
Trojan-Downloader-Vundo-Other-Malware [Solved]


  • This topic is locked

#1
Slormer (Member, 17 posts)
I cannot reply in my thread since it was started by my brother, and my helper says not to PM. Please enable me to post in my thread, as I would like to continue cleaning: http://www.geekstogo...re-t220221.html
Thanks, and sorry if this was not the most efficient way.


#2
Slormer (Topic Starter, Member, 17 posts)
Thanks for the reopen. Here is the most recent HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:16 PM, on 11/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Stardock\Object Desktop\IconX\IconX.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Brett\My Documents\My Dropbox\shared yo\viron\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {63D5D2A2-8AC6-45BC-8711-88A651A9F41B} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {78856A84-9BB3-4F68-834E-C2F909210522} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Stardock\Object Desktop\IconX\IconX.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Apoint Touchpad.lnk = C:\Program Files\Apoint\Apoint.exe
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.ultimate-guitar.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1228781197125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1228781410437
O20 - AppInit_DLLs: katrack.dll c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

--
End of file - 6219 bytes

Edited by Slormer, 11 December 2008 - 07:15 PM.


#3
Fred21543 (Member 1K, 1,351 posts)
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


#4
Slormer (Topic Starter, Member, 17 posts)
SDFix: Version 1.240
Run by Brett on 12/12/2008 at 06:47 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSmxoe.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Start Menu

Rebooting


Checking Files :

Trojan Files Found:

C:\188220~1 - Deleted
C:\WINDOWS\system32\drivers\TDSSmxoe.sys - Deleted
C:\WINDOWS\system32\TDSSwupe.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSWUPE.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 19:10:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,24,60,e0,14,eb,93,f9,00,c1,08,2d,4a,80,1f,1c,ee,3d,db,ca,3e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,4f,7e,bc,8c,89,11,28,47,96,b9,5f,16,36,09,7c,93,61,40,67,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f8,db,87,d4,d0,70,d7,20,be,f1,1c,f6,22,84,7b,b2,9b,f6,5d,66,3f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:26,07,24,61,d2,cc,ae,de,8b,8e,5e,58,c2,91,7e,18,6b,43,95,0d,f2,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:11,bd,a7,be,cf,1c,10,1e,52,60,53,f9,1a,40,c1,43,5d,4e,8c,07,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5c,a3,0d,00,2d,39,75,ab,3c,c8,e6,aa,fd,2f,7d,16,9d,c5,71,89,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:35,59,9b,1b,5e,23,57,76,38,97,c2,9f,62,a0,ab,3f,8c,66,23,b8,cb,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,24,60,e0,14,eb,93,f9,00,c1,08,2d,4a,80,1f,1c,ee,3d,db,ca,3e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,4f,7e,bc,8c,89,11,28,47,96,b9,5f,16,36,09,7c,93,61,40,67,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmxoe.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmxoe.sys"
"TDSSl"="\systemroot\system32\TDSSktpa.dll"
"tdssservers"="\systemroot\system32\TDSSwupe.dat"
"tdssmain"="\systemroot\system32\TDSSirry.dll"
"tdsslog"="\systemroot\system32\TDSSyavh.dll"
"tdssadw"="\systemroot\system32\TDSSncun.dll"
"tdssinit"="\systemroot\system32\TDSSqqck.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSehys.log"
"TDSSproc"="\systemroot\system32\TDSSwghd.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,24,60,e0,14,eb,93,f9,00,c1,08,2d,4a,80,1f,1c,ee,3d,db,ca,3e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,4f,7e,bc,8c,89,11,28,47,96,b9,5f,16,36,09,7c,93,61,40,67,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmxoe.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmxoe.sys"
"TDSSl"="\systemroot\system32\TDSSktpa.dll"
"tdssservers"="\systemroot\system32\TDSSwupe.dat"
"tdssmain"="\systemroot\system32\TDSSirry.dll"
"tdsslog"="\systemroot\system32\TDSSyavh.dll"
"tdssadw"="\systemroot\system32\TDSSncun.dll"
"tdssinit"="\systemroot\system32\TDSSqqck.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSehys.log"
"TDSSproc"="\systemroot\system32\TDSSwghd.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,24,60,e0,14,eb,93,f9,00,c1,08,2d,4a,80,1f,1c,ee,3d,db,ca,3e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,4f,7e,bc,8c,89,11,28,47,96,b9,5f,16,36,09,7c,93,61,40,67,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmxoe.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmxoe.sys"
"TDSSl"="\systemroot\system32\TDSSktpa.dll"
"tdssservers"="\systemroot\system32\TDSSwupe.dat"
"tdssmain"="\systemroot\system32\TDSSirry.dll"
"tdsslog"="\systemroot\system32\TDSSyavh.dll"
"tdssadw"="\systemroot\system32\TDSSncun.dll"
"tdssinit"="\systemroot\system32\TDSSqqck.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSehys.log"
"TDSSproc"="\systemroot\system32\TDSSwghd.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\Lsa]
"Authentication Packages"=str(7):"msv1_0\0wvauth\0C:\WINDOWS\system32\awtrSllj\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,24,60,e0,14,eb,93,f9,00,c1,08,2d,4a,80,1f,1c,ee,3d,db,ca,3e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,4f,7e,bc,8c,89,11,28,47,96,b9,5f,16,36,09,7c,93,61,40,67,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmxoe.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmxoe.sys"
"TDSSl"="\systemroot\system32\TDSSktpa.dll"
"tdssservers"="\systemroot\system32\TDSSwupe.dat"
"tdssmain"="\systemroot\system32\TDSSirry.dll"
"tdsslog"="\systemroot\system32\TDSSyavh.dll"
"tdssadw"="\systemroot\system32\TDSSncun.dll"
"tdssinit"="\systemroot\system32\TDSSqqck.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSehys.log"
"TDSSproc"="\systemroot\system32\TDSSwghd.log"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=str(7):"msv1_0\0wvauth\0C:\WINDOWS\system32\awtrSllj\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,24,60,e0,14,eb,93,f9,00,c1,08,2d,4a,80,1f,1c,ee,3d,db,ca,3e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,4f,7e,bc,8c,89,11,28,47,96,b9,5f,16,36,09,7c,93,61,40,67,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Control\Lsa]
"Authentication Packages"=str(7):"msv1_0\0wvauth\0C:\WINDOWS\system32\awtrSllj\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:86,c4,bb,b9,4d,2d,00,a9,7d,cd,eb,cf,12,9c,51,6f,71,63,e9,c9,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:4c,93,09,13,02,70,88,4b,0e,38,e3,92,8b,ad,6d,b2,22,85,a3,e8,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,17,ee,3e,4b,0c,1d,50,21,ab,f6,c1,43,c9,c5,c5,8c,c9,..
"khjeh"=hex:ba,a7,c1,d5,ce,15,94,76,fe,4e,a8,59,94,18,f6,3c,ae,82,03,ee,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,24,60,e0,14,eb,93,f9,00,c1,08,2d,4a,80,1f,1c,ee,3d,db,ca,3e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,4f,7e,bc,8c,89,11,28,47,96,b9,5f,16,36,09,7c,93,61,40,67,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d4,bb,2d,24,13,74,05,f6,fe,a9,0c,7c,36,3f,3b,e0,17,7d,3c,2b,a3,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\njbgqqmw.sys 25088 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe"="C:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe:*:Enabled:Malwarebytes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe"="C:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe:*:Enabled:Malwarebytes"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Thu 23 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 19 Sep 2007 5,853 ...HR --- "C:\Documents and Settings\Brett\Application Data\SecuROM\UserData\securom_v7_01.bak"
Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:27 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Stardock\Object Desktop\IconX\IconX.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brett\My Documents\My Dropbox\shared yo\viron\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {63D5D2A2-8AC6-45BC-8711-88A651A9F41B} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {78856A84-9BB3-4F68-834E-C2F909210522} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Stardock\Object Desktop\IconX\IconX.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Apoint Touchpad.lnk = C:\Program Files\Apoint\Apoint.exe
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.ultimate-guitar.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1228781197125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1228781410437
O20 - AppInit_DLLs: katrack.dll c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

--
End of file - 5706 bytes

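As an added illustration (not code from the original thread, from HijackThis, or from the helper), the following Python script applies the checks a helper runs in their head on a log like the one that ends above: orphan O2 BHOs, O4 autoruns launched from a user profile, the O10 LSP that HijackThis could not identify, non-Microsoft O15 Trusted Zone entries, and path-less O20 AppInit_DLLs. The sample lines are copied from the log above, except the IUpd721 O4 line, which is constructed from the MSConfigStartUp-IUpd721 orphan that ComboFix reports later in the thread; the allow-list of Trusted Zone domains is an assumption.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, plus one O4
# line built from the "MSConfigStartUp-IUpd721" orphan ComboFix later removed
# (CONSTRUCTED; HijackThis did not show it in this run).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63D5D2A2-8AC6-45BC-8711-88A651A9F41B} - (no file)
O2 - BHO: (no name) - {78856A84-9BB3-4F68-834E-C2F909210522} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IUpd721] C:\Documents and Settings\Brett\Application Data\NI.GSCNS\IUpd721.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.ultimate-guitar.com
O15 - Trusted Zone: http://*.windowsupdate.com
O20 - AppInit_DLLs: katrack.dll c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
"""

# Assumed allow-list: domains that legitimately land in the Trusted Zone on an
# XP box that uses Windows/Microsoft Update. Anything else deserves a question.
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com")

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_PATH_RE = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def from_user_profile(path):
    """Autoruns launched from a user profile or a temp dir are out of place on XP."""
    p = path.lower()
    return p.startswith("c:\\documents and settings\\") or "\\temp\\" in p


def triage(log_text):
    """Return (section, item, reason) for the HJT lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2" and rest.endswith("(no file)"):
            clsid = CLSID_RE.search(rest).group(0)
            findings.append((section, clsid,
                             "orphan BHO: CLSID still registered but its DLL is gone"))
        elif section == "O4":
            pm = O4_PATH_RE.search(rest)
            if pm and from_user_profile(pm.group(1)):
                findings.append((section, pm.group(1),
                                 "autorun executable living under a user profile"))
        elif section == "O10":
            lsp = rest.split(":", 1)[1].strip()
            findings.append((section, lsp,
                             "Winsock LSP HJT cannot vouch for; verify the file, never delete blindly"))
        elif section == "O15":
            host = rest.split("http://*.", 1)[-1]
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOW):
                findings.append((section, host, "non-Microsoft site in the IE Trusted Zone"))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            # The value is space- or comma-separated; entries without a path are
            # resolved through the DLL search order and injected into every
            # process that loads user32.dll.
            for dll in re.split(r"[\s,]+", rest.split(":", 1)[1].strip()):
                if dll and "\\" not in dll:
                    findings.append((section, dll,
                                     "AppInit_DLLs entry with no path; identify it before deciding"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {item}\n     {reason}")
```

Nothing here decides what to delete: the O10 entry and the path-less AppInit DLL are flagged for a human to verify, because removing a legitimate LSP breaks networking and Kaspersky's own DLLs sit in the same AppInit_DLLs value.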
#5 Fred21543 (Member 1K, 1,351 posts)
Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#6 Slormer (Topic Starter, 17 posts)
ComboFix 08-12-15.04 - Brett 2008-12-16 1:41:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1438 [GMT -5:00]
Running from: c:\documents and settings\Brett\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brett\Application Data\IUpd721
c:\documents and settings\Brett\Application Data\IUpd721\Logs\scns.log
c:\temp\DIV55
c:\windows\system32\Cache
c:\windows\system32\op4
c:\windows\system32\rwwoauyp.ini
c:\windows\system32\vos

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_IPRIP
-------\Legacy_TNIDRIVER
-------\Service_Iprip
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 03:55 . 2008-12-15 03:55 <DIR> d-------- C:\ad1dc0008bf9911c9298d0124c57
2008-12-15 03:52 . 2008-12-15 04:40 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-14 03:15 . 2008-12-14 03:15 1,393 --a------ c:\windows\imsins.BAK
2008-12-13 03:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-13 03:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-12 18:34 . 2008-12-12 18:35 <DIR> d-------- c:\windows\ERUNT
2008-12-12 18:22 . 2008-12-12 19:13 <DIR> d-------- C:\SDFix
2008-12-12 12:05 . 2008-12-12 12:05 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-12 02:26 . 2008-12-12 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-12 02:22 . 2008-12-12 02:22 <DIR> d-------- c:\documents and settings\Brett\Application Data\SUPERAntiSpyware.com
2008-12-11 01:30 . 2008-12-11 01:30 <DIR> d-------- c:\program files\CCleaner
2008-12-10 21:35 . 2008-12-10 21:35 25,088 --a------ c:\windows\system32\drivers\rtsuvywt.sys
2008-12-09 17:21 . 2008-12-09 17:21 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 17:15 . 2008-12-09 17:15 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\program files\Apple Software Update
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-09 16:00 . 2008-12-10 21:13 4 --a------ c:\windows\nlzmcdff
2008-12-09 14:59 . 2008-12-09 14:59 25,088 --a------ c:\windows\system32\drivers\oqfrqkyf.sys
2008-12-08 23:11 . 2008-12-08 23:11 <DIR> d-------- c:\program files\Lavasoft
2008-12-08 23:11 . 2008-12-09 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-08 19:07 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-08 17:56 . 2008-12-16 01:45 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-08 17:40 . 2008-12-16 01:43 5,741,600 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-08 17:40 . 2008-12-16 01:43 598,048 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-08 17:40 . 2008-12-16 01:43 45,936 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-08 17:40 . 2008-12-16 01:43 3,124 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-08 16:59 . 2008-12-08 22:56 4 --a------ c:\windows\xfhdzceg
2008-12-08 15:46 . 2008-12-08 15:46 25,088 --a------ c:\windows\system32\drivers\phqghume.sys
2008-12-08 03:11 . 2008-12-08 03:11 <DIR> d-------- C:\VundoFix Backups
2008-12-08 02:22 . 2008-12-08 16:38 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes
2008-12-08 02:22 . 2008-12-08 02:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-07 21:58 . 2008-12-07 21:58 0 --a------ c:\windows\system32\regsvr32
2008-12-07 17:11 . 2008-12-07 17:11 <DIR> d-------- c:\program files\CleanMyPC
2008-12-05 18:14 . 2008-12-06 18:27 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-05 18:14 . 2008-12-05 18:14 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-05 17:39 . 2008-12-16 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-05 17:16 . 2008-12-05 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-05 14:46 . 2008-12-05 14:46 <DIR> d-------- C:\!KillBox
2008-12-05 14:38 . 2008-12-05 14:38 <DIR> d-------- c:\program files\Portable Applications
2008-12-05 13:50 . 2008-12-05 14:17 <DIR> d-------- c:\program files\QUAD Utilities
2008-12-05 13:39 . 2008-12-05 13:19 13,596,592 --a------ C:\sd.exe
2008-12-05 13:00 . 2008-12-05 13:00 <DIR> d-------- c:\documents and settings\Brett\Application Data\True Sword
2008-12-05 12:59 . 2008-12-07 04:20 <DIR> d-------- c:\program files\True Sword 5
2008-12-05 12:59 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll
2008-12-05 12:59 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll
2008-12-05 05:52 . 2008-12-16 01:36 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 05:52 . 2008-12-16 01:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 03:34 . 2008-12-16 01:43 1,924 --a------ c:\windows\mweoqwdw
2008-12-05 03:33 . 2008-12-07 01:00 <DIR> d-------- c:\windows\system32\Pe
2008-12-05 03:32 . 2008-12-08 17:05 800 --a------ C:\log.udt
2008-12-04 04:02 . 2008-12-04 04:02 <DIR> d-------- c:\program files\Power Tab Software
2008-12-03 22:30 . 2008-12-03 22:30 <DIR> d-------- c:\program files\Guitar Pro 5
2008-12-03 13:52 . 2008-12-03 13:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys.bak
2008-12-03 13:52 . 2008-12-03 13:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys.bak
2008-12-03 02:16 . 2008-12-03 03:21 <DIR> d-------- c:\program files\World of Warcraft.temp
2008-12-03 02:14 . 2008-12-03 02:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-12-01 17:02 . 2008-12-01 17:02 244 --ah----- C:\sqmnoopt14.sqm
2008-12-01 17:02 . 2008-12-01 17:02 232 --ah----- C:\sqmdata14.sqm
2008-12-01 13:29 . 2008-12-01 13:29 244 --ah----- C:\sqmnoopt13.sqm
2008-12-01 13:29 . 2008-12-01 13:29 232 --ah----- C:\sqmdata13.sqm
2008-11-27 00:21 . 2004-08-04 05:00 125,952 --a------ c:\windows\system32\dllcache\ftpsv251.dll
2008-11-27 00:21 . 2004-08-04 05:00 7,909 --a------ c:\windows\system32\ftpctrs.ini
2008-11-27 00:21 . 2004-08-04 05:00 7,680 --a------ c:\windows\system32\ftpctrs2.dll
2008-11-27 00:21 . 2004-08-04 05:00 7,680 --a------ c:\windows\system32\dllcache\ftpctrs2.dll
2008-11-27 00:21 . 2004-08-04 05:00 6,144 --a------ c:\windows\system32\dllcache\ftpmib.dll
2008-11-27 00:21 . 2004-08-04 05:00 2,549 --a------ c:\windows\system32\ftpctrs.h
2008-11-21 16:25 . 2007-08-13 07:37 <DIR> d-------- c:\documents and settings\LocalUserjane\Application Data\Wave Systems Corp
2008-11-21 16:25 . 2007-08-13 07:45 <DIR> d-------- c:\documents and settings\LocalUserjane\Application Data\Intel
2008-11-21 16:25 . 2007-08-13 07:32 <DIR> d-------- c:\documents and settings\LocalUserjane\Application Data\InstallShield
2008-11-21 16:25 . 2007-08-13 07:53 <DIR> d--h----- c:\documents and settings\LocalUserjane\Application Data\Gtek
2008-11-21 16:25 . 2008-11-21 16:25 <DIR> d-------- c:\documents and settings\LocalUserjane
2008-11-21 16:18 . 2007-08-13 07:37 <DIR> d-------- c:\documents and settings\LocalUserbob\Application Data\Wave Systems Corp
2008-11-21 16:18 . 2007-08-13 07:45 <DIR> d-------- c:\documents and settings\LocalUserbob\Application Data\Intel
2008-11-21 16:18 . 2007-08-13 07:32 <DIR> d-------- c:\documents and settings\LocalUserbob\Application Data\InstallShield
2008-11-21 16:18 . 2007-08-13 07:53 <DIR> d--h----- c:\documents and settings\LocalUserbob\Application Data\Gtek
2008-11-21 16:18 . 2008-11-21 16:18 <DIR> d-------- c:\documents and settings\LocalUserbob

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 06:45 --------- d-----w c:\documents and settings\Brett\Application Data\Dropbox
2008-12-16 06:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 05:35 --------- d-----w c:\documents and settings\Brett\Application Data\Azureus
2008-12-14 08:17 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-12 07:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-12 07:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 01:17 --------- d-----w c:\program files\Sun
2008-12-11 01:11 --------- d-----w c:\program files\Java
2008-12-09 22:51 --------- d-----w c:\program files\Winamp
2008-12-09 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-09 22:15 --------- d-----w c:\program files\QuickTime
2008-12-09 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-09 21:43 --------- d-----w c:\documents and settings\Brett\Application Data\Wave Systems Corp
2008-12-07 21:20 --------- d-----w c:\program files\EditPlus 2
2008-12-06 05:02 --------- d-----w c:\program files\mIRC
2008-12-05 17:41 --------- d-----w c:\program files\Steam
2008-12-05 11:14 --------- d-----w c:\program files\Bonjour
2008-12-05 09:48 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2008-12-05 04:34 --------- d-----w c:\program files\AutoIt3
2008-12-03 21:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-21 19:41 --------- d-----w c:\program files\Azureus
2008-11-16 02:30 --------- d-----w c:\program files\TVUPlayer
2008-11-16 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-13 04:40 --------- d-----w c:\documents and settings\Brett\Application Data\mIRC
2008-11-03 03:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 20:38 --------- d-----w c:\program files\RealVNC
2008-10-30 19:45 --------- d-----w c:\program files\Diablo II
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 21:48 --------- d-----w c:\program files\Cheat Engine
2008-10-17 11:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\AVG7
2008-10-05 20:06 165,798 ----a-w c:\windows\Video Cleaner Uninstaller.exe
2008-12-08 22:09 66,576 ----a-w c:\program files\mozilla firefox\components\aacfbeb.dll
2008-07-01 21:52 66,936 -csha-w c:\windows\dlinfo_0.drv
2008-05-09 02:26 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050820080509\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DesktopX"="c:\program files\Stardock\Object Desktop\IconX\IconX.exe" [2004-07-17 121856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]

c:\documents and settings\Brett\Start Menu\Programs\Startup\
Apoint Touchpad.lnk - c:\program files\Apoint\Apoint.exe [2007-08-13 159744]
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-07-03 8767575]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 10:25 139264 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 21:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Brett^Start Menu^Programs^Startup^Shortcut to Apoint.lnk]
path=c:\documents and settings\Brett\Start Menu\Programs\Startup\Shortcut to Apoint.lnk
backup=c:\windows\pss\Shortcut to Apoint.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-02-22 05:46 13508608 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
--a------ 2007-11-29 09:40 262144 c:\program files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess]
--a------ 2007-08-01 12:00 753664 c:\windows\keyacc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WinVNC4"=2 (0x2)
"WebClient"=2 (0x2)
"Wave UCSPlus"=2 (0x2)
"VSS"=3 (0x3)
"vmount2"=2 (0x2)
"usnjsvc"=3 (0x3)
"TrkWks"=2 (0x2)
"tcsd_win32.exe"=2 (0x2)
"SSDPSRV"=3 (0x3)
"SQLWriter"=3 (0x3)
"SQLBrowser"=2 (0x2)
"Spooler"=2 (0x2)
"Softmon"=2 (0x2)
"seclogon"=2 (0x2)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Network Monitor"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KeyAccess"=2 (0x2)
"Iprip"=2 (0x2)
"Intel Targeted Multicast"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel Local Scheduler Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FCI"=2 (0x2)
"cmdService"=2 (0x2)
"CBA8"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"srservice"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"EvtEng"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51337:UDP"= 51337:UDP:Azureus
"51337:TCP"= 51337:TCP:Azureus
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-09-19 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-09-19 41680]
R2 MSSQL$POPKIN10SQL;MSSQL$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe -sPOPKIN10SQL []
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys [2008-12-08 25088]
S0 ebssut;ebssut;c:\windows\system32\drivers\jbflru.sys []
S0 f6ab5a88f4d8de2c51bc04841e87a038;f6ab5a88f4d8de2c51bc04841e87a038;c:\windows\system32\f6ab5a88f4d8de2c51bc04841e87a038.sys []
S0 mweoqwdw;mweoqwdw;c:\windows\system32\drivers\njbgqqmw.sys []
S0 sovpIas;sovpIas;c:\windows\system32\drivers\luwxvhaf.sys []
S0 ujylt;ujylt;c:\windows\system32\drivers\dqon.sys []
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS []
S3 SQLAgent$POPKIN10SQL;SQLAgent$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlagent.EXE -i POPKIN10SQL []
S4 CBA8;LANDesk® Management Agent;"c:\program files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 122880]
S4 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2007-08-01 753664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
S4 Softmon;LANDesk® Software Monitoring Service;"c:\progra~1\LANDesk\LDClient\softmon.exe" [2007-09-05 266240]
S4 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-08-11 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-14 c:\windows\Tasks\At1.job
- c:\documents and settings\Brett\Templates\Brengkolang.com []

2008-12-14 c:\windows\Tasks\At2.job
- c:\documents and settings\Brett\Templates\Brengkolang.com []
.
- - - - ORPHANS REMOVED - - - -

BHO-{63D5D2A2-8AC6-45BC-8711-88A651A9F41B} - (no file)
BHO-{78856A84-9BB3-4F68-834E-C2F909210522} - (no file)
Notify-dimsntfy - (no file)
MSConfigStartUp-AdobeCS4ServiceManager - c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-IUpd721 - c:\documents and settings\Brett\Application Data\NI.GSCNS\IUpd721.exe
MSConfigStartUp-pcqdggcfwk - c:\windows\system32\saskcizgvixr.dll
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-Registry Cleaner Scheduler - c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\biolsp.dll
FF - ProfilePath - c:\documents and settings\Brett\Application Data\Mozilla\Firefox\Profiles\7b5syowm.Brertt\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 01:44:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\njbgqqmw.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\program files\Common Files\Stardock\mcpstub.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(1356)
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Stardock\sdmcp.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\stacsv.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-16 1:49:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 06:49:26

Pre-Run: 42,869,080,064 bytes free
Post-Run: 42,768,498,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

357 --- E O F --- 2008-12-15 08:48:34

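The boot-start driver entries in the ComboFix log above are the part worth pulling apart, and the correlation can be done offline with a short script. As an added example (not ComboFix or catchme output, and not the helper's procedure), the Python below parses Files Created, driver-service and catchme lines copied from that log and cross-references them: an S0 driver whose image catchme reports as hidden, random-named S0 drivers whose image file is absent, several random-named .sys files of identical size, and service names that reappear as extension-less marker files directly under c:\windows. The random-name test and the severity labels are my own heuristics, not anything ComboFix computes; the VERIFY tier exists because the SUPERAntiSpyware S1 drivers also show empty brackets and are benign.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the ComboFix log above
# (Files Created, Reg Loading Points driver lines, catchme hidden-file line).
FILES_CREATED = r"""
2008-12-10 21:35 . 2008-12-10 21:35 25,088 --a------ c:\windows\system32\drivers\rtsuvywt.sys
2008-12-09 16:00 . 2008-12-10 21:13 4 --a------ c:\windows\nlzmcdff
2008-12-09 14:59 . 2008-12-09 14:59 25,088 --a------ c:\windows\system32\drivers\oqfrqkyf.sys
2008-12-08 16:59 . 2008-12-08 22:56 4 --a------ c:\windows\xfhdzceg
2008-12-08 15:46 . 2008-12-08 15:46 25,088 --a------ c:\windows\system32\drivers\phqghume.sys
2008-12-05 18:14 . 2008-12-06 18:27 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-05 03:34 . 2008-12-16 01:43 1,924 --a------ c:\windows\mweoqwdw
"""
SERVICES = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys [2008-12-08 25088]
S0 ebssut;ebssut;c:\windows\system32\drivers\jbflru.sys []
S0 mweoqwdw;mweoqwdw;c:\windows\system32\drivers\njbgqqmw.sys []
S0 sovpIas;sovpIas;c:\windows\system32\drivers\luwxvhaf.sys []
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
"""
CATCHME = r"""
c:\windows\system32\drivers\njbgqqmw.sys 25088 bytes executable
"""

FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?)\s*\[(.*)\]$")
HIDDEN_RE = re.compile(r"^(\S+)\s+(\d+) bytes executable$")
# Heuristic, not proof: 6-10 lowercase letters, no digits, no vendor prefix.
# A real word such as "browser" would match too; this is for triage, not deletion.
RANDOM_STEM = re.compile(r"[a-z]{6,10}")
WINDIR = "c:\\windows\\"


def stem(path):
    """Last path component without extension, case preserved."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def looks_random(name):
    return RANDOM_STEM.fullmatch(name) is not None


def is_marker(path):
    """Extension-less file directly under c:\\windows (the tiny state files in this log)."""
    tail = path[len(WINDIR):]
    return path.startswith(WINDIR) and "\\" not in tail and "." not in tail


def parse_files(text):
    """Files Created lines -> {lowercase path: size in bytes}; directories skipped."""
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group(1) != "<DIR>":
            files[m.group(2).lower()] = int(m.group(1).replace(",", ""))
    return files


def parse_services(text):
    """'S0 name;desc;image [date size]' -> dicts; empty brackets mean no file was found."""
    services = []
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if m:
            start, name, image, stamp = m.groups()
            services.append({"start": start, "name": name, "image": image, "on_disk": bool(stamp)})
    return services


def parse_hidden(text):
    """catchme 'path N bytes executable' lines -> {lowercase path: size}."""
    hidden = {}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            hidden[m.group(1).lower()] = int(m.group(2))
    return hidden


def correlate(files, services, hidden):
    """Return (severity, subject, reason) findings."""
    findings = []
    random_files = {p: s for p, s in files.items() if looks_random(stem(p))}
    markers = {stem(p) for p in random_files if is_marker(p)}
    for svc in services:
        image_stem = stem(svc["image"])
        if svc["image"].lower() in hidden:
            findings.append(("HIGH", svc["name"],
                             f"{svc['start']} driver {svc['image']} hidden from the file system but still registered"))
        elif looks_random(image_stem) and not svc["on_disk"]:
            findings.append(("HIGH", svc["name"],
                             f"{svc['start']} driver with random-looking image name and no file on disk"))
        elif looks_random(image_stem):
            findings.append(("REVIEW", svc["name"],
                             f"{svc['start']} driver {svc['image']} has a random-looking name; check signer and vendor"))
        elif not svc["on_disk"]:
            findings.append(("VERIFY", svc["name"],
                             "image absent; some vendors (e.g. SUPERAntiSpyware) create the driver on demand"))
        if svc["name"].lower() in markers:
            findings.append(("HIGH", svc["name"],
                             "service name reused as a marker file directly under c:\\windows"))
    by_size = defaultdict(list)  # identical sizes point at repeated drops of one component
    for p, s in random_files.items():
        if p.endswith(".sys"):
            by_size[s].append(stem(p))
    for size, stems in sorted(by_size.items()):
        if len(stems) >= 2:
            findings.append(("HIGH", ",".join(sorted(stems)),
                             f"{len(stems)} random-named drivers of identical size ({size} bytes)"))
    return findings


if __name__ == "__main__":
    for sev, who, why in correlate(parse_files(FILES_CREATED), parse_services(SERVICES), parse_hidden(CATCHME)):
        print(f"{sev:7} {who}: {why}")
```

The interesting output is the pairing the log only shows implicitly: service mweoqwdw points at a hidden njbgqqmw.sys and shares its name with the 1,924-byte file c:\windows\mweoqwdw, and the three 25,088-byte drivers created on different days are the same dropper landing again after each cleanup attempt.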
#7 Slormer (Topic Starter, 17 posts)
Seems like my only problems right now are some bookmarks not working, random redirects to 'bottomdollar.com' and other weird 'testing clickfraud' sites. On sites such as http://www.ultimate-..._guitar_pro.htm, where I click the 'Download Hysteria Guitar Tab' button, it loads for a second then nothing happens. These buttons used to work before everything. (Not sure if the viruses did this or if it was a safety measure that was turned on.) Also, YouTube and any other types of streaming videos take a long time before they start playing, but once they do they are fine, and not slow to stream. This is new also. Thanks

Edited by Slormer, 21 December 2008 - 04:00 PM.


#8 Fred21543 (Member 1K, 1,351 posts)
Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, then re-download and run the new version of ComboFix following the same instructions:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 Slormer (Topic Starter, 17 posts)
Done.

ComboFix 08-12-26.03 - Brett 2008-12-27 17:37:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1222 [GMT -5:00]
Running from: c:\documents and settings\Brett\Desktop\ComboFix.exe
AV: AVG 7.5.549 *On-access scanning enabled* (Outdated)
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\log.udt
c:\windows\system32\iifcyxxy.dll
c:\windows\system32\prunnet.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-24 13:20 . 2008-12-24 13:20 25,088 --a------ c:\windows\system32\drivers\phqghume.sys
2008-12-22 12:12 . 2008-12-24 12:59 4 --a------ c:\windows\aylnlfdx
2008-12-19 16:31 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-19 16:31 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-19 16:31 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-19 16:31 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-19 16:31 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-19 16:31 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-19 16:31 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-19 16:31 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-19 16:30 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-19 16:30 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-19 15:54 . 2008-12-19 15:58 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-17 08:07 . 2008-04-13 19:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2008-12-15 03:55 . 2008-12-15 03:55 <DIR> d-------- C:\ad1dc0008bf9911c9298d0124c57
2008-12-15 03:52 . 2008-12-15 04:40 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-13 03:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-13 03:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-12 18:34 . 2008-12-12 18:35 <DIR> d-------- c:\windows\ERUNT
2008-12-12 18:22 . 2008-12-12 19:13 <DIR> d-------- C:\SDFix
2008-12-12 12:05 . 2008-12-12 12:05 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-12 02:26 . 2008-12-12 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-12 02:22 . 2008-12-12 02:22 <DIR> d-------- c:\documents and settings\Brett\Application Data\SUPERAntiSpyware.com
2008-12-11 01:30 . 2008-12-11 01:30 <DIR> d-------- c:\program files\CCleaner
2008-12-10 21:35 . 2008-12-10 21:35 25,088 --a------ c:\windows\system32\drivers\rtsuvywt.sys
2008-12-10 14:50 . 2008-10-23 07:36 286,720 --------- c:\windows\system32\dllcache\gdi32.dll
2008-12-09 17:21 . 2008-12-09 17:21 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 17:15 . 2008-12-09 17:15 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\program files\Apple Software Update
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-09 16:00 . 2008-12-10 21:13 4 --a------ c:\windows\nlzmcdff
2008-12-09 14:59 . 2008-12-09 14:59 25,088 --a------ c:\windows\system32\drivers\oqfrqkyf.sys
2008-12-08 23:11 . 2008-12-08 23:11 <DIR> d-------- c:\program files\Lavasoft
2008-12-08 23:11 . 2008-12-09 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-08 19:07 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-08 17:56 . 2008-12-24 14:36 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-08 17:40 . 2008-12-24 14:33 5,752,352 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-08 17:40 . 2008-12-27 17:35 778,272 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-08 17:40 . 2008-12-24 14:33 46,020 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-08 17:40 . 2008-12-27 17:35 3,740 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-08 16:59 . 2008-12-08 22:56 4 --a------ c:\windows\xfhdzceg
2008-12-08 03:11 . 2008-12-08 03:11 <DIR> d-------- C:\VundoFix Backups
2008-12-08 02:22 . 2008-12-08 16:38 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes
2008-12-08 02:22 . 2008-12-08 02:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-07 21:58 . 2008-12-07 21:58 0 --a------ c:\windows\system32\regsvr32
2008-12-07 17:11 . 2008-12-07 17:11 <DIR> d-------- c:\program files\CleanMyPC
2008-12-05 18:14 . 2008-12-06 18:27 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-05 18:14 . 2008-12-05 18:14 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-05 17:39 . 2008-12-24 14:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-05 17:16 . 2008-12-05 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-05 14:46 . 2008-12-05 14:46 <DIR> d-------- C:\!KillBox
2008-12-05 14:38 . 2008-12-05 14:38 <DIR> d-------- c:\program files\Portable Applications
2008-12-05 13:50 . 2008-12-05 14:17 <DIR> d-------- c:\program files\QUAD Utilities
2008-12-05 13:39 . 2008-12-05 13:19 13,596,592 --a------ C:\sd.exe
2008-12-05 13:00 . 2008-12-05 13:00 <DIR> d-------- c:\documents and settings\Brett\Application Data\True Sword
2008-12-05 12:59 . 2008-12-07 04:20 <DIR> d-------- c:\program files\True Sword 5
2008-12-05 12:59 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll
2008-12-05 12:59 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll
2008-12-05 05:52 . 2008-12-21 18:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 05:52 . 2008-12-21 18:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 03:34 . 2008-12-21 23:17 1,924 --a------ c:\windows\mweoqwdw
2008-12-05 03:33 . 2008-12-07 01:00 <DIR> d-------- c:\windows\system32\Pe
2008-12-04 04:02 . 2008-12-04 04:02 <DIR> d-------- c:\program files\Power Tab Software
2008-12-03 22:30 . 2008-12-03 22:30 <DIR> d-------- c:\program files\Guitar Pro 5
2008-12-03 13:52 . 2008-12-03 13:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys.bak
2008-12-03 13:52 . 2008-12-03 13:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys.bak
2008-12-03 02:16 . 2008-12-03 03:21 <DIR> d-------- c:\program files\World of Warcraft.temp
2008-12-03 02:14 . 2008-12-03 02:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-12-01 17:02 . 2008-12-01 17:02 244 --ah----- C:\sqmnoopt14.sqm
2008-12-01 17:02 . 2008-12-01 17:02 232 --ah----- C:\sqmdata14.sqm
2008-12-01 13:29 . 2008-12-01 13:29 244 --ah----- C:\sqmnoopt13.sqm
2008-12-01 13:29 . 2008-12-01 13:29 232 --ah----- C:\sqmdata13.sqm
2008-11-27 00:21 . 2004-08-04 05:00 7,909 --a------ c:\windows\system32\ftpctrs.ini
2008-11-27 00:21 . 2004-08-04 05:00 7,680 --a------ c:\windows\system32\ftpctrs2.dll
2008-11-27 00:21 . 2004-08-04 05:00 7,680 --a------ c:\windows\system32\dllcache\ftpctrs2.dll
2008-11-27 00:21 . 2004-08-04 05:00 2,549 --a------ c:\windows\system32\ftpctrs.h

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 22:41 --------- d-----w c:\documents and settings\Brett\Application Data\Azureus
2008-12-27 02:26 --------- d-----w c:\program files\Steam
2008-12-24 20:10 --------- d-----w c:\documents and settings\Brett\Application Data\Dropbox
2008-12-17 20:33 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 06:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 07:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-12 07:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 01:17 --------- d-----w c:\program files\Sun
2008-12-11 01:11 --------- d-----w c:\program files\Java
2008-12-09 22:51 --------- d-----w c:\program files\Winamp
2008-12-09 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-09 22:15 --------- d-----w c:\program files\QuickTime
2008-12-09 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-09 21:43 --------- d-----w c:\documents and settings\Brett\Application Data\Wave Systems Corp
2008-12-07 21:20 --------- d-----w c:\program files\EditPlus 2
2008-12-06 05:02 --------- d-----w c:\program files\mIRC
2008-12-05 11:14 --------- d-----w c:\program files\Bonjour
2008-12-05 09:48 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2008-12-05 04:34 --------- d-----w c:\program files\AutoIt3
2008-12-03 21:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-21 19:41 --------- d-----w c:\program files\Azureus
2008-11-16 02:30 --------- d-----w c:\program files\TVUPlayer
2008-11-16 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-13 04:40 --------- d-----w c:\documents and settings\Brett\Application Data\mIRC
2008-11-03 03:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 20:38 --------- d-----w c:\program files\RealVNC
2008-10-30 19:45 --------- d-----w c:\program files\Diablo II
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-05 20:06 165,798 ----a-w c:\windows\Video Cleaner Uninstaller.exe
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-12-08 22:09 66,576 ----a-w c:\program files\mozilla firefox\components\aacfbeb.dll
2008-07-01 21:52 66,936 -csha-w c:\windows\dlinfo_0.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DesktopX"="c:\program files\Stardock\Object Desktop\IconX\IconX.exe" [2004-07-17 121856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Brett\Start Menu\Programs\Startup\
Apoint Touchpad.lnk - c:\program files\Apoint\Apoint.exe [2007-08-13 159744]
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-07-03 8767575]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 10:25 139264 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 21:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Brett^Start Menu^Programs^Startup^Shortcut to Apoint.lnk]
path=c:\documents and settings\Brett\Start Menu\Programs\Startup\Shortcut to Apoint.lnk
backup=c:\windows\pss\Shortcut to Apoint.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-02-22 05:46 13508608 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
--a------ 2007-11-29 09:40 262144 c:\program files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess]
--a------ 2007-08-01 12:00 753664 c:\windows\keyacc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WinVNC4"=2 (0x2)
"WebClient"=2 (0x2)
"Wave UCSPlus"=2 (0x2)
"VSS"=3 (0x3)
"vmount2"=2 (0x2)
"usnjsvc"=3 (0x3)
"TrkWks"=2 (0x2)
"tcsd_win32.exe"=2 (0x2)
"SSDPSRV"=3 (0x3)
"SQLWriter"=3 (0x3)
"SQLBrowser"=2 (0x2)
"Spooler"=2 (0x2)
"Softmon"=2 (0x2)
"seclogon"=2 (0x2)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Network Monitor"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KeyAccess"=2 (0x2)
"Iprip"=2 (0x2)
"Intel Targeted Multicast"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel Local Scheduler Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FCI"=2 (0x2)
"cmdService"=2 (0x2)
"CBA8"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"srservice"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"EvtEng"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51337:UDP"= 51337:UDP:Azureus
"51337:TCP"= 51337:TCP:Azureus
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-09-19 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-09-19 41680]
R2 MSSQL$POPKIN10SQL;MSSQL$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe -sPOPKIN10SQL []
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S0 ebssut;ebssut;c:\windows\system32\drivers\jbflru.sys []
S0 f6ab5a88f4d8de2c51bc04841e87a038;f6ab5a88f4d8de2c51bc04841e87a038;c:\windows\system32\f6ab5a88f4d8de2c51bc04841e87a038.sys []
S0 sovpIas;sovpIas;c:\windows\system32\drivers\luwxvhaf.sys []
S0 ujylt;ujylt;c:\windows\system32\drivers\dqon.sys []
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS []
S3 SQLAgent$POPKIN10SQL;SQLAgent$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlagent.EXE -i POPKIN10SQL []
S4 CBA8;LANDesk® Management Agent;"c:\program files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 122880]
S4 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2007-08-01 753664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
S4 Softmon;LANDesk® Software Monitoring Service;"c:\progra~1\LANDesk\LDClient\softmon.exe" [2007-09-05 266240]
S4 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-08-11 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-27 c:\windows\Tasks\At1.job
- c:\documents and settings\Brett\Templates\Brengkolang.com []

2008-12-27 c:\windows\Tasks\At2.job
- c:\documents and settings\Brett\Templates\Brengkolang.com []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\biolsp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 17:41:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Brett\Application Data\Azureus\azureus.statistics.saving 184 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\program files\Common Files\Stardock\mcpstub.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\biolsp.dll
.
Completion time: 2008-12-27 17:42:39
ComboFix-quarantined-files.txt 2008-12-27 22:42:36

Pre-Run: 22,227,480,576 bytes free
Post-Run: 22,219,075,584 bytes free

337 --- E O F --- 2008-12-21 03:28:24

#10
Fred21543
You are running 2 Antivirus Programs, AVG and Kaspersky. It is not recommended to run multiple antivirus products on a single machine as they can cause serious issues to the stability of that machine. I recommend you remove all but one of the products via Start>Control Panel>Add/Remove Programs.

I recommend you uninstall True Sword 5; it is reputedly a rogue anti-malware product. If you choose to do so, go to Start>Control Panel>Add/Remove Programs and get rid of it that way.

I have a question for you; have you installed RealVNC, LANDesk, and mIRC software?



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...re-t220399.html
Collect::
c:\windows\system32\regsvr32
c:\windows\xfhdzceg
c:\windows\aylnlfdx
c:\windows\nlzmcdff
c:\windows\mweoqwdw
c:\program files\mozilla firefox\components\aacfbeb.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\documents and settings\Brett\Templates\Brengkolang.com
c:\windows\system32\drivers\dqon.sys
c:\windows\system32\drivers\luwxvhaf.sys
c:\windows\system32\f6ab5a88f4d8de2c51bc04841e87a038.sys
c:\windows\system32\drivers\jbflru.sys
c:\windows\system32\drivers\rtsuvywt.sys
c:\windows\system32\drivers\phqghume.sys
c:\windows\system32\drivers\oqfrqkyf.sys
c:\windows\system32\Pe

KillAll::

Driver::
aylnlfdx
ebssut
f6ab5a88f4d8de2c51bc04841e87a038
mweoqwdw
sovpIas
ujylt
cmdService
Iprip
FCI
WmdmPmSN


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

  • 0
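As an added illustration (not part of the thread, and not a ComboFix feature), the script below applies to ComboFix-style log lines the same kind of triage the helper did by eye: it parses the "Files Created" and driver/service entries and flags zero-byte files under system32, random-looking extensionless files in c:\windows, random-looking .sys names in the drivers folder, boot-start (R0/S0) drivers with no file metadata, and services whose name does not match the driver file they point at. The sample lines are constructed in the log's format from paths that appear in the log above; the heuristics and thresholds (6 to 10 lowercase letters counts as "random-looking") are assumptions for the demonstration, and a hit is a reason to look closer, not a verdict.

```python
"""Triage helper for ComboFix-style log lines (added example, not from the thread)."""
import re
from typing import List, Tuple

# Constructed sample in ComboFix log format. The paths are ones that appear in the
# thread's log; the mix of clean and suspicious lines is chosen for the demonstration.
SAMPLE_LOG = r"""
2008-12-10 21:35 . 2008-12-10 21:35 25,088 --a------ c:\windows\system32\drivers\rtsuvywt.sys
2008-12-09 16:00 . 2008-12-10 21:13 4 --a------ c:\windows\nlzmcdff
2008-12-07 21:58 . 2008-12-07 21:58 0 --a------ c:\windows\system32\regsvr32
2008-12-09 17:21 . 2008-12-09 17:21 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-11 01:30 . 2008-12-11 01:30 <DIR> d-------- c:\program files\CCleaner
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
S0 ebssut;ebssut;c:\windows\system32\drivers\jbflru.sys []
S0 sovpIas;sovpIas;c:\windows\system32\drivers\luwxvhaf.sys []
"""

# "Files Created" entries: created . modified size attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Driver/service entries: start-type name;display;path [meta]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<meta>.*)\]$"
)
# Assumed shape of a machine-generated name: 6-10 lowercase letters and nothing else.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,10}$")

WINDOWS_DIR = "c:\\windows"
SYSTEM32_DIR = "c:\\windows\\system32"
DRIVERS_DIR = "c:\\windows\\system32\\drivers"

Finding = Tuple[str, str]  # (path, reason)


def split_path(path: str) -> Tuple[str, str, str]:
    """Return (directory, stem, extension) of a backslash path, lower-cased."""
    path = path.lower()
    directory, _, basename = path.rpartition("\\")
    stem, dot, ext = basename.rpartition(".")
    if not dot:  # no extension: rpartition left the whole name in `ext`
        stem, ext = basename, ""
    return directory, stem, ext


def check_file_line(m: "re.Match[str]") -> List[Finding]:
    """Heuristics for one 'Files Created' entry; directories are skipped."""
    findings: List[Finding] = []
    if m["size"] == "<DIR>":
        return findings
    path = m["path"]
    size = int(m["size"].replace(",", ""))
    directory, stem, ext = split_path(path)
    if size == 0 and directory.startswith(SYSTEM32_DIR):
        findings.append((path, "zero-byte file under system32"))
    if RANDOM_STEM_RE.match(stem):
        if ext == "" and directory == WINDOWS_DIR:
            findings.append((path, "random-looking extensionless file in c:\\windows"))
        elif ext == "sys" and directory == DRIVERS_DIR:
            findings.append((path, "random-looking driver name"))
    return findings


def check_service_line(m: "re.Match[str]") -> List[Finding]:
    """Heuristics for one driver/service entry."""
    findings: List[Finding] = []
    path = m["path"]
    _, stem, ext = split_path(path)
    # Boot-start entries whose file has no recorded date/size ("[]") deserve a look.
    if m["start"] in ("R0", "S0") and m["meta"] == "":
        findings.append((path, "boot-start driver with no file metadata"))
    # A driver service whose name has nothing to do with its .sys file is unusual.
    if ext == "sys" and m["name"].lower() != stem:
        findings.append((path, f"service name {m['name']!r} does not match driver file"))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Parse ComboFix-style lines and return (path, reason) pairs worth reviewing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            findings.extend(check_file_line(m))
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(check_service_line(m))
    return findings


if __name__ == "__main__":
    for found_path, reason in triage(SAMPLE_LOG):
        print(f"{reason:50s} {found_path}")
```

Run it directly to print the findings for the embedded sample, or pass the text of a real ComboFix.txt to triage(); legitimate drivers such as klbg.sys pass all checks, while the entries the helper listed in the CFScript are flagged.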

#11
Slormer
Done. Yeah, I didn't actually have AVG installed; I knew multiple AV programs can mess with each other. It was left over from a previous install; I had to get the newest version to overwrite it and then uninstall that to remove it. Truesword removed.

RealVNC and LANDesk were installed by me, yes. They are for school. mIRC was also installed by me; no remote keylogger-sender crap there.

Made the script file, ran it. Here's the log:

ComboFix 08-12-28.01 - Brett 2008-12-28 23:46:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1387 [GMT -5:00]
Running from: c:\documents and settings\Brett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brett\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\mozilla firefox\components\aacfbeb.dll
c:\windows\aylnlfdx
c:\windows\mweoqwdw
c:\windows\nlzmcdff
c:\windows\system32\drivers\oqfrqkyf.sys
c:\windows\system32\drivers\phqghume.sys
c:\windows\system32\drivers\rtsuvywt.sys
c:\windows\system32\regsvr32
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\xfhdzceg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AYLNLFDX
-------\Legacy_F6AB5A88F4D8DE2C51BC04841E87A038
-------\Legacy_MWEOQWDW
-------\Service_ebssut
-------\Service_f6ab5a88f4d8de2c51bc04841e87a038
-------\Service_sovpIas
-------\Service_ujylt
-------\Service_WmdmPmSN


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 22:53 . 2008-12-28 22:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVG7
2008-12-19 16:31 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-19 16:31 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-19 16:31 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-19 16:31 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-19 16:31 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-19 16:31 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-19 16:31 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-19 16:31 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-19 16:30 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-19 16:30 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-19 15:54 . 2008-12-19 15:58 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-17 08:07 . 2008-04-13 19:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2008-12-15 03:55 . 2008-12-15 03:55 <DIR> d-------- C:\ad1dc0008bf9911c9298d0124c57
2008-12-15 03:52 . 2008-12-15 04:40 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-13 03:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-13 03:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-12 18:34 . 2008-12-12 18:35 <DIR> d-------- c:\windows\ERUNT
2008-12-12 18:22 . 2008-12-12 19:13 <DIR> d-------- C:\SDFix
2008-12-12 12:05 . 2008-12-12 12:05 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-12 02:26 . 2008-12-12 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-12 02:22 . 2008-12-12 02:22 <DIR> d-------- c:\documents and settings\Brett\Application Data\SUPERAntiSpyware.com
2008-12-11 01:30 . 2008-12-11 01:30 <DIR> d-------- c:\program files\CCleaner
2008-12-10 14:50 . 2008-10-23 07:36 286,720 --------- c:\windows\system32\dllcache\gdi32.dll
2008-12-09 17:21 . 2008-12-09 17:21 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 17:15 . 2008-12-09 17:15 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\program files\Apple Software Update
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-08 23:11 . 2008-12-09 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-08 19:07 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-08 17:56 . 2008-12-28 23:50 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-08 17:40 . 2008-12-28 23:48 5,752,352 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-08 17:40 . 2008-12-28 23:48 827,424 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-08 17:40 . 2008-12-28 23:48 46,020 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-08 17:40 . 2008-12-28 23:48 3,908 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-08 03:11 . 2008-12-08 03:11 <DIR> d-------- C:\VundoFix Backups
2008-12-08 02:22 . 2008-12-08 16:38 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes
2008-12-08 02:22 . 2008-12-08 02:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-07 17:11 . 2008-12-07 17:11 <DIR> d-------- c:\program files\CleanMyPC
2008-12-05 18:14 . 2008-12-06 18:27 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-05 18:14 . 2008-12-05 18:14 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-05 17:39 . 2008-12-28 23:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-05 17:16 . 2008-12-05 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-05 14:46 . 2008-12-05 14:46 <DIR> d-------- C:\!KillBox
2008-12-05 13:39 . 2008-12-05 13:19 13,596,592 --a------ C:\sd.exe
2008-12-05 13:00 . 2008-12-05 13:00 <DIR> d-------- c:\documents and settings\Brett\Application Data\True Sword
2008-12-05 12:59 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll
2008-12-05 12:59 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll
2008-12-05 05:52 . 2008-12-21 18:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 05:52 . 2008-12-21 18:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 03:33 . 2008-12-07 01:00 <DIR> d-------- c:\windows\system32\Pe
2008-12-04 04:02 . 2008-12-04 04:02 <DIR> d-------- c:\program files\Power Tab Software
2008-12-03 22:30 . 2008-12-03 22:30 <DIR> d-------- c:\program files\Guitar Pro 5
2008-12-03 13:52 . 2008-12-03 13:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys.bak
2008-12-03 13:52 . 2008-12-03 13:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys.bak
2008-12-03 02:16 . 2008-12-03 03:21 <DIR> d-------- c:\program files\World of Warcraft.temp
2008-12-03 02:14 . 2008-12-03 02:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-12-01 17:02 . 2008-12-01 17:02 244 --ah----- C:\sqmnoopt14.sqm
2008-12-01 17:02 . 2008-12-01 17:02 232 --ah----- C:\sqmdata14.sqm
2008-12-01 13:29 . 2008-12-01 13:29 244 --ah----- C:\sqmnoopt13.sqm
2008-12-01 13:29 . 2008-12-01 13:29 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 04:20 --------- d-----w c:\documents and settings\Brett\Application Data\Dropbox
2008-12-28 03:00 --------- d-----w c:\documents and settings\Brett\Application Data\Azureus
2008-12-27 02:26 --------- d-----w c:\program files\Steam
2008-12-17 20:33 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 06:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 07:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-12 07:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 01:17 --------- d-----w c:\program files\Sun
2008-12-11 01:11 --------- d-----w c:\program files\Java
2008-12-09 22:51 --------- d-----w c:\program files\Winamp
2008-12-09 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-09 22:15 --------- d-----w c:\program files\QuickTime
2008-12-09 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-09 21:43 --------- d-----w c:\documents and settings\Brett\Application Data\Wave Systems Corp
2008-12-07 21:20 --------- d-----w c:\program files\EditPlus 2
2008-12-06 05:02 --------- d-----w c:\program files\mIRC
2008-12-05 11:14 --------- d-----w c:\program files\Bonjour
2008-12-05 09:48 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2008-12-05 04:34 --------- d-----w c:\program files\AutoIt3
2008-12-03 21:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-21 19:41 --------- d-----w c:\program files\Azureus
2008-11-16 02:30 --------- d-----w c:\program files\TVUPlayer
2008-11-16 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-13 04:40 --------- d-----w c:\documents and settings\Brett\Application Data\mIRC
2008-11-03 03:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 20:38 --------- d-----w c:\program files\RealVNC
2008-10-30 19:45 --------- d-----w c:\program files\Diablo II
2008-10-05 20:06 165,798 ----a-w c:\windows\Video Cleaner Uninstaller.exe
2008-07-01 21:52 66,936 -csha-w c:\windows\dlinfo_0.drv
.

((((((((((((((((((((((((((((( snapshot@2008-12-27_17.42.08.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-24 19:40:24 209,324 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-29 04:50:16 209,324 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2008-12-24 19:40:43 99,926 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-29 04:24:31 99,926 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-24 19:40:43 512,994 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-29 04:24:31 512,994 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-29 04:50:05 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1c4.dat
+ 2008-12-29 04:50:06 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DesktopX"="c:\program files\Stardock\Object Desktop\IconX\IconX.exe" [2004-07-17 121856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Brett\Start Menu\Programs\Startup\
Apoint Touchpad.lnk - c:\program files\Apoint\Apoint.exe [2007-08-13 159744]
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-07-03 8767575]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 10:25 139264 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 21:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Brett^Start Menu^Programs^Startup^Shortcut to Apoint.lnk]
path=c:\documents and settings\Brett\Start Menu\Programs\Startup\Shortcut to Apoint.lnk
backup=c:\windows\pss\Shortcut to Apoint.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-02-22 05:46 13508608 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
--a------ 2007-11-29 09:40 262144 c:\program files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess]
--a------ 2007-08-01 12:00 753664 c:\windows\keyacc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WinVNC4"=2 (0x2)
"WebClient"=2 (0x2)
"Wave UCSPlus"=2 (0x2)
"VSS"=3 (0x3)
"vmount2"=2 (0x2)
"usnjsvc"=3 (0x3)
"TrkWks"=2 (0x2)
"tcsd_win32.exe"=2 (0x2)
"SSDPSRV"=3 (0x3)
"SQLWriter"=3 (0x3)
"SQLBrowser"=2 (0x2)
"Spooler"=2 (0x2)
"Softmon"=2 (0x2)
"seclogon"=2 (0x2)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Network Monitor"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KeyAccess"=2 (0x2)
"Iprip"=2 (0x2)
"Intel Targeted Multicast"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel Local Scheduler Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FCI"=2 (0x2)
"cmdService"=2 (0x2)
"CBA8"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"srservice"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"EvtEng"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51337:UDP"= 51337:UDP:Azureus
"51337:TCP"= 51337:TCP:Azureus
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-09-19 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-09-19 41680]
R2 MSSQL$POPKIN10SQL;MSSQL$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe -sPOPKIN10SQL []
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS []
S3 SQLAgent$POPKIN10SQL;SQLAgent$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlagent.EXE -i POPKIN10SQL []
S4 CBA8;LANDesk® Management Agent;"c:\program files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 122880]
S4 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2007-08-01 753664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
S4 Softmon;LANDesk® Software Monitoring Service;"c:\progra~1\LANDesk\LDClient\softmon.exe" [2007-09-05 266240]
S4 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-08-11 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\biolsp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 23:50:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\program files\Common Files\Stardock\mcpstub.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Stardock\sdmcp.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\stacsv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-12-28 23:55:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 04:55:24
ComboFix2.txt 2008-12-29 04:44:31
ComboFix3.txt 2008-12-27 22:42:40

Pre-Run: 22,104,084,480 bytes free
Post-Run: 22,021,984,256 bytes free

336 --- E O F --- 2008-12-21 03:28:24


However, when the log popped up at the end, there was no pop-up window or browser to submit the collected files for analysis as you stated.

Edited by Slormer, 28 December 2008 - 11:45 PM.

  • 0

#12
Fred21543

Fred21543

    Member 1K

  • Member
  • PipPipPipPip
  • 1,351 posts
Do you have a zip file on your desktop from ComboFix?


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Brett\Templates\Brengkolang.com
Folder::
c:\windows\system32\Pe
KillAll::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WmdmPmSN"=-
Driver::
cmdService
Iprip
FCI


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by Fred21543, 29 December 2008 - 04:44 PM.

  • 0

#13
Slormer

Slormer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Log:

ComboFix 08-12-28.04 - Brett 2008-12-29 18:02:51.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1414 [GMT -5:00]
Running from: c:\documents and settings\Brett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brett\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\Brett\Templates\Brengkolang.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Pe

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 22:53 . 2008-12-28 22:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVG7
2008-12-19 16:31 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-19 16:31 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-19 16:31 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-19 16:31 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-19 16:31 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-19 16:31 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-19 16:31 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-19 16:31 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-19 16:30 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-19 16:30 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-19 15:54 . 2008-12-19 15:58 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-17 08:07 . 2008-04-13 19:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2008-12-15 03:55 . 2008-12-15 03:55 <DIR> d-------- C:\ad1dc0008bf9911c9298d0124c57
2008-12-15 03:52 . 2008-12-15 04:40 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-13 03:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-13 03:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-12 18:34 . 2008-12-12 18:35 <DIR> d-------- c:\windows\ERUNT
2008-12-12 18:22 . 2008-12-12 19:13 <DIR> d-------- C:\SDFix
2008-12-12 12:05 . 2008-12-12 12:05 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-12 02:26 . 2008-12-12 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-12 02:22 . 2008-12-12 02:22 <DIR> d-------- c:\documents and settings\Brett\Application Data\SUPERAntiSpyware.com
2008-12-11 01:30 . 2008-12-11 01:30 <DIR> d-------- c:\program files\CCleaner
2008-12-10 14:50 . 2008-10-23 07:36 286,720 --------- c:\windows\system32\dllcache\gdi32.dll
2008-12-09 17:21 . 2008-12-09 17:21 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 17:15 . 2008-12-09 17:15 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\program files\Apple Software Update
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-08 23:11 . 2008-12-09 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-08 19:07 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-08 17:56 . 2008-12-29 18:06 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-08 17:40 . 2008-12-29 18:04 5,752,352 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-08 17:40 . 2008-12-29 18:04 827,424 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-08 17:40 . 2008-12-29 18:04 46,020 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-08 17:40 . 2008-12-29 18:04 3,908 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-08 03:11 . 2008-12-08 03:11 <DIR> d-------- C:\VundoFix Backups
2008-12-08 02:22 . 2008-12-08 16:38 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes
2008-12-08 02:22 . 2008-12-08 02:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-07 17:11 . 2008-12-07 17:11 <DIR> d-------- c:\program files\CleanMyPC
2008-12-05 18:14 . 2008-12-06 18:27 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-05 18:14 . 2008-12-05 18:14 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-05 17:39 . 2008-12-29 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-05 17:16 . 2008-12-05 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-05 14:46 . 2008-12-05 14:46 <DIR> d-------- C:\!KillBox
2008-12-05 13:39 . 2008-12-05 13:19 13,596,592 --a------ C:\sd.exe
2008-12-05 13:00 . 2008-12-05 13:00 <DIR> d-------- c:\documents and settings\Brett\Application Data\True Sword
2008-12-05 12:59 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll
2008-12-05 12:59 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll
2008-12-05 05:52 . 2008-12-21 18:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 05:52 . 2008-12-21 18:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 04:02 . 2008-12-04 04:02 <DIR> d-------- c:\program files\Power Tab Software
2008-12-03 22:30 . 2008-12-03 22:30 <DIR> d-------- c:\program files\Guitar Pro 5
2008-12-03 13:52 . 2008-12-03 13:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys.bak
2008-12-03 13:52 . 2008-12-03 13:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys.bak
2008-12-03 02:16 . 2008-12-03 03:21 <DIR> d-------- c:\program files\World of Warcraft.temp
2008-12-03 02:14 . 2008-12-03 02:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-12-01 17:02 . 2008-12-01 17:02 244 --ah----- C:\sqmnoopt14.sqm
2008-12-01 17:02 . 2008-12-01 17:02 232 --ah----- C:\sqmdata14.sqm
2008-12-01 13:29 . 2008-12-01 13:29 244 --ah----- C:\sqmnoopt13.sqm
2008-12-01 13:29 . 2008-12-01 13:29 232 --ah----- C:\sqmdata13.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 23:06 --------- d-----w c:\documents and settings\Brett\Application Data\Dropbox
2008-12-28 03:00 --------- d-----w c:\documents and settings\Brett\Application Data\Azureus
2008-12-27 02:26 --------- d-----w c:\program files\Steam
2008-12-17 20:33 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 06:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 07:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-12 07:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 01:17 --------- d-----w c:\program files\Sun
2008-12-11 01:11 --------- d-----w c:\program files\Java
2008-12-09 22:51 --------- d-----w c:\program files\Winamp
2008-12-09 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-09 22:15 --------- d-----w c:\program files\QuickTime
2008-12-09 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-09 21:43 --------- d-----w c:\documents and settings\Brett\Application Data\Wave Systems Corp
2008-12-07 21:20 --------- d-----w c:\program files\EditPlus 2
2008-12-06 05:02 --------- d-----w c:\program files\mIRC
2008-12-05 11:14 --------- d-----w c:\program files\Bonjour
2008-12-05 09:48 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2008-12-05 04:34 --------- d-----w c:\program files\AutoIt3
2008-12-03 21:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-21 19:41 --------- d-----w c:\program files\Azureus
2008-11-16 02:30 --------- d-----w c:\program files\TVUPlayer
2008-11-16 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-13 04:40 --------- d-----w c:\documents and settings\Brett\Application Data\mIRC
2008-11-03 03:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 20:38 --------- d-----w c:\program files\RealVNC
2008-10-30 19:45 --------- d-----w c:\program files\Diablo II
2008-10-05 20:06 165,798 ----a-w c:\windows\Video Cleaner Uninstaller.exe
2008-07-01 21:52 66,936 -csha-w c:\windows\dlinfo_0.drv
.

((((((((((((((((((((((((((((( snapshot@2008-12-27_17.42.08.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-24 19:40:24 209,324 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-29 23:06:10 209,321 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2008-12-24 19:40:43 99,926 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-29 04:54:46 99,926 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-24 19:40:43 512,994 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-29 04:54:46 512,994 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-29 23:06:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1e4.dat
+ 2008-12-29 23:06:20 16,384 ----atw c:\windows\temp\Perflib_Perfdata_3f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DesktopX"="c:\program files\Stardock\Object Desktop\IconX\IconX.exe" [2004-07-17 121856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Brett\Start Menu\Programs\Startup\
Apoint Touchpad.lnk - c:\program files\Apoint\Apoint.exe [2007-08-13 159744]
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-07-03 8767575]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 10:25 139264 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 21:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Brett^Start Menu^Programs^Startup^Shortcut to Apoint.lnk]
path=c:\documents and settings\Brett\Start Menu\Programs\Startup\Shortcut to Apoint.lnk
backup=c:\windows\pss\Shortcut to Apoint.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-02-22 05:46 13508608 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
--a------ 2007-11-29 09:40 262144 c:\program files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess]
--a------ 2007-08-01 12:00 753664 c:\windows\keyacc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WinVNC4"=2 (0x2)
"WebClient"=2 (0x2)
"Wave UCSPlus"=2 (0x2)
"VSS"=3 (0x3)
"vmount2"=2 (0x2)
"usnjsvc"=3 (0x3)
"TrkWks"=2 (0x2)
"tcsd_win32.exe"=2 (0x2)
"SSDPSRV"=3 (0x3)
"SQLWriter"=3 (0x3)
"SQLBrowser"=2 (0x2)
"Spooler"=2 (0x2)
"Softmon"=2 (0x2)
"seclogon"=2 (0x2)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Network Monitor"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KeyAccess"=2 (0x2)
"Iprip"=2 (0x2)
"Intel Targeted Multicast"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel Local Scheduler Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FCI"=2 (0x2)
"cmdService"=2 (0x2)
"CBA8"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"srservice"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"EvtEng"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51337:UDP"= 51337:UDP:Azureus
"51337:TCP"= 51337:TCP:Azureus
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-09-19 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-09-19 41680]
R2 MSSQL$POPKIN10SQL;MSSQL$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe -sPOPKIN10SQL []
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS []
S3 SQLAgent$POPKIN10SQL;SQLAgent$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlagent.EXE -i POPKIN10SQL []
S4 CBA8;LANDesk® Management Agent;"c:\program files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 122880]
S4 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2007-08-01 753664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
S4 Softmon;LANDesk® Software Monitoring Service;"c:\progra~1\LANDesk\LDClient\softmon.exe" [2007-09-05 266240]
S4 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-08-11 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: *.download.microsoft.com
Trusted Zone: update.microsoft.com
Trusted Zone: windowsupdate.microsoft.com
Trusted Zone: www.update.microsoft.com
Trusted Zone: *.ultimate-guitar.com
Trusted Zone: *.update.microsoft.com
Trusted Zone: *.windowsupdate.com
Trusted Zone: *.windowsupdate.microsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 18:06:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\program files\Common Files\Stardock\mcpstub.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Stardock\sdmcp.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\stacsv.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-29 18:12:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 23:12:43
ComboFix2.txt 2008-12-29 04:55:29
ComboFix3.txt 2008-12-29 04:44:31
ComboFix4.txt 2008-12-27 22:42:40

Pre-Run: 22,050,111,488 bytes free
Post-Run: 22,617,640,960 bytes free

325 --- E O F --- 2008-12-21 03:28:24



No zip file from CF; I downloaded the EXE, not the archived one. This time when I ran it, it detected a newer version and updated first.
  • 0

#14
Fred21543

Fred21543

    Member 1K

  • Member
  • PipPipPipPip
  • 1,351 posts
I meant not a zip file of Combofix itself but a zip file of samples ComboFix has collected that we were going to upload.


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=-
"Iprip"=-
"FCI"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

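The CFScript above works by listing, under a Registry:: header, the value names ComboFix should delete, each marked with "=-". As an added example (not part of this thread, and not ComboFix's own code), the Python below parses the REGEDIT4-style "Reg Loading Points" section that a ComboFix log prints and reports which of a CFScript's deletion targets still appear, which is how a helper would confirm from the follow-up log that the fix took. The log excerpts are constructed for the example, not the logs posted in the thread.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" output,
# showing the state BEFORE the script runs: the three targeted entries are present.
SAMPLE_LOG_BEFORE = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"WZCSVC"=2 (0x2)
"cmdService"=4 (0x4)
"Iprip"=2 (0x2)
"FCI"=2 (0x2)
"Spooler"=2 (0x2)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# Constructed excerpt showing the state AFTER the script ran: targets are gone.
SAMPLE_LOG_AFTER = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"WZCSVC"=2 (0x2)
"Spooler"=2 (0x2)
"""

# The CFScript from the thread, in the form the helper asked the poster to save.
CFSCRIPT = """\
Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"cmdService"=-
"Iprip"=-
"FCI"=-
"""

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_sections(text):
    """Return {key_path_lower: {value_name: raw_value}} from REGEDIT4-style text.

    Lines that are neither a [key] header nor a "name"=value pair (such as the
    'Registry::' marker or ComboFix's file-detail lines) are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            # Registry paths are case-insensitive, so normalise for lookup.
            current = key_match.group(1).lower()
            sections.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            sections[current][value_match.group(1)] = value_match.group(2).strip()
    return sections


def cfscript_deletions(script):
    """Per key, the value names a CFScript marks for deletion with '=-'."""
    deletions = {}
    for key, values in parse_reg_sections(script).items():
        names = {name for name, val in values.items() if val == '-'}
        if names:
            deletions[key] = names
    return deletions


def remaining_targets(script, log):
    """Deletion targets from the CFScript that are still present in the log.

    Returns {key_path_lower: [value names]} using the names as the log spells
    them; an empty dict means every targeted entry is gone.
    """
    log_sections = parse_reg_sections(log)
    leftover = {}
    for key, names in cfscript_deletions(script).items():
        # Value names are case-insensitive in the registry as well.
        log_names = {n.lower(): n for n in log_sections.get(key, {})}
        present = [log_names[n.lower()] for n in names if n.lower() in log_names]
        if present:
            leftover[key] = sorted(present)
    return leftover


if __name__ == "__main__":
    print("before:", remaining_targets(CFSCRIPT, SAMPLE_LOG_BEFORE))
    print("after: ", remaining_targets(CFSCRIPT, SAMPLE_LOG_AFTER))
```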
#15 Slormer (Topic Starter, Member, 17 posts)
ComboFix 08-12-29.02 - Brett 2008-12-30 3:50:26.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1435 [GMT -5:00]
Running from: c:\documents and settings\Brett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brett\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-28 22:53 . 2008-12-28 22:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVG7
2008-12-19 16:31 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-19 16:31 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-19 16:31 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-19 16:31 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-19 16:31 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-19 16:31 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-19 16:31 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-19 16:31 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-19 16:31 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-19 16:30 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-19 16:30 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-19 15:54 . 2008-12-19 15:58 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-17 08:07 . 2008-04-13 19:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2008-12-15 03:55 . 2008-12-15 03:55 <DIR> d-------- C:\ad1dc0008bf9911c9298d0124c57
2008-12-15 03:52 . 2008-12-15 04:40 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-13 03:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-13 03:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-12 18:34 . 2008-12-12 18:35 <DIR> d-------- c:\windows\ERUNT
2008-12-12 18:22 . 2008-12-12 19:13 <DIR> d-------- C:\SDFix
2008-12-12 12:05 . 2008-12-12 12:05 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-12 02:26 . 2008-12-12 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-12 02:22 . 2008-12-12 02:22 <DIR> d-------- c:\documents and settings\Brett\Application Data\SUPERAntiSpyware.com
2008-12-11 01:30 . 2008-12-11 01:30 <DIR> d-------- c:\program files\CCleaner
2008-12-10 14:50 . 2008-10-23 07:36 286,720 --------- c:\windows\system32\dllcache\gdi32.dll
2008-12-09 17:21 . 2008-12-09 17:21 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 17:15 . 2008-12-09 17:15 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\program files\Apple Software Update
2008-12-09 17:14 . 2008-12-09 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-08 23:11 . 2008-12-09 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-08 19:07 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-08 17:56 . 2008-12-29 18:06 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-08 17:40 . 2008-12-29 18:04 5,752,352 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-08 17:40 . 2008-12-29 18:04 827,424 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-08 17:40 . 2008-12-29 18:04 46,020 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-08 17:40 . 2008-12-29 18:04 3,908 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-08 03:11 . 2008-12-08 03:11 <DIR> d-------- C:\VundoFix Backups
2008-12-08 02:22 . 2008-12-08 16:38 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes
2008-12-08 02:22 . 2008-12-08 02:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\Brett\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-08 02:08 . 2008-12-08 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes-BackupByMalwarebytesPortable
2008-12-07 17:11 . 2008-12-07 17:11 <DIR> d-------- c:\program files\CleanMyPC
2008-12-05 18:14 . 2008-12-06 18:27 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-05 18:14 . 2008-12-05 18:14 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-05 17:39 . 2008-12-29 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-05 17:16 . 2008-12-05 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-05 14:46 . 2008-12-05 14:46 <DIR> d-------- C:\!KillBox
2008-12-05 13:39 . 2008-12-05 13:19 13,596,592 --a------ C:\sd.exe
2008-12-05 13:00 . 2008-12-05 13:00 <DIR> d-------- c:\documents and settings\Brett\Application Data\True Sword
2008-12-05 12:59 . 2005-10-11 14:40 356,352 --a------ c:\windows\eSellerateEngine.dll
2008-12-05 12:59 . 2003-06-06 11:21 81,920 --a------ c:\windows\eSellerateControl350.dll
2008-12-05 05:52 . 2008-12-21 18:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 05:52 . 2008-12-21 18:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 04:02 . 2008-12-04 04:02 <DIR> d-------- c:\program files\Power Tab Software
2008-12-03 22:30 . 2008-12-03 22:30 <DIR> d-------- c:\program files\Guitar Pro 5
2008-12-03 13:52 . 2008-12-03 13:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys.bak
2008-12-03 13:52 . 2008-12-03 13:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys.bak
2008-12-03 02:16 . 2008-12-03 03:21 <DIR> d-------- c:\program files\World of Warcraft.temp
2008-12-03 02:14 . 2008-12-03 02:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-12-01 17:02 . 2008-12-01 17:02 244 --ah----- C:\sqmnoopt14.sqm
2008-12-01 17:02 . 2008-12-01 17:02 232 --ah----- C:\sqmdata14.sqm
2008-12-01 13:29 . 2008-12-01 13:29 244 --ah----- C:\sqmnoopt13.sqm
2008-12-01 13:29 . 2008-12-01 13:29 232 --ah----- C:\sqmdata13.sqm
2008-11-27 00:21 . 2004-08-04 05:00 7,909 --a------ c:\windows\system32\ftpctrs.ini
2008-11-27 00:21 . 2004-08-04 05:00 7,680 --a------ c:\windows\system32\ftpctrs2.dll
2008-11-27 00:21 . 2004-08-04 05:00 7,680 --a------ c:\windows\system32\dllcache\ftpctrs2.dll
2008-11-27 00:21 . 2004-08-04 05:00 2,549 --a------ c:\windows\system32\ftpctrs.h
2008-11-21 16:25 . 2007-08-13 07:37 <DIR> d-------- c:\documents and settings\LocalUserjane\Application Data\Wave Systems Corp
2008-11-21 16:25 . 2007-08-13 07:45 <DIR> d-------- c:\documents and settings\LocalUserjane\Application Data\Intel
2008-11-21 16:25 . 2007-08-13 07:32 <DIR> d-------- c:\documents and settings\LocalUserjane\Application Data\InstallShield
2008-11-21 16:25 . 2007-08-13 07:53 <DIR> d--h----- c:\documents and settings\LocalUserjane\Application Data\Gtek
2008-11-21 16:25 . 2008-12-28 23:18 <DIR> d-------- c:\documents and settings\LocalUserjane
2008-11-21 16:18 . 2007-08-13 07:37 <DIR> d-------- c:\documents and settings\LocalUserbob\Application Data\Wave Systems Corp
2008-11-21 16:18 . 2007-08-13 07:45 <DIR> d-------- c:\documents and settings\LocalUserbob\Application Data\Intel
2008-11-21 16:18 . 2007-08-13 07:32 <DIR> d-------- c:\documents and settings\LocalUserbob\Application Data\InstallShield
2008-11-21 16:18 . 2007-08-13 07:53 <DIR> d--h----- c:\documents and settings\LocalUserbob\Application Data\Gtek
2008-11-21 16:18 . 2008-12-28 23:18 <DIR> d-------- c:\documents and settings\LocalUserbob
2008-11-15 21:30 . 2008-11-15 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-13 16:53 . 2008-04-13 19:11 35,328 --a------ c:\windows\system32\iprip.dll
2008-11-13 16:53 . 2004-08-04 05:00 18,944 --a------ c:\windows\system32\simptcp.dll
2008-11-13 16:53 . 2004-08-04 05:00 18,944 --a------ c:\windows\system32\dllcache\simptcp.dll
2008-11-06 19:11 . 2008-02-22 07:06 360,448 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-06 19:10 . 2008-11-06 19:10 <DIR> d-------- C:\Intel
2008-11-06 19:10 . 2008-02-22 05:46 1,126,400 --a------ c:\windows\system32\nvcuda.dll
2008-11-06 19:10 . 2008-02-22 05:46 327,680 --a------ c:\windows\system32\nvwrsesm.dll
2008-11-06 19:10 . 2008-02-22 05:46 274,432 --a------ c:\windows\system32\nvrsesm.dll
2008-11-06 19:10 . 2008-02-22 05:46 147,456 --a------ c:\windows\system32\nvcolor.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 23:06 --------- d-----w c:\documents and settings\Brett\Application Data\Dropbox
2008-12-28 03:00 --------- d-----w c:\documents and settings\Brett\Application Data\Azureus
2008-12-27 02:26 --------- d-----w c:\program files\Steam
2008-12-17 20:33 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 06:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 07:24 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-12 07:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 01:17 --------- d-----w c:\program files\Sun
2008-12-11 01:11 --------- d-----w c:\program files\Java
2008-12-09 22:51 --------- d-----w c:\program files\Winamp
2008-12-09 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-09 22:15 --------- d-----w c:\program files\QuickTime
2008-12-09 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-09 21:43 --------- d-----w c:\documents and settings\Brett\Application Data\Wave Systems Corp
2008-12-07 21:20 --------- d-----w c:\program files\EditPlus 2
2008-12-06 05:02 --------- d-----w c:\program files\mIRC
2008-12-05 11:14 --------- d-----w c:\program files\Bonjour
2008-12-05 09:48 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2008-12-05 04:34 --------- d-----w c:\program files\AutoIt3
2008-12-03 21:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-21 19:41 --------- d-----w c:\program files\Azureus
2008-11-16 02:30 --------- d-----w c:\program files\TVUPlayer
2008-11-13 04:40 --------- d-----w c:\documents and settings\Brett\Application Data\mIRC
2008-11-03 03:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 20:38 --------- d-----w c:\program files\RealVNC
2008-10-30 19:45 --------- d-----w c:\program files\Diablo II
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-05 20:06 165,798 ----a-w c:\windows\Video Cleaner Uninstaller.exe
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
2008-07-01 21:52 66,936 -csha-w c:\windows\dlinfo_0.drv
.

((((((((((((((((((((((((((((( snapshot@2008-12-27_17.42.08.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-24 19:40:24 209,324 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-29 23:10:09 209,330 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2008-12-24 19:40:43 99,926 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-29 23:10:52 99,926 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-24 19:40:43 512,994 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-29 23:10:52 512,994 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-29 23:06:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1e4.dat
+ 2008-12-29 23:06:20 16,384 ----atw c:\windows\temp\Perflib_Perfdata_3f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-19 19:51 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DesktopX"="c:\program files\Stardock\Object Desktop\IconX\IconX.exe" [2004-07-17 121856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Brett\Start Menu\Programs\Startup\
Apoint Touchpad.lnk - c:\program files\Apoint\Apoint.exe [2007-08-13 159744]
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-07-03 8767575]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 10:25 139264 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 21:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Brett^Start Menu^Programs^Startup^Shortcut to Apoint.lnk]
path=c:\documents and settings\Brett\Start Menu\Programs\Startup\Shortcut to Apoint.lnk
backup=c:\windows\pss\Shortcut to Apoint.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-02-22 05:46 13508608 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
--a------ 2007-11-29 09:40 262144 c:\program files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess]
--a------ 2007-08-01 12:00 753664 c:\windows\keyacc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2008-02-22 05:46 86016 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WinVNC4"=2 (0x2)
"WebClient"=2 (0x2)
"Wave UCSPlus"=2 (0x2)
"VSS"=3 (0x3)
"vmount2"=2 (0x2)
"usnjsvc"=3 (0x3)
"TrkWks"=2 (0x2)
"tcsd_win32.exe"=2 (0x2)
"SSDPSRV"=3 (0x3)
"SQLWriter"=3 (0x3)
"SQLBrowser"=2 (0x2)
"Spooler"=2 (0x2)
"Softmon"=2 (0x2)
"seclogon"=2 (0x2)
"RSVP"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Network Monitor"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"KeyAccess"=2 (0x2)
"Intel Targeted Multicast"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel Local Scheduler Service"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"CBA8"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"wscsvc"=2 (0x2)
"Wmi"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"srservice"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"EvtEng"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Brett\\My Documents\\Portable Malwarebytes Anti-Malware 1.31 MultiLang\\MalwarebytesPortable\\App\\Malwarebytes\\mbam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51337:UDP"= 51337:UDP:Azureus
"51337:TCP"= 51337:TCP:Azureus
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2008-09-19 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2008-09-19 41680]
R2 MSSQL$POPKIN10SQL;MSSQL$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlservr.exe -sPOPKIN10SQL []
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS []
S3 SQLAgent$POPKIN10SQL;SQLAgent$POPKIN10SQL;c:\program files\Microsoft SQL Server\MSSQL$POPKIN10SQL\Binn\sqlagent.EXE -i POPKIN10SQL []
S4 CBA8;LANDesk® Management Agent;"c:\program files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 122880]
S4 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2007-08-01 753664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
S4 Softmon;LANDesk® Software Monitoring Service;"c:\progra~1\LANDesk\LDClient\softmon.exe" [2007-09-05 266240]
S4 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-08-11 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: *.download.microsoft.com
Trusted Zone: update.microsoft.com
Trusted Zone: windowsupdate.microsoft.com
Trusted Zone: www.update.microsoft.com
Trusted Zone: *.ultimate-guitar.com
Trusted Zone: *.update.microsoft.com
Trusted Zone: *.windowsupdate.com
Trusted Zone: *.windowsupdate.microsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 03:54:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\program files\Common Files\Stardock\mcpstub.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\biolsp.dll
.
Completion time: 2008-12-30 3:55:27
ComboFix-quarantined-files.txt 2008-12-30 08:55:25
ComboFix2.txt 2008-12-29 23:12:48
ComboFix3.txt 2008-12-29 04:55:29
ComboFix4.txt 2008-12-29 04:44:31
ComboFix5.txt 2008-12-30 08:49:36

Pre-Run: 22,696,726,528 bytes free
Post-Run: 22,667,911,168 bytes free

350 --- E O F --- 2008-12-21 03:28:24




When I ran MBAM, it found a few infections, removed them, then restarted to finish. After this I went to check the log file, and there wasn't one created. I ran through the settings and found that the checkbox to save and show the log was unchecked. I checked it and ran again, but it comes up clean now. No log.