wabbit

  1. Hello. I'm having a problem where (some) search results in Google redirect me to a different page. Thanks for any help.

     -------------------------------------------------------
     Malwarebytes' Anti-Malware 1.41
     Database version: 3005
     Windows 5.1.2600 Service Pack 2

     10/21/2009 7:05:44 PM
     mbam-log-2009-10-21 (19-05-44).txt

     Scan type: Quick Scan
     Objects scanned: 101004
     Time elapsed: 3 minute(s), 34 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     -----------------------------------------------------------
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 7:06:51 PM, on 10/21/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     D:\Program Files\Avira\AntiVir Desktop\sched.exe
     D:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     D:\Program Files\Zune\ZuneLauncher.exe
     D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\Google\Google Talk\googletalk.exe
     D:\Program Files\Skype\Phone\Skype.exe
     D:\Documents\OSX\dock\YzDock.exe
     D:\Documents\OSX\shadow\YzShadow.exe
     D:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\system32\oodag.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\ZuneBusEnum.exe
     C:\Program Files\Canon\CAL\CALMAIN.exe
     C:\Program Files\iPod\bin\iPodService.exe
     D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
     O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [Zune Launcher] "d:\Program Files\Zune\ZuneLauncher.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
     O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
     O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
     O4 - Startup: YzDock.lnk = D:\Documents\OSX\dock\YzDock.exe
     O4 - Startup: YzShadow.lnk = D:\Documents\OSX\shadow\YzShadow.exe
     O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Program Files\Quicken\bagent.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228619869890
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228619863546
     O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
     O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
     O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

     --
     End of file - 4764 bytes
  2. http://en.wikipedia.org/wiki/Flyakite_OS_X It changes the look to emulate OS X. I've now uninstalled it and have everything up to date. Again, thanks so much!
  3. Thank you very much negster! Really appreciated. I believe the failures are because of the Flyakite pack I have installed. It changes the UI, and as a result, replaces some of the system files. I should be able to uninstall it and restore the proper files.
  4. ComboFix 09-04-14.09 - Matt 04/15/2009 14:02.8 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.672 [GMT -4:00]
     Running from: c:\documents and settings\Matt\Desktop\newfix.exe
     AV: AntiVir Desktop *On-access scanning disabled* (Updated)
     FW: COMODO Firewall *disabled*
      * Created a new restore point
     .

     ((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
     .

     2009-04-14 13:25 . 2009-04-14 13:25  --------  d-----w  c:\documents and settings\All Users\Application Data\Office Genuine Advantage
     2009-04-13 23:48 . 2009-04-13 23:54  --------  d-----w  C:\aerdna
     2009-04-12 18:04 . 2009-04-12 18:04  --------  d-----w  C:\ARK
     2009-04-11 19:02 . 2009-02-13 15:31  55640  ----a-w  c:\windows\system32\drivers\avgntflt.sys
     2009-04-11 19:02 . 2009-04-11 19:02  --------  d-----w  c:\documents and settings\All Users\Application Data\Avira
     2009-04-10 01:57 . 2009-04-10 01:57  73728  ----a-w  c:\windows\system32\javacpl.cpl
     2009-04-10 01:57 . 2009-04-10 01:57  410984  ----a-w  c:\windows\system32\deploytk.dll
     2009-04-10 00:31 . 2009-04-10 00:31  --------  d-----w  c:\documents and settings\All Users\Application Data\acccore
     2009-04-09 23:59 . 2009-04-09 23:59  --------  d-----w  c:\documents and settings\Matt\Application Data\Malwarebytes
     2009-04-09 23:59 . 2009-04-06 19:32  15504  ----a-w  c:\windows\system32\drivers\mbam.sys
     2009-04-09 23:59 . 2009-04-06 19:32  38496  ----a-w  c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-09 23:59 . 2009-04-09 23:59  --------  d-----w  c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-04-09 23:43 . 2009-04-09 23:43  --------  d-----w  c:\documents and settings\Matt\Local Settings\Application Data\{21B4600E-FC31-4C16-95B2-3185286220D2}

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-04-15 18:05 . 2006-09-25 20:19  3337  --sha-w  c:\windows\system32\mmf.sys
     2009-04-15 18:05 . 2006-09-25 20:19  3337  --sha-w  c:\windows\system32\mmf.sys
     2009-04-13 23:52 . 2005-09-07 19:58  --------  d-----w  c:\program files\QuickTime
     2009-04-10 19:50 . 2006-02-19 16:06  --------  d-----w  c:\program files\Common Files\Wise Installation Wizard
     2009-04-10 01:57 . 2008-10-03 21:23  --------  d-----w  c:\program files\Java
     2009-04-10 00:31 . 2007-03-26 14:26  2555  ---ha-w  C:\IPH.PH
     2009-04-10 00:31 . 2009-04-10 00:31  --------  d-----w  c:\program files\AIM6
     2009-04-10 00:31 . 2007-03-26 14:27  --------  d-----w  c:\documents and settings\All Users\Application Data\Viewpoint
     2009-04-10 00:31 . 2007-03-26 14:27  --------  d-----w  c:\program files\Common Files\AOL
     2009-04-10 00:30 . 2007-03-26 14:27  --------  d-----w  c:\documents and settings\All Users\Application Data\AOL
     2009-03-04 02:51 . 2008-12-15 00:41  --------  d-----w  c:\documents and settings\Matt\Application Data\FileZilla
     2009-02-27 16:38 . 2008-11-13 23:10  --------  d---a-w  c:\documents and settings\All Users\Application Data\Sports Interactive
     2009-02-06 23:52 . 2009-02-06 23:52  49504  ----a-w  c:\windows\system32\sirenacm.dll
     2009-01-08 19:13 . 2004-10-30 01:29  37120  ----a-w  c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2007-12-13 19:40 . 2007-12-13 19:40  127  ----a-w  c:\documents and settings\Matt\Local Settings\Application Data\fusioncache.dat
     .

     ------- Sigcheck -------

     [-] 2004-06-17 17:58  560128  31FB2D788A9AA618452C02E8375B6DCD  c:\windows\$hf_mig$\KB840987\SP1QFE\user32.dll
     [-] 2004-06-17 17:55  528896  530FE6F930201285D4D2BBBBC6A584AE  c:\windows\$NtServicePackUninstall$\user32.dll
     [-] 2001-08-18 12:00  561152  BE57A5C3ABD240514B98F6BCA872FB21  c:\windows\$NtUninstallKB840987$\user32.dll
     [7] 2004-08-04 07:56  577024  C72661F8552ACE7C5C85E16A3CF505C4  c:\windows\FlyakiteOSX\Backup\user32.dll
     [-] 2004-08-04 07:56  576512  FB77859D24D31CB3CA43177CF0EBDDCE  c:\windows\ServicePackFiles\i386\user32.dll
     [-] 2004-08-04 07:56  576512  FB77859D24D31CB3CA43177CF0EBDDCE  c:\windows\system32\user32.dll
     [7] 2005-01-27 17:08  657920  A8EAC5330876548E9966A7D13025D196  c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
     [-] 2004-01-08 19:23  585216  6626545292428AE1ED5B4237404B346A  c:\windows\$NtServicePackUninstall$\wininet.dll
     [-] 2001-08-18 12:00  593920  CF9F1EEF71F42EDE71B6F4AA05D5CA1A  c:\windows\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
     [7] 2004-08-04 07:56  656384  C0823FC5469663BA63E7DB88F9919D70  c:\windows\$NtUninstallKB867282$\wininet.dll
     [7] 2005-01-27 17:13  656896  B5E043E440B210014E021B24CF0A72E3  c:\windows\FlyakiteOSX\Backup\wininet.dll
     [-] 2005-01-27 17:13  677888  2776BC171008017ADAC08E979015795E  c:\windows\ServicePackFiles\i386\wininet.dll
     [-] 2005-01-27 17:13  677888  2776BC171008017ADAC08E979015795E  c:\windows\system32\wininet.dll
     [-] 2005-01-27 17:13  677888  2776BC171008017ADAC08E979015795E  c:\windows\system32\dllcache\wininet.dll
     [-] 2004-06-17 08:03  1954688  ED0D7A5F1138CCFD3ECAF8F6AC691F13  c:\windows\$hf_mig$\KB840987\SP1QFE\ntkrnlpa.exe
     [-] 2004-06-17 17:00  1903872  37EEE86E396C2FC1508E3A499631F709  c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
     [-] 2001-08-18 12:00  1896704  46E2E3DCF54B819CFB2EBFE48A22B5C9  c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe
     [7] 2004-08-04 05:58  2056832  947FB1D86D14AFCFFDB54BF837EC25D0  c:\windows\FlyakiteOSX\Backup\ntkrnlpa.exe
     [-] 2004-08-04 05:58  2014208  5C68ACBA1B51B34EB2AD10693BCB39F2  c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
     [-] 2006-03-11 15:26  2014208  969F998BBEDBFD55F1FCC094FA4DA886  c:\windows\system32\ntkrnlpa.exe
     [-] 2004-08-04 05:58  2014208  5C68ACBA1B51B34EB2AD10693BCB39F2  c:\windows\system32\dllcache\ntkrnlpa.exe
     [-] 2004-06-17 17:22  2051584  F240DC474F8EDB2D95514D831DF069E5  c:\windows\$hf_mig$\KB840987\SP1QFE\ntoskrnl.exe
     [-] 2004-06-17 17:00  1881856  2CEBD574C16191344F207ED8A65AE4F6  c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
     [-] 2001-08-18 12:00  1982208  A29222D5281056E497408FCC9062F749  c:\windows\$NtUninstallKB840987$\ntoskrnl.exe
     [7] 2004-08-04 06:19  2180992  CE218BC7088681FAA06633E218596CA7  c:\windows\FlyakiteOSX\Backup\ntoskrnl.exe
     [-] 2006-03-11 15:26  2138368  FEA005A44FB744A31BE860F6E8BF8AB6  c:\windows\system32\ntoskrnl.exe
     [-] 2004-08-04 06:19  2138368  4A4F02487352AB73B554B5960C14CEF4  c:\windows\system32\dllcache\ntoskrnl.exe
     [7] 2004-08-04 06:19  2180992  CE218BC7088681FAA06633E218596CA7  c:\windows\_BACKUP\EXE\bootscreen\no_HT\ntoskrnl.exe
     [-] 2004-08-04 07:56  1364480  C9B3630199AC0B64FCAF9AAD699E5F17  c:\windows\explorer.exe
     [-] 2001-08-18 12:00  1000960  5A26FC6010886D25B3E412493DD95ED8  c:\windows\$NtServicePackUninstall$\explorer.exe
     [7] 2004-08-04 07:56  1032192  A0732187050030AE399B241436565E64  c:\windows\FlyakiteOSX\Backup\explorer.exe
     [-] 2004-08-04 07:56  1364480  C9B3630199AC0B64FCAF9AAD699E5F17  c:\windows\ServicePackFiles\i386\explorer.exe
     [-] 2004-08-04 07:56  1364480  C9B3630199AC0B64FCAF9AAD699E5F17  c:\windows\system32\dllcache\explorer.exe
     [7] 2004-08-04 07:56  1032192  A0732187050030AE399B241436565E64  c:\windows\_BACKUP\EXE\explorer.exe
     [7] 2004-08-03 18:02  113944  4FE41A819F5A1FF0923F12B34830A6CA  c:\windows\FlyakiteOSX\Backup\wuauclt.exe
     [-] 2004-08-03 18:02  106264  9C2857949C30858424A11301083F563E  c:\windows\ServicePackFiles\i386\wuauclt.exe
     [-] 2004-08-03 18:02  106264  9C2857949C30858424A11301083F563E  c:\windows\system32\wuauclt.exe
     [-] 2004-08-03 18:02  106264  9C2857949C30858424A11301083F563E  c:\windows\system32\dllcache\wuauclt.exe
     [7] 2004-08-03 18:02  113944  4FE41A819F5A1FF0923F12B34830A6CA  c:\windows\_BACKUP\EXE\wuauclt.exe
     .
     ((((((((((((((((((((((((((((( SnapShot@2009-04-13_14.16.23.21 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2006-09-25 20:19 . 2009-04-15 18:05  3337  c:\windows\system32\mmf.sys
     - 2006-09-25 20:19 . 2009-04-13 18:15  3337  c:\windows\system32\mmf.sys
     + 2009-04-15 18:03 . 2005-10-21 00:02  163328  c:\windows\erdnt\subs\ERDNT.EXE
     - 2009-04-13 18:12 . 2005-10-21 00:02  163328  c:\windows\erdnt\subs\ERDNT.EXE
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "COMODO Firewall Pro"="d:\program files\Comodo\Firewall\cfp.exe" [2008-12-06 1797880]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
     "avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

