GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


Unknown malware

2 posters

descriptionUnknown malware EmptyUnknown malware10th August 2009, 12:01 am

more_horiz
I tryed alot of guides before posting here, this is a sort of last resort, my currently installed version of malwarebyte's anti malware wouldn't run, then the pc got from bad to worse and when I rebooted it started freezing for no eason, after several tries, it started not even loading windows on reboot, just a black screen and a moveable black cursor. At this point i started in safemode with networking and tryed getting help, nothing would work, not renaming mbam.exe or anything, the new version download would not run either. I tryed making hijack this work, to no success, even after renaming. At this point, besides posting here, I have no idea what to do. I am posting this while running in safemode with net working. The malware seems to be still working, redirecting the gogle searches to other pages with weird url: web-analitycs.google.something. I have no idea what to do, I would like help please.

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 12:35 am

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 12:45 am

more_horiz
It didnt work at first, like I told you, but I searched around the site and found a olution, I had to switch my firefox preferences to alays ask me where to download, and change the name of hijackthis as I saved it to make it work after download, here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:39 PM, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Maxim\Desktop\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [OfficeKB] C:\PROGRA~1\OfficeKB\OfficeKB.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Apprentice\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Maxim\LOCALS~1\Temp\b.exe
O4 - Startup: Flip.lnk = C:\Program Files\Belkin\Flip\flip.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7498 bytes

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 1:39 am

more_horiz
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Maxim\LOCALS~1\Temp\b.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 2:21 am

more_horiz
I did what you told me, tho I changed the name of mbam for something else upon saving it. When I ran the installer it took few seconds to reach "finishing installing" then it remain at this for a really long period of time (~15 minutes) after that I checked both boxes like asked and clicked okay and the setup window went blank and remained like that for a log period of time. After that, it dissapeared. The application did not run, and running it manually does not work, nothing happens. What could I do?

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 2:58 pm

more_horiz
Bump, just in case.

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 5:43 pm

more_horiz
After a couple million tries, I managed to get anti malware to work, the first quick scan was done with an outdated version and removed some 208 infections and asked to reboot, after I updated the anti malware and ran a quick scan again, it reoved another 5 infections and here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2591
Windows 5.1.2600 Service Pack 3

8/10/2009 1:35:02 PM
mbam-log-2009-08-10 (13-34-59).txt

Scan type: Quick Scan
Objects scanned: 94238
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Maxim\Local Settings\Temp\a.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Maxim\Local Settings\Temp\b.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

It doesn't seem to have solved the problem so far, what should I do? Thank you in advance.

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 6:37 pm

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    Unknown malware CF_download_FF

    Unknown malware CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Unknown malware Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Unknown malware Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 7:01 pm

more_horiz
ComboFix 09-08-10.01 - Maxim 08/10/2009 14:49.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3333 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?
c:\windows\system32\drivers\UACrwnrkixtpd.sys
c:\windows\system32\UACcsptoklwkb.dat
c:\windows\system32\UAChdkfuakvay.dll
c:\windows\system32\UACndkflaslxw.db
c:\windows\system32\UACnulwbcnkvu.dll
c:\windows\system32\UACsejisqdmxk.dll
c:\windows\system32\UACtknthyaymp.dll
c:\windows\system32\UACxfugmjnjqn.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_SYSTEMNTMI
-------\Legacy_pnwjcule
-------\Legacy_zcvz
-------\Service_pnwjcule
-------\Service_zcvz


