WiredWX Christian Hobby Weather Tools
Re: Malware doctor

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:45 PM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222717864515
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: pevsystemstart - Unknown owner - cmd /k start /i "/dC:" "C:\Combo-Fix\HIDEC.exe" "C:\WINDOWS\system32\CF24473.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 13481 bytes

Re: Malware doctor


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe

  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

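A defender-side triage of the HijackThis lines the reply above tells the poster to fix, written as an added example (not the forum's, the poster's or HijackThis's own code). It parses O2, O4 and O7 entries and flags the indicators visible in this log: an autorun image under the LocalService profile with a numeric-only file name, a BHO whose file is missing, and a policy value that disables regedit. The sample lines are copied from the log above; the Vista-style `ServiceProfiles` path and the temp-directory check are added generalisations of the same idea.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # "O2", "O4" or "O7"
    line: str      # the HijackThis line that was flagged
    reasons: list  # why it was flagged


# Constructed sample: lines taken from the HijackThis log posted above, with
# two benign autoruns (Java updater, ctfmon) kept for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

O4_RE = re.compile(r"^O4 - (HK\S+?)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O7_RE = re.compile(r"^O7 - (HK\w+\\.+?), (\w+)=(\d+)$")

# Service accounts never log on interactively, so nothing legitimate installs
# a Run entry whose image lives in their profile. The ServiceProfiles form is
# the Vista+ equivalent of the XP path seen in this log (assumed generalisation).
SERVICE_PROFILE_RE = re.compile(
    r"\\(Documents and Settings|Windows\\ServiceProfiles)\\(LocalService|NetworkService)\\",
    re.I)
TEMP_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.I)
# Policy values that take recovery tools away from the user when non-zero.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableRegistryTools", "DisableTaskMgr", "DisableCMD"}


def image_path(command: str) -> str:
    """Return the executable part of an O4 command, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split(" ")[0]


def check_o4(name: str, command: str) -> list:
    """Flag an autorun entry by where its image lives and how it is named."""
    reasons = []
    image = image_path(command)
    stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if SERVICE_PROFILE_RE.search(image):
        reasons.append("autorun image inside a service-account profile")
    if TEMP_RE.search(image):
        reasons.append("autorun image inside a temp directory")
    if stem.isdigit():
        reasons.append("numeric-only file name")
    return reasons


def check_o2(target: str) -> list:
    """Flag a BHO whose file is gone or is registered without a directory."""
    reasons = []
    if target.endswith("(file missing)"):
        reasons.append("BHO file missing (remnant of a deleted component)")
    if "\\" not in target.replace(" (file missing)", ""):
        reasons.append("BHO registered by bare file name, no directory")
    return reasons


def check_o7(policy: str, value: str) -> list:
    """Flag policy values that disable regedit, Task Manager or cmd."""
    if policy in LOCKOUT_POLICIES and value != "0":
        return [f"{policy}={value} disables a user recovery tool"]
    return []


def triage(log_text: str) -> list:
    """Run the checks over every line of a HijackThis log; return the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            reasons = check_o4(m.group(3), m.group(4))
        elif m := O2_RE.match(line):
            reasons = check_o2(m.group(3))
        elif m := O7_RE.match(line):
            reasons = check_o7(m.group(2), m.group(3))
        else:
            continue  # other sections are not examined here
        if reasons:
            findings.append(Finding(line[:2], line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("   ->", r)
```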

Re: Malware doctor


Code:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

6/11/2009 10:43:41 PM
mbam-log-2009-06-11 (22-43-41).txt

Scan type: Quick Scan
Objects scanned: 81340
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.

Re: Malware doctor


1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:


3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV. (Mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Malware doctor

Oh wow, what a mess. Can you handle this, Origin? These spam bot rootkits don't like to die easily.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Malware doctor

ComboFix 09-06-11.06 - David's 06/11/2009 23:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.357 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\1301700638.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\drivers\52106874.sys
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it Smile...
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_avast!antivirus
-------\Legacy_avast!AVSControlService
-------\Service_avast!AVSControlService


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 01:57 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys
2009-06-10 01:23 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46 -------- d-----w- c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-12 00:57 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 02:47 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39 32 ----a-r- c:\documents and settings\All Users\hash.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 01:00 . 2009-06-12 02:02 58880 ----a-w- c:\windows\system32\48.tmp
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07 -------- d-----w- c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33 -------- d-----w- c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17 118784 ----a-w- c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57 -------- d-----w- c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03 -------- d-----w- c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51 -------- d-----w- c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46 -------- d-----w- c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24 966808 ----a-w- c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmck.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

Re: Malware doctor
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
.
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 23:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
"ImagePath"="\SystemRoot\System32\drivers\62a4ad86.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1136)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\CF8751.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-12 23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 03:24
ComboFix2.txt 2009-06-10 02:23

Pre-Run: 30,128,640,000 bytes free
Post-Run: 30,124,294,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
350 --- E O F --- 2009-04-08 07:00

Re: Malware doctor
Hello.
I will step in here and finish it off, let's get these rootkits off the system.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
npggsvc
62a4ad86
b30c2fcc
94ddfa21

File::
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\48.tmp
c:\windows\system32\sgc315j0e19g.dll
c:\windows\system32\qgc715j0e19g .exe

Rootkit::
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys

Folder::
c:\program files\LimeWire
c:\windows\system32\796525

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Malware doctor
ComboFix 09-06-12.01 - David's 06/12/2009 15:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.403 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David's\Desktop\CFScript.txt
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\setupapi.dll
c:\program files\Mozilla Firefox\setupapi.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 01:57 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys
2009-06-10 01:23 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46 -------- d-----w- c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-12 19:09 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-12 18:29 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39 32 ----a-r- c:\documents and settings\All Users\hash.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 01:00 . 2009-06-12 02:02 58880 ----a-w- c:\windows\system32\48.tmp
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07 -------- d-----w- c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33 -------- d-----w- c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17 118784 ----a-w- c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57 -------- d-----w- c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03 -------- d-----w- c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51 -------- d-----w- c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46 -------- d-----w- c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24 966808 ----a-w- c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-12_03.20.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-12 19:08 . 2009-06-12 19:08 16384 c:\windows\temp\Perflib_Perfdata_304.dat
+ 2009-06-12 19:01 . 2009-06-12 19:01 389120 c:\windows\system32\CF1958.exe
.

Re: Malware doctor
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmck.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]


c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
.

Re: Malware doctor
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 15:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
"ImagePath"="\SystemRoot\System32\drivers\62a4ad86.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2208)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\CF1958.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-12 15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 19:13
ComboFix2.txt 2009-06-12 03:24
ComboFix3.txt 2009-06-10 02:23

Pre-Run: 30,148,493,312 bytes free
Post-Run: 30,135,545,856 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
335 --- E O F --- 2009-04-08 07:00

Re: Malware doctor
Hello.
That didn't work. Did you copy and paste EVERYTHING inside Notepad?

To me, it looks like you might have left it blank, or missed File:: maybe.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Malware doctor
Yeah, I copied everything. I even double checked.

Re: Malware doctor
Hello.
This machine is badly infected. Try running the script again, but do it from safe mode.


Re: Malware doctor
ComboFix 09-06-19.01 - David's 06/20/2009 14:15.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.693 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David's\Desktop\cfscript.txt
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\48.tmp"
"c:\windows\system32\drivers\62a4ad86.sys"
"c:\windows\system32\drivers\94ddfa21.sys"
"c:\windows\system32\drivers\b30c2fcc.sys"
"c:\windows\system32\qgc715j0e19g .exe"
"c:\windows\system32\sgc315j0e19g.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dtmb.exe
c:\program files\LimeWire
c:\windows\system32\796525
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-httpclient.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\commons-pool.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\httpcore-nio.jar
c:\program files\LimeWire\lib\httpcore.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\id3v2.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\Mozilla Firefox\setupapi.dll
c:\windows\system32\48.tmp
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\qgc715j0e19g .exe
c:\windows\system32\sgc315j0e19g.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-18 16:16 . 2009-01-28 18:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_82E9268439A85DF7929CB5.exe
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_6FEFF9B68218417F98F549.exe
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_3A83AC1B354F6AF3685B54.exe
2009-06-18 04:04 . 2009-06-18 04:04 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_BE590ABD701E2CB21C2EE8.exe
2009-06-18 04:04 . 2009-06-18 04:04 -------- d-----w- c:\program files\NETdecompiler
2009-06-17 01:07 . 2009-06-17 01:07 -------- d-----w- c:\program files\GlobalInfection
2009-06-16 01:52 . 2009-06-16 01:52 -------- d-----w- c:\program files\TeamViewer3
2009-06-16 01:52 . 2009-06-16 01:52 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-13 11:19 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-20 18:28 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-20 18:28 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 02:24 . 2009-02-15 04:05 -------- d-----w- c:\documents and settings\David's\Application Data\Download Manager
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-12_03.20.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-22 18:41 . 2009-06-20 18:07 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-22 18:41 . 2009-06-03 07:02 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-22 18:41 . 2009-06-20 18:07 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-09-22 18:41 . 2009-06-03 07:02 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-29 19:08 . 2009-06-20 18:07 999424 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-29 19:08 . 2009-06-03 07:02 999424 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-17 01:07 . 2009-06-17 01:07 188478 c:\windows\Installer\{DDE7BDEE-907E-4D47-AF3C-90198C08DA6A}\internet2.exe
+ 2009-06-14 20:25 . 2009-06-14 20:25 101948 c:\windows\.jagex_cache_32\loginapplet\cache--2062608270.dat

Re: Malware doctor
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-20 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11)


.
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2116)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\anotify.exe
c:\windows\SoftwareDistribution\Download\15fdc8419110b73ae498d2bf87f8bd8a\update\update.exe
.
**************************************************************************
.
Completion time: 2009-06-20 14:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 18:34
ComboFix2.txt 2009-06-12 19:13
ComboFix3.txt 2009-06-12 03:24
ComboFix4.txt 2009-06-10 02:23

Pre-Run: 28,685,307,904 bytes free
Post-Run: 27,636,109,312 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
386 --- E O F --- 2009-04-08 07:00

Re: Malware doctor
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Malware doctor
Well, it's slower than when I started. But nothing too serious. Thanks guys.

Re: Malware doctor
Please do a Full Scan in Malwarebytes and post the contents of the log back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

