.DLL

- - - - - - - > 'lsass.exe'(1132)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-26 12:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 19:20
ComboFix2.txt 2009-04-19 22:15

Pre-Run: 26,930,065,408 bytes free
Post-Run: 27,316,862,976 bytes free

272 --- E O F --- 2009-04-25 17:48


#40
April 26, 2009 at 14:57:01
Did that help your program run ability?


#41
April 26, 2009 at 17:31:28
Programs aren't crashing now. Thank you. I've learned a lot from this thread and hopefully, if I do get it again, I'll know what to do.

Thanks for all your help.


#42
April 26, 2009 at 17:50:25
Glad we could help.