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 18:31 . 2009-08-10 18:31 61440 ----a-w- c:\windows\system32\drivers\kdvegt.sys
2009-08-10 18:22 . 2009-08-10 18:22 61440 ----a-w- c:\windows\system32\drivers\zfibn.sys
2009-08-10 00:44 . 2009-08-10 00:44 -------- d-----w- c:\program files\Trend Micro
2009-08-09 23:11 . 2009-08-09 23:11 -------- d--h--w- c:\windows\PIF
2009-08-09 22:46 . 2009-08-09 22:46 -------- d-----w- C:\1ddc18167fe8f93cba4482ec9264
2009-08-09 22:35 . 2009-08-09 22:35 -------- d-----w- c:\program files\AVG
2009-08-09 22:35 . 2009-08-09 22:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-08-09 22:29 . 2009-08-09 22:29 -------- d-----w- c:\documents and settings\Maxim\Application Data\AVG8
2009-08-09 22:02 . 2009-08-09 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 21:59 . 2009-08-09 21:59 -------- d-----w- c:\documents and settings\All Users\Malwarebytes' Anti-Malware
2009-08-09 21:53 . 2009-08-09 21:53 -------- d-----w- c:\documents and settings\Maxim\Malwarebytes' Anti-Malware
2009-08-09 21:50 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 21:50 . 2009-08-09 21:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-09 21:50 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 21:42 . 2009-08-09 21:42 -------- d-----w- c:\program files\VS Revo Group
2009-08-09 20:36 . 2009-08-09 20:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-09 19:11 . 2009-06-05 17:23 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-07 03:09 . 2009-08-07 03:50 -------- d-----w- c:\documents and settings\Maxim\RAN
2009-07-26 05:11 . 2009-07-26 20:56 -------- d-----w- c:\documents and settings\Maxim\Starship.Troopers.2.2004.STV.DVDRip.XviD
2009-07-13 19:24 . 2009-07-17 15:46 -------- d-----w- c:\documents and settings\Maxim\Renzu
2009-07-13 15:13 . 2009-07-13 21:14 -------- d-----w- c:\documents and settings\Maxim\Bible Black Complete
2009-07-12 19:35 . 2009-07-12 19:35 326479 ----a-w- C:\722h.exe
2009-07-12 16:51 . 2009-07-12 19:27 326511 ----a-w- C:\72h.exe
2009-07-12 12:18 . 2009-07-12 13:51 326507 ----a-w- C:\23d2s2327h.exe
2009-07-12 12:13 . 2009-07-12 12:14 326507 ----a-w- C:\23ds2327h.exe
2009-07-12 12:12 . 2009-07-12 12:12 326511 ----a-w- C:\3ds2327h.exe
2009-07-12 12:08 . 2009-07-12 12:08 326511 ----a-w- C:\3ds327h.exe
2009-07-12 12:07 . 2009-07-12 12:07 326507 ----a-w- C:\3ds27h.exe
2009-07-11 22:50 . 2009-07-11 22:50 326511 ----a-w- C:\3222227h.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 18:57 . 2008-03-03 02:24 -------- d-----w- c:\documents and settings\Maxim\Application Data\OpenOffice.org2
2009-08-10 18:31 . 2009-08-10 18:31 286 ----a-w- c:\program files\qjhnfze.txt
2009-08-10 17:28 . 2007-07-03 06:04 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-10 02:01 . 2008-06-28 20:17 -------- d-----w- c:\program files\Electronic Arts
2009-08-09 23:29 . 2007-06-23 06:10 -------- d-----w- c:\program files\Belkin
2009-08-09 23:18 . 2009-03-13 21:59 -------- d-----w- c:\program files\Atari
2009-08-09 23:02 . 2007-12-04 03:04 -------- d-----w- c:\program files\Apprentice
2009-08-09 18:23 . 2007-08-19 21:42 -------- d-----w- c:\program files\Java
2009-08-09 05:36 . 2008-02-11 04:29 -------- d-----w- c:\documents and settings\Maxim\Application Data\uTorrent
2009-08-03 19:45 . 2007-10-21 21:38 -------- d-----w- c:\program files\Warcraft III
2009-07-25 09:23 . 2009-04-29 19:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-11 13:58 . 2009-07-11 13:58 326507 ----a-w- C:\32227h.exe
2009-07-11 13:46 . 2009-07-11 12:14 326507 ----a-w- C:\3227h.exe
2009-07-11 00:04 . 2009-07-10 18:26 326479 ----a-w- C:\327h.exe
2009-07-10 15:55 . 2009-07-10 15:50 326507 ----a-w- C:\2o322re.exe
2009-07-10 14:46 . 2009-07-10 14:46 326501 ----a-w- C:\2vo2te.exe
2009-07-10 14:39 . 2009-07-10 14:39 326505 ----a-w- C:\2vote.exe
2009-07-10 14:35 . 2009-07-10 14:35 326505 ----a-w- C:\vote.exe
2009-07-09 14:12 . 2007-06-26 05:43 -------- d-----w- c:\program files\DivX
2009-07-09 14:11 . 2009-05-11 18:45 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-03 18:33 . 2009-07-03 18:33 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-03 18:33 . 2009-07-03 18:33 262144 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-03 18:30 . 2009-07-03 18:30 -------- d-----w- c:\program files\Futuremark
2009-07-03 18:30 . 2007-06-21 05:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 17:15 . 2007-06-23 05:09 15664 ----a-w- c:\documents and settings\Maxim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\Maxim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-14 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 118784]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-22 185896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-10-21 29696]