     c:\documents and settings\Matt\Start Menu\Programs\Startup\
     YzShadow.lnk - e:\documents\osx\shadow\YzShadow.exe [2004-10-29 151552]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-29 113664]
     YzDock.lnk - d:\program files\Downloads\yz_dck0083\YzDock.exe [2003-6-3 386560]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\windows\system32\guard32.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
     "vidc.I420"= i263_32.drv
     "vidc.X264"= x264vfw.dll
     "vidc.hfyu"= huffyuv.dll
     "msacm.divxa32"= DivXa32.acm
     "msacm.l3codec"= l3codecp.acm
     "vidc.I263"= I263_32.drv

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
     BootExecute  REG_MULTI_SZ  autocheck autochk *\0OODBS\0lsdelete

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Notification Packages  REG_MULTI_SZ  scecli mkbnvo.dll

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
     backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
     2007-06-19 13:21  61440  ----a-r  d:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
     2007-03-01 03:06  2321600  ----a-w  c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
     2006-09-25 14:12  90112  ----a-w  c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
     2008-12-06 15:20  1797880  ----a-w  d:\program files\Comodo\Firewall\cfp.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
     2003-09-17 14:43  57344  ----a-w  d:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
     2007-04-03 22:29  165784  ----a-w  d:\program files\DAEMON Tools\daemon.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     2008-10-01 22:57  289576  ----a-r  d:\program files\iTunes\iTunesHelper.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
     2004-06-11 03:15  83968  ----a-w  c:\windows\system32\nvraidservice.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2006-09-01 20:57  282624  ----a-w  c:\program files\QuickTime\qttask.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
     2009-04-10 01:57  148888  ----a-w  c:\program files\Java\jre6\bin\jusched.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
     2000-05-11 05:00  90112  ------w  c:\windows\Updreg.EXE

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
     2003-10-06 06:57  24576  ----a-w  c:\windows\system32\CTHELPER.EXE

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "wuauserv"=2 (0x2)
     "Bonjour Service"=2 (0x2)
     "iPod Service"=3 (0x3)
     "O&O Defrag"=3 (0x3)
     "Ati HotKey Poller"=2 (0x2)
     "aawservice"=2 (0x2)
     "ALG"=3 (0x3)
     "JavaQuickStarterService"=2 (0x2)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
     "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "FirewallOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\WINDOWS\\system32\\mmc.exe"=
     "d:\\Program Files\\BitComet\\BitComet.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\AIM6\\aim6.exe"=
     "d:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "d:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "23660:TCP"= 23660:TCP:BitComet 23660 TCP
     "23660:UDP"= 23660:UDP:BitComet 23660 UDP

     R3 RivaTunerEx;RivaTunerEx; [x]
     R4 Mouphu;Mouphu;c:\windows\system32\drivers\acpiec.sys [2001-08-18 11648]
     S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-06 101776]
     S1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-30 31504]
     S2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
     S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2006-09-26 2560]
     S2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2003-03-05 15840]
     S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
     UxTuneUp

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
     \Shell\AutoRun\command - H:\LaunchU3.exe -a
     .
     Contents of the 'Scheduled Tasks' folder

     2009-04-15 c:\windows\Tasks\1-Click Maintenance.job
     - d:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 14:09]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.newstoday.com/
     uInternet Settings,ProxyOverride = *.local
     FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\7z9hg8wh.New\
     FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
     FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
     FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
     FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
     .

     **************************************************************************

     catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-04-15 14:05
     Windows 5.1.2600 Service Pack 2 NTFS

     detected NTDLL code modification:
     ZwClose

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-1390067357-2052111302-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
     "??"=hex:ba,a9,b5,d8,67,78,ff,31,34,92,80,51,97,48,82,ff,77,cd,ca,ec,61,9a,b9,
       c9,a5,5e,d3,ca,1a,1f,6f,9b,6e,31,93,bc,c3,b5,b8,0c,b6,1e,cf,b1,d3,82,8f,b8,\
     "??"=hex:e4,ed,d9,ac,60,ef,ad,e4,dc,51,4a,07,c6,d3,3f,f5

     [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847]
     "1"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,86,2b,9b,9b,f3,96,a9,
       e9
     "2"=hex:05,83,26,a9,dc,b6,17,45,de,2e,f0,41,a5,95,91,56,fe,07,ca,23,63,6c,c8,
       df,a0,cb,29,a7,07,62,23,54
     "3"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,39,39,6a,6e,1d,99,29,
       0e,9a,9e,61,33,16,37,68,38,ee,25,f6,f1,91,9f,21,a9,58,ec,19,f6,96,30,78,09

     [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847\13D3AF07D4AFC792B9BD996AC108D6B5]
     "1"=hex:6a,02,e3,17,35,aa,4f,41,58,69,23,a3,81,f4,a8,0e,0a,4e,8a,24,18,b0,7f,
       17,12,df,d0,2e,5e,18,49,90,15,18,bd,aa,84,24,4a,2c
     "2"=hex:03,13,8a,80,bd,85,45,8e
     "3"=hex:c5,67,bb,80,ed,9a,1c,4c,47,f8,db,1d,54,01,61,af,01,f5,c6,0f,e5,eb,a0,
       a5,f7,65,7e,92,a9,e2,f2,9b,84,41,62,14,61,c6,77,4b,92,f2,1a,87,a7,ad,90,02,\
     "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
     "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
       1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
     "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
       51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
     "7"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,5c,6c,8a,b0,95,8d,88,
       02,5c,f2,b7,9f,8e,b8,9a,b3,47,aa,06,9a,55,51,85,6f,7c,bd,b8,83,41,dc,29,77,\
     "8"=hex:23,61,9d,27,41,7b,c8,5d,ae,96,20,b9,1b,81,0b,89,6f,d7,35,30,83,89,61,
       55,fc,d7,bc,b4,9a,68,24,eb,75,f8,f6,9c,a0,5c,eb,31
     "9"=hex:81,20,8f,ab,28,6a,52,9c
     "18"=hex:70,56,26,33,e3,20,f8,ab
     "10"=hex:b3,b5,ff,62,ba,b6,61,46
     "11"=hex:81,20,8f,ab,28,6a,52,9c
     "12"=hex:81,20,8f,ab,28,6a,52,9c
     "13"=hex:81,20,8f,ab,28,6a,52,9c
     "14"=hex:81,20,8f,ab,28,6a,52,9c
     "24"=hex:81,20,8f,ab,28,6a,52,9c
     "26"=hex:81,20,8f,ab,28,6a,52,9c
     "27"=hex:81,20,8f,ab,28,6a,52,9c
     "19"=hex:81,20,8f,ab,28,6a,52,9c
     "22"=hex:81,20,8f,ab,28,6a,52,9c

     [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
     "1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,04,7d,73,7b,41,5e,94,
       fd
     "2"=hex:d7,7a,ea,31,a0,f7,22,dd,b6,43,6f,32,07,8b,4a,0a,e2,6f,a8,1b,53,71,0d,
       78,d5,ad,68,1b,c8,4a,9b,03
     "3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,aa,6b,6f,c8,5d,d1,dd,
       70,c8,0c,a2,71,14,a4,b5,05,7d,2c,84,8d,ff,2b,de,6d,f8,f2,70,94,19,43,ce,bd,\

     [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]
     "1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,
       42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14
     "2"=hex:47,6d,e8,b1,c6,c5,94,c0
     "3"=hex:ff,5f,d9,f6,1a,34,78,84,76,5f,7f,90,ab,e1,38,bd,61,7f,f3,fa,19,69,69,
       bf,dc,6f,50,bb,5a,a9,b7,33,74,5c,14,6b,a2,9e,fb,ae,7a,95,1a,da,46,42,75,c8,\
     "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
     "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
       1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
     "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
       51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
     "7"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,
       42,0c,3f,30,d4,d3,b8,cd,35,61,5a,c0,6c,22,7e,83,13,6e,44,91,28,69,cc,01,dd
     "8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,37,8f,51,32,e7,48,19,
       07,20,db,60,8f,b3,8d,05,f9,f8,bf,5c,0a,18,35,6b,a2,f0,ae,0d,45,30,c2,8c,b6,\
     "9"=hex:81,20,8f,ab,28,6a,52,9c
     "18"=hex:70,56,26,33,e3,20,f8,ab
     "10"=hex:20,6b,93,83,a9,c4,e9,ff
     "11"=hex:81,20,8f,ab,28,6a,52,9c
     "12"=hex:81,20,8f,ab,28,6a,52,9c
     "13"=hex:81,20,8f,ab,28,6a,52,9c
     "14"=hex:81,20,8f,ab,28,6a,52,9c
     "24"=hex:81,20,8f,ab,28,6a,52,9c
     "26"=hex:81,20,8f,ab,28,6a,52,9c
     "27"=hex:81,20,8f,ab,28,6a,52,9c
     "19"=hex:81,20,8f,ab,28,6a,52,9c
     "22"=hex:81,20,8f,ab,28,6a,52,9c

     [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\F347AA9A592B216D597E028785020CD4]
     "1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
       b0,0d,ef,4b,fc,af,c2,2e,ad
     "2"=hex:04,29,6a,69,56,d3,ea,41,db,c1,1a,08,f4,34,4d,ff
     "3"=hex:32,86,2a,ee,c9,6b,ae,c6,13,4d,f1,e4,e6,50,00,23,a6,72,90,88,61,9d,43,
       ec,7f,e5,b2,1e,85,49,bf,69,63,2a,32,dd,d4,8b,4d,35,66,08,7e,6f,60,77,fe,b6,\
     "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
     "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
       1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
     "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
       51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
     "7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,
       97,49,3e,e5,49,ef,df,ad,a2
     "8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,9f,2d,73,41,bb,e9,42,
       a6,25,4f,d7,78,4c,16,ee,93,1f,77,7e,c8,5a,1e,88,57,6f,83,6b,0d,c1,a1,cf,3f,\
     "9"=hex:81,20,8f,ab,28,6a,52,9c
     "18"=hex:70,56,26,33,e3,20,f8,ab
     "10"=hex:2d,42,aa,42,9c,87,c8,68
     "11"=hex:81,20,8f,ab,28,6a,52,9c
     "12"=hex:81,20,8f,ab,28,6a,52,9c
     "13"=hex:81,20,8f,ab,28,6a,52,9c
     "14"=hex:81,20,8f,ab,28,6a,52,9c
     "24"=hex:81,20,8f,ab,28,6a,52,9c
     "26"=hex:81,20,8f,ab,28,6a,52,9c
     "27"=hex:81,20,8f,ab,28,6a,52,9c
     "19"=hex:81,20,8f,ab,28,6a,52,9c
     "22"=hex:81,20,8f,ab,28,6a,52,9c

