

Westablished

Member Since 26 Jul 2010
Offline Last Active Aug 15 2010 04:49 PM

Posts I've Made

In Topic: Most elusive malware ever...

15 August 2010 - 04:51 PM

screen317, on Aug 14 2010, 08:07 PM, said:

Hi,

Could you please copy and paste the results from VirusTotal here?

Re-scan if need be.

I deleted most of them based on the results of the scans.

In Topic: Most elusive malware ever...

13 August 2010 - 08:17 AM

screen317, on Aug 9 2010, 09:03 PM, said:

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Next, before we continue, please go to VirusTotal, and upload the following files for analysis:
c:\windows\system32\jvgrdfr.dll
c:\windows\Vconocubale.dat
c:\windows\system32\vsxrg.dll
c:\windows\system32\anap.dll
c:\windows\system32\mslnn.dll
c:\documents and settings\Administrator\144609.BAT
c:\windows\system32\drivers\rkyagwy.sys
c:\windows\system32\drivers\tcpip.sys

Next, please update MBAM, and run a Quick Scan. Remove what is found and post its log.

-screen317

Oooootay. I uninstalled Viewpoint Media Player and ran all but one file through virustotal.com. The file c:\windows\system32\drivers\rkyagwy.sys would not go through. I also ran an MBAM Quick Scan and Full Scan and removed what was found. Here are the results for both scans.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4422

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/12/2010 2:15:35 PM
mbam-log-2010-08-12 (14-15-35).txt

Scan type: Quick scan
Objects scanned: 136177
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4422

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/12/2010 6:10:40 PM
mbam-log-2010-08-12 (18-10-40).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 187305
Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\wpadotpt.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E61B02F4-AD35-4CB9-98BE-9E5EB8FBF421}\RP9\A0000633.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

In Topic: Most elusive malware ever...

09 August 2010 - 09:28 AM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:27:47 AM, on 8/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UNCFAT DMS (OTFSDMS) - Unknown owner - C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7898 bytes

In Topic: Most elusive malware ever...

09 August 2010 - 09:26 AM

ComboFix 10-08-08.02 - Administrator 08/09/2010 7:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.689 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}
c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\install.rdf
c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}
c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome.manifest
c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\_cfg.js
c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\overlay.xul
c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\install.rdf
C:\install.exe
c:\program files\\setup.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\program files\Setup.exe
C:\settingsxx.exe
c:\settingsxx.exe\config.bin
c:\windows\ogakuwafonutuliv.dll
c:\windows\system32\Install.txt
c:\windows\system32\msippsth.dll
c:\windows\system32\szetyj67v.txt
c:\windows\uhitiholuracan.dll
c:\windows\wpadotpt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Service_6to4
-------\Service_TCPIP Pass-through Filter


((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-07-29 22:55 . 2010-08-09 12:32 120 ----a-w- c:\windows\Vconocubale.dat
2010-07-29 22:55 . 2010-08-09 12:32 0 ----a-w- c:\windows\Gqeletaso.bin
2010-07-29 10:44 . 2010-08-09 13:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tor
2010-07-29 10:44 . 2010-08-09 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vidalia
2010-07-29 10:44 . 2010-07-29 10:44 -------- d-----w- c:\program files\Vidalia Bundle
2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\system32\1033
2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\srchasst
2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\mui
2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\msagent
2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\ime
2010-07-29 01:45 . 2010-08-09 14:11 -------- d-----w- c:\windows\apppatch
2010-07-29 01:37 . 2010-07-29 01:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\FastSum
2010-07-28 11:54 . 2010-07-28 11:54 8192 ----a-w- c:\windows\system32\jvgrdfr.dll
2010-07-28 00:41 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dyvaediqa
2010-07-28 00:19 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bvnykhuqo
2010-07-28 00:16 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wspqfonro
2010-07-28 00:13 . 2002-09-20 18:53 235100 ----a-w- c:\windows\system32\drivers\MidiSyn.sys
2010-07-28 00:12 . 2004-04-26 17:49 381056 ----a-w- c:\windows\system32\drivers\senfilt.sys
2010-07-28 00:12 . 2001-09-11 22:20 30208 ----a-w- c:\windows\system32\wdmioctl.dll
2010-07-28 00:12 . 2001-09-11 22:20 1285632 ----a-w- c:\windows\system32\SMMedia.dll
2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\windows\VirtualEar
2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\program files\Analog Devices
2010-07-28 00:12 . 2003-08-20 02:36 65536 ----a-w- c:\windows\system32\Audio3d.dll
2010-07-28 00:12 . 2003-06-16 15:32 49152 ----a-w- c:\windows\system32\DSndUp.exe
2010-07-28 00:12 . 2002-04-17 22:05 45056 ----a-w- c:\windows\system32\CleanUp.exe
2010-07-28 00:12 . 2001-10-04 22:50 991232 ----a-w- c:\windows\system32\virtear.dll
2010-07-28 00:12 . 2001-09-19 20:47 765952 ----a-w- c:\windows\system\crlds3d.dll
2010-07-28 00:02 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\qkrmbqijv
2010-07-27 23:55 . 2010-07-27 23:55 84480 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-07-27 21:32 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fygaahjkc
2010-07-27 09:57 . 2010-07-27 09:57 -------- d-----w- c:\program files\Intel Desktop Board Audio Driver
2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\windows\Java
2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\program files\CPUID
2010-07-27 01:46 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\yhkihvfgt
2010-07-27 01:07 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\htwuesfir
2010-07-27 00:51 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\mkbgvwvwl
2010-07-26 23:37 . 2010-07-26 23:37 152 ----a-w- c:\documents and settings\Administrator\144609.BAT
2010-07-26 23:36 . 2010-07-27 00:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\uaslvvroh
2010-07-26 22:54 . 2010-07-26 22:54 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-26 22:54 . 2010-07-26 22:54 -------- d-----w- c:\program files\Trend Micro
2010-07-26 22:43 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\kdltoslhj
2010-07-26 22:38 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fkueepkru
2010-07-26 22:35 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\vgqyxjbef
2010-07-26 22:13 . 2010-07-26 22:14 -------- d-----w- C:\709a56d30d630d308b
2010-07-26 21:44 . 2010-07-26 21:45 -------- d-----w- C:\3b843a0df5cc5ac51ec48e9e
2010-07-26 21:32 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx
2010-07-26 21:09 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr
2010-07-26 21:07 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx
2010-07-26 20:06 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wvblwbdgp
2010-07-26 19:56 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\eptbcghmw
2010-07-26 12:37 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\boivscjnv
2010-07-26 12:37 . 2010-07-26 12:37 8192 ----a-w- c:\windows\system32\vsxrg.dll
2010-07-26 12:33 . 2010-07-26 12:33 8192 ----a-w- c:\windows\system32\anap.dll
2010-07-26 12:30 . 2010-07-26 12:30 8192 ----a-w- c:\windows\system32\mslnn.dll
2010-07-26 11:32 . 2010-07-26 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ttaqkdjes
2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-26 04:17 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-26 04:17 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 04:06 . 2010-07-26 04:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bpfjlwwky
2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\xircom
2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\wbem\snmp
2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\program files\microsoft frontpage
2010-07-26 03:15 . 2010-07-26 03:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\huvbjrvho
2010-07-25 21:38 . 2010-07-25 21:38 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-07-25 21:29 . 2010-08-09 14:20 766464 ----a-w- c:\windows\system32\drivers\rkyagwy.sys
2010-07-25 21:29 . 2010-07-25 22:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dtxykhtbs
2010-07-25 21:28 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-25 18:34 . 2010-07-25 22:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-25 18:34 . 2010-07-25 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 17:33 . 2010-07-28 12:37 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-25 17:32 . 2010-07-25 17:32 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-25 17:32 . 2010-07-28 12:37 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-13 22:15 . 2010-07-12 18:32 822784 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-07-12 23:39 . 2010-08-06 14:34 -------- d-----w- c:\program files\Steam
2010-07-11 10:02 . 2010-07-11 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-11 00:19 . 2010-07-11 00:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canneverbe Limited
2010-07-11 00:18 . 2010-07-11 00:18 1556992 ----a-w- c:\windows\is-Q5O1S.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 14:19 . 2009-08-30 04:00 -------- d-----w- c:\program files\SpeedFan
2010-07-30 02:35 . 2009-09-02 03:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-07-29 01:43 . 2009-10-27 00:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-28 20:49 . 2009-08-29 21:03 -------- d-----w- c:\program files\Unlocker
2010-07-28 00:12 . 2009-08-29 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\program files\SystemRequirementsLab
2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2010-07-27 01:45 . 2010-07-09 12:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 17:45 . 2009-11-03 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-11 00:27 . 2009-09-29 06:48 -------- d-----w- c:\program files\CDBurnerXP
2010-07-04 05:05 . 2010-07-04 05:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2010-07-04 05:05 . 2009-11-25 22:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-06-17 02:16 . 2010-06-17 02:16 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe
2010-06-17 02:16 . 2010-06-17 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook
2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\program files\Yahoo!
2010-06-10 19:46 . 2009-12-07 02:25 -------- d-----w- c:\program files\Google
2010-06-10 01:04 . 2009-08-30 03:30 14048 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-08 20:57 . 2009-12-19 21:37 14048 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 21:14 . 2010-05-24 21:14 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcp71.dll
2010-05-24 21:14 . 2010-05-24 21:14 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\jmc.dll
2010-05-24 21:14 . 2010-05-24 21:14 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcr71.dll
2010-05-21 02:20 . 2010-05-21 02:20 85504 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-05-20 06:13 . 2009-09-06 09:27 64768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
1997-04-28 16:52 . 2009-12-01 23:56 112 ------r- c:\program files\SETUP.M_E
1997-04-28 16:48 . 2009-12-01 23:56 78 ------r- c:\program files\SETUP.M_C
2009-12-17 04:23 . 2009-12-17 09:16 908248 --sh--r- c:\windows\windomgr.exe
.

------- Sigcheck -------

[-] 2008-12-30 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2010-05-25 5475403]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"PowerMenu"="c:\program files\PowerMenu\PowerMenu.exe" [2002-12-20 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2009-8-9 3986552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-8-29 593920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Digsby.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Digsby.lnk
backup=c:\windows\pss\Digsby.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^No-IP DUC.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\No-IP DUC.lnk
backup=c:\windows\pss\No-IP DUC.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 20:39 1289000 ----a-w- c:\progra~1\MICROS~4\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEHistory]
2006-12-13 08:24 138752 ----a-w- c:\program files\IEHistoryPH\IEHistoryShellNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-04-04 02:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-04-04 02:23 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]
2000-05-21 00:23 86016 ----a-w- c:\windows\StartupMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-07-12 23:39 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 07:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 02:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\johngaltman69@yahoo.com\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"16015:TCP"= 16015:TCP:BitComet 16015 TCP
"16015:UDP"= 16015:UDP:BitComet 16015 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/6/2009 7:53 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/6/2010 11:57 AM 136176]
S2 OTFSDMS;UNCFAT DMS;"c:\program files\AddinForUNCFAT\UNCFATDMS.exe" --> c:\program files\AddinForUNCFAT\UNCFATDMS.exe [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32
*Deregistered* - rkyagwy
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57]

2010-08-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: c:\windows\system32\jvgrdfr.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Fkoqofibo - c:\windows\wpadotpt.dll
HKLM-Run-Qwuyemizufa - c:\windows\ogakuwafonutuliv.dll
MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe
MSConfigStartUp-Fkoqofibo - c:\windows\wpadotpt.dll
MSConfigStartUp-FreeCall - c:\program files\FreeCall.com\FreeCall\FreeCall.exe
MSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\ADMINI~1\LOCALS~1\Temp\win16.exe
MSConfigStartUp-jhudhrti - c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx\lateywrtssd.exe
MSConfigStartUp-jodkdbbu - c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr\mgssfdatssd.exe
MSConfigStartUp-kqiooyhr - c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx\poepfshtssd.exe
MSConfigStartUp-mcexecwin - c:\docume~1\ADMINI~1\LOCALS~1\Temp\rctkzsj.dll
MSConfigStartUp-MChk - c:\windows\system32\dvlmp.exe
MSConfigStartUp-MSMSGS - c:\progra~1\MESSEN~1\Msmsgs.exe
MSConfigStartUp-OTFSDMS - c:\program files\AddinForUNCFAT\UNCFATDMS.exe
MSConfigStartUp-Qwuyemizufa - c:\windows\ixequyiwifa.dll
MSConfigStartUp-sta - qvlmp.dll
MSConfigStartUp-uiha98uiohf873yuiadnhgjesgregas - c:\docume~1\ADMINI~1\LOCALS~1\Temp\twuk0z860.exe
MSConfigStartUp-xgukxzrvux - c:\xgukxzrvux.exe\xgukxzrvux.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 07:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864C2EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf78c7f28
\Driver\ACPI -> ACPI.sys @ 0xf781acb8
\Driver\atapi -> atapi.sys @ 0xf76ea852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkyagwy]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}]
@DACL=(02 0000)
@="Group Policy Environment"
"DisplayName"=expand:"@gpprefcl.dll,-1"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Environment,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyEnviron"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyEnviron"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExEnviron"
"ProcessGroupPolicyEx 0"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}]
@DACL=(02 0000)
@="Group Policy Local Users and Groups"
"DisplayName"=expand:"@gpprefcl.dll,-2"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Local Users and Groups,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}]
@DACL=(02 0000)
@="Group Policy Device Settings"
"DisplayName"=expand:"@gpprefcl.dll,-3"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Device Settings,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyDevices"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyDevices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}]
@DACL=(02 0000)
@="Group Policy Network Options"
"DisplayName"=expand:"@gpprefcl.dll,-4"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Network Options,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}]
@DACL=(02 0000)
@="Group Policy Drive Maps"
"DisplayName"=expand:"@gpprefcl.dll,-5"
"DllName"=expand:"gpprefcl.dll"
"EventSources"="(Group Policy Drive Maps,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyDrives"
"NoBackgroundPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyDrives"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}]
@DACL=(02 0000)
@="Group Policy Folders"
"DisplayName"=expand:"@gpprefcl.dll,-6"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=""
"EventSources"="(Group Policy Folders,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyFolders"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyFolders"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}]
@DACL=(02 0000)
@="Group Policy Network Shares"
"DisplayName"=expand:"@gpprefcl.dll,-7"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Network Shares,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyNetShares"
"NoUserPolicy"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyNetShares"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}]
@DACL=(02 0000)
@="Group Policy Files"
"DisplayName"=expand:"@gpprefcl.dll,-8"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Files,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyFiles"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyFiles"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}]
@DACL=(02 0000)
@="Group Policy Data Sources"
"DisplayName"=expand:"@gpprefcl.dll,-9"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Data Sources,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyDataSources"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyDataSources"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}]
@DACL=(02 0000)
@="Group Policy Ini Files"
"DisplayName"=expand:"@gpprefcl.dll,-10"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Ini Files,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyIniFile"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyIniFile"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
@DACL=(02 0000)
@="Windows Search Group Policy Extension"
"DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll"
"EnableAsynchronousProcessing"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}]
@DACL=(02 0000)
@="Group Policy Services"
"DisplayName"=expand:"@gpprefcl.dll,-11"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Services,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyServices"
"ProcessGroupPolicy"="ProcessGroupPolicyServices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExServices"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}]
@DACL=(02 0000)
@="Group Policy Folder Options"
"DisplayName"=expand:"@gpprefcl.dll,-12"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Folder Options,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}]
@DACL=(02 0000)
@="Group Policy Scheduled Tasks"
"DisplayName"=expand:"@gpprefcl.dll,-13"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Scheduled Tasks,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicySchedTasks"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicySchedTasks"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}]
@DACL=(02 0000)
@="Group Policy Registry"
"DisplayName"=expand:"@gpprefcl.dll,-14"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Registry,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyRegistry"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyRegistry"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}]
@DACL=(02 0000)
@="Group Policy Printers"
"DisplayName"=expand:"@gpprefcl.dll,-16"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Printers,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyPrinters"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyPrinters"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}]
@DACL=(02 0000)
@="Group Policy Shortcuts"
"DisplayName"=expand:"@gpprefcl.dll,-17"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Shortcuts,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyShortcuts"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}]
@DACL=(02 0000)
@="Group Policy Internet Settings"
"DisplayName"=expand:"@gpprefcl.dll,-18"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Internet Settings,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyInternet"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}]
@DACL=(02 0000)
@="Group Policy Start Menu Settings"
"DisplayName"=expand:"@gpprefcl.dll,-19"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Start Menu Settings,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyStartMenu"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyStartMenu"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}]
@DACL=(02 0000)
@="Group Policy Regional Options"
"DisplayName"=expand:"@gpprefcl.dll,-20"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Regional Options,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}]
@DACL=(02 0000)
@="Group Policy Power Options"
"DisplayName"=expand:"@gpprefcl.dll,-21"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Power Options,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}]
@DACL=(02 0000)
@="Group Policy Applications"
"DisplayName"=expand:"@gpprefcl.dll,-15"
"DllName"=expand:"gpprefcl.dll"
"EnableAsynchronousProcessing"=dword:00000001
"EventSources"="(Group Policy Applications,Application)"
"GenerateGroupPolicy"="GenerateGroupPolicyApplications"
"PerUserLocalSettings"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyApplications"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1180)
c:\windows\system32\WININET.dll
c:\program files\PowerMenu\PowerMenuHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\No-IP\DUC20.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-08-09 07:25:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-09 14:24

Pre-Run: 34,241,175,552 bytes free
Post-Run: 34,718,134,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

- - End Of File - - 0990A26500E1DAC4F70433D0691D7A25

In Topic: Most elusive malware ever...

09 August 2010 - 08:52 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4410

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/9/2010 6:29:10 AM
mbam-log-2010-08-09 (06-29-10).txt

Scan type: Quick scan
Objects scanned: 146535
Time elapsed: 10 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkoqofibo (Trojan.Hiloti) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\settingsxx.exe (Spyware.SpyEyes) -> No action taken.

Files Infected:
C:\WINDOWS\ogakuwafonutuliv.dll (Trojan.BHO.H) -> No action taken.
C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.
C:\settingsxx.exe\config.bin (Spyware.SpyEyes) -> No action taken.
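Worth noticing when reading the quick-scan log above: every detail line ends in "No action taken", so that particular scan detected nine items and removed none of them (the helper's instruction was to remove what was found and post the log). The following is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x text-log format shown on this page that cross-checks the summary counts against the detail lines and lists everything that is still unresolved. The sample log embedded in it is a constructed excerpt modelled on the log above; the regexes and helper names are my own.

```python
"""Added example: parse a Malwarebytes' Anti-Malware 1.x text log and report
what was detected but not actually removed. Not part of the original thread."""
import re
from collections import Counter

# Summary block: "<Section> Infected: <n>"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Detail block header: "<Section> Infected:"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detail line: "<path or registry key> (<detection name>) -> <action>."
# The non-greedy item group still copes with paths that themselves contain
# parentheses, e.g. "C:\Program Files (x86)\...", because the family group
# must be followed by ") -> ".
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.$")

# Actions after which the item is still present on the machine.
UNRESOLVED_ACTIONS = {"No action taken", "Delete on reboot"}

# Constructed sample, modelled on the 9 August quick-scan log in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Scan type: Quick scan
Objects scanned: 146535

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkoqofibo (Trojan.Hiloti) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\settingsxx.exe (Spyware.SpyEyes) -> No action taken.

Files Infected:
C:\WINDOWS\ogakuwafonutuliv.dll (Trojan.BHO.H) -> No action taken.
C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.
C:\settingsxx.exe\config.bin (Spyware.SpyEyes) -> No action taken.
"""


def parse_mbam_log(text):
    """Return (summary_counts, detections).

    summary_counts maps section name -> declared count; detections is a list
    of dicts with keys section, item, family, action, in log order.
    """
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return counts, detections


def verify_counts(counts, detections):
    """Map section -> (declared, observed) for every summary count that does
    not match the detail lines (a truncated or hand-edited paste shows up here)."""
    observed = Counter(d["section"] for d in detections)
    return {s: (n, observed.get(s, 0)) for s, n in counts.items() if n != observed.get(s, 0)}


def unresolved(detections):
    """Detections whose action leaves the item in place after the scan."""
    return [d for d in detections if d["action"] in UNRESOLVED_ACTIONS]


def by_family(detections):
    """Count detections per detection name, e.g. Trojan.Hiloti."""
    return Counter(d["family"] for d in detections)


if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(by_family(dets)))
    print("count mismatches:", verify_counts(counts, dets))
    for d in unresolved(dets):
        print(f"STILL PRESENT [{d['section']}] {d['item']} ({d['family']})")
```

Run against a real log, the "STILL PRESENT" list is the thing to act on: "No action taken" usually means the results were viewed but not removed, and "Delete on reboot" means a locked file that needs the restart before a re-scan is meaningful.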