c:\documents and settings\Maxim\Start Menu\Programs\Startup\
Flip.lnk - c:\program files\Belkin\Flip\flip.exe [2006-8-22 385024]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-24 442368]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/1/2008 10:47 AM 24652]
S2 fmpqvxxg;fmpqvxxg;c:\windows\system32\drivers\yfhjax.sys --> c:\windows\system32\drivers\yfhjax.sys [?]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 3:16 PM 22821]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
FF - ProfilePath - c:\docume~1\Maxim\APPLIC~1\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\Maxim\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2016)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Belkin\Nostromo\nost_FSH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.bin
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-10 15:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 19:00

Pre-Run: 41,180,155,904 bytes free
Post-Run: 42,429,214,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

227 --- E O F --- 2009-07-30 07:00

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 8:56 pm

more_horiz
Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\drivers\kdvegt.sys
c:\windows\system32\drivers\zfibn.sys
C:\722h.exe
C:\72h.exe
C:\23d2s2327h.exe
C:\23ds2327h.exe
C:\3ds2327h.exe
C:\3ds327h.exe
C:\3ds27h.exe
C:\3222227h.exe
c:\program files\qjhnfze.txt
C:\32227h.exe
C:\3227h.exe
C:\327h.exe
C:\2o322re.exe
C:\2vo2te.exe
C:\2vote.exe
C:\vote.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

Driver::
fmpqvxxg


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
Unknown malware Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 9:15 pm

more_horiz
ComboFix 09-08-10.01 - Maxim 08/10/2009 17:07.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2999 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt

FILE ::
"C:\23d2s2327h.exe"
"C:\23ds2327h.exe"
"C:\2o322re.exe"
"C:\2vo2te.exe"
"C:\2vote.exe"
"C:\3222227h.exe"
"C:\32227h.exe"
"C:\3227h.exe"
"C:\327h.exe"
"C:\3ds2327h.exe"
"C:\3ds27h.exe"
"C:\3ds327h.exe"
"C:\722h.exe"
"C:\72h.exe"
"c:\program files\qjhnfze.txt"
"C:\vote.exe"
"c:\windows\system32\drivers\kdvegt.sys"
"c:\windows\system32\drivers\zfibn.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FMPQVXXG
-------\Service_fmpqvxxg