     [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
     "1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
       d5,44,f7,88,8f,b5,4c,1b,f9,3e,da,c2,d2,eb,69,77,32,91,02,8c,84,09,5e,d2,d3
     "2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,
       5e,d2,5e,7f,21,14,b5,b2,29
     "3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
       d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

     [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB]
     "1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
       b0,ce,d6,da,a0,ab,80,e1,24
     "2"=hex:70,52,20,b5,8f,72,73,3d
     "3"=hex:5d,e5,41,e5,42,87,19,9b,9f,7e,68,66,73,82,04,cb,f6,93,92,79,c9,6e,95,
       aa,d7,c2,ab,d8,ca,96,83,b1,3a,cf,fb,cf,9d,3e,5e,05,f0,fc,e6,ad,0e,d4,fb,de,\
     "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
     "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
       1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
     "6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
       b0,62,93,57,0b,21,63,41,55,32,b5,f6,08,b8,5e,2d,e4,ec,af,ae,86,59,ce,53,bb,\
     "7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
       b0,29,7c,70,46,35,dc,d7,79
     "8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,04,93,48,c8,90,e3,70,
       e7,31,82,3f,28,9f,11,d4,80,41,41,ca,c1,a3,77,63,a2,3b,6f,05,06,ed,f6,d5,4d,\
     "9"=hex:81,20,8f,ab,28,6a,52,9c
     "18"=hex:4b,72,8f,bc,6c,3f,e4,15
     "10"=hex:0f,1f,9e,11,ed,e3,a4,c9
     "11"=hex:81,20,8f,ab,28,6a,52,9c
     "12"=hex:ca,83,4b,e3,ee,91,d7,cd,f5,32,44,0c,77,e5,53,a2,75,7f,09,ef,24,bd,4a,
       d5,4c,6a,4e,38,57,0a,42,64,c5,4a,2b,c9,3b,c9,d5,fe,40,49,e9,f0,4d,70,3d,c9,\
     "13"=hex:28,05,a2,0c,1e,2f,c2,cd,69,6f,98,ba,4c,7d,fb,68,24,09,3c,b9,40,12,55,
       27
     "14"=hex:4e,63,05,ff,92,a2,5b,c8
     "24"=hex:81,20,8f,ab,28,6a,52,9c
     "26"=hex:81,20,8f,ab,28,6a,52,9c
     "27"=hex:81,20,8f,ab,28,6a,52,9c
     "19"=hex:86,63,88,f7,9f,82,fb,c8,7e,99,f5,1d,90,a3,9f,76
     "22"=hex:81,20,8f,ab,28,6a,52,9c
     "15"=hex:84,9c,13,98,fb,e0,35,aa,ed,c3,02,6e,bc,cd,1e,7b,f8,1b,ce,bb,55,77,30,
       a0,94,4a,1f,0f,2e,24,bb,a9,2d,eb,bf,fd,37,4a,ce,73,65,f1,3c,13,be,73,09,1d,\

     [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
     "OODEFRAG08.00.00.01WORKSTATION"="5E01032C829F777D2BD79FD09058B3014C0886A79A67C866C54E1649CD0673D70B7229A450BC0DEED2B4B2324E6015A8C45DAAA8C1A483DF71C94D489738EF68971CA1359EF2062BBB6B5D66C895C55F970C8B18B9969BC4CBE70ADA2A0445FDEBE25B3316EB04ECD4D03B38BC62A32A56FD10D8768ACC83AC4325A04B36AA0FC631BA93EF165DD35F405D99F977C270E81C96F67A1087EABEF7675AD5E00DF6B67495F17CA41B62F199C69B65C5680009586F9D607BEEB103260E6CB75A8CF2221EB60D9F8BF980F43DEFF875861009C525E09DD4E4DA724D71CCE27239FE264124DDC7CE85EBFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A6A0AC4980AC7933BA7FD869164D6794FEBC9E127BECC74CE17FB6D3997F38D9BBF832B9AE82AD3456AF824E3CD495685CFC15D5DD85A524D2B53BF251C77DF1F0AE11FE15200DF27E98741B8E6B9560C4240825C7A9BC61198050703A20A3AF6620D351A5CB9D89565055FAFD1D667D7D24172F6690F47324ABB434B5845C1D15FD09A61C733321010EA3933F6F9A247159CF648372C51FC957289E4A029AFC5B4D426C551B649608DB64FBAA79897172F04629921E65D943766E7FA23B99C27BE5947F56DB897AD3961BBF3AE6CFB3B36D92D7A674CF52AED1D09E8AE555981C751AB3C45D4215B6F0D45F0FF9C9EA4EA7CF3C7AEA46E48C841C35754E8F58477CEFD06CE16F5D626F1FCFEC859C503EC99E97E88ACC27C2FDA17079504D956D50B890BA3C3882ED6D0CF7BC732FCC6451A29FF4EFAA5F1C033574CEDED792DD1998A244D186E5D517B334883E2C80859102FC424D6C8943A9AF555581BAC850D2BA29BF20881B79EE30D481F603BC4932E9CB19E86355CA5FEC1E8D514964DFD0CCBC0735B06E9B4B9F9D7BC06708BBAD091FE798A2A62964CECC9E7D98C50A35FEE81A35B45BE354A5C56D56CF9D4E5114793F4D8114364B3A53D146808232F988A99A570F155D0A677B7481766AD442425653079D6AB07A969693049EE19CEBA174D0E4FC7E78BC91DCCFA3DB148775CEA07D5AD5A73931D1F1782055E0F6AA092FA6BF81350712D07E63B1C36D0336F83BBAF0D080D47CDAB33599C7B04C2C7F352BD96282C105D8E736333304C7A20579AC88735CEDC1A71E2382DF3491BACBD6913BAAEAC461E01676C477943BAFBBA516726B5651B730E4C000CA861CEF3655B07E27228D4B22F872951E91A322E67C6192A9BDB06A723430CDFA71A6BE0FE804D2EA927FB6DC741FEA7B23AE1657AE1C64E0162139EC29B639A3F6CEE924BA29FCCCD9646ED160139CA6A26DF8DFE075738A189B5926D5BE25BECB180DCDEB63D1E449E49049888A18F91E528ED8ADC261622EFED0A64156078958E7"

     [HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_044f&Pid_b202\6&2a1fb601&0&0000\LogConf]
     @DACL=(02 0000)
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(740)
     c:\windows\system32\Ati2evxx.dll
     c:\windows\system32\cscui.dll

     - - - - - - - > 'explorer.exe'(3132)
     e:\documents\osx\shadow\YzShadow.dll
     c:\windows\System32\cscui.dll
     d:\program files\Downloads\yz_dck0083\YzDock.dll
     c:\windows\system32\credui.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     d:\program files\Avira\AntiVir Desktop\avguard.exe
     d:\program files\Comodo\Firewall\cmdagent.exe
     .
     **************************************************************************
     .
     Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
     ComboFix-quarantined-files.txt 2009-04-15 18:06
     ComboFix2.txt 2009-04-13 23:54
     ComboFix3.txt 2009-04-13 18:23
     ComboFix4.txt 2009-04-10 21:11
     ComboFix5.txt 2009-04-15 18:02

     Pre-Run: 1,761,148,928 bytes free
     Post-Run: 1,746,444,288 bytes free

     415
  5. All done!
  6. Sure!
-----------------------------------------------------------------
2009-04-13 23:49:10 . 2009-04-13 23:49:11 320,959 ----a-w C:\Qoobox\Quarantine\[75]-Submit_2009-04-13@19.49.zip
2009-04-12 18:03:26 . 2009-04-13 18:34:05 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Xxudokupu.bin.vir
2009-04-12 18:03:25 . 2009-04-13 23:39:02 408 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Xgazulukace.dat.vir
2009-04-10 01:07:49 . 2009-04-13 23:50:20 8,245 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-10 01:06:07 . 2009-04-13 23:48:42 348 ----a-w C:\Qoobox\Quarantine\catchme.log
2001-08-18 12:00:00 . 2008-09-15 00:27:59 502,272 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
2001-08-18 12:00:00 . 2004-08-04 07:56:46 155,648 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\igakotadoqevoyox.dll.vir
2001-08-18 12:00:00 . 2009-04-13 23:49:09 45,056 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\mkbnvo.dll.vir
  7. Nothing came up during the scans. MGA Report:
------------------------------------------------------------
Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-JDWWM-KTBMG-FWQK8
Windows Product Key Hash: xifFAL52i4gPL3ABmxreqtQK8HU=
Windows Product ID: 55277-OEM-2114346-00351
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {89742C47-FB8C-48DD-9E4D-65A7C53EB442}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: D:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\ntoskrnl.exe[5.1.2600.2180]
File Mismatch: C:\WINDOWS\system32\setupapi.dll[5.1.2600.2180]
File Mismatch: C:\WINDOWS\system32\syssetup.dll[5.1.2600.2180]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{89742C47-FB8C-48DD-9E4D-65A7C53EB442}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-FWQK8</PKey><PID>55277-OEM-2114346-00351</PID><PIDType>3</PIDType><SID>S-1-5-21-1390067357-2052111302-839522115</SID><SYSTEM><Manufacturer>NVIDIA</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20040826000000.000000+000</Date></BIOS><HWID>0DE53D4F01844E66</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
  8. Sorry, I did not receive this dialog. Latest log:
--------------------------------------------------------------------
ComboFix 09-04-13.01 - Matt 2009-04-13 19:49.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.663 [GMT -4:00]
Running from: c:\documents and settings\Matt\Desktop\aerdna.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\igakotadoqevoyox.dll.
c:\windows\mkbnvo.dll
c:\windows\Xgazulukace.dat
c:\windows\Xxudokupu.bin
.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.
2009-04-12 18:04 . 2009-04-12 18:04 -------- d-----w C:\ARK
2009-04-11 19:02 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-11 19:02 . 2009-04-11 19:02 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-10 01:57 . 2009-04-10 01:57 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-10 01:57 . 2009-04-10 01:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-10 00:31 . 2009-04-10 00:31 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-04-09 23:59 . 2009-04-09 23:59 -------- d-----w c:\documents and settings\Matt\Application Data\Malwarebytes
2009-04-09 23:59 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-09 23:59 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 23:59 . 2009-04-09 23:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 23:52 . 2005-09-07 19:58 -------- d-----w c:\program files\QuickTime
2009-04-13 23:51 . 2006-09-25 20:19 3337 --sha-w c:\windows\system32\mmf.sys
2009-04-10 19:50 . 2006-02-19 16:06 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 01:57 . 2008-10-03 21:23 -------- d-----w c:\program files\Java
2009-04-10 00:31 . 2007-03-26 14:26 2555 ---ha-w C:\IPH.PH
2009-04-10 00:31 . 2009-04-10 00:31 -------- d-----w c:\program files\AIM6
2009-04-10 00:31 . 2007-03-26 14:27 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-10 00:31 . 2007-03-26 14:27 -------- d-----w c:\program files\Common Files\AOL
2009-04-10 00:30 . 2007-03-26 14:27 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-04 02:51 . 2008-12-15 00:41 -------- d-----w c:\documents and settings\Matt\Application Data\FileZilla
2009-02-27 16:38 . 2008-11-13 23:10 -------- d---a-w c:\documents and settings\All Users\Application Data\Sports Interactive
2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-04-13 23:51 . 2006-09-25 20:19 3337 --sha-w c:\windows\system32\mmf.sys
.
------- Sigcheck -------
[-] 2004-06-17 17:58 560128 31FB2D788A9AA618452C02E8375B6DCD c:\windows\$hf_mig$\KB840987\SP1QFE\user32.dll
[-] 2004-06-17 17:55 528896 530FE6F930201285D4D2BBBBC6A584AE c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2001-08-18 12:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\windows\$NtUninstallKB840987$\user32.dll
[7] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\FlyakiteOSX\Backup\user32.dll
[-] 2004-08-04 07:56 576512 FB77859D24D31CB3CA43177CF0EBDDCE c:\windows\ServicePackFiles\i386\user32.dll
[-] 2004-08-04 07:56 576512 FB77859D24D31CB3CA43177CF0EBDDCE c:\windows\system32\user32.dll
[7] 2005-01-27 17:08 657920 A8EAC5330876548E9966A7D13025D196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2004-01-08 19:23 585216 6626545292428AE1ED5B4237404B346A c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2001-08-18 12:00 593920 CF9F1EEF71F42EDE71B6F4AA05D5CA1A c:\windows\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
[7] 2004-08-04 07:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB867282$\wininet.dll
[7] 2005-01-27 17:13 656896 B5E043E440B210014E021B24CF0A72E3 c:\windows\FlyakiteOSX\Backup\wininet.dll
[-] 2005-01-27 17:13 677888 2776BC171008017ADAC08E979015795E c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2005-01-27 17:13 677888 2776BC171008017ADAC08E979015795E c:\windows\system32\wininet.dll
[-] 2005-01-27 17:13 677888 2776BC171008017ADAC08E979015795E c:\windows\system32\dllcache\wininet.dll
[-] 2004-06-17 08:03 1954688 ED0D7A5F1138CCFD3ECAF8F6AC691F13 c:\windows\$hf_mig$\KB840987\SP1QFE\ntkrnlpa.exe
[-] 2004-06-17 17:00 1903872 37EEE86E396C2FC1508E3A499631F709 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2001-08-18 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe
[7] 2004-08-04 05:58 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\FlyakiteOSX\Backup\ntkrnlpa.exe
[-] 2004-08-04 05:58 2014208 5C68ACBA1B51B34EB2AD10693BCB39F2 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2006-03-11 15:26 2014208 969F998BBEDBFD55F1FCC094FA4DA886 c:\windows\system32\ntkrnlpa.exe
[-] 2004-08-04 05:58 2014208 5C68ACBA1B51B34EB2AD10693BCB39F2 c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2004-06-17 17:22 2051584 F240DC474F8EDB2D95514D831DF069E5 c:\windows\$hf_mig$\KB840987\SP1QFE\ntoskrnl.exe
[-] 2004-06-17 17:00 1881856 2CEBD574C16191344F207ED8A65AE4F6 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2001-08-18 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtUninstallKB840987$\ntoskrnl.exe
[7] 2004-08-04 06:19 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\FlyakiteOSX\Backup\ntoskrnl.exe
[-] 2006-03-11 15:26 2138368 FEA005A44FB744A31BE860F6E8BF8AB6 c:\windows\system32\ntoskrnl.exe
[-] 2004-08-04 06:19 2138368 4A4F02487352AB73B554B5960C14CEF4 c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2004-08-04 06:19 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\_BACKUP\EXE\bootscreen\no_HT\ntoskrnl.exe
[-] 2004-08-04 07:56 1364480 C9B3630199AC0B64FCAF9AAD699E5F17 c:\windows\explorer.exe
[-] 2001-08-18 12:00 1000960 5A26FC6010886D25B3E412493DD95ED8 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\FlyakiteOSX\Backup\explorer.exe
[-] 2004-08-04 07:56 1364480 C9B3630199AC0B64FCAF9AAD699E5F17 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-04 07:56 1364480 C9B3630199AC0B64FCAF9AAD699E5F17 c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\_BACKUP\EXE\explorer.exe
[7] 2004-08-03 18:02 113944 4FE41A819F5A1FF0923F12B34830A6CA c:\windows\FlyakiteOSX\Backup\wuauclt.exe
[-] 2004-08-03 18:02 106264 9C2857949C30858424A11301083F563E c:\windows\ServicePackFiles\i386\wuauclt.exe
[-] 2004-08-03 18:02 106264 9C2857949C30858424A11301083F563E c:\windows\system32\wuauclt.exe
[-] 2004-08-03 18:02 106264 9C2857949C30858424A11301083F563E c:\windows\system32\dllcache\wuauclt.exe
[7] 2004-08-03 18:02 113944 4FE41A819F5A1FF0923F12B34830A6CA c:\windows\_BACKUP\EXE\wuauclt.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-13_14.16.23.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-09-25 20:19 . 2009-04-13 23:51 3337 c:\windows\system32\mmf.sys
- 2006-09-25 20:19 . 2009-04-13 18:15 3337 c:\windows\system32\mmf.sys
+ 2009-04-13 23:50 . 2005-10-21 00:02 163328 c:\windows\erdnt\subs\ERDNT.EXE
- 2009-04-13 18:12 . 2005-10-21 00:02 163328 c:\windows\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="d:\program files\Comodo\Firewall\cfp.exe" [2008-12-06 1797880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
YzShadow.lnk - e:\documents\osx\shadow\YzShadow.exe [2004-10-29 151552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-29 113664]
YzDock.lnk - d:\program files\Downloads\yz_dck0083\YzDock.exe [2003-06-03 386560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.X264"= x264vfw.dll
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mkbnvo.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
-ra------ 2007-06-19 09:21 61440 d:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 10:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
--a------ 2008-12-06 11:20 1797880 d:\program files\Comodo\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 d:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 18:29 165784 d:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
-ra------ 2008-10-01 18:57 289576 d:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
--a------ 2004-06-10 23:15 83968 c:\windows\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 16:57 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-04-09 21:57 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-10-06 02:57 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Bonjour Service"=2 (0x2)
"iPod Service"=3 (0x3)
"O&O Defrag"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"aawservice"=2 (0x2)
"ALG"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23660:TCP"= 23660:TCP:BitComet 23660 TCP
"23660:UDP"= 23660:UDP:BitComet 23660 UDP

