[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\documents and settings\Kevin Kaminski\vopxq.exe \s"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Kaminski^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 c:\program files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 32768 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1712640 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2005-05-12 06:02 118784 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-05-12 05:33 57452 c:\program files\Java\jre1.5.0\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 20:41 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\Program Files\\Prevx\\prevx.exe"=
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-02 21512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-08-26 99376]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-04-16 894216]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-02 4107832]
R4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-04-16 689416]
S0 epzinkyu;epzinkyu;c:\windows\system32\Drivers\epzinkyu.sys --> c:\windows\system32\Drivers\epzinkyu.sys [?]
S0 Winko72;Winko72;c:\windows\system32\Drivers\Winko72.sys --> c:\windows\system32\Drivers\Winko72.sys [?]
S1 nfr.sys;nfr.sys;\??\c:\windows\system32\drivers\nfr.sys --> c:\windows\system32\drivers\nfr.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\GameSpot\DownloadManager_Win32.exe --> c:\program files\GameSpot\DownloadManager_Win32.exe [?]
S4 Logical Disk Manager (NDIS);Logical Disk Manager (NDIS);c:\program files\system\smss.exe --> c:\program files\system\smss.exe [?]
S4 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-04 22784]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2009-01-17 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dad.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 01:38]
2009-02-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.verizon.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 20:06:40
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?7?9??????? ?,?B?????????????hLC? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxjvnqiidl.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-529307107-3761115793-1089377387-1006\Software\id\Doom95\Config\¬ (* *]
"mouse_sensitivity"=dword:00000009
"sfx_volume"=dword:00000008
"music_volume"=dword:00000003
"show_messages"=dword:00000001
"key_right"=dword:0000004d
"key_left"=dword:0000004b
"key_up"=dword:00000048
"key_down"=dword:00000050
"key_strafeleft"=dword:00000033
"key_straferight"=dword:00000034
"key_fire"=dword:0000001d
"key_use"=dword:00000039
"key_strafe"=dword:00000038
"key_speed"=dword:00000036
"use_mouse"=dword:00000000
"full_screen"=dword:00000000
"full_keyboard"=dword:00000000
"mouseb_fire"=dword:00000000
"mouseb_strafe"=dword:00000001
"mouseb_forward"=dword:00000002
"use_joystick"=dword:00000000
"joyb_fire"=dword:00000000
"joyb_strafe"=dword:00000001
"joyb_use"=dword:00000003
"joyb_speed"=dword:00000002
"joy_id"=dword:00000000
"joy_axis_map"="yx "
"joy_feedback_DLL"=""
"joy_move_threshold"=dword:00000800
"joy_move_sensitivity"=dword:00000250
"joy_turn_threshold"=dword:00001000
"joy_turn_sensitivity"=dword:00000020
"joyb_fist_saw"=dword:ffffffff
"joyb_pistol"=dword:ffffffff
"joyb_shotgun"=dword:ffffffff
"joyb_chaingun"=dword:ffffffff
"joyb_missile"=dword:ffffffff
"joyb_plasma"=dword:ffffffff
"joyb_bfg"=dword:ffffffff
"joyb_inc"=dword:ffffffff
"joyb_dec"=dword:ffffffff
"screenblocks"=dword:00000008
"detaillevel"=dword:00000000
"snd_channels"=dword:00000003
"usegamma"=dword:00000000
"chatmacro0"="No"
"chatmacro1"="I'm ready to kick butt!"
"chatmacro2"="I'm OK."
"chatmacro3"="I'm not looking too good!"
"chatmacro4"="Help!"
"chatmacro5"="You suck!"
"chatmacro6"="Next time, scumbag..."
"chatmacro7"="Come here!"
"chatmacro8"="I'll take care of it."
"chatmacro9"="Yes"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxjvnqiidl.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(376)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Hp\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-04 20:11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 01:10:27
ComboFix2.txt 2009-02-05 00:20:05
Pre-Run: 34,054,430,720 bytes free
Post-Run: 34,052,333,568 bytes free
363 --- E O F --- 2008-07-08 22:03:01