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 18:31 . 2009-08-10 21:07 61440 ----a-w- c:\windows\system32\drivers\kdvegt.sys
2009-08-10 18:22 . 2009-08-10 21:07 61440 ----a-w- c:\windows\system32\drivers\zfibn.sys
2009-08-10 00:44 . 2009-08-10 00:44 -------- d-----w- c:\program files\Trend Micro
2009-08-09 23:11 . 2009-08-09 23:11 -------- d--h--w- c:\windows\PIF
2009-08-09 22:46 . 2009-08-09 22:46 -------- d-----w- C:\1ddc18167fe8f93cba4482ec9264
2009-08-09 22:35 . 2009-08-09 22:35 -------- d-----w- c:\program files\AVG
2009-08-09 22:35 . 2009-08-09 22:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-08-09 22:29 . 2009-08-09 22:29 -------- d-----w- c:\documents and settings\Maxim\Application Data\AVG8
2009-08-09 22:02 . 2009-08-09 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 21:59 . 2009-08-09 21:59 -------- d-----w- c:\documents and settings\All Users\Malwarebytes' Anti-Malware
2009-08-09 21:53 . 2009-08-09 21:53 -------- d-----w- c:\documents and settings\Maxim\Malwarebytes' Anti-Malware
2009-08-09 21:50 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 21:50 . 2009-08-09 21:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-09 21:50 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 21:42 . 2009-08-09 21:42 -------- d-----w- c:\program files\VS Revo Group
2009-08-09 20:36 . 2009-08-09 20:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-09 19:11 . 2009-06-05 17:23 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-07 03:09 . 2009-08-07 03:50 -------- d-----w- c:\documents and settings\Maxim\RAN
2009-07-26 05:11 . 2009-07-26 20:56 -------- d-----w- c:\documents and settings\Maxim\Starship.Troopers.2.2004.STV.DVDRip.XviD
2009-07-13 19:24 . 2009-07-17 15:46 -------- d-----w- c:\documents and settings\Maxim\Renzu
2009-07-13 15:13 . 2009-07-13 21:14 -------- d-----w- c:\documents and settings\Maxim\Bible Black Complete
2009-07-12 19:35 . 2009-08-10 21:06 326479 ----a-w- C:\722h.exe
2009-07-12 16:51 . 2009-08-10 21:06 326511 ----a-w- C:\72h.exe
2009-07-12 12:18 . 2009-08-10 21:06 326507 ----a-w- C:\23d2s2327h.exe
2009-07-12 12:13 . 2009-08-10 21:06 326507 ----a-w- C:\23ds2327h.exe
2009-07-12 12:12 . 2009-08-10 21:06 326511 ----a-w- C:\3ds2327h.exe
2009-07-12 12:08 . 2009-08-10 21:06 326511 ----a-w- C:\3ds327h.exe
2009-07-12 12:07 . 2009-08-10 21:06 326507 ----a-w- C:\3ds27h.exe
2009-07-11 22:50 . 2009-08-10 21:06 326511 ----a-w- C:\3222227h.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 21:12 . 2008-03-03 02:24 -------- d-----w- c:\documents and settings\Maxim\Application Data\OpenOffice.org2
2009-08-10 21:07 . 2009-07-10 14:35 326505 ----a-w- C:\vote.exe
2009-08-10 21:06 . 2009-07-10 18:26 326479 ----a-w- C:\327h.exe
2009-08-10 21:06 . 2009-07-11 13:58 326507 ----a-w- C:\32227h.exe
2009-08-10 21:06 . 2009-07-11 12:14 326507 ----a-w- C:\3227h.exe
2009-08-10 21:06 . 2009-07-10 15:50 326507 ----a-w- C:\2o322re.exe
2009-08-10 21:06 . 2009-07-10 14:46 326501 ----a-w- C:\2vo2te.exe
2009-08-10 21:06 . 2009-07-10 14:39 326505 ----a-w- C:\2vote.exe
2009-08-10 18:31 . 2009-08-10 18:31 286 ----a-w- c:\program files\qjhnfze.txt
2009-08-10 17:28 . 2007-07-03 06:04 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-08-10 02:01 . 2008-06-28 20:17 -------- d-----w- c:\program files\Electronic Arts
2009-08-09 23:29 . 2007-06-23 06:10 -------- d-----w- c:\program files\Belkin
2009-08-09 23:18 . 2009-03-13 21:59 -------- d-----w- c:\program files\Atari
2009-08-09 23:02 . 2007-12-04 03:04 -------- d-----w- c:\program files\Apprentice
2009-08-09 18:23 . 2007-08-19 21:42 -------- d-----w- c:\program files\Java
2009-08-09 05:36 . 2008-02-11 04:29 -------- d-----w- c:\documents and settings\Maxim\Application Data\uTorrent
2009-08-03 19:45 . 2007-10-21 21:38 -------- d-----w- c:\program files\Warcraft III
2009-07-25 09:23 . 2009-04-29 19:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-09 14:12 . 2007-06-26 05:43 -------- d-----w- c:\program files\DivX
2009-07-09 14:11 . 2009-05-11 18:45 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-03 18:33 . 2009-07-03 18:33 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-03 18:33 . 2009-07-03 18:33 262144 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-03 18:30 . 2009-07-03 18:30 -------- d-----w- c:\program files\Futuremark
2009-07-03 18:30 . 2007-06-21 05:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 17:15 . 2007-06-23 05:09 15664 ----a-w- c:\documents and settings\Maxim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_18.57.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 21:12 . 2009-08-10 21:12 16384 c:\windows\temp\Perflib_Perfdata_410.dat
+ 2009-08-10 21:10 . 2009-08-10 21:10 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 18:56 . 2009-08-10 18:56 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-10 21:10 . 2009-08-10 21:10 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-10 18:56 . 2009-08-10 18:56 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-10 21:10 . 2009-08-10 21:10 233472 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-10 18:56 . 2009-08-10 18:56 233472 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 21:10 . 2009-08-10 21:10 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-10 18:56 . 2009-08-10 18:56 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-10 18:56 . 2009-08-10 18:56 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-10 21:10 . 2009-08-10 21:10 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-10 21:10 . 2009-08-10 21:10 4919296 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
- 2009-08-10 18:56 . 2009-08-10 18:56 4919296 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 9:15 pm