R3 RivaTunerEx;RivaTunerEx; [x]
R4 Mouphu;Mouphu;c:\windows\system32\drivers\acpiec.sys [2001-08-18 11648]
S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-06 101776]
S1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-30 31504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2006-09-26 2560]
S2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2003-03-05 15840]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 c:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 10:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.newstoday.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\7z9hg8wh.New\
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 19:52
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-2052111302-839522115-1004\Software\SecuROM\!CAUTION! 
NEVER A OR CHANGE ANY KEY*]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847\13D3AF07D4AFC792B9BD996AC108D6B5]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\F347AA9A592B216D597E028785020CD4]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_044f&Pid_b202\6&2a1fb601&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(3052)
e:\documents\osx\shadow\YzShadow.dll
c:\windows\System32\cscui.dll
d:\program files\Downloads\yz_dck0083\YzDock.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Avira\AntiVir Desktop\avguard.exe
d:\program files\Comodo\Firewall\cmdagent.exe
.
**************************************************************************
.
Completion time: 2009-04-13 19:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 23:53
ComboFix2.txt 2009-04-13 18:23
ComboFix3.txt 2009-04-10 21:11
ComboFix4.txt 2009-04-10 20:04
ComboFix5.txt 2009-04-13 23:48
Pre-Run: 1,710,850,048 bytes free
Post-Run: 1,693,528,064 bytes free
418
--------------------------------------------------------------------------------------
Earlier log:
--------------------------------------------------------------------------------------
ComboFix 09-04-04.01 - Matt 2009-04-10 17:00:34.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.630 [GMT -4:00]
Running from: d:\program files\BitComet\Downloads\ComboFix.exe
FW: COMODO Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.
2009-04-09 21:57 . 2009-04-09 21:57 410,984 --a------ c:\windows\system32\deploytk.dll
2009-04-09 21:57 . 2009-04-09 21:57 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-09 20:31 . 2009-04-09 20:31 <DIR> d-------- c:\program files\AIM6
2009-04-09 20:31 . 2009-04-09 20:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-04-09 19:59 . 2009-04-09 19:59 <DIR> d-------- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-04-09 19:59 . 2009-04-09 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 19:59 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 19:59 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-09 19:43 . 2009-04-10 16:59 408 --a------ c:\windows\Xgazulukace.dat
2009-04-09 19:43 . 2009-04-10 10:29 0 --a------ c:\windows\Xxudokupu.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 19:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 01:57 --------- d-----w c:\program files\Java
2009-04-10 00:31 --------- d-----w c:\program files\Common Files\AOL
2009-04-10 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-10 00:30 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-04 02:51 --------- d-----w c:\documents and settings\Matt\Application Data\FileZilla
2009-02-27 16:38 --------- d---a-w c:\documents and settings\All Users\Application Data\Sports Interactive
2005-05-13 21:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 15:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-14 01:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 23:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 16:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-22 02:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-25 04:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2006-04-27 14:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 17:16 240,128 --sha-r c:\windows\system32\x.264.exe
2004-01-25 04:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
.
------- Sigcheck -------
2004-06-17 13:58 560128 31fb2d788a9aa618452c02e8375b6dcd c:\windows\$hf_mig$\KB840987\SP1QFE\user32.dll
2004-06-17 13:55 528896 530fe6f930201285d4d2bbbbc6a584ae c:\windows\$NtServicePackUninstall$\user32.dll
2001-08-18 08:00 561152 be57a5c3abd240514b98f6bca872fb21 c:\windows\$NtUninstallKB840987$\user32.dll
2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\FlyakiteOSX\Backup\user32.dll
2004-08-04 03:56 576512 fb77859d24d31cb3ca43177cf0ebddce c:\windows\ServicePackFiles\i386\user32.dll
2004-08-04 03:56 576512 fb77859d24d31cb3ca43177cf0ebddce c:\windows\system32\user32.dll
2005-01-27 13:08 657920 a8eac5330876548e9966a7d13025d196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
2004-01-08 15:23 585216 6626545292428ae1ed5b4237404b346a c:\windows\$NtServicePackUninstall$\wininet.dll
2001-08-18 08:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a c:\windows\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
2004-08-04 03:56 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB867282$\wininet.dll
2005-01-27 13:13 656896 b5e043e440b210014e021b24cf0a72e3 c:\windows\FlyakiteOSX\Backup\wininet.dll
2005-01-27 13:13 677888 2776bc171008017adac08e979015795e c:\windows\ServicePackFiles\i386\wininet.dll
2005-01-27 13:13 677888 2776bc171008017adac08e979015795e c:\windows\system32\wininet.dll
2005-01-27 13:13 677888 2776bc171008017adac08e979015795e c:\windows\system32\dllcache\wininet.dll
2004-05-26 21:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e c:\windows\$hf_mig$\KB840987\SP1QFE\winlogon.exe
2001-08-18 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 c:\windows\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\ServicePackFiles\i386\winlogon.exe
2008-09-14 20:27 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe
2004-06-17 04:03 1954688 ed0d7a5f1138ccfd3ecaf8f6ac691f13 c:\windows\$hf_mig$\KB840987\SP1QFE\ntkrnlpa.exe
2004-06-17 13:00 1903872
37eee86e396c2fc1508e3a499631f709 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe 2001-08-18 08:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe 2004-08-04 01:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\FlyakiteOSX\Backup\ntkrnlpa.exe 2004-08-04 01:58 2014208 5c68acba1b51b34eb2ad10693bcb39f2 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe 2006-03-11 11:26 2014208 969f998bbedbfd55f1fcc094fa4da886 c:\windows\system32\ntkrnlpa.exe 2004-08-04 01:58 2014208 5c68acba1b51b34eb2ad10693bcb39f2 c:\windows\system32\dllcache\ntkrnlpa.exe 2004-06-17 13:22 2051584 f240dc474f8edb2d95514d831df069e5 c:\windows\$hf_mig$\KB840987\SP1QFE\ntoskrnl.exe 2004-06-17 13:00 1881856 2cebd574c16191344f207ed8a65ae4f6 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe 2001-08-18 08:00 1982208 a29222d5281056e497408fcc9062f749 c:\windows\$NtUninstallKB840987$\ntoskrnl.exe 2004-08-04 02:19 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\FlyakiteOSX\Backup\ntoskrnl.exe 2006-03-11 11:26 2138368 fea005a44fb744a31be860f6e8bf8ab6 c:\windows\system32\ntoskrnl.exe 2004-08-04 02:19 2138368 4a4f02487352ab73b554b5960c14cef4 c:\windows\system32\dllcache\ntoskrnl.exe 2004-08-04 02:19 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\_BACKUP\EXE\bootscreen\no_HT\ntoskrnl.exe 2004-08-04 03:56 1364480 c9b3630199ac0b64fcaf9aad699e5f17 c:\windows\explorer.exe 2001-08-18 08:00 1000960 5a26fc6010886d25b3e412493dd95ed8 c:\windows\$NtServicePackUninstall$\explorer.exe 2004-08-04 03:56 1032192 a0732187050030ae399b241436565e64 c:\windows\FlyakiteOSX\Backup\explorer.exe 2004-08-04 03:56 1364480 c9b3630199ac0b64fcaf9aad699e5f17 c:\windows\ServicePackFiles\i386\explorer.exe 2004-08-04 03:56 1364480 c9b3630199ac0b64fcaf9aad699e5f17 c:\windows\system32\dllcache\explorer.exe 2004-08-04 03:56 1032192 a0732187050030ae399b241436565e64 c:\windows\_BACKUP\EXE\explorer.exe 2004-08-03 14:02 113944 4fe41a819f5a1ff0923f12b34830a6ca c:\windows\FlyakiteOSX\Backup\wuauclt.exe 
2004-08-03 14:02 106264 9c2857949c30858424a11301083f563e c:\windows\ServicePackFiles\i386\wuauclt.exe 2004-08-03 14:02 106264 9c2857949c30858424a11301083f563e c:\windows\system32\wuauclt.exe 2004-08-03 14:02 106264 9c2857949c30858424a11301083f563e c:\windows\system32\dllcache\wuauclt.exe 2004-08-03 14:02 113944 4fe41a819f5a1ff0923f12b34830a6ca c:\windows\_BACKUP\EXE\wuauclt.exe . ((((((((((((((((((((((((((((( SnapShot@2009-04-09_21.10.46.75 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-04 07:56:46 156,672 ----a-w c:\windows\ecotabiv.dll - 2008-06-10 06:32:34 139,264 ----a-w c:\windows\FlyakiteOSX\Backup\javaws.exe + 2009-04-10 01:57:02 148,888 ----a-w c:\windows\FlyakiteOSX\Backup\javaws.exe - 2008-06-10 05:21:01 135,168 ----a-w c:\windows\system32\java.exe + 2009-04-10 01:57:02 144,792 ----a-w c:\windows\system32\java.exe - 2008-06-10 05:21:04 135,168 ----a-w c:\windows\system32\javaw.exe + 2009-04-10 01:57:02 144,792 ----a-w c:\windows\system32\javaw.exe - 2008-06-10 06:32:34 126,976 ----a-w c:\windows\system32\javaws.exe + 2009-04-10 01:57:02 136,600 ----a-w c:\windows\system32\javaws.exe - 2009-04-10 01:09:55 3,337 --sha-w c:\windows\system32\mmf.sys + 2009-04-10 21:03:35 3,337 --sha-w c:\windows\system32\mmf.sys . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 45,056 2002-12-03 22:06:52 c:\program files\Creative\SB Drive Det\bak\SBDrvDet.exe ----a-w 282,624 2006-09-01 20:57:48 c:\program files\QuickTime\bak\qttask.exe ----a-w 413,696 2008-09-06 19:09:14 c:\program files\QuickTime\QTTask.exe ----a-w 66,672 2004-09-01 16:26:48 d:\program files\AIM\bak\aim.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "COMODO Firewall Pro"="d:\program files\Comodo\Firewall\cfp.exe" [2008-12-06 1797880] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "Kgizicuhuhoneni"="c:\windows\ecotabiv.dll" [2004-08-04 156672] c:\documents and settings\Matt\Start Menu\Programs\Startup\ YzShadow.lnk - e:\documents\osx\shadow\YzShadow.exe [2004-10-29 151552] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-29 113664] YzDock.lnk - d:\program files\BitComet\yz_dck0083\YzDock.exe [2003-06-03 386560] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\guard32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i263_32.drv "vidc.X264"= x264vfw.dll "vidc.hfyu"= huffyuv.dll "msacm.divxa32"= DivXa32.acm "msacm.l3codec"= l3codecp.acm "vidc.I263"= I263_32.drv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli mkbnvo.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] -ra------ 2007-06-19 09:21 61440 d:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater] --a------ 2007-02-28 23:06 2321600 c:\program files\Common 
Files\Adobe\Updater5\AdobeUpdater.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-09-25 10:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security] --a------ 2008-12-06 11:20 1797880 d:\program files\Comodo\Firewall\cfp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol] --a------ 2003-09-17 10:43 57344 d:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] --a------ 2007-04-03 18:29 165784 d:\program files\DAEMON Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] -ra------ 2008-10-01 18:57 289576 d:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService] --a------ 2004-06-10 23:15 83968 c:\windows\system32\nvraidservice.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2009-04-09 21:57 148888 c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] --------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] --a------ 2003-10-06 02:57 24576 c:\windows\system32\CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "wuauserv"=2 (0x2) "Bonjour Service"=2 (0x2) "iPod Service"=3 (0x3) "O&O Defrag"=3 (0x3) "Ati HotKey Poller"=2 (0x2) "aawservice"=2 (0x2) "ALG"=3 (0x3) "JavaQuickStarterService"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] 
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "d:\\Program Files\\BitComet\\BitComet.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "d:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "d:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "23660:TCP"= 23660:TCP:BitComet 23660 TCP "23660:UDP"= 23660:UDP:BitComet 23660 UDP R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-28 101776] R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-28 31504] R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-09-26 2560] R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2004-10-29 15840] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-19 24652] S3 RivaTunerEx;RivaTunerEx;\??\d:\program files\RivaTuner\RivaTunerEx.sys --> d:\program files\RivaTuner\RivaTunerEx.sys [?] S4 Mouphu;Mouphu;c:\windows\system32\drivers\acpiec.sys [2001-08-18 11648] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H] \Shell\AutoRun\command - H:\LaunchU3.exe -a . 
Contents of the 'Scheduled Tasks' folder 2009-04-10 c:\windows\Tasks\1-Click Maintenance.job - d:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 10:09] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.newstoday.com/ uInternet Settings,ProxyOverride = *.local Trusted Zone: aol.com\free FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\2klp9ndr.Mateo\ FF - prefs.js: browser.startup.homepage - hxxp://www.qbn.com FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - plugin: c:\windows\system32\C2MP\npdivx32.dll FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll ---- FIREFOX POLICIES ---- # Mozilla User Preferences /* Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see hxxp://www.mozilla.org/unix/customizing.html#prefs */ FF - user.js: ui.textSelectBackground - #BFD8FA FF - user.js: ui.textSelectForeground - #000000 . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-10 17:03:42 Windows 5.1.2600 Service Pack 2 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1390067357-2052111302-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847] [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847\13D3AF07D4AFC792B9BD996AC108D6B5] [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222] [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC] [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\F347AA9A592B216D597E028785020CD4] [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F] [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB] [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*] 
[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_044f&Pid_b202\6&2a1fb601&0&0000\LogConf] @DACL=(02 0000) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(736) c:\windows\system32\Ati2evxx.dll c:\windows\system32\cscui.dll - - - - - - - > 'lsass.exe'(792) c:\windows\mkbnvo.dll . ------------------------ Other Running Processes ------------------------ . d:\program files\Comodo\Firewall\cmdagent.exe d:\program files\Comodo\Firewall\cfpupdat.exe . ************************************************************************** . 
Completion time: 2009-04-10 17:11:18 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-10 21:11:15 ComboFix2.txt 2009-04-10 20:04:42 Pre-Run: 1,787,576,320 bytes free Post-Run: 1,771,155,456 bytes free 441 ---------------------------------------------------------------------------------------------------- MBAM ---------------------------------------------------------------------------------------------------- Malwarebytes' Anti-Malware 1.36 Database version: 1971 Windows 5.1.2600 Service Pack 2 4/13/2009 8:15:05 PM mbam-log-2009-04-13 (20-15-05).txt Scan type: Quick Scan Objects scanned: 68165 Time elapsed: 1 minute(s), 51 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  9. GMER 1.0.15.14966 - http://www.gmer.net Rootkit scan 2009-04-12 14:05:27 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwEnumerateKey [0xF72F7FB2] SSDT sptd.sys ZwEnumerateValueKey [0xF72F8340] ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 871641E8 AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) ---- EOF - GMER 1.0.15 ---- -------------------------------------------------------------------------------- ComboFix 09-04-13.01 - Matt 2009-04-12 14:11.6 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.676 [GMT -4:00] Running from: c:\documents and settings\Matt\Desktop\aerdna.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) FW: COMODO Firewall *disabled* * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . Infected copy of c:\windows\system32\winlogon.exe was found and disinfected Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe . ((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 ))))))))))))))))))))))))))))))) . 2009-04-12 18:04 . 2009-04-12 18:04 -------- d-----w C:\ARK 2009-04-12 18:03 . 2009-04-12 18:03 0 ----a-w c:\windows\Xxudokupu.bin 2009-04-12 18:03 . 2009-04-12 18:03 408 ----a-w c:\windows\Xgazulukace.dat 2009-04-11 19:02 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys 2009-04-11 19:02 . 2009-04-11 19:02 -------- d-----w c:\documents and settings\All Users\Application Data\Avira 2009-04-10 01:57 . 
2009-04-10 01:57 73728 ----a-w c:\windows\system32\javacpl.cpl 2009-04-10 01:57 . 2009-04-10 01:57 410984 ----a-w c:\windows\system32\deploytk.dll 2009-04-10 00:31 . 2009-04-10 00:31 -------- d-----w c:\documents and settings\All Users\Application Data\acccore 2009-04-09 23:59 . 2009-04-09 23:59 -------- d-----w c:\documents and settings\Matt\Application Data\Malwarebytes 2009-04-09 23:59 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-09 23:59 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-09 23:59 . 2009-04-09 23:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-13 18:15 . 2006-09-25 20:19 3337 --sha-w c:\windows\system32\mmf.sys 2009-04-10 19:50 . 2006-02-19 16:06 -------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-04-10 01:57 . 2008-10-03 21:23 -------- d-----w c:\program files\Java 2009-04-10 00:31 . 2007-03-26 14:26 2555 ---ha-w C:\IPH.PH 2009-04-10 00:31 . 2009-04-10 00:31 -------- d-----w c:\program files\AIM6 2009-04-10 00:31 . 2007-03-26 14:27 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2009-04-10 00:31 . 2007-03-26 14:27 -------- d-----w c:\program files\Common Files\AOL 2009-04-10 00:30 . 2007-03-26 14:27 -------- d-----w c:\documents and settings\All Users\Application Data\AOL 2009-03-04 02:51 . 2008-12-15 00:41 -------- d-----w c:\documents and settings\Matt\Application Data\FileZilla 2009-02-27 16:38 . 2008-11-13 23:10 -------- d---a-w c:\documents and settings\All Users\Application Data\Sports Interactive 2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll 2009-04-13 18:15 . 2006-09-25 20:19 3337 --sha-w c:\windows\system32\mmf.sys . 
------- Sigcheck ------- [-] 2004-06-17 17:58 560128 31FB2D788A9AA618452C02E8375B6DCD c:\windows\$hf_mig$\KB840987\SP1QFE\user32.dll [-] 2004-06-17 17:55 528896 530FE6F930201285D4D2BBBBC6A584AE c:\windows\$NtServicePackUninstall$\user32.dll [-] 2001-08-18 12:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\windows\$NtUninstallKB840987$\user32.dll [7] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\FlyakiteOSX\Backup\user32.dll [-] 2004-08-04 07:56 576512 FB77859D24D31CB3CA43177CF0EBDDCE c:\windows\ServicePackFiles\i386\user32.dll [-] 2004-08-04 07:56 576512 FB77859D24D31CB3CA43177CF0EBDDCE c:\windows\system32\user32.dll [7] 2005-01-27 17:08 657920 A8EAC5330876548E9966A7D13025D196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll [-] 2004-01-08 19:23 585216 6626545292428AE1ED5B4237404B346A c:\windows\$NtServicePackUninstall$\wininet.dll [-] 2001-08-18 12:00 593920 CF9F1EEF71F42EDE71B6F4AA05D5CA1A c:\windows\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll [7] 2004-08-04 07:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB867282$\wininet.dll [7] 2005-01-27 17:13 656896 B5E043E440B210014E021B24CF0A72E3 c:\windows\FlyakiteOSX\Backup\wininet.dll [-] 2005-01-27 17:13 677888 2776BC171008017ADAC08E979015795E c:\windows\ServicePackFiles\i386\wininet.dll [-] 2005-01-27 17:13 677888 2776BC171008017ADAC08E979015795E c:\windows\system32\wininet.dll [-] 2005-01-27 17:13 677888 2776BC171008017ADAC08E979015795E c:\windows\system32\dllcache\wininet.dll [-] 2004-06-17 08:03 1954688 ED0D7A5F1138CCFD3ECAF8F6AC691F13 c:\windows\$hf_mig$\KB840987\SP1QFE\ntkrnlpa.exe [-] 2004-06-17 17:00 1903872 37EEE86E396C2FC1508E3A499631F709 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe [-] 2001-08-18 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe [7] 2004-08-04 05:58 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\FlyakiteOSX\Backup\ntkrnlpa.exe [-] 2004-08-04 05:58 2014208 5C68ACBA1B51B34EB2AD10693BCB39F2 
c:\windows\ServicePackFiles\i386\ntkrnlpa.exe [-] 2006-03-11 15:26 2014208 969F998BBEDBFD55F1FCC094FA4DA886 c:\windows\system32\ntkrnlpa.exe [-] 2004-08-04 05:58 2014208 5C68ACBA1B51B34EB2AD10693BCB39F2 c:\windows\system32\dllcache\ntkrnlpa.exe [-] 2004-06-17 17:22 2051584 F240DC474F8EDB2D95514D831DF069E5 c:\windows\$hf_mig$\KB840987\SP1QFE\ntoskrnl.exe [-] 2004-06-17 17:00 1881856 2CEBD574C16191344F207ED8A65AE4F6 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe [-] 2001-08-18 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtUninstallKB840987$\ntoskrnl.exe [7] 2004-08-04 06:19 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\FlyakiteOSX\Backup\ntoskrnl.exe [-] 2006-03-11 15:26 2138368 FEA005A44FB744A31BE860F6E8BF8AB6 c:\windows\system32\ntoskrnl.exe [-] 2004-08-04 06:19 2138368 4A4F02487352AB73B554B5960C14CEF4 c:\windows\system32\dllcache\ntoskrnl.exe [7] 2004-08-04 06:19 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\_BACKUP\EXE\bootscreen\no_HT\ntoskrnl.exe [-] 2004-08-04 07:56 1364480 C9B3630199AC0B64FCAF9AAD699E5F17 c:\windows\explorer.exe [-] 2001-08-18 12:00 1000960 5A26FC6010886D25B3E412493DD95ED8 c:\windows\$NtServicePackUninstall$\explorer.exe [7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\FlyakiteOSX\Backup\explorer.exe [-] 2004-08-04 07:56 1364480 C9B3630199AC0B64FCAF9AAD699E5F17 c:\windows\ServicePackFiles\i386\explorer.exe [-] 2004-08-04 07:56 1364480 C9B3630199AC0B64FCAF9AAD699E5F17 c:\windows\system32\dllcache\explorer.exe [7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\_BACKUP\EXE\explorer.exe [7] 2004-08-03 18:02 113944 4FE41A819F5A1FF0923F12B34830A6CA c:\windows\FlyakiteOSX\Backup\wuauclt.exe [-] 2004-08-03 18:02 106264 9C2857949C30858424A11301083F563E c:\windows\ServicePackFiles\i386\wuauclt.exe [-] 2004-08-03 18:02 106264 9C2857949C30858424A11301083F563E c:\windows\system32\wuauclt.exe [-] 2004-08-03 18:02 106264 9C2857949C30858424A11301083F563E 
c:\windows\system32\dllcache\wuauclt.exe [7] 2004-08-03 18:02 113944 4FE41A819F5A1FF0923F12B34830A6CA c:\windows\_BACKUP\EXE\wuauclt.exe . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 45,056 2002-12-03 22:06 c:\program files\Creative\SB Drive Det\bak\SBDrvDet.exe ----a-w 282,624 2006-09-01 20:57 c:\program files\QuickTime\bak\qttask.exe ----a-w 413,696 2008-09-06 19:09 c:\program files\QuickTime\QTTask.exe ----a-w 66,672 2004-09-01 16:26 d:\program files\AIM\bak\aim.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "COMODO Firewall Pro"="d:\program files\Comodo\Firewall\cfp.exe" [2008-12-06 1797880] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "Kgizicuhuhoneni"="c:\windows\igakotadoqevoyox.dll" [2004-08-04 155648] c:\documents and settings\Matt\Start Menu\Programs\Startup\ YzShadow.lnk - e:\documents\osx\shadow\YzShadow.exe [2004-10-29 151552] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-29 113664] YzDock.lnk - d:\program files\Downloads\yz_dck0083\YzDock.exe [2003-06-03 386560] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\guard32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i263_32.drv "vidc.X264"= x264vfw.dll "vidc.hfyu"= huffyuv.dll "msacm.divxa32"= DivXa32.acm "msacm.l3codec"= l3codecp.acm "vidc.I263"= I263_32.drv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli mkbnvo.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] -ra------ 2007-06-19 09:21 61440 d:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater] --a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-09-25 10:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security] --a------ 2008-12-06 11:20 1797880 d:\program files\Comodo\Firewall\cfp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol] --a------ 2003-09-17 10:43 57344 d:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] --a------ 2007-04-03 18:29 165784 d:\program files\DAEMON Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] -ra------ 2008-10-01 18:57 289576 d:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService] --a------ 2004-06-10 23:15 83968 c:\windows\system32\nvraidservice.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2009-04-09 21:57 148888 c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] --------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] --a------ 2003-10-06 02:57 24576 c:\windows\system32\CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "wuauserv"=2 (0x2) "Bonjour Service"=2 (0x2) "iPod Service"=3 (0x3) "O&O Defrag"=3 (0x3) "Ati HotKey Poller"=2 (0x2) "aawservice"=2 (0x2) "ALG"=3 (0x3) "JavaQuickStarterService"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "d:\\Program Files\\BitComet\\BitComet.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "d:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "d:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "23660:TCP"= 23660:TCP:BitComet 23660 TCP "23660:UDP"= 23660:UDP:BitComet 23660 UDP R3 RivaTunerEx;RivaTunerEx; [x] R4 Mouphu;Mouphu;c:\windows\system32\drivers\acpiec.sys [2001-08-18 11648] S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-06 101776] S1 cmdHlp;COMODO Firewall Pro Helper 
Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-30 31504] S2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289] S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2006-09-26 2560] S2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2003-03-05 15840] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H] \Shell\AutoRun\command - H:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder 2009-04-13 c:\windows\Tasks\1-Click Maintenance.job - d:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 10:09] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.newstoday.com/ uInternet Settings,ProxyOverride = *.local Trusted Zone: aol.com\free FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\7z9hg8wh.New\ FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - plugin: c:\windows\system32\C2MP\npdivx32.dll FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-13 14:15 Windows 5.1.2600 Service Pack 2 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1390067357-2052111302-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:ba,a9,b5,d8,67,78,ff,31,34,92,80,51,97,48,82,ff,77,cd,ca,ec,61,9a,b9, c9,a5,5e,d3,ca,1a,1f,6f,9b,6e,31,93,bc,c3,b5,b8,0c,b6,1e,cf,b1,d3,82,8f,b8,\ "??"=hex:e4,ed,d9,ac,60,ef,ad,e4,dc,51,4a,07,c6,d3,3f,f5 [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847] "1"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,86,2b,9b,9b,f3,96,a9, e9 "2"=hex:05,83,26,a9,dc,b6,17,45,de,2e,f0,41,a5,95,91,56,fe,07,ca,23,63,6c,c8, df,a0,cb,29,a7,07,62,23,54 "3"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,39,39,6a,6e,1d,99,29, 0e,9a,9e,61,33,16,37,68,38,ee,25,f6,f1,91,9f,21,a9,58,ec,19,f6,96,30,78,09 [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847\13D3AF07D4AFC792B9BD996AC108D6B5] "1"=hex:6a,02,e3,17,35,aa,4f,41,58,69,23,a3,81,f4,a8,0e,0a,4e,8a,24,18,b0,7f, 17,12,df,d0,2e,5e,18,49,90,15,18,bd,aa,84,24,4a,2c "2"=hex:03,13,8a,80,bd,85,45,8e "3"=hex:c5,67,bb,80,ed,9a,1c,4c,47,f8,db,1d,54,01,61,af,01,f5,c6,0f,e5,eb,a0, a5,f7,65,7e,92,a9,e2,f2,9b,84,41,62,14,61,c6,77,4b,92,f2,1a,87,a7,ad,90,02,\ "4"=hex:2f,ad,a2,e7,8a,bf,05,5e "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55, 1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\ "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4, 51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20 "7"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,5c,6c,8a,b0,95,8d,88, 02,5c,f2,b7,9f,8e,b8,9a,b3,47,aa,06,9a,55,51,85,6f,7c,bd,b8,83,41,dc,29,77,\ "8"=hex:23,61,9d,27,41,7b,c8,5d,ae,96,20,b9,1b,81,0b,89,6f,d7,35,30,83,89,61, 55,fc,d7,bc,b4,9a,68,24,eb,75,f8,f6,9c,a0,5c,eb,31 "9"=hex:81,20,8f,ab,28,6a,52,9c "18"=hex:70,56,26,33,e3,20,f8,ab 
"10"=hex:b3,b5,ff,62,ba,b6,61,46 "11"=hex:81,20,8f,ab,28,6a,52,9c "12"=hex:81,20,8f,ab,28,6a,52,9c "13"=hex:81,20,8f,ab,28,6a,52,9c "14"=hex:81,20,8f,ab,28,6a,52,9c "24"=hex:81,20,8f,ab,28,6a,52,9c "26"=hex:81,20,8f,ab,28,6a,52,9c "27"=hex:81,20,8f,ab,28,6a,52,9c "19"=hex:81,20,8f,ab,28,6a,52,9c "22"=hex:81,20,8f,ab,28,6a,52,9c [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222] "1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,04,7d,73,7b,41,5e,94, fd "2"=hex:d7,7a,ea,31,a0,f7,22,dd,b6,43,6f,32,07,8b,4a,0a,e2,6f,a8,1b,53,71,0d, 78,d5,ad,68,1b,c8,4a,9b,03 "3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,aa,6b,6f,c8,5d,d1,dd, 70,c8,0c,a2,71,14,a4,b5,05,7d,2c,84,8d,ff,2b,de,6d,f8,f2,70,94,19,43,ce,bd,\ [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC] "1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25, 42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14 "2"=hex:47,6d,e8,b1,c6,c5,94,c0 "3"=hex:ff,5f,d9,f6,1a,34,78,84,76,5f,7f,90,ab,e1,38,bd,61,7f,f3,fa,19,69,69, bf,dc,6f,50,bb,5a,a9,b7,33,74,5c,14,6b,a2,9e,fb,ae,7a,95,1a,da,46,42,75,c8,\ "4"=hex:2f,ad,a2,e7,8a,bf,05,5e "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55, 1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\ "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4, 51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20 "7"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25, 42,0c,3f,30,d4,d3,b8,cd,35,61,5a,c0,6c,22,7e,83,13,6e,44,91,28,69,cc,01,dd "8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,37,8f,51,32,e7,48,19, 07,20,db,60,8f,b3,8d,05,f9,f8,bf,5c,0a,18,35,6b,a2,f0,ae,0d,45,30,c2,8c,b6,\ "9"=hex:81,20,8f,ab,28,6a,52,9c "18"=hex:70,56,26,33,e3,20,f8,ab "10"=hex:20,6b,93,83,a9,c4,e9,ff 
"11"=hex:81,20,8f,ab,28,6a,52,9c "12"=hex:81,20,8f,ab,28,6a,52,9c "13"=hex:81,20,8f,ab,28,6a,52,9c "14"=hex:81,20,8f,ab,28,6a,52,9c "24"=hex:81,20,8f,ab,28,6a,52,9c "26"=hex:81,20,8f,ab,28,6a,52,9c "27"=hex:81,20,8f,ab,28,6a,52,9c "19"=hex:81,20,8f,ab,28,6a,52,9c "22"=hex:81,20,8f,ab,28,6a,52,9c [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\F347AA9A592B216D597E028785020CD4] "1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2, b0,0d,ef,4b,fc,af,c2,2e,ad "2"=hex:04,29,6a,69,56,d3,ea,41,db,c1,1a,08,f4,34,4d,ff "3"=hex:32,86,2a,ee,c9,6b,ae,c6,13,4d,f1,e4,e6,50,00,23,a6,72,90,88,61,9d,43, ec,7f,e5,b2,1e,85,49,bf,69,63,2a,32,dd,d4,8b,4d,35,66,08,7e,6f,60,77,fe,b6,\ "4"=hex:2f,ad,a2,e7,8a,bf,05,5e "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55, 1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\ "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4, 51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20 "7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d, 97,49,3e,e5,49,ef,df,ad,a2 "8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,9f,2d,73,41,bb,e9,42, a6,25,4f,d7,78,4c,16,ee,93,1f,77,7e,c8,5a,1e,88,57,6f,83,6b,0d,c1,a1,cf,3f,\ "9"=hex:81,20,8f,ab,28,6a,52,9c "18"=hex:70,56,26,33,e3,20,f8,ab "10"=hex:2d,42,aa,42,9c,87,c8,68 "11"=hex:81,20,8f,ab,28,6a,52,9c "12"=hex:81,20,8f,ab,28,6a,52,9c "13"=hex:81,20,8f,ab,28,6a,52,9c "14"=hex:81,20,8f,ab,28,6a,52,9c "24"=hex:81,20,8f,ab,28,6a,52,9c "26"=hex:81,20,8f,ab,28,6a,52,9c "27"=hex:81,20,8f,ab,28,6a,52,9c "19"=hex:81,20,8f,ab,28,6a,52,9c "22"=hex:81,20,8f,ab,28,6a,52,9c [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! 
#^$ g9^$&pgb SDB36o \F3F0046F119EFA4F] "1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8, d5,44,f7,88,8f,b5,4c,1b,f9,3e,da,c2,d2,eb,69,77,32,91,02,8c,84,09,5e,d2,d3 "2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61, 5e,d2,5e,7f,21,14,b5,b2,29 "3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8, d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\ [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB] "1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2, b0,ce,d6,da,a0,ab,80,e1,24 "2"=hex:70,52,20,b5,8f,72,73,3d "3"=hex:5d,e5,41,e5,42,87,19,9b,9f,7e,68,66,73,82,04,cb,f6,93,92,79,c9,6e,95, aa,d7,c2,ab,d8,ca,96,83,b1,3a,cf,fb,cf,9d,3e,5e,05,f0,fc,e6,ad,0e,d4,fb,de,\ "4"=hex:2f,ad,a2,e7,8a,bf,05,5e "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55, 1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\ "6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2, b0,62,93,57,0b,21,63,41,55,32,b5,f6,08,b8,5e,2d,e4,ec,af,ae,86,59,ce,53,bb,\ "7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2, b0,29,7c,70,46,35,dc,d7,79 "8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,04,93,48,c8,90,e3,70, e7,31,82,3f,28,9f,11,d4,80,41,41,ca,c1,a3,77,63,a2,3b,6f,05,06,ed,f6,d5,4d,\ "9"=hex:81,20,8f,ab,28,6a,52,9c "18"=hex:4b,72,8f,bc,6c,3f,e4,15 "10"=hex:0f,1f,9e,11,ed,e3,a4,c9 "11"=hex:81,20,8f,ab,28,6a,52,9c "12"=hex:ca,83,4b,e3,ee,91,d7,cd,f5,32,44,0c,77,e5,53,a2,75,7f,09,ef,24,bd,4a, d5,4c,6a,4e,38,57,0a,42,64,c5,4a,2b,c9,3b,c9,d5,fe,40,49,e9,f0,4d,70,3d,c9,\ "13"=hex:28,05,a2,0c,1e,2f,c2,cd,69,6f,98,ba,4c,7d,fb,68,24,09,3c,b9,40,12,55, 27 "14"=hex:4e,63,05,ff,92,a2,5b,c8 "24"=hex:81,20,8f,ab,28,6a,52,9c "26"=hex:81,20,8f,ab,28,6a,52,9c "27"=hex:81,20,8f,ab,28,6a,52,9c 
"19"=hex:86,63,88,f7,9f,82,fb,c8,7e,99,f5,1d,90,a3,9f,76 "22"=hex:81,20,8f,ab,28,6a,52,9c "15"=hex:84,9c,13,98,fb,e0,35,aa,ed,c3,02,6e,bc,cd,1e,7b,f8,1b,ce,bb,55,77,30, a0,94,4a,1f,0f,2e,24,bb,a9,2d,eb,bf,fd,37,4a,ce,73,65,f1,3c,13,be,73,09,1d,\ [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*] "OODEFRAG08.00.00.01WORKSTATION"="5E01032C829F777D2BD79FD09058B3014C0886A79A67C866C54E1649CD0673D70B7229A450B C0DEED2B4B2324E6015A8C45DAAA8C1A483DF71C94D489738EF68971CA1359EF2062BBB6B5D66C89 5 C55F970C8B18B9969BC4CBE70ADA2A0445FDEBE25B3316EB04ECD4D03B38BC62A32A56FD10D8768A C C83AC4325A04B36AA0FC631BA93EF165DD35F405D99F977C270E81C96F67A1087EABEF7675AD5E00 D F6B67495F17CA41B62F199C69B65C5680009586F9D607BEEB103260E6CB75A8CF2221EB60D9F8BF9 8 0F43DEFF875861009C525E09DD4E4DA724D71CCE27239FE264124DDC7CE85EBFEBC9E127BECC74CF E BC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8E D D5E5BE2F6E667A6A0AC4980AC7933BA7FD869164D6794FEBC9E127BECC74CE17FB6D3997F38D9BBF 8 32B9AE82AD3456AF824E3CD495685CFC15D5DD85A524D2B53BF251C77DF1F0AE11FE15200DF27E98 7 41B8E6B9560C4240825C7A9BC61198050703A20A3AF6620D351A5CB9D89565055FAFD1D667D7D241 7 2F6690F47324ABB434B5845C1D15FD09A61C733321010EA3933F6F9A247159CF648372C51FC95728 9 E4A029AFC5B4D426C551B649608DB64FBAA79897172F04629921E65D943766E7FA23B99C27BE5947 F 56DB897AD3961BBF3AE6CFB3B36D92D7A674CF52AED1D09E8AE555981C751AB3C45D4215B6F0D45F 0 FF9C9EA4EA7CF3C7AEA46E48C841C35754E8F58477CEFD06CE16F5D626F1FCFEC859C503EC99E97E 8 8ACC27C2FDA17079504D956D50B890BA3C3882ED6D0CF7BC732FCC6451A29FF4EFAA5F1C033574CE D ED792DD1998A244D186E5D517B334883E2C80859102FC424D6C8943A9AF555581BAC850D2BA29BF2 0 881B79EE30D481F603BC4932E9CB19E86355CA5FEC1E8D514964DFD0CCBC0735B06E9B4B9F9D7BC0 6 708BBAD091FE798A2A62964CECC9E7D98C50A35FEE81A35B45BE354A5C56D56CF9D4E5114793F4D8 1 14364B3A53D146808232F988A99A570F155D0A677B7481766AD442425653079D6AB07A969693049E E 
19CEBA174D0E4FC7E78BC91DCCFA3DB148775CEA07D5AD5A73931D1F1782055E0F6AA092FA6BF813 5 0712D07E63B1C36D0336F83BBAF0D080D47CDAB33599C7B04C2C7F352BD96282C105D8E736333304 C 7A20579AC88735CEDC1A71E2382DF3491BACBD6913BAAEAC461E01676C477943BAFBBA516726B565 1 B730E4C000CA861CEF3655B07E27228D4B22F872951E91A322E67C6192A9BDB06A723430CDFA71A6 B E0FE804D2EA927FB6DC741FEA7B23AE1657AE1C64E0162139EC29B639A3F6CEE924BA29FCCCD9646 E D160139CA6A26DF8DFE075738A189B5926D5BE25BECB180DCDEB63D1E449E49049888A18F91E528E D 8ADC261622EFED0A64156078958E7" [HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\HID\Vid_044f&Pid_b202\6&2a1fb601&0&0000\LogConf] @DACL=(02 0000) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(744) c:\windows\system32\Ati2evxx.dll c:\windows\system32\cscui.dll - - - - - - - > 'lsass.exe'(800) c:\windows\mkbnvo.dll - - - - - - - > 'explorer.exe'(364) e:\documents\osx\shadow\YzShadow.dll c:\windows\System32\cscui.dll d:\program files\Downloads\yz_dck0083\YzDock.dll c:\windows\system32\credui.dll c:\windows\mkbnvo.dll c:\windows\igakotadoqevoyox.dll . ------------------------ Other Running Processes ------------------------ . d:\program files\Avira\AntiVir Desktop\avguard.exe d:\program files\Comodo\Firewall\cmdagent.exe d:\program files\Comodo\Firewall\cfpupdat.exe . ************************************************************************** . 
Completion time: 2009-04-13 14:23 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-13 18:23 ComboFix2.txt 2009-04-10 21:11 ComboFix3.txt 2009-04-10 20:04 ComboFix4.txt 2009-04-10 14:42 ComboFix5.txt 2009-04-12 18:10 Pre-Run: 1,760,567,296 bytes free Post-Run: 1,744,969,728 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 430 ------------------------------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:34:42 PM, on 4/13/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\Avira\AntiVir Desktop\sched.exe D:\Program Files\Comodo\Firewall\cfp.exe D:\Program Files\Avira\AntiVir Desktop\avgnt.exe D:\Program Files\Downloads\yz_dck0083\YzDock.exe E:\Documents\osx\shadow\YzShadow.exe D:\Program Files\Avira\AntiVir Desktop\avguard.exe D:\Program Files\Comodo\Firewall\cmdagent.exe C:\WINDOWS\runservice.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe D:\Program Files\Comodo\Firewall\cfpupdat.exe C:\WINDOWS\explorer.exe D:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newstoday.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -h O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Kgizicuhuhoneni] rundll32.exe "C:\WINDOWS\igakotadoqevoyox.dll",e O4 - Startup: YzShadow.lnk = E:\Documents\osx\shadow\YzShadow.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: YzDock.lnk = D:\Program Files\Downloads\yz_dck0083\YzDock.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: ATI Smart - Unknown owner - 
C:\WINDOWS\system32\ati2sgag.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\Firewall\cmdagent.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 4578 bytes
10. Hi! I have submitted the file, but I cannot create the LSA.txt file because it says file not found. I assume this is because the file was deleted by MBAM earlier (yesterday's post). Other logs:

---------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 5.1.2600 Service Pack 2

4/12/2009 8:58:29 AM
mbam-log-2009-04-12 (08-58-27).txt

Scan type: Quick Scan
Objects scanned: 68102
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgizicuhuhoneni (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\uwugixivazom.dll (Trojan.Agent) -> Delete on reboot.
--------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:01:41 AM, on 4/12/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\Avira\AntiVir Desktop\sched.exe C:\WINDOWS\Explorer.EXE D:\Program Files\Comodo\Firewall\cfp.exe D:\Program Files\Avira\AntiVir Desktop\avgnt.exe D:\Program Files\Downloads\yz_dck0083\YzDock.exe E:\Documents\osx\shadow\YzShadow.exe D:\Program Files\Avira\AntiVir Desktop\avguard.exe D:\Program Files\Comodo\Firewall\cmdagent.exe C:\WINDOWS\runservice.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\wuauclt.exe D:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newstoday.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - 
BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -h O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Kgizicuhuhoneni] rundll32.exe "C:\WINDOWS\igakotadoqevoyox.dll",e O4 - Startup: YzShadow.lnk = E:\Documents\osx\shadow\YzShadow.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: YzDock.lnk = D:\Program Files\Downloads\yz_dck0083\YzDock.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\Firewall\cmdagent.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 4432 bytes
  11. 1.
------------------------------------------------------------------------------
Avira AntiVir Personal
Report file date: Saturday, April 11, 2009 15:15

Scanning for 1347111 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : Matt
Computer name : MATEO

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:33:26
ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 19:05:13
ANTIVIR3.VDF : 7.1.3.42 169984 Bytes 4/11/2009 19:05:13
Engineversion : 8.2.0.138
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 21:36:42
AESCRIPT.DLL : 8.1.1.73 373114 Bytes 4/11/2009 19:05:21
AESCN.DLL : 8.1.1.10 127348 Bytes 4/11/2009 19:05:20
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 22:24:41
AEPACK.DLL : 8.1.3.12 397687 Bytes 4/11/2009 19:05:19
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 00:01:56
AEHEUR.DLL : 8.1.0.114 1700214 Bytes 4/11/2009 19:05:18
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 00:01:56
AEGEN.DLL : 8.1.1.33 340340 Bytes 4/11/2009 19:05:15
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 18:32:40
AECORE.DLL : 8.1.6.7 176502 Bytes 4/11/2009 19:05:14
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 15:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Manual Selection
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\folder.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Saturday, April 11, 2009 15:15

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Runservice.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'YzShadow.exe' - '1' Module(s) have been scanned
Scan process 'YzDock.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
24 processes with 24 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '57' files ).

Starting the file scan:

Begin scan in 'C:\' <Windows>
C:\WINDOWS\system32\mmf.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

End of the scan: Saturday, April 11, 2009 15:29
Used time: 14:20 Minute(s)

The scan has been done completely.

6681 Scanned directories
162126 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
162124 Files not concerned
862 Archives were scanned
2 Warnings
0 Notes
---------------------------------------------------------------------------------
2.
---------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 5.1.2600 Service Pack 2

4/11/2009 3:33:56 PM
mbam-log-2009-04-11 (15-33-53).txt

Scan type: Quick Scan
Objects scanned: 68023
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgizicuhuhoneni (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ujalafoqipofevin.dll (Trojan.Agent) -> Delete on reboot.
------------------------------------------------------------------------------
3.
------------------------------------------------------------------------------
DDS (Ver_09-03-16.01) - NTFSx86
Run by Matt at 15:38:04.92 on Sat 04/11/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.669 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Comodo\Firewall\cfp.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Downloads\yz_dck0083\YzDock.exe
E:\Documents\osx\shadow\YzShadow.exe
svchost.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.newstoday.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [COMODO Firewall Pro] "d:\program files\comodo\firewall\cfp.exe" -h
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\yzshadow.lnk - e:\documents\osx\shadow\YzShadow.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yzdock.lnk - d:\program files\downloads\yz_dck0083\YzDock.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
LSA: Notification Packages = scecli mkbnvo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\2klp9ndr.mateo\
FF - prefs.js: browser.startup.homepage - hxxp://www.qbn.com
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: XUL Cache: {21B4600E-FC31-4C16-95B2-3185286220D2} - c:\documents and settings\matt\local settings\application data\{21B4600E-FC31-4C16-95B2-3185286220D2}

---- FIREFOX POLICIES ----
# Mozilla User Preferences
/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see hxxp://www.mozilla.org/unix/customizing.html#prefs
*/
FF - user.js: ui.textSelectBackground - #BFD8FA
FF - user.js: ui.textSelectForeground - #000000

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-4-11 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-28 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-28 31504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-4-11 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-4-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-11 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\firewall\cmdagent.exe [2008-10-28 618232]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-9-26 2560]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2004-10-29 15840]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-19 24652]
S3 RivaTunerEx;RivaTunerEx;\??\d:\program files\rivatuner\rivatunerex.sys --> d:\program files\rivatuner\RivaTunerEx.sys [?]
S4 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 Mouphu;Mouphu;c:\windows\system32\drivers\acpiec.sys [2001-8-18 11648]

=============== Created Last 30 ================

2009-04-11 15:02 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-11 15:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-09 21:57 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-09 21:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-09 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-04-09 20:31 <DIR> --d----- c:\program files\AIM6
2009-04-09 19:59 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes
2009-04-09 19:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-09 19:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-09 19:43 0 a------- c:\windows\Xxudokupu.bin
2009-04-09 19:43 408 a------- c:\windows\Xgazulukace.dat

==================== Find3M ====================

2009-04-11 15:35 3,337 a--sh--- c:\windows\system32\mmf.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2005-05-13 17:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 11:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 21:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-10-07 19:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-25 00:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2006-04-27 10:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-25 00:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll

============= FINISH: 15:38:26.48 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/30/2004 6:06:09 AM
System Uptime: 4/11/2009 3:35:00 PM (0 hours ago)

Motherboard: | | MS-7025
Processor: AMD Athlon 64 Processor 3000+ | Socket 939 | 1808/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 10 GiB total, 1.705 GiB free.
D: is FIXED (NTFS) - 59 GiB total, 3.716 GiB free.
E: is FIXED (NTFS) - 186 GiB total, 0.739 GiB free.
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: USB Human Interface Device
Device ID: USB\VID_0DC6&PID_5000&MI_01\7&1A5D8E43&0&0001
Manufacturer: (Standard system devices)
Name: USB Human Interface Device
PNP Device ID: USB\VID_0DC6&PID_5000&MI_01\7&1A5D8E43&0&0001
Service: HidUsb

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&26102690&0&01
Manufacturer: Nvidia
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&26102690&0&01
Service: NVENETFD

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\510B1F5123C01
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\510B1F5123C01
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\6A98EE10DC00
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\6A98EE10DC00
Service: NIC1394

==== System Restore Points ===================

RP220: 3/29/2009 9:16:06 PM - System Checkpoint
RP221: 3/31/2009 9:11:21 AM - System Checkpoint
RP222: 4/1/2009 7:53:12 PM - System Checkpoint
RP223: 4/2/2009 8:00:59 PM - System Checkpoint
RP224: 4/3/2009 10:18:49 PM - System Checkpoint
RP225: 4/5/2009 10:48:05 AM - System Checkpoint
RP226: 4/6/2009 1:19:31 PM - System Checkpoint
RP227: 4/7/2009 1:32:24 PM - System Checkpoint
RP228: 4/8/2009 2:57:24 PM - System Checkpoint
RP229: 4/9/2009 3:06:08 PM - System Checkpoint
RP230: 4/9/2009 9:53:26 PM - Removed Java 6 Update 7
RP231: 4/9/2009 9:56:58 PM - Installed Java 6 Update 13
RP232: 4/11/2009 3:01:54 PM - Avira AntiVir Personal - 4/11/2009 15:01

==== Installed Programs ======================

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop 7.0
Adobe Photoshop CS3
Adobe Photoshop Lightroom
Adobe Reader 7.0.8
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Manager Deluxe 4.1
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HydraVision
Avira AntiVir Personal - Free Antivirus
AVIVO Codecs
CCleaner (remove only)
Choice Guard
Cole2k Media - Codec Pack (Advanced)
COMODO Firewall Pro
Creative System Information
DDT Generator
DivX
DivX Player
FileZilla Client 3.1.6
Football Manager 2009
Google Earth
Google SketchUp 7
HijackThis 2.0.2
Intel A/V Codecs V2.0
iTunes
Java 6 Update 13
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.8)
Mozilla Thunderbird (1.0)
MSVCRT
MSXML 4.0 SP2 Parser and SDK
O&O Defrag Professional Edition
PDF Settings
Pro Evolution Soccer 2009
QuickTime
RivaTuner v2.0 RC 15.8
Segoe UI
SoulSeek Client 156b
Sound Blaster Audigy 2 ZS
SUPER
  12. Hi! Similar files are created after deleting the existing ones. I see that this is quite common here, but I want to make sure I follow the proper steps before moving forward. Thank you!
---------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 1963
Windows 5.1.2600 Service Pack 2

4/11/2009 9:54:01 AM
mbam-log-2009-04-11 (09-53-56).txt

Scan type: Quick Scan
Objects scanned: 67650
Time elapsed: 1 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgizicuhuhoneni (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ujalafoqipofevin.dll (Trojan.Agent) -> No action taken.
----------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:47 AM, on 4/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Comodo\Firewall\cfp.exe
D:\Program Files\Downloads\yz_dck0083\YzDock.exe
E:\Documents\osx\shadow\YzShadow.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newstoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kgizicuhuhoneni] rundll32.exe "C:\WINDOWS\ujalafoqipofevin.dll",e
O4 - Startup: YzShadow.lnk = E:\Documents\osx\shadow\YzShadow.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: YzDock.lnk = D:\Program Files\Downloads\yz_dck0083\YzDock.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4047 bytes