
Multiple items not cleared by Malwarebytes



Hello. I have used Malwarebytes for a long time and rarely run across something that cannot be removed. I have run MBAM several times and I am unable to remove items called Unruy and another rootkit item called aikebxbw. I have also run McAfee and it does not locate any items to be removed. I have experienced some redirecting behavior from Firefox when I try to come to malwarebytes.org and these forums. I have a laptop I am using to transfer files to and from the infected machine. I am using Flash Disinfector on the thumb drive to protect the laptop.

Here are the logs from MBAM, dds, and gmer. Let me know what I need to do next. Thanks.

I also included a HijackThis log.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Bench 1 at 20:48:01.68 on Fri 05/21/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2625 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\Drivers\bwcsrv.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

Executable.exe 4

C:\Documents and Settings\Bench 1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mWinlogon: Taskman=c:\documents and settings\bench 1\application data\uxjj.exe

BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - No File

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.1.10.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [steelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.1.10.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194125623140

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194125618625

DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://smarthelp.ihost.com/wps/com/ibm/gesc/selfenab/contextroot/SEP_UserProfile/plugins/IbmEgath.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bench1~1\applic~1\mozilla\firefox\profiles\r0ydh2rt.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\documents and settings\bench 1\application data\mozilla\firefox\profiles\r0ydh2rt.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll

FF - component: c:\documents and settings\bench 1\application data\mozilla\firefox\profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\bench 1\application data\mozilla\firefox\profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-6 28544]

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]

R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [2003-12-21 19840]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-11-3 104000]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]

R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2005-7-11 372480]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-3 72264]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-3 34152]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-3 168776]

R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2010-5-19 11136]

S1 b1204ba5;b1204ba5;c:\windows\system32\drivers\b1204ba5.sys --> c:\windows\system32\drivers\b1204ba5.sys [?]

S2 gupdate1c9bd89c539fe72;Google Update Service (gupdate1c9bd89c539fe72);c:\program files\google\update\GoogleUpdate.exe [2009-4-15 133104]

S2 pkzlkrr;pkzlkrr;c:\windows\system32\drivers\zafsjkqn.sys --> c:\windows\system32\drivers\zafsjkqn.sys [?]

S3 isaxbox;isaxbox;c:\windows\system32\isaxbox.sys [2004-8-4 2304]

S3 ndisva;Avaya VPNet Virtual Adapter Driver;c:\windows\system32\drivers\vadapter.sys --> c:\windows\system32\drivers\vadapter.sys [?]

=============== Created Last 30 ================

2010-05-22 00:45:41 0 ----a-w- c:\documents and settings\bench 1\defogger_reenable

2010-05-22 00:40:37 54016 ----a-w- c:\windows\system32\drivers\kxjnj.sys

2010-05-22 00:12:00 0 d-sha-r- C:\autorun.inf

2010-05-21 22:39:58 0 d--h--w- c:\windows\system32\GroupPolicy

2010-05-21 22:02:19 0 d-----w- c:\docume~1\bench1~1\applic~1\QuickScan

2010-05-20 17:57:17 0 d-----w- c:\docume~1\bench1~1\applic~1\Office Genuine Advantage

2010-05-20 02:41:55 11136 ----a-w- c:\windows\system32\drivers\Mo3Fltr.sys

2010-05-16 16:47:37 2335270 ----a-w- c:\windows\system32\a4c18.mht

2010-05-16 16:07:11 0 d-----w- C:\!KillBox

2010-05-15 07:03:16 0 d-----w- C:\swsetup

2010-05-15 06:39:32 3244 ----a-w- c:\windows\system32\wbem\Outlook_01caf3f96043b81c.mof

2010-05-15 04:13:53 0 d-----w- C:\spoolerlogs

2010-05-15 04:12:17 823808 ----a-w- c:\windows\system32\drivers\aikebxbw.sys

2010-05-15 04:11:17 174592 ----a-w- c:\windows\Njosia.exe

2010-05-15 04:11:17 0 d-----w- c:\docume~1\bench1~1\applic~1\ATManager

2010-04-27 22:57:18 0 d-----w- c:\program files\iPod

2010-04-27 22:57:10 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-03 23:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll

2010-04-03 23:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2010-04-03 23:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-04-03 23:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll

2010-04-03 23:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-04-03 23:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-04-02 20:54:38 600680 ----a-w- c:\windows\system32\NVUNINST.EXE

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2009-10-03 17:34:38 17538 ----a-w- c:\program files\common files\biga.sys

2009-10-03 17:34:38 14031 ----a-w- c:\program files\common files\lezacadenu.db

2009-10-03 17:34:38 12221 ----a-w- c:\program files\common files\pejotamyb.scr

2009-10-03 17:34:38 10402 ----a-w- c:\program files\common files\qevynake.lib

2009-10-03 17:34:38 10073 ----a-w- c:\program files\common files\yrohihely._sy

2009-10-03 17:09:00 17864 ----a-w- c:\program files\common files\uqarywe.dat

2009-10-03 17:09:00 16653 ----a-w- c:\program files\common files\gebasus.lib

2009-10-03 17:09:00 16503 ----a-w- c:\program files\common files\yqep.exe

2009-10-03 17:09:00 10579 ----a-w- c:\program files\common files\widy.bat

2009-10-03 17:08:59 15416 ----a-w- c:\program files\common files\hixytovy.inf

2009-10-03 17:08:59 12858 ----a-w- c:\program files\common files\iropijytev.pif

2009-10-03 17:08:59 10689 ----a-w- c:\program files\common files\pypat.dl

2009-10-03 17:08:59 10597 ----a-w- c:\program files\common files\azimuty.com

2009-07-14 22:20:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071420090715\index.dat

============= FINISH: 20:49:23.92 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4126

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/21/2010 8:40:32 PM

mbam-log-2010-05-21 (20-40-32).txt

Scan type: Quick scan

Objects scanned: 128569

Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe (Trojan.Unruy) -> Failed to unload process.

C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe (Trojan.Unruy) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe (Trojan.Unruy) -> Delete on reboot.

C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe (Trojan.Unruy) -> Delete on reboot.

C:\WINDOWS\system32\drivers\aikebxbw.sys (Rootkit.Agent) -> Delete on reboot.

Attach.zip

hijackthis.zip


  • Staff

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  1. Please do not run any other tool until instructed to do so!
  2. Please reply to this thread, do not start another!
  3. Please tell me about any problems that have occurred during the fix.
  4. Please tell me of any other symptoms you may be having as these can help also.
  5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Run ComboFix:

  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once installed, you should see a blue screen prompt that says: "The Recovery Console was successfully installed."

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the report in your next post:

C:\ComboFix.txt

Information and logs

In your next post I need the following:

  1. Log from ComboFix
  2. Let me know of any problems you may have had
  3. How is the computer doing now?

Gringo


It was a completely black/blank screen.

I am responding from my laptop, the computer we are working on is my desktop.

I was unable to boot up normally, so I tried safe mode.

The safe mode boot up gets to about halfway down the screen of multi(0)disk(0)rdisk(0)partition(1)Windows... items and stops there.


  • Staff

Hello

While we wait for some answers, I would like you to do this so we can get a scan to see where we are.

OTLPE:

Print these instruction out so that you know what you are doing.

There are two programs to download.

First

ISOBurner - this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions if needed.

Second

  • Download OTLPE.iso & burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download
  • When downloaded double click & this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created
    Note: If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop
  • Double-click on the OTLPE icon
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box Automatically Load All Remaining Users is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Post the contents of the C:\OTL.txt file in your reply

gringo


Following the instructions. I created the boot disk and launched OTLPE. I don't see where this step can be followed:

OTL should now start. Change the following settings

* Change Drivers to Non-Microsoft

Under drivers I only have the choices None, All, and Use Safelist. I kept it on Use Safelist. Here is the log, let me know if I need to make any changes and rescan. Thanks.

OTL logfile created on: 5/22/2010 9:42:35 AM - Run

OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free

3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.50 Gb Total Space | 12.47 Gb Free Space | 16.74% Space Free | Partition Type: NTFS

Drive D: | 465.65 Gb Total Space | 69.32 Gb Free Space | 14.89% Space Free | Partition Type: FAT32

Drive E: | 298.09 Gb Total Space | 80.98 Gb Free Space | 27.16% Space Free | Partition Type: NTFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2008/07/13 08:46:39 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2008/06/24 17:50:38 | 000,423,280 | ---- | M] (Juniper Networks) [Auto] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)

SRV - [2007/02/06 17:47:12 | 000,105,248 | ---- | M] (Logitech Inc.) [Auto] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)

SRV - [2007/02/06 17:45:26 | 000,109,344 | ---- | M] (Logitech Inc.) [Auto] -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)

SRV - [2006/11/30 08:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)

SRV - [2006/11/30 08:50:00 | 000,054,872 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)

SRV - [2006/11/17 13:37:44 | 000,104,000 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)

SRV - [2004/10/04 02:08:00 | 000,073,728 | ---- | M] () [Auto] -- C:\WINDOWS\system32\drivers\BWCSRV.EXE -- (bwcsrv)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | System] -- -- (PRAGMArppmhenbvg)

DRV - File not found [Kernel | Auto] -- -- (pkzlkrr)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | On_Demand] -- -- (ndisva)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - File not found [Kernel | On_Demand] -- -- (catchme)

DRV - File not found [Kernel | System] -- -- (Beep)

DRV - File not found [Kernel | System] -- -- (b1204ba5)

DRV - [2010/05/22 00:09:27 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\aikebxbw.sys -- (aikebxbw)

DRV - [2010/04/03 18:55:31 | 010,232,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2008/06/24 17:35:06 | 000,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)

DRV - [2008/06/19 17:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)

DRV - [2008/04/15 10:05:58 | 000,011,136 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Mo3Fltr.sys -- (Mo3Fltr)

DRV - [2008/04/13 20:11:56 | 000,002,304 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\isaxbox.sys -- (isaxbox)

DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/02/06 17:45:04 | 000,025,632 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)

DRV - [2007/02/06 17:44:36 | 001,964,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)

DRV - [2007/02/06 17:42:40 | 001,691,808 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)

DRV - [2007/02/03 10:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)

DRV - [2007/02/03 10:25:56 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)

DRV - [2006/11/30 08:50:00 | 000,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)

DRV - [2006/11/30 08:50:00 | 000,072,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)

DRV - [2006/11/30 08:50:00 | 000,064,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)

DRV - [2006/11/30 08:50:00 | 000,052,136 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)

DRV - [2006/11/30 08:50:00 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)

DRV - [2006/11/30 08:50:00 | 000,031,944 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)

DRV - [2006/07/05 17:08:28 | 000,241,152 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)

DRV - [2006/05/10 16:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)

DRV - [2006/03/17 19:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)

DRV - [2005/07/11 01:46:00 | 000,372,480 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (CBBCM43)

DRV - [2003/12/21 04:21:00 | 000,019,840 | ---- | M] (BUFFALO INC.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\BWCDRV.SYS -- (bwcdrv)

DRV - [2003/12/17 09:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)

DRV - [2003/12/17 09:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidUsb.sys -- (LHidUsb)

DRV - [2003/12/17 09:50:00 | 000,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\Bench_1_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKU\Bench_1_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKU\Bench_1_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\Bench_1_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Bench_1_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\Bench_1_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\Sample_User_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"

FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - prefs.js..browser.startup.homepage: "http://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"

FF - prefs.js..extensions.enabledItems: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}:0.6.7

FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.18

FF - prefs.js..extensions.enabledItems: fsonlinescanner@f-secure.com:1.01

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.64

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546

FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.22

FF - prefs.js..extensions.enabledItems: {5c8bfb7c-9a54-11dc-8314-0800200c9a66}:3.6.3

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/20 02:02:24 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/04 20:56:43 | 000,000,000 | ---D | M]

[2008/06/25 20:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Extensions

[2010/05/21 18:02:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions

[2008/05/14 01:37:25 | 000,000,000 | ---D | M] (Metal Lion - Brushed iCe Chrome) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{01C901F4-12C5-4515-A5DE-CC0FD4F20BCA}

[2009/10/31 18:31:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2008/06/17 08:06:20 | 000,000,000 | ---D | M] (Aquatint Redone) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{47e5a66c-0e35-11dc-8314-0800200c9a66}

[2008/05/14 01:37:26 | 000,000,000 | ---D | M] (Metal Lion - 300) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{4A207596-AED2-4223-929F-BBE1D691B7CD}

[2010/04/20 00:30:21 | 000,000,000 | ---D | M] (Ad blocker) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}

[2010/04/20 00:30:15 | 000,000,000 | ---D | M] (Aero Fox) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}

[2009/09/25 11:46:28 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2008/05/14 01:37:26 | 000,000,000 | ---D | M] (azureFox) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{800e72c4-0a2c-4bc5-a10a-1ee66dfd762a}

[2008/05/14 01:37:27 | 000,000,000 | ---D | M] (BlackJapanMAX) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{8e12f188-352c-4476-8198-e9b8f4a4353a}

[2010/04/20 00:30:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

[2010/02/05 10:20:32 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}

[2010/05/21 18:02:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

[2009/11/03 13:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\fsonlinescanner@f-secure.com

[2010/04/20 00:30:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\mac\browser\extensions

[2010/04/20 00:30:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\mac\mozapps\extensions

[2010/04/20 00:30:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\win\browser\extensions

[2010/04/20 00:30:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\win\mozapps\extensions

[2010/05/20 19:21:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2008/11/11 03:38:54 | 000,663,552 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll

[2009/10/13 02:34:30 | 000,077,824 | ---- | M] (Kaneva, LLC.) -- C:\Program Files\Mozilla Firefox\plugins\npkanevapatch.dll

Hosts file not found

O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - No CLSID value found.

O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll (BitComet)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\Bench_1_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O4 - HKLM..\Run: [combofix] C:\ComboFix\CF3864.cfx File not found

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKLM..\Run: [steelSeries World of Warcraft MMO Gaming Mouse] C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe ()

O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF3864.cfx File not found

O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)

O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\Bench_1_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\Bench_1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\Bench_1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\Bench_1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Sample_User_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\Sample_User_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)

O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)

O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)

O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll (BitComet)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} http://www.srtest.com/srl_bin/sysreqlab_ind.cab (System Requirements Lab Class)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftu...b?1194125623140 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1194125618625 (MUWebControl Class)

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} https://smarthelp.ihost.com/wps/com/ibm/ges...ns/IbmEgath.cab (IBM Access Support)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.11.1

O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\Bench 1\Application Data\uxjj.exe) - C:\Documents and Settings\Bench 1\Application Data\uxjj.exe File not found

O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/11/03 17:00:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2007/11/23 17:43:59 | 000,000,000 | ---D | M] - C:\Autorun -- [ NTFS ]

O32 - AutoRun File - [2010/05/21 20:12:00 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2007/10/10 20:47:58 | 000,000,000 | ---D | M] - D:\autorun -- [ FAT32 ]

O32 - AutoRun File - [2010/05/21 20:12:02 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ FAT32 ]

O32 - AutoRun File - [2010/05/21 20:12:00 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/22 00:03:33 | 000,000,000 | --SD | C] -- C:\ComboFix

[2010/05/21 20:36:46 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bench 1\Desktop\OTL.exe

[2010/05/21 20:36:44 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Bench 1\Desktop\HijackThis.exe

[2010/05/21 20:12:00 | 000,000,000 | RHSD | C] -- C:\autorun.inf

[2010/05/21 18:39:58 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy

[2010/05/21 18:02:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bench 1\Application Data\QuickScan

[2010/05/20 13:57:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bench 1\Application Data\Office Genuine Advantage

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT

[2010/05/20 13:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL

[2010/05/20 13:01:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR

[2010/05/20 13:01:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI

[2010/05/20 13:01:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES

[2010/05/20 13:01:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR

[2010/05/20 13:01:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE

[2010/05/20 13:01:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK

[2010/05/20 13:01:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA

[2010/05/19 22:41:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bench 1\Application Data\InstallShield

[2010/05/19 09:36:55 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bench 1\Desktop\bill.exe

[2010/05/16 12:07:11 | 000,000,000 | ---D | C] -- C:\!KillBox

[2010/05/15 03:03:16 | 000,000,000 | ---D | C] -- C:\swsetup

[2010/05/15 01:23:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ptrrqvnra

[2010/05/15 01:22:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe

[2010/05/15 01:22:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Sun

[2010/05/15 00:13:53 | 000,000,000 | ---D | C] -- C:\spoolerlogs

[2010/05/15 00:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\qcfbwthqe

[2010/05/15 00:11:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bench 1\Application Data\ATManager

[2010/05/10 22:37:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\Windows Server

[2010/04/27 18:57:18 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/04/27 18:57:10 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/22 09:41:30 | 011,010,048 | -H-- | M] () -- C:\Documents and Settings\Bench 1\NTUSER.DAT

[2010/05/22 00:09:31 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2010/05/22 00:09:31 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2010/05/22 00:09:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/22 00:09:27 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\aikebxbw.sys

[2010/05/22 00:04:20 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/21 23:39:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/05/21 23:29:56 | 000,005,480 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\Attach.zip

[2010/05/21 23:27:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/21 23:27:01 | 000,271,767 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml

[2010/05/21 23:26:57 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job

[2010/05/21 23:26:56 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/05/21 20:45:41 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Bench 1\defogger_reenable

[2010/05/21 20:29:02 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Bench 1\ntuser.ini

[2010/05/21 20:02:46 | 003,693,686 | R--- | M] () -- C:\Documents and Settings\Bench 1\Desktop\ComboFix.exe

[2010/05/21 17:46:36 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\dds.scr

[2010/05/21 17:42:46 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\Defogger.exe

[2010/05/21 17:35:42 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Bench 1\Desktop\HijackThis.exe

[2010/05/21 17:15:06 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\jukcpzic.exe

[2010/05/21 17:14:38 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bench 1\Desktop\OTL.exe

[2010/05/21 17:11:08 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\Flash_Disinfector.exe

[2010/05/20 22:24:23 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\World of Warcraft.lnk

[2010/05/19 09:36:55 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bench 1\Desktop\bill.exe

[2010/05/18 17:19:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/05/16 13:17:24 | 000,000,663 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/16 12:47:38 | 002,335,270 | ---- | M] () -- C:\WINDOWS\System32\a4c18.mht

[2010/05/15 14:16:56 | 000,000,729 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\Shortcut to Mctray.lnk

[2010/05/15 02:39:32 | 000,527,940 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/05/15 02:39:32 | 000,446,888 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/05/15 02:39:32 | 000,074,084 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/05/15 01:34:44 | 000,044,056 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/05/15 00:11:06 | 000,174,592 | ---- | M] () -- C:\WINDOWS\Njosia.exe

[2010/05/14 23:40:22 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\YouTube Downloader.lnk

[2010/05/12 12:40:28 | 000,074,597 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\Eric Resume 5-2010 rev.rtf

[2010/05/12 10:11:25 | 000,072,996 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\Eric Resume 4-2010 rev.rtf

[2010/05/01 17:04:18 | 000,345,345 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\small me3.jpg

[2010/05/01 16:57:08 | 000,520,006 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\me3.jpg

[2010/05/01 16:44:56 | 000,163,885 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\ericad1.jpg

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2010/04/23 22:34:19 | 000,381,156 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\Air&Eric12small.jpg

[2010/04/23 22:32:05 | 000,092,160 | ---- | M] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/04/23 11:31:48 | 000,317,388 | ---- | M] () -- C:\Documents and Settings\Bench 1\Desktop\ericbody1.jpg

[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/22 00:04:02 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/05/22 00:00:10 | 003,693,686 | R--- | C] () -- C:\Documents and Settings\Bench 1\Desktop\ComboFix.exe

[2010/05/21 23:29:56 | 000,005,480 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Attach.zip

[2010/05/21 20:47:57 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\dds.scr

[2010/05/21 20:45:41 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bench 1\defogger_reenable

[2010/05/21 20:45:15 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Defogger.exe

[2010/05/21 20:36:45 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\jukcpzic.exe

[2010/05/21 20:11:46 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Flash_Disinfector.exe

[2010/05/21 18:08:13 | 000,012,215 | ---- | C] () -- C:\Documents and Settings\Bench 1\hs_err_pid4064.log

[2010/05/20 13:01:02 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job

[2010/05/19 22:41:55 | 000,011,136 | ---- | C] () -- C:\WINDOWS\System32\drivers\Mo3Fltr.sys

[2010/05/16 12:47:37 | 002,335,270 | ---- | C] () -- C:\WINDOWS\System32\a4c18.mht

[2010/05/15 14:16:56 | 000,000,729 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Shortcut to Mctray.lnk

[2010/05/15 00:12:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\aikebxbw.sys

[2010/05/15 00:11:17 | 000,174,592 | ---- | C] () -- C:\WINDOWS\Njosia.exe

[2010/05/12 12:32:28 | 000,074,597 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Eric Resume 5-2010 rev.rtf

[2010/05/01 20:32:41 | 000,012,125 | ---- | C] () -- C:\Documents and Settings\Bench 1\hs_err_pid5416.log

[2010/05/01 17:04:16 | 000,345,345 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\small me3.jpg

[2010/05/01 16:56:47 | 000,520,006 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\me3.jpg

[2010/05/01 16:42:45 | 000,163,885 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\ericad1.jpg

[2010/04/29 16:35:24 | 000,012,415 | ---- | C] () -- C:\Documents and Settings\Bench 1\hs_err_pid3772.log

[2010/04/28 14:36:38 | 000,381,156 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Air&Eric12small.jpg

[2010/04/28 14:36:38 | 000,050,917 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Air&Ball.JPG

[2010/04/23 20:34:33 | 000,072,996 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\Eric Resume 4-2010 rev.rtf

[2010/04/23 11:31:46 | 000,317,388 | ---- | C] () -- C:\Documents and Settings\Bench 1\Desktop\ericbody1.jpg

[2010/02/09 11:55:05 | 000,012,345 | ---- | C] () -- C:\Documents and Settings\Bench 1\hs_err_pid2340.log

[2009/10/03 13:34:39 | 000,017,662 | ---- | C] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\ahor.db

[2009/10/03 13:34:39 | 000,013,931 | ---- | C] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\xotyx.dll

[2009/10/03 13:34:39 | 000,013,717 | ---- | C] () -- C:\WINDOWS\ukokyw.dll

[2009/10/03 13:34:39 | 000,010,006 | ---- | C] () -- C:\Documents and Settings\Bench 1\Application Data\ifanukumu.bat

[2009/10/03 13:34:38 | 000,019,023 | ---- | C] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\ulytybe.dat

[2009/10/03 13:34:38 | 000,017,538 | ---- | C] () -- C:\Program Files\Common Files\biga.sys

[2009/10/03 13:34:38 | 000,014,314 | ---- | C] () -- C:\Documents and Settings\Bench 1\Application Data\uqukipikyx.dat

[2009/10/03 13:34:38 | 000,014,031 | ---- | C] () -- C:\Program Files\Common Files\lezacadenu.db

[2009/10/03 13:34:38 | 000,012,221 | ---- | C] () -- C:\Program Files\Common Files\pejotamyb.scr

[2009/10/03 13:34:38 | 000,010,402 | ---- | C] () -- C:\Program Files\Common Files\qevynake.lib

[2009/10/03 13:34:38 | 000,010,073 | ---- | C] () -- C:\Program Files\Common Files\yrohihely._sy

[2009/10/03 13:09:00 | 000,018,315 | ---- | C] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\utabynepil.pif

[2009/10/03 13:09:00 | 000,017,864 | ---- | C] () -- C:\Program Files\Common Files\uqarywe.dat

[2009/10/03 13:09:00 | 000,016,653 | ---- | C] () -- C:\Program Files\Common Files\gebasus.lib

[2009/10/03 13:09:00 | 000,013,333 | ---- | C] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\ritinuwela.pif

[2009/10/03 13:09:00 | 000,010,579 | ---- | C] () -- C:\Program Files\Common Files\widy.bat

[2009/10/03 13:08:59 | 000,017,804 | ---- | C] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\ryhogo._sy

[2009/10/03 13:08:59 | 000,016,503 | ---- | C] () -- C:\Program Files\Common Files\yqep.exe

[2009/10/03 13:08:59 | 000,015,416 | ---- | C] () -- C:\Program Files\Common Files\hixytovy.inf

[2009/10/03 13:08:59 | 000,012,858 | ---- | C] () -- C:\Program Files\Common Files\iropijytev.pif

[2009/10/03 13:08:59 | 000,010,689 | ---- | C] () -- C:\Program Files\Common Files\pypat.dl

[2009/10/03 13:08:59 | 000,010,597 | ---- | C] () -- C:\Program Files\Common Files\azimuty.com

[2009/10/03 13:08:59 | 000,010,355 | ---- | C] () -- C:\WINDOWS\kojyju.sys

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/04/02 03:20:13 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Sample User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/03/23 08:31:04 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Sample User\ntuser.ini

[2009/03/23 08:31:03 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Sample User\NTUSER.DAT.LOG

[2009/03/23 08:31:02 | 001,572,864 | -H-- | C] () -- C:\Documents and Settings\Sample User\NTUSER.DAT

[2009/03/19 22:55:42 | 000,050,127 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini

[2008/12/11 01:13:00 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

[2008/11/01 10:06:19 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\AvayaGina.dll

[2008/10/22 05:29:06 | 000,173,550 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat

[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll

[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll

[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll

[2008/09/15 21:52:38 | 000,001,893 | ---- | C] () -- C:\WINDOWS\SparkEmulator.INI

[2008/09/15 00:24:29 | 000,092,160 | ---- | C] () -- C:\Documents and Settings\Bench 1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/09/15 00:21:47 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll

[2008/06/17 21:51:58 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Bench 1\Application Data\Final Draft Tagger Preferences

[2008/01/08 18:33:40 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2008/01/08 18:33:40 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2008/01/08 18:33:40 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2007/12/23 13:34:49 | 000,000,040 | ---- | C] () -- C:\WINDOWS\BO5140.INI

[2007/12/05 02:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

[2007/11/03 23:39:05 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys

[2007/11/03 23:36:35 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig

[2007/11/03 18:55:57 | 000,000,410 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI

[2007/11/03 18:55:57 | 000,000,026 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI

[2007/11/03 17:31:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2007/11/03 17:17:52 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Bench 1\ntuser.ini

[2007/11/03 17:17:51 | 000,065,536 | -H-- | C] () -- C:\Documents and Settings\Bench 1\ntuser.dat.LOG

[2007/11/03 17:17:50 | 011,010,048 | -H-- | C] () -- C:\Documents and Settings\Bench 1\NTUSER.DAT

[2007/11/03 17:17:12 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2007/11/03 17:17:12 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG

[2007/11/03 17:17:12 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini

[2007/11/03 17:03:07 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini

[2007/11/03 17:03:06 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2007/11/03 17:03:06 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG

[2007/02/06 17:45:04 | 000,025,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys

[2007/02/06 17:42:40 | 001,691,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys

[2004/08/04 08:00:00 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\isaxbox.sys

[2004/07/13 00:49:00 | 000,003,264 | ---- | C] () -- C:\WINDOWS\System32\drivers\BFAIFILT.SYS

[2004/05/27 22:43:00 | 000,003,264 | ---- | C] () -- C:\WINDOWS\System32\drivers\AIFILT.SYS

[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2008/09/15 21:51:59 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Juniper Networks

[2008/09/21 22:38:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Amazon

[2010/05/15 00:11:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\ATManager

[2009/03/19 23:11:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Avaya

[2009/09/15 00:50:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\AVCWare Studio

[2008/10/01 14:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2008/06/01 17:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Final Draft

[2009/02/14 19:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\FreeStone Group

[2008/09/30 13:46:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Juniper Networks

[2008/04/18 15:41:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\LimeWire

[2008/11/09 12:51:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Notepad++

[2010/05/21 18:02:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\QuickScan

[2009/01/29 20:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\SteelSeries

[2009/02/12 18:58:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\SystemRequirementsLab

[2009/09/15 00:41:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bench 1\Application Data\Xilisoft Corporation

[2008/09/16 17:00:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Juniper Networks

[2008/09/19 00:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Juniper Networks

[2009/03/23 10:07:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sample User\Application Data\Avaya

[2009/03/23 10:18:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sample User\Application Data\Polycom

[2009/03/23 08:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sample User\Application Data\SteelSeries

[2010/05/21 23:26:57 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========

< End of report >


  • Staff

Good day.

Print out these instructions to use while in the Recovery Console (this is for XP only):

  1. Restart your computer.
  2. Before Windows loads, you will be prompted to choose which Operating System to start.
  3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
  4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
  5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

     Disable aikebxbw

  6. Type exit and press 'Enter'. Your computer should reboot.

Let me know if this worked.

gringo


OK Gringo, here is the ComboFix log.

ComboFix 10-05-21.04 - Bench 1 05/22/2010 17:59:03.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2564 [GMT -4:00]

Running from: c:\documents and settings\Bench 1\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Bench 1\Application Data\ATManager

c:\documents and settings\Bench 1\Application Data\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent

c:\documents and settings\Bench 1\Local Settings\Application Data\Windows Server

c:\documents and settings\Bench 1\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\Bench 1\Local Settings\Application Data\Windows Server\uses32.dat

C:\feed.txt

c:\windows\Njosia.exe

c:\windows\orynixotuz.exe

c:\windows\run.log

c:\windows\system32\2688857570.dat

c:\windows\ukokyw.dll

c:\windows\wiaservim.log

c:\windows\ypijitym.exe

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_IAS

-------\Legacy_PRAGMArppmhenbvg

-------\Service_PRAGMArppmhenbvg

((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))

.

2010-05-21 22:39 . 2010-05-21 22:39 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-05-21 22:02 . 2010-05-21 22:02 -------- d-----w- c:\documents and settings\Bench 1\Application Data\QuickScan

2010-05-20 17:57 . 2010-05-20 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-05-20 17:57 . 2010-05-20 17:57 -------- d-----w- c:\documents and settings\Bench 1\Application Data\Office Genuine Advantage

2010-05-20 02:41 . 2008-04-15 14:05 11136 ----a-w- c:\windows\system32\drivers\Mo3Fltr.sys

2010-05-20 02:41 . 2010-05-20 02:41 -------- d-----w- c:\documents and settings\Bench 1\Application Data\InstallShield

2010-05-16 16:07 . 2010-05-16 16:07 -------- d-----w- C:\!KillBox

2010-05-15 07:03 . 2010-05-15 07:03 -------- d-----w- C:\swsetup

2010-05-15 05:34 . 2010-05-15 05:34 44056 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-15 05:23 . 2010-05-15 06:18 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ptrrqvnra

2010-05-15 05:22 . 2010-05-15 05:22 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

2010-05-15 04:13 . 2010-05-15 04:13 -------- d-----w- C:\spoolerlogs

2010-05-15 04:12 . 2010-05-22 04:09 0 ----a-w- c:\windows\system32\drivers\aikebxbw.sys

2010-05-15 04:11 . 2010-05-15 04:42 -------- d-----w- c:\documents and settings\Bench 1\Local Settings\Application Data\qcfbwthqe

2010-05-15 04:11 . 2010-05-15 04:11 84992 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00006d58.dll

2010-04-27 22:57 . 2010-04-27 22:57 -------- d-----w- c:\program files\iPod

2010-04-27 22:57 . 2010-04-27 22:58 -------- d-----w- c:\program files\iTunes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-21 23:31 . 2008-04-22 04:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-21 02:25 . 2007-11-03 23:00 -------- d-----w- c:\program files\World of Warcraft

2010-05-20 17:49 . 2008-05-25 10:07 -------- d-----w- c:\program files\BitComet

2010-05-16 16:28 . 2008-11-01 14:06 -------- d-----w- c:\program files\VPNremote for Windows XP

2010-05-15 07:10 . 2008-06-27 18:48 -------- d-----w- c:\documents and settings\Bench 1\Application Data\dvdcss

2010-05-15 03:40 . 2009-09-15 03:44 -------- d-----w- c:\program files\YouTube Downloader

2010-05-14 04:43 . 2008-05-25 15:35 -------- d-----w- c:\program files\Steam

2010-04-30 00:23 . 2009-07-15 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 19:39 . 2009-07-15 02:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-07-15 02:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 22:57 . 2007-11-04 03:50 -------- d-----w- c:\program files\Common Files\Apple

2010-04-27 22:53 . 2008-07-13 12:55 -------- d-----w- c:\program files\Bonjour

2010-04-21 21:36 . 2007-11-04 03:52 -------- d-----w- c:\documents and settings\Bench 1\Application Data\Apple Computer

2010-04-21 21:33 . 2010-04-21 21:32 -------- d-----w- c:\program files\NVIDIA Corporation

2010-04-21 21:33 . 2010-04-21 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2010-04-20 06:06 . 2010-04-20 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-20 06:02 . 2010-04-20 06:01 -------- d-----w- c:\program files\QuickTime

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll

2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-04-03 23:22 . 2010-04-03 23:22 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-04-02 20:54 . 2009-02-13 17:01 600680 ----a-w- c:\windows\system32\NVUNINST.EXE

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-10-03 17:34 . 2009-10-03 17:34 17538 ----a-w- c:\program files\Common Files\biga.sys

2009-10-03 17:34 . 2009-10-03 17:34 14031 ----a-w- c:\program files\Common Files\lezacadenu.db

2009-10-03 17:34 . 2009-10-03 17:34 12221 ----a-w- c:\program files\Common Files\pejotamyb.scr

2009-10-03 17:34 . 2009-10-03 17:34 10402 ----a-w- c:\program files\Common Files\qevynake.lib

2009-10-03 17:34 . 2009-10-03 17:34 10073 ----a-w- c:\program files\Common Files\yrohihely._sy

2009-10-03 17:09 . 2009-10-03 17:09 17864 ----a-w- c:\program files\Common Files\uqarywe.dat

2009-10-03 17:09 . 2009-10-03 17:09 16653 ----a-w- c:\program files\Common Files\gebasus.lib

2009-10-03 17:09 . 2009-10-03 17:09 10579 ----a-w- c:\program files\Common Files\widy.bat

2009-10-03 17:09 . 2009-10-03 17:08 16503 ----a-w- c:\program files\Common Files\yqep.exe

2009-10-03 17:08 . 2009-10-03 17:08 15416 ----a-w- c:\program files\Common Files\hixytovy.inf

2009-10-03 17:08 . 2009-10-03 17:08 12858 ----a-w- c:\program files\Common Files\iropijytev.pif

2009-10-03 17:08 . 2009-10-03 17:08 10689 ----a-w- c:\program files\Common Files\pypat.dl

2009-10-03 17:08 . 2009-10-03 17:08 10597 ----a-w- c:\program files\Common Files\azimuty.com

2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-12-23 415232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15954:TCP"= 15954:TCP:BitComet 15954 TCP

"15954:UDP"= 15954:UDP:BitComet 15954 UDP

"10007:TCP"= 10007:TCP:BitComet 10007 TCP

"10007:UDP"= 10007:UDP:BitComet 10007 UDP

"59999:TCP"= 59999:TCP:BitComet 59999 TCP

"59999:UDP"= 59999:UDP:BitComet 59999 UDP

"59007:TCP"= 59007:TCP:BitComet 59007 TCP

"59007:UDP"= 59007:UDP:BitComet 59007 UDP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/6/2009 8:00 PM 28544]

R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [12/21/2003 4:21 AM 19840]

R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [7/11/2005 1:46 AM 372480]

R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [5/19/2010 10:41 PM 11136]

S1 b1204ba5;b1204ba5;c:\windows\system32\drivers\b1204ba5.sys --> c:\windows\system32\drivers\b1204ba5.sys [?]

S2 gupdate1c9bd89c539fe72;Google Update Service (gupdate1c9bd89c539fe72);c:\program files\Google\Update\GoogleUpdate.exe [4/15/2009 1:19 AM 133104]

S2 pkzlkrr;pkzlkrr;c:\windows\system32\drivers\zafsjkqn.sys --> c:\windows\system32\drivers\zafsjkqn.sys [?]

S3 isaxbox;isaxbox;c:\windows\system32\isaxbox.sys [8/4/2004 8:00 AM 2304]

S3 ndisva;Avaya VPNet Virtual Adapter Driver;c:\windows\system32\DRIVERS\vadapter.sys --> c:\windows\system32\DRIVERS\vadapter.sys [?]

S4 aikebxbw;aikebxbw;c:\windows\system32\drivers\aikebxbw.sys [5/15/2010 12:12 AM 0]

.

Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19]

2010-05-22 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll

FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npkanevapatch.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-13453124 - c:\documents and settings\All Users\Application Data\13453124\13453124.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-22 18:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1052)

c:\windows\system32\WININET.dll

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\McAfee\VirusScan Enterprise\Scriptcl.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

.

------------------------ Other Running Processes ------------------------

.

c:\system volume information\_restore{d5fffa500b1b}\svchost.exe

c:\system volume information\_restore{d5fffa500b1b}\smss.exe

c:\windows\system32\nvsvc32.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\Drivers\bwcsrv.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-05-22 18:22:51 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-22 22:22

ComboFix2.txt 2009-07-15 06:00

ComboFix3.txt 2009-07-06 23:54

Pre-Run: 13,334,126,592 bytes free

Post-Run: 13,353,996,288 bytes free

- - End Of File - - 87A26C14E6A879CFA75FE1DCC5DFA96C

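The ComboFix log above already contains the signals the staff reply that follows acts on: driver services whose image file is absent on disk (`--> ... [?]` for b1204ba5 and pkzlkrr), a zero-byte driver still registered as a service (aikebxbw.sys, `[... 0]`), random-looking lowercase service names, the per-user browser proxy set to 127.0.0.1:5555 (which is enough on its own to explain the redirects when visiting malwarebytes.org), and the Windows Firewall standard profile switched off. The script below is an added example, not part of this thread and not code from Malwarebytes or the ComboFix author: it parses those log lines and flags them. The name-randomness rule (7 or more lowercase alphanumerics with a run of 4 or more consonants) is an assumption chosen to match the names in this log, and the sample input is copied from the log above.

```python
"""Triage the 'Drivers/Services', proxy and firewall lines of a ComboFix log.

Added example, not code from this thread, Malwarebytes or ComboFix. Flags a
driver service whose image file is missing ('[?]') or zero bytes, a
random-looking lowercase service name, a browser proxy aimed at the local
host, and a disabled Windows Firewall profile. Thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Service lines look like (copied from the log in this thread):
#   S4 aikebxbw;aikebxbw;c:\windows\system32\drivers\aikebxbw.sys [5/15/2010 12:12 AM 0]
#   S1 b1204ba5;b1204ba5;c:\...\b1204ba5.sys --> c:\...\b1204ba5.sys [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+\S+)?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')

REASON_MISSING = "image file missing on disk"
REASON_ZERO = "image file is zero bytes"
REASON_NAME = "random-looking lowercase service name"
REASON_PROXY = "browser proxy points at the local host"
REASON_FW = "Windows Firewall disabled for the standard profile"
VOWELS = set("aeiou")

@dataclass
class Finding:
    key: str          # service name, or 'proxy' / 'firewall'
    line: str
    reasons: List[str]

def max_consonant_run(name: str) -> int:
    """Longest run of consonant letters; vowels and digits break the run."""
    best = run = 0
    for ch in name:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def looks_random(name: str) -> bool:
    """Assumed heuristic: 7+ all-lowercase alphanumerics with a 4+ consonant
    run ('aikebxbw', 'zafsjkqn'); 'pavboot' and 'Mo3Fltr' do not match."""
    return bool(re.fullmatch(r"[a-z0-9]{7,}", name)) and max_consonant_run(name) >= 4

def service_reasons(m: "re.Match") -> List[str]:
    reasons = []
    meta = m.group("meta").strip()          # '?' or 'date time size'
    if meta == "?":
        reasons.append(REASON_MISSING)      # ComboFix prints [?] when the file is absent
    elif meta.split()[-1] == "0":
        reasons.append(REASON_ZERO)
    if looks_random(m.group("name")):
        reasons.append(REASON_NAME)
    return reasons

def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            reasons = service_reasons(m)
            if reasons:
                findings.append(Finding(m.group("name"), line, reasons))
            continue
        pm = PROXY_RE.search(line)
        if pm and re.search(r"127\.0\.0\.1|localhost", pm.group("proxy")):
            findings.append(Finding("proxy", line, [REASON_PROXY]))
        elif FIREWALL_OFF_RE.search(line):
            findings.append(Finding("firewall", line, [REASON_FW]))
    return findings

# Sample input: lines copied from the first ComboFix log in this thread.
SAMPLE_LINES = [
    r"R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/6/2009 8:00 PM 28544]",
    r"R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [5/19/2010 10:41 PM 11136]",
    r"S1 b1204ba5;b1204ba5;c:\windows\system32\drivers\b1204ba5.sys --> c:\windows\system32\drivers\b1204ba5.sys [?]",
    r"S2 gupdate1c9bd89c539fe72;Google Update Service (gupdate1c9bd89c539fe72);c:\program files\Google\Update\GoogleUpdate.exe [4/15/2009 1:19 AM 133104]",
    r"S2 pkzlkrr;pkzlkrr;c:\windows\system32\drivers\zafsjkqn.sys --> c:\windows\system32\drivers\zafsjkqn.sys [?]",
    r"S3 isaxbox;isaxbox;c:\windows\system32\isaxbox.sys [8/4/2004 8:00 AM 2304]",
    r"S4 aikebxbw;aikebxbw;c:\windows\system32\drivers\aikebxbw.sys [5/15/2010 12:12 AM 0]",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    '"EnableFirewall"= 0 (0x0)',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.key:<10} {', '.join(f.reasons)}")
```

Run as a script it prints one line per flagged entry. The R0..S4 prefix is the start type ComboFix prints; a zero-byte .sys with a live service entry, or a service whose image file cannot be found while the entry persists across reboots, is worth a look regardless of the name. The name rule is only a triage aid: isaxbox is not caught by it, which is consistent with the helper choosing to collect that file for analysis rather than trusting a pattern, and legitimate vendor names such as Mo3Fltr or the Google Update service id are left alone.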

  • Staff

Hello hausarian

Sorry for the delay.

Glad we got this computer up and running again (and a big thanks for amateur)

OK, I would like you to do this next, please.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

http://forums.malwarebytes.org/index.php?showtopic=51169

Collect::
c:\windows\system32\drivers\aikebxbw.sys
c:\program files\Common Files\biga.sys
c:\program files\Common Files\lezacadenu.db
c:\program files\Common Files\pejotamyb.scr
c:\program files\Common Files\qevynake.lib
c:\program files\Common Files\yrohihely._sy
c:\program files\Common Files\uqarywe.dat
c:\program files\Common Files\gebasus.lib
c:\program files\Common Files\widy.bat
c:\program files\Common Files\yqep.exe
c:\program files\Common Files\hixytovy.inf
c:\program files\Common Files\iropijytev.pif
c:\program files\Common Files\pypat.dl
c:\program files\Common Files\azimuty.com
c:\windows\system32\drivers\b1204ba5.sys
c:\windows\system32\drivers\zafsjkqn.sys
c:\windows\system32\isaxbox.sys

Driver::
aikebxbw
b1204ba5
pkzlkrr
isaxbox

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save it to your desktop as CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe.

[image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

NOTE**

  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Let me have this report when done.


Here is the latest ComboFix log.

ComboFix 10-05-21.04 - Bench 1 05/22/2010 20:35:40.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2622 [GMT -4:00]

Running from: c:\documents and settings\Bench 1\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bench 1\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

file zipped: c:\program files\Common Files\azimuty.com

file zipped: c:\program files\Common Files\biga.sys

file zipped: c:\program files\Common Files\gebasus.lib

file zipped: c:\program files\Common Files\hixytovy.inf

file zipped: c:\program files\Common Files\iropijytev.pif

file zipped: c:\program files\Common Files\lezacadenu.db

file zipped: c:\program files\Common Files\pejotamyb.scr

file zipped: c:\program files\Common Files\pypat.dl

file zipped: c:\program files\Common Files\qevynake.lib

file zipped: c:\program files\Common Files\uqarywe.dat

file zipped: c:\program files\Common Files\widy.bat

file zipped: c:\program files\Common Files\yqep.exe

file zipped: c:\program files\Common Files\yrohihely._sy

file zipped: c:\windows\system32\drivers\aikebxbw.sys

file zipped: c:\windows\system32\isaxbox.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common Files\azimuty.com

c:\program files\Common Files\biga.sys

c:\program files\Common Files\gebasus.lib

c:\program files\Common Files\hixytovy.inf

c:\program files\Common Files\iropijytev.pif

c:\program files\Common Files\lezacadenu.db

c:\program files\Common Files\pejotamyb.scr

c:\program files\Common Files\pypat.dl

c:\program files\Common Files\qevynake.lib

c:\program files\Common Files\uqarywe.dat

c:\program files\Common Files\widy.bat

c:\program files\Common Files\yqep.exe

c:\program files\Common Files\yrohihely._sy

c:\system volume information\_restore{d5fffa500b1b}

c:\system volume information\_restore{d5fffa500b1b}\smss.exe

c:\system volume information\_restore{d5fffa500b1b}\svchost.exe

c:\windows\system32\drivers\aikebxbw.sys

c:\windows\system32\isaxbox.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AIKEBXBW

-------\Legacy_ISAXBOX

-------\Legacy_PKZLKRR

-------\Service_aikebxbw

-------\Service_b1204ba5

-------\Service_isaxbox

-------\Service_pkzlkrr

((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))

.

2010-05-21 22:39 . 2010-05-21 22:39 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-05-21 22:02 . 2010-05-22 23:23 -------- d-----w- c:\documents and settings\Bench 1\Application Data\QuickScan

2010-05-20 17:57 . 2010-05-20 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-05-20 17:57 . 2010-05-20 17:57 -------- d-----w- c:\documents and settings\Bench 1\Application Data\Office Genuine Advantage

2010-05-20 02:41 . 2008-04-15 14:05 11136 ----a-w- c:\windows\system32\drivers\Mo3Fltr.sys

2010-05-20 02:41 . 2010-05-20 02:41 -------- d-----w- c:\documents and settings\Bench 1\Application Data\InstallShield

2010-05-16 16:07 . 2010-05-16 16:07 -------- d-----w- C:\!KillBox

2010-05-15 07:03 . 2010-05-15 07:03 -------- d-----w- C:\swsetup

2010-05-15 05:34 . 2010-05-15 05:34 44056 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-15 05:23 . 2010-05-15 06:18 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ptrrqvnra

2010-05-15 05:22 . 2010-05-15 05:22 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

2010-05-15 04:13 . 2010-05-15 04:13 -------- d-----w- C:\spoolerlogs

2010-05-15 04:11 . 2010-05-15 04:42 -------- d-----w- c:\documents and settings\Bench 1\Local Settings\Application Data\qcfbwthqe

2010-05-15 04:11 . 2010-05-15 04:11 84992 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00006d58.dll

2010-04-27 22:57 . 2010-04-27 22:57 -------- d-----w- c:\program files\iPod

2010-04-27 22:57 . 2010-04-27 22:58 -------- d-----w- c:\program files\iTunes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-21 23:31 . 2008-04-22 04:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-21 02:25 . 2007-11-03 23:00 -------- d-----w- c:\program files\World of Warcraft

2010-05-20 17:49 . 2008-05-25 10:07 -------- d-----w- c:\program files\BitComet

2010-05-18 21:21 . 2010-05-21 22:02 702120 ----a-w- c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-05-18 21:21 . 2010-05-21 22:02 868456 ----a-w- c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-05-16 16:28 . 2008-11-01 14:06 -------- d-----w- c:\program files\VPNremote for Windows XP

2010-05-15 07:10 . 2008-06-27 18:48 -------- d-----w- c:\documents and settings\Bench 1\Application Data\dvdcss

2010-05-15 03:40 . 2009-09-15 03:44 -------- d-----w- c:\program files\YouTube Downloader

2010-05-14 04:43 . 2008-05-25 15:35 -------- d-----w- c:\program files\Steam

2010-04-30 00:23 . 2009-07-15 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 19:39 . 2009-07-15 02:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-07-15 02:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 22:57 . 2007-11-04 03:50 -------- d-----w- c:\program files\Common Files\Apple

2010-04-27 22:53 . 2008-07-13 12:55 -------- d-----w- c:\program files\Bonjour

2010-04-27 22:51 . 2010-04-27 22:51 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe

2010-04-21 21:36 . 2007-11-04 03:52 -------- d-----w- c:\documents and settings\Bench 1\Application Data\Apple Computer

2010-04-21 21:33 . 2010-04-21 21:32 -------- d-----w- c:\program files\NVIDIA Corporation

2010-04-21 21:33 . 2010-04-21 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2010-04-20 06:06 . 2010-04-20 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-20 06:02 . 2010-04-20 06:01 -------- d-----w- c:\program files\QuickTime

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll

2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-04-03 23:22 . 2010-04-03 23:22 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-04-02 20:54 . 2009-02-13 17:01 600680 ----a-w- c:\windows\system32\NVUNINST.EXE

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-12-23 415232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15954:TCP"= 15954:TCP:BitComet 15954 TCP

"15954:UDP"= 15954:UDP:BitComet 15954 UDP

"10007:TCP"= 10007:TCP:BitComet 10007 TCP

"10007:UDP"= 10007:UDP:BitComet 10007 UDP

"59999:TCP"= 59999:TCP:BitComet 59999 TCP

"59999:UDP"= 59999:UDP:BitComet 59999 UDP

"59007:TCP"= 59007:TCP:BitComet 59007 TCP

"59007:UDP"= 59007:UDP:BitComet 59007 UDP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/6/2009 8:00 PM 28544]

R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [12/21/2003 4:21 AM 19840]

R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [7/11/2005 1:46 AM 372480]

R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [5/19/2010 10:41 PM 11136]

S2 gupdate1c9bd89c539fe72;Google Update Service (gupdate1c9bd89c539fe72);c:\program files\Google\Update\GoogleUpdate.exe [4/15/2009 1:19 AM 133104]

S3 ndisva;Avaya VPNet Virtual Adapter Driver;c:\windows\system32\DRIVERS\vadapter.sys --> c:\windows\system32\DRIVERS\vadapter.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19]

2010-05-23 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll

FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npkanevapatch.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-22 19:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6188)

c:\windows\system32\WININET.dll

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\system volume information\_restore{d5fffa500b1b}\svchost.exe

c:\system volume information\_restore{d5fffa500b1b}\smss.exe

c:\windows\system32\nvsvc32.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\Drivers\bwcsrv.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe

.

**************************************************************************

.

Completion time: 2010-05-22 19:48:43 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-22 23:48

ComboFix2.txt 2010-05-22 22:22

ComboFix3.txt 2009-07-15 06:00

ComboFix4.txt 2009-07-06 23:54

Pre-Run: 13,361,209,344 bytes free

Post-Run: 13,317,857,280 bytes free

- - End Of File - - 3331382EFC3B3AC5158D9B38F181EE38