more_horiz
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\Maxim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-14 133104]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 118784]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-22 185896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-10-21 29696]

c:\documents and settings\Maxim\Start Menu\Programs\Startup\
Flip.lnk - c:\program files\Belkin\Flip\flip.exe [2006-8-22 385024]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-24 442368]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/1/2008 10:47 AM 24652]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 3:16 PM 22821]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
FF - ProfilePath - c:\docume~1\Maxim\APPLIC~1\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\Maxim\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 17:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Belkin\Nostromo\nost_FSH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.bin
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-10 17:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 21:15
ComboFix2.txt 2009-08-10 19:00

Pre-Run: 42,396,798,976 bytes free
Post-Run: 42,343,940,096 bytes free

240 --- E O F --- 2009-07-30 07:00

descriptionUnknown malware EmptyRe: Unknown malware10th August 2009, 9:32 pm

more_horiz
Hello.

Half of that worked, half of it didn't.

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\*.exe


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 2:28 am

more_horiz
========== FILES ==========
C:\23d2s2327h.exe moved successfully.
C:\23ds2327h.exe moved successfully.
C:\2o322re.exe moved successfully.
C:\2vo2te.exe moved successfully.
C:\2vote.exe moved successfully.
C:\3222227h.exe moved successfully.
C:\32227h.exe moved successfully.
C:\3227h.exe moved successfully.
C:\327h.exe moved successfully.
C:\3ds2327h.exe moved successfully.
C:\3ds27h.exe moved successfully.
C:\3ds327h.exe moved successfully.
C:\722h.exe moved successfully.
C:\72h.exe moved successfully.
C:\vote.exe moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 08102009_222748

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 1:52 pm

more_horiz
Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Unknown malware CF_Cleanup

This will also reset your restore points.

How is the machine running now?

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 1:56 pm

more_horiz
It said Combofix was uninstalled with success and the relink problem is gone, but the black screen problem is still around.
What am I supposed to do with OTmover and the moved files?

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 1:57 pm

more_horiz
Delete the C:\_OTM folder now.
The screen problem could be a hardware fault.

Installed any new hardware lately?
How old is the graphics card you currently have in the machine now?

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 1:59 pm

more_horiz
Deleted. No new hardware, the graphic card is about 3 years old, but was already old technology back then, it'S a Geforce 256Mb a 6800 I think...

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 2:07 pm

more_horiz
Wow, that's old now. LMBO or ROFL

I would advise you to open topic in the hardware section, best thing to do is buy a new and better graphics card, see if that helps.

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 2:25 pm

more_horiz
Ok, thanks for the help, but could it also be a problem in the default settings to load windows that I might have accidentally touched while going into safe mode?

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 3:49 pm

more_horiz
Unlikely, the settings don't get altered, but the resolution does.

descriptionUnknown malware EmptyRe: Unknown malware11th August 2009, 3:51 pm

more_horiz
Thank you or the help, donation intended for next paycheck.

descriptionUnknown malware EmptyRe: Unknown malware

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum