Tech Support Team

#21 | evilfantasy (Security Team) | 15th August 2009, 10:20 PM
Can you run ComboFix?

#22 | ysb21189 (Newcomer) | 15th August 2009, 11:16 PM
Running it does nothing. Should I drag the text code into it again?

#23 | evilfantasy (Security Team) | 15th August 2009, 11:22 PM
Delete ComboFix and download it again but be sure to rename it during the download.

Download ComboFix from one of the below links. You must rename it before saving it!

Important! You MUST save ComboFix to your desktop.

Link 1
Link 2
Link 3

Rename ComboFix to Combo-Fix before saving it to the desktop.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on Combo-Fix.exe & follow the prompts.

Vista users: right-click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.

Post the contents of that log in your next reply.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

#24 | ysb21189 (Newcomer) | 16th August 2009, 12:09 AM
Hey thank you again for sticking with this.

I downloaded ComboFix under the name Combo-Fix and ran it. It said something about rootkit activities and asked me to write down 6 files on paper just in case. Then it rebooted and scanned and deleted the files I wrote down. It gave me a log but then it just showed my background and nothing else, so I manually restarted.

Here is the log:
ComboFix 09-08-10.06 - Owner 5/2009 Sat 19:37.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.511.289 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\run.log
c:\windows\system32\drivers\UACxjxtlyurkm.sys
c:\windows\system32\UACebsqhxcxoo.db
c:\windows\system32\UAChciccciwhs.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjdudcglvie.dll
c:\windows\system32\UACuafqkecbkd.dll
c:\windows\system32\UACystfgeyufm.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-14 05:14 . 2009-08-14 05:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 20:26 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-09 04:20 . 2009-08-09 06:07 -------- d-----w- c:\windows\BDOSCAN8
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 01:01 . 2009-07-30 01:01 -------- d-----w- c:\windows\ie8updates
2009-07-29 16:03 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-29 16:03 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-29 03:13 . 2009-07-29 03:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-29 02:14 . 2009-07-29 02:14 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-07-29 02:14 . 2009-07-29 02:14 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-07-29 02:10 . 2009-07-29 02:10 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-07-29 02:03 . 2009-07-29 02:06 -------- dc-h--w- c:\windows\ie8
2009-07-26 16:00 . 2009-07-26 16:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-07-24 23:42 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-24 23:42 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-07-24 23:42 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-24 23:42 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-24 23:42 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-24 23:42 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-24 23:42 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-24 23:42 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-24 23:42 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-24 23:19 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-24 22:39 . 2009-07-24 22:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 22:38 . 2009-07-24 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-24 22:38 . 2009-07-24 22:38 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-24 17:43 . 2009-07-24 19:48 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-23 18:46 . 2009-07-23 18:46 -------- d-----w- c:\program files\ulguide
2009-07-23 18:44 . 2009-08-07 16:54 -------- d-----w- c:\program files\utilguides
2009-07-23 18:44 . 2009-07-24 17:31 -------- d-----w- c:\program files\utilpack
2009-07-23 18:43 . 2009-08-13 04:49 -------- d-----w- c:\program files\ulineguide
2009-07-17 18:55 . 2009-07-17 18:55 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 22:09 . 2009-05-04 06:23 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-15 07:57 . 2009-01-05 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 05:02 . 2009-08-14 05:02 1366391 ----a-w- c:\windows\system32\xa.tmp
2009-08-14 02:09 . 2006-04-06 22:18 -------- d-----w- c:\program files\Windows Defender
2009-08-13 04:49 . 2008-08-08 21:28 -------- d-----w- c:\program files\infodonkey
2009-08-13 04:25 . 2005-08-18 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-13 04:25 . 2005-05-15 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 04:25 . 2005-05-15 01:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-09 05:24 . 2007-06-18 16:11 -------- d-----w- c:\program files\PandoraTVMini
2009-08-05 09:11 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 18:16 . 2005-03-05 20:14 114589 ----a-w- c:\windows\War3Unin.dat
2009-07-24 22:42 . 2003-10-11 03:09 -------- d-----w- c:\program files\Java
2009-07-24 20:31 . 2008-08-08 21:28 -------- d-----w- c:\program files\sakuracash
2009-07-17 18:55 . 2003-11-06 00:04 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:36 . 2009-01-05 02:24 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-01-05 02:24 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 14:08 . 2003-10-11 03:06 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 07:54 . 2009-07-09 07:54 128000 ----a-w- c:\windows\system32\UtilDownLauncher.dll
2009-07-03 17:09 . 2005-04-27 14:54 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-01 17:48 . 2009-07-01 17:48 -------- d-----w- c:\program files\Coupons
2009-06-25 08:44 . 2003-11-06 00:06 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2003-11-06 00:06 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2003-11-06 00:05 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2003-11-05 23:26 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2003-11-05 23:24 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2003-11-05 23:24 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-22 11:34 . 2003-10-11 02:22 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2003-11-06 00:05 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2003-11-05 23:26 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2003-10-11 02:22 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2003-11-06 00:04 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2003-11-05 23:26 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2003-11-06 00:06 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2003-05-30 23:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 18:58 . 2008-08-09 18:53 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-19 05:36 . 2009-06-12 20:43 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-12 20:43 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-12 20:43 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-12 20:43 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-12 20:43 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-12 20:43 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-12 20:43 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-12 20:43 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_04.57.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 23:36 . 2009-08-15 23:36 16384 c:\windows\temp\Perflib_Perfdata_5d4.dat
+ 2003-10-11 02:33 . 2009-08-15 19:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-10-11 02:33 . 2009-08-07 16:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-10-11 02:33 . 2009-08-15 19:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-10-11 02:33 . 2009-08-07 16:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-10-11 02:33 . 2009-08-15 19:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-10-11 02:33 . 2009-08-07 16:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-14 05:14 . 2009-08-15 19:31 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2006-05-26 1003520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2003-08-19 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-11 151597]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-15 139264]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86 \3\hpztsb08.exe" [2003-03-12 172032]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScI nst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT \TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TIN TSETP.EXE" [2002-08-29 455168]
"NeroCheck"="c:\windows\system32\NeroCheck.exe " [2001-07-09 155648]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-15 19520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-02-10 1420560]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 269104]
"VX6000"="c:\windows\vVX6000.exe" [2006-06-29 994096]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-15 40960]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-3-7 113664]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-7-15 1073152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\bryan\\Warcraft III\\Frozen Throne.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\bryan\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\p3aodsvr.exe"=
"c:\\WINDOWS\\system32\\p3bvsvr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\소리바다\\SORIBADA\\SORIBADA.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\BugsSvr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\trueplay.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\bryan\\torrentz\\utorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\FSCAgent.exe"=
"c:\\WINDOWS\\system32\\ClubBox.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\soomyung0817@hotma il.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=
"c:\\WINDOWS\\system32\\P3MelonSvr.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"c:\\Documents and Settings\\Owner\\My Documents\\bryan\\당나귀\\donkeyp2p\\donkeyp2p.exe"=
"c:\\WINDOWS\\system32\\nowdownloader.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\PandoraTVMini\\MiniStream.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\bryan\\´c³ª±I\\donkeyp2p\\donkeyp2p.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:warcraft
"29101:TCP"= 29101:TCP:파일전송 데몬
"6348:TCP"= 6348:TCP:Limewire
"6348:UDP"= 6348:UDP:Limewire

R1 LIKECDN2;LIKECDN2;c:\windows\system32\drivers\LIKECDN2.sys [3/7/2004 7:12 PM 20972]
R2 XSPACEWG;XSPACEWG;c:\windows\system32\drivers\XSpaceWg.sys [3/7/2004 7:12 PM 3503]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\Owner\Desktop\pigeon\SASDIFSV.SYS --> c:\documents and settings\Owner\Desktop\pigeon\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\Owner\Desktop\pigeon\SASKUTIL.sys --> c:\documents and settings\Owner\Desktop\pigeon\SASKUTIL.sys [?]
S2 IMJPMIG8.3;IMJPMIG8.3;"c:\windows\System32\IMJPMIG8_3.exe" -service --> c:\windows\System32\IMJPMIG8_3.exe [?]
S3 cdrm9;cdrm9;\??\c:\windows\System32\kauz.sys --> c:\windows\System32\kauz.sys [?]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [3/14/2004 12:24 AM 10368]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;\??\c:\documents and settings\Owner\Desktop\pigeon\SASENUM.SYS --> c:\documents and settings\Owner\Desktop\pigeon\SASENUM.SYS [?]
S3 scgsk;SCGSK Driver Service;c:\windows\system32\drivers\scgsk.sys [10/28/2004 6:21 PM 6656]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/29/2006 7:56 PM 2383152]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2/10/2006 4:27 PM 45840]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSe tup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2006-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-02-10 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://us10.hpwis.com/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: teri.org
DPF: 799BB2EC-572A-42A9-84AD-112806F4F551
DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} - hxxp://www.netmarble.net/game/nmstarter/NMStarter16.cab
DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - hxxp://www.nintendowifi.com/troubleshooting/usbaptest.cab
DPF: {24960521-7F51-4743-9D83-906B16D188E5} - hxxp://download.archlord.com/archlord/arch_relay/ArchlordDownloader0623.cab
DPF: {2AE5077E-2BCD-4B77-9D19-237C882BD6AF} - hxxp://www.monario.com/ActiveX/monariofiledownload.cab
DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} - hxxp://player.bugs.co.kr/install/BugsInstall.cab
DPF: {35B93CED-4B24-4FA7-B143-B4F5BBBA9F7A} - hxxp://gamepatch.bugs.co.kr/BugsPatcher.cab
DPF: {36A4B20A-2B75-4101-86CE-F9B03CA4B91C} - hxxp://bgweb.clubbox.co.kr/bin/DownStarter.cab
DPF: {48ED5A74-A5A6-4EDE-AAC5-42D697FC3F19} - hxxp://www.cyberoro.com/download/cyber.cab
DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} - hxxp://www.cyberoro.com/download/OroCheck.cab
DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} - hxxp://cafe.naver.com/common/activex/nbgm.cab
DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} - hxxp://img.pandora.tv/pan_img/liveupdate/SVPorsche.cab
DPF: {68B5B09E-9CB4-4E93-A75B-44DD4362120C} - hxxp://comic.daum.net/download/new/ToonsXContentsPlug.cab
DPF: {710E4921-F77C-4D42-8EC4-4DFDEE52508F} - hxxp://210.90.46.53/activeX/ictPrintX.cab
DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} - hxxp://activexdown.paran.com/paranactivex/data/imweb.cab
DPF: {7C564BC7-73BD-4750-A90A-8FF2D8C8C64B} - hxxp://www.cabal.co.kr/Include/SysInfo.cab
DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} - hxxp://player.bugs.co.kr/install/mv/p3bvset.cab
DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} - hxxp://download.netmarble.com/NMChatX/NMTransX.cab
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/cab9/dmcc2.cab
DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} - hxxp://ahnlabdownload.nefficient.co.kr/plugin/myfirewall/myfirewall20.cab
DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} - hxxp://player.bugs.co.kr/install/XTools.cab
DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} - hxxp://player.bugs.co.kr/install/bugsLoader20040811.cab
DPF: {B2AEC562-9C98-459D-A596-6850EB2CE623} - hxxp://www.omi.co.kr/search/chart_package/comparison4.CAB
DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} - hxxp://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} - hxxp://cdn.hangame.com/hangame/messenger/hani/webmsg/HanWebMsg.cab
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab
DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} - hxxp://player.bugs.co.kr/install/bugsLoader20041018.cab
DPF: {C296DB5F-4B01-47E1-AB57-C590BE769111} - hxxp://www.melon.com/cab/P3Melon.cab
DPF: {C415C83B-3FE3-4AAA-ABD0-53D812D25593} - hxxp://www.joycity.com/_app/JCUpdaterAX.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxp://plugin.inicis.com/wallet60/INIwallet60.cab
DPF: {DF7E9E9B-A7D8-4B2C-82E0-AC630D9594A5} - hxxp://www.jceports.com/_app/cab/JSUpdaterAx.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxp://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
DPF: {E8FC4708-B43C-4B2D-8D3F-A5D583D822F4} - hxxp://gamedown.paran.com/cab/ParanOnDemandX.cab
DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} - hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\51ippmes.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-08-15 19:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{46D387E9-41FC-4F71-A7C3-B0BEB3568F00}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\IMEKR70.IME
.
Completion time: 2009-08-15 19:54
ComboFix-quarantined-files.txt 2009-08-15 23:54
ComboFix2.txt 2009-08-14 02:23
ComboFix3.txt 2009-08-13 05:04

Pre-Run: 71,297,183,744 bytes free
Post-Run: 71,286,448,128 bytes free

347 --- E O F --- 2009-08-13 04:17
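The helper's next step (picking a driver out of this log for a second opinion) is a manual triage of the service lines ComboFix prints under "Reg Loading Points". The following is an added example, not part of the thread and not ComboFix's own code: it parses those lines in the layout shown above (running/stopped flag, registry Start value, service name, display name, image path, and either a timestamp and size or a "--> ... [?]" marker meaning the file was not found on disk) and attaches review hints. The sample lines are copied from the log above with the forum's line-wrap spaces removed; the hint rules (missing image, image outside the Windows and Program Files trees, boot/system-start driver, display name identical to the service name) are my own heuristics and mark entries to look at first, not verdicts.

```python
"""Triage of the service/driver lines ComboFix prints under "Reg Loading Points".

Each line has the shape
    <R|S><Start> <ServiceName>;<DisplayName>;<ImagePath> [<timestamp> <size>]
or, when the image file could not be found on disk,
    <R|S><Start> <ServiceName>;<DisplayName>;<RegistryPath> --> <ResolvedPath> [?]
R = running, S = stopped; Start is the registry Start value
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines from the log above (line-wrap spaces removed) plus
# one firewall entry that the parser must skip.
SAMPLE_LINES = r"""
R1 LIKECDN2;LIKECDN2;c:\windows\system32\drivers\LIKECDN2.sys [3/7/2004 7:12 PM 20972]
R2 XSPACEWG;XSPACEWG;c:\windows\system32\drivers\XSpaceWg.sys [3/7/2004 7:12 PM 3503]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\Owner\Desktop\pigeon\SASDIFSV.SYS --> c:\documents and settings\Owner\Desktop\pigeon\SASDIFSV.SYS [?]
S3 cdrm9;cdrm9;\??\c:\windows\System32\kauz.sys --> c:\windows\System32\kauz.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2/10/2006 4:27 PM 45840]
"6112:TCP"= 6112:TCP:warcraft
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# "<path> [<timestamp> <size>]" for files ComboFix found on disk
FOUND_RE = re.compile(r"^(?P<path>.+?) \[(?P<stamp>.+) (?P<size>\d+)\]$")

# Heuristic (my assumption): image paths outside these trees deserve a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class ServiceEntry:
    name: str
    display: str
    state: str            # "R" running, "S" stopped
    start: int            # registry Start value
    image: str            # resolved path, NT "\??\" prefix removed
    present: bool         # False when ComboFix printed "--> ... [?]"
    size: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.endswith("[?]"):
        # registry path --> resolved path [?]: keep the resolved path
        image = rest[: -len("[?]")].split("-->")[-1].strip()
        present, size = False, None
    else:
        f = FOUND_RE.match(rest)
        if not f:
            return None
        image, present, size = f.group("path"), True, int(f.group("size"))
    if image.startswith("\\??\\"):
        image = image[len("\\??\\"):]
    return ServiceEntry(m["name"], m["display"], m["state"], int(m["start"]),
                        image, present, size)


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach review hints; each is a reason to look closer, not a verdict."""
    low = entry.image.lower()
    if not entry.present:
        entry.flags.append("image file missing")
    if not low.startswith(TRUSTED_ROOTS):
        entry.flags.append("image outside Windows/Program Files")
    if entry.start <= 1:
        entry.flags.append("boot/system-start driver")
    if entry.name.lower() == entry.display.lower():
        entry.flags.append("no descriptive display name")
    return entry


def parse_log(text: str) -> List[ServiceEntry]:
    parsed = (parse_service_line(line) for line in text.splitlines())
    return [triage(e) for e in parsed if e is not None]


def review_order(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Most-flagged entries first; ties keep log order (sort is stable)."""
    return sorted(entries, key=lambda e: -len(e.flags))


if __name__ == "__main__":
    for e in review_order(parse_log(SAMPLE_LINES)):
        print(f"{e.state}{e.start} {e.name:<10} {e.image}")
        for hint in e.flags:
            print(f"      - {hint}")
```

On the sample, the stopped SUPERAntiSpyware driver loaded from a Desktop folder collects the most hints, and the running system-start LIKECDN2 driver with no display name is next, which is the file the helper later sends for scanning; neither hint by itself says anything about the file's intent.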

#25 | evilfantasy (Security Team) | 16th August 2009, 03:30 PM
RootRepeal - Rootkit Detector

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

#26 | ysb21189 (Newcomer) | 16th August 2009, 09:14 PM
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 17:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBAC8A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A27000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7E84000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8bb9764

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8bb9750

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8bb9755

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8bb975f

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf8bb975a

==EOF==
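The RootRepeal log above lists five SSDT entries hooked by an unattributed module, all at addresses in the same 4 KiB page, plus drivers whose image file is not visible on disk. The following parser is an added example (not RootRepeal's or the forum's code) that turns a report in that layout into data a responder can check: it splits the report into sections, extracts the SSDT hooks, groups the unattributed ones by memory page, and lists the file-invisible drivers. The report embedded below is a constructed excerpt modelled on the posted log; the hook attributed to `C:\EXAMPLE\known_security_driver.sys` is a placeholder added to show how an attributed hook is treated differently.

```python
"""Parse a RootRepeal report and pull out the findings a responder reads first.

Added example, not RootRepeal's or the forum's code. SAMPLE_REPORT is a
constructed excerpt in the layout of the posted log; the attributed hook
(C:\\EXAMPLE\\known_security_driver.sys) is a placeholder, not a real driver.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 17:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBAC8A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7E84000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8bb9764

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8bb9750

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\EXAMPLE\known_security_driver.sys" at address 0xb7d1a2c0

==EOF==
"""

# One line may carry several "Key: value" pairs (Address/Size/File Visible/Signed).
PAIR_RE = re.compile(r"(\S[^:]*?):\s*(.*?)(?=\s+\S[^:]*?:\s|$)")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)')
RULE_RE = re.compile(r"-{5,}")


def parse_sections(report):
    """Split a report into {section name: [entry dict, ...]}.

    A section header is a line followed by a dashed rule; entries inside a
    section are blank-line-separated blocks of "Key: value" lines.
    """
    lines = report.splitlines()
    sections, current, entry = {}, None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE_RE.fullmatch(lines[i + 1]):
            if current is not None and entry:
                sections[current].append(entry)
            current, entry = line.strip(), {}
            sections[current] = []
            continue
        if current is None or RULE_RE.fullmatch(line) or line.startswith("=="):
            continue
        if not line.strip():
            if entry:
                sections[current].append(entry)
                entry = {}
            continue
        entry.update(PAIR_RE.findall(line))
    if current is not None and entry:
        sections[current].append(entry)
    return sections


def ssdt_hooks(sections):
    """Hooked SSDT entries as dicts with index, function, module and address."""
    hooks = []
    for e in sections.get("SSDT", []):
        m = HOOK_RE.match(e.get("Status", ""))
        if m:
            hooks.append({"index": int(e["#"]), "function": e["Function Name"],
                          "module": m["module"], "address": int(m["addr"], 16)})
    return hooks


def unknown_hooks_by_page(hooks, page_size=0x1000):
    """Group hooks RootRepeal could not attribute by the page of their target.

    Several hooks landing in one page point at one resident code blob; naming
    that blob (which driver owns the page) is the next step of the analysis.
    """
    pages = defaultdict(list)
    for h in hooks:
        if h["module"] == "<unknown>":
            pages[h["address"] // page_size * page_size].append(h["function"])
    return dict(pages)


def invisible_drivers(sections):
    """Loaded drivers whose image file is not visible on disk."""
    return [d["Name"] for d in sections.get("Drivers", []) if d.get("File Visible") == "No"]


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_REPORT)
    for page, fns in unknown_hooks_by_page(ssdt_hooks(secs)).items():
        print(f"unattributed hooks in page {page:#x}: {', '.join(fns)}")
    print("drivers with no visible image file:", invisible_drivers(secs))
```

The page grouping is the useful output: in the posted log all five hooked services (thread creation, process and thread opening, process termination, memory writes) resolve into one page, which is the pattern of a single hooking module protecting itself rather than five unrelated hooks. The file-invisible list needs reading with care: RootRepeal's own driver and the `dump_*` crash-dump drivers are routinely reported that way, so the check is a prompt to look, not a verdict.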

#27, 17th August 2009, 01:07 AM, evilfantasy (Security Team):
Scan Suspicious File(s)

Please go to VirusTotal.com
(If more than one file needs to be scanned, they must be done separately, with a log posted for each one.)

1. Copy the file path in the below Code box:

Code:
c:\windows\system32\drivers\LIKECDN2.sys
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply

----------

Also scan this file and post the link to it back here.

Code:
c:\windows\System32\kauz.sys

#28, 17th August 2009, 03:41 AM, ysb21189 (Newcomer):
It wouldn't let me paste the link, so I used Browse and found the file. I didn't really know how to copy the log and keep the form.



File LIKECDN2.sys received on 2009.08.17 03:47:01 (UTC)


Result: 0/41 (0%)


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.17 -
AhnLab-V3 5.0.0.2 2009.08.15 -
AntiVir 7.9.1.1 2009.08.14 -
Antiy-AVL 2.0.3.7 2009.08.14 -
Authentium 5.1.2.4 2009.08.16 -
Avast 4.8.1335.0 2009.08.17 -
AVG 8.5.0.406 2009.08.17 -
BitDefender 7.2 2009.08.17 -
CAT-QuickHeal 10.00 2009.08.16 -
ClamAV 0.94.1 2009.08.17 -
Comodo 1995 2009.08.17 -
DrWeb 5.0.0.12182 2009.08.17 -
eSafe 7.0.17.0 2009.08.16 -
eTrust-Vet 31.6.6678 2009.08.14 -
F-Prot 4.4.4.56 2009.08.16 -
F-Secure 8.0.14470.0 2009.08.17 -
Fortinet 3.120.0.0 2009.08.17 -
GData 19 2009.08.17 -
Ikarus T3.1.1.64.0 2009.08.17 -
Jiangmin 11.0.800 2009.08.16 -
K7AntiVirus 7.10.819 2009.08.14 -
Kaspersky 7.0.0.125 2009.08.17 -
McAfee 5711 2009.08.16 -
McAfee+Artemis 5711 2009.08.16 -
McAfee-GW-Edition 6.8.5 2009.08.16 -
Microsoft 1.4903 2009.08.16 -
NOD32 4340 2009.08.16 -
Norman 6.01.09 2009.08.14 -
nProtect 2009.1.8.0 2009.08.16 -
Panda 10.0.0.14 2009.08.16 -
PCTools 4.4.2.0 2009.08.16 -
Prevx 3.0 2009.08.17 -
Rising 21.42.62.00 2009.08.16 -
Sophos 4.44.0 2009.08.17 -
Sunbelt 3.2.1858.2 2009.08.16 -
Symantec 1.4.4.12 2009.08.17 -
TheHacker 6.3.4.3.383 2009.08.13 -
TrendMicro 8.950.0.1094 2009.08.14 -
VBA32 3.12.10.9 2009.08.17 -
ViRobot 2009.8.14.1885 2009.08.14 -
VirusBuster 4.6.5.0 2009.08.16 -
Additional information
File size: 20972 bytes
MD5...: 748ed7a327dc151e46e4eed30a1663f3
SHA1..: 6b8da7ac846a03df012ad1aa0706624cb2490f23
SHA256: 975db86e330812c232d2ff679132006ba6bb37ca3c8eab08c8620d4f9d6b289d
ssdeep: 384:aKYG6+Z4x1oQzAbt0RDKzB88YwYYA/12h+ByqNOR/VUY6hwj9jFxBw:aAg1oQzcslYwyqcR/Vt6UjFxBw

PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4d0
timedatestamp.....: 0x3baa9115 (Fri Sep 21 01:00:05 2001)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2c0 0x3b99 0x3ba0 6.71 f681ffa6c810f177444de219a1568e84
.rdata 0x3e60 0xb9 0xc0 2.80 ece5b87295f3cb1b1542a36305416b01
.data 0x3f20 0x4cc 0x4e0 5.36 03b0b0b2a04d2a411635b4767a4e30e2
INIT 0x4400 0x270 0x280 4.85 9e45fea8ae05ea6906b59137aff2b10d
.rsrc 0x4680 0x410 0x420 3.34 a41a01b10e01c00fd2799996f804e60a
.reloc 0x4aa0 0x11e 0x120 4.04 2177d064a2f9bd97276b25e73526e5e0

( 2 imports )
> SCSIPORT.SYS: ScsiPortNotification, ScsiPortCompleteRequest, ScsiPortInitialize
> ntoskrnl.exe: MmGetPhysicalAddress, MmBuildMdlForNonPagedPool, PsGetVersion, IoAllocateMdl, MmAllocateContiguousMemory, ExFreePool, ZwClose, IoCreateSynchronizationEvent, RtlInitUnicodeString, ExQueueWorkItem, ExAllocatePoolWithTag, KeSetEvent, KeResetEvent, RtlFreeUnicodeString, ZwCreateFile, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwReadFile

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set

#29, 17th August 2009, 03:47 AM, ysb21189 (Newcomer):
For the second file, there is no exact kauz.sys file under system32. There are a kauzdelegate.dll, a kauzsvr.dll, and a kauzhooksvr.dll.

#30, 17th August 2009, 02:20 PM, evilfantasy (Security Team):
Scan kauzdelegate.dll please.

#31, 17th August 2009, 07:01 PM, ysb21189 (Newcomer):
File kauzdelegate.dll received on 2009.08.17 19:10:25 (UTC)


Result: 0/41 (0%)


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.17 -
AhnLab-V3 5.0.0.2 2009.08.17 -
AntiVir 7.9.1.1 2009.08.17 -
Antiy-AVL 2.0.3.7 2009.08.17 -
Authentium 5.1.2.4 2009.08.17 -
Avast 4.8.1335.0 2009.08.17 -
AVG 8.5.0.406 2009.08.17 -
BitDefender 7.2 2009.08.17 -
CAT-QuickHeal 10.00 2009.08.17 -
ClamAV 0.94.1 2009.08.17 -
Comodo 2003 2009.08.17 -
DrWeb 5.0.0.12182 2009.08.17 -
eSafe 7.0.17.0 2009.08.17 -
eTrust-Vet 31.6.6681 2009.08.17 -
F-Prot 4.4.4.56 2009.08.16 -
F-Secure 8.0.14470.0 2009.08.17 -
Fortinet 3.120.0.0 2009.08.17 -
GData 19 2009.08.17 -
Ikarus T3.1.1.68.0 2009.08.17 -
Jiangmin 11.0.800 2009.08.17 -
K7AntiVirus 7.10.820 2009.08.17 -
Kaspersky 7.0.0.125 2009.08.17 -
McAfee 5712 2009.08.17 -
McAfee+Artemis 5712 2009.08.17 -
McAfee-GW-Edition 6.8.5 2009.08.17 -
Microsoft 1.4903 2009.08.17 -
NOD32 4343 2009.08.17 -
Norman 6.01.09 2009.08.17 -
nProtect 2009.1.8.0 2009.08.17 -
Panda 10.0.0.14 2009.08.17 -
PCTools 4.4.2.0 2009.08.17 -
Prevx 3.0 2009.08.17 -
Rising 21.43.04.00 2009.08.17 -
Sophos 4.44.0 2009.08.17 -
Sunbelt 3.2.1858.2 2009.08.17 -
Symantec 1.4.4.12 2009.08.17 -
TheHacker 6.3.4.3.383 2009.08.13 -
TrendMicro 8.950.0.1094 2009.08.17 -
VBA32 3.12.10.9 2009.08.17 -
ViRobot 2009.8.17.1887 2009.08.17 -
VirusBuster 4.6.5.0 2009.08.17 -
Additional information
File size: 71280 bytes
MD5...: 8f3aa65db2c064369321e179191b9578
SHA1..: aef12076505051c9b65f0ceeaac3ec7080a6f5c1
SHA256: 1c9b81cacad1f2aa964758adf2f404d74a032729d2da2643948297ce42fa56b9
ssdeep: 1536:tAsuV4ukcgzF4ZNBs0sq2WSy+ea6+melEZV7B3X8Mw:QVazF4V7B3X8Mw

PEiD..: -
TrID..: File type identification
DirectShow filter (94.5%)
Win32 Dynamic Link Library (generic) (3.5%)
Generic Win/DOS Executable (0.9%)
DOS Executable Generic (0.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3d60
timedatestamp.....: 0x3fbc8e4d (Thu Nov 20 09:50:05 2003)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x436e 0x4400 6.13 c1f3a775dd9a5a7424925f59358774ed
.orpc 0x6000 0x818a 0x8200 4.00 c0de66df1b78e46124df80a726a0d88b
.rdata 0xf000 0x28d9 0x2a00 4.97 8a4953d6d370a9c232206400afc26ebb
.data 0x12000 0x388 0x400 3.18 b456758b86410cebfaab53c437d6f21a
.CRT 0x13000 0x1c 0x200 0.35 19b0282da180d6b069f14d70a8a0336a
.rsrc 0x14000 0x510 0x600 2.95 e1e1758d6ff11b666401d48256103acf
.reloc 0x15000 0x1542 0x1600 6.12 f74a61e638c8e0ec94ca7c16001614d2

( 3 imports )
> KERNEL32.dll: GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetModuleFileNameA, TlsAlloc, GetModuleFileNameW, GetVersionExA, TlsGetValue, TlsSetValue, InterlockedIncrement, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, InterlockedDecrement, OutputDebugStringA, OutputDebugStringW
> ADVAPI32.dll: RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegDeleteKeyW, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
> ole32.dll: CoTaskMemFree, CoTaskMemAlloc, CoGetStandardMarshal, CoCreateFreeThreadedMarshaler, CoGetMarshalSizeMax, CoReleaseMarshalData, CoCreateInstance, CoMarshalInterface, CoGetPSClsid, CoGetClassObject, StringFromGUID2, CoUnmarshalInterface

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

PDFiD.: -
RDS...: NSRL Reference Data Set
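Both VirusTotal results in this thread (#28 for LIKECDN2.sys and #31 for kauzdelegate.dll) came back 0/41, and the helper moved on from the files. A clean score only says that no engine's signatures at that moment matched; the rest of the report (engine update dates, hashes, section entropies, build timestamp, imports) is what an analyst reads before trusting it. The parser below is an added example, not VirusTotal's or the forum's code, that takes a result in the text layout posted above and pulls those fields out. The embedded report is a constructed excerpt: the file name `sample_driver.sys`, the hashes, the `.packed` section and the detection name `Placeholder.Detection.Name` are placeholders chosen so that the stale-engine, entropy and detection checks each have something to find; the timestamp value is the one from the posted LIKECDN2.sys report.

```python
"""Parse a VirusTotal result (2009 text layout) and run basic sanity checks.

Added example, not VirusTotal's or the forum's code. SAMPLE_REPORT is a
constructed excerpt; file name, hashes, the .packed section and the
detection name are placeholders.
"""
import re
from datetime import datetime, timezone

SAMPLE_REPORT = """\
File sample_driver.sys received on 2009.08.17 03:47:01 (UTC)
Result: 1/6 (16.67%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.17 -
AntiVir 7.9.1.1 2009.08.14 -
Kaspersky 7.0.0.125 2009.08.17 Placeholder.Detection.Name
McAfee+Artemis 5711 2009.08.16 -
TheHacker 6.3.4.3.383 2009.08.13 -
VirusBuster 4.6.5.0 2009.08.16 -
Additional information
File size: 20972 bytes
MD5...: 0123456789abcdef0123456789abcdef
SHA1..: 0123456789abcdef0123456789abcdef01234567
SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4d0
timedatestamp.....: 0x3baa9115 (Fri Sep 21 01:00:05 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2c0 0x3b99 0x3ba0 6.71 0123456789abcdef0123456789abcdef
.data 0x3f20 0x4cc 0x4e0 5.36 0123456789abcdef0123456789abcdef
.packed 0x4400 0x9000 0x9000 7.62 0123456789abcdef0123456789abcdef

( 2 imports )
> SCSIPORT.SYS: ScsiPortNotification, ScsiPortCompleteRequest, ScsiPortInitialize
> ntoskrnl.exe: MmGetPhysicalAddress, ZwCreateFile, ZwReadFile
"""

RECEIVED_RE = re.compile(r"^File (\S+) received on (\d{4}\.\d{2}\.\d{2}) (\d{2}:\d{2}:\d{2}) \(UTC\)")
RESULT_RE = re.compile(r"^Result:\s*(\d+)/(\d+)")
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)")
TIMESTAMP_RE = re.compile(r"^timedatestamp\.*:\s*(0x[0-9a-fA-F]+)")
SECTION_RE = re.compile(r"^(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\d+\.\d+)\s+([0-9a-f]{32})$")
IMPORT_RE = re.compile(r"^> (\S+): (.*)$")


def parse_vt_report(text):
    """Turn the pasted report text into a dict of the fields worth checking."""
    report = {"file": None, "received": None, "result": None, "engines": [],
              "hashes": {}, "build_time": None, "sections": [], "imports": {}}
    in_engines = False  # True between the engine table header and "Additional information"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RECEIVED_RE.match(line):
            report["file"] = m[1]
            report["received"] = datetime.strptime(f"{m[2]} {m[3]}", "%Y.%m.%d %H:%M:%S")
        elif m := RESULT_RE.match(line):
            report["result"] = (int(m[1]), int(m[2]))
        elif line.startswith("Antivirus Version"):
            in_engines = True
        elif line.startswith("Additional information"):
            in_engines = False
        elif in_engines and (m := ENGINE_RE.match(line)):
            report["engines"].append({"name": m[1], "version": m[2],
                                      "updated": datetime.strptime(m[3], "%Y.%m.%d").date(),
                                      "result": m[4].strip()})
        elif m := HASH_RE.match(line):
            report["hashes"][m[1]] = m[2].lower()
        elif m := TIMESTAMP_RE.match(line):
            # PE TimeDateStamp is seconds since the Unix epoch, nominally UTC.
            report["build_time"] = datetime.fromtimestamp(int(m[1], 16), tz=timezone.utc)
        elif m := SECTION_RE.match(line):
            report["sections"].append({"name": m[1], "vaddr": int(m[2], 16), "vsize": int(m[3], 16),
                                       "rawsize": int(m[4], 16), "entropy": float(m[5]), "md5": m[6]})
        elif m := IMPORT_RE.match(line):
            report["imports"][m[1]] = [f.strip() for f in m[2].split(",") if f.strip()]
    return report


def detections(report):
    """(engine, verdict) for every engine that flagged the file ("-" means clean)."""
    return [(e["name"], e["result"]) for e in report["engines"] if e["result"] != "-"]


def stale_engines(report, max_age_days=2):
    """Engines whose signatures were older than max_age_days at scan time."""
    scan_day = report["received"].date()
    return [e["name"] for e in report["engines"] if (scan_day - e["updated"]).days > max_age_days]


def high_entropy_sections(report, threshold=7.0):
    """Sections whose Shannon entropy suggests packed or encrypted content."""
    return [s["name"] for s in report["sections"] if s["entropy"] >= threshold]


if __name__ == "__main__":
    r = parse_vt_report(SAMPLE_REPORT)
    print(r["file"], "result %d/%d" % r["result"], "built", r["build_time"].date())
    print("detections:", detections(r), "stale engines:", stale_engines(r))
    print("high-entropy sections:", high_entropy_sections(r), "imports from:", list(r["imports"]))
```

Read against the real reports above: several engines in the LIKECDN2.sys result were three or four days behind the scan date, so "0/41" was not 41 current opinions; the section entropies there stay below the packing threshold, and the driver imports only from SCSIPORT.SYS and ntoskrnl.exe, which is consistent with an ordinary storage miniport but is not proof of anything. The hashes are the part worth keeping: they let the same file be looked up again once signatures catch up.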

#32, 17th August 2009, 07:27 PM, evilfantasy (Security Team):
You can delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\Combo-Fix-quarantined-files.txt

----------

Run CCleaner.

----------

Please scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.

#33, 19th August 2009, 06:55 AM, ysb21189 (Newcomer):
Ok, here is the activescan log. I won't be able to access the computer for a couple of weeks but I will get back to you as soon as possible.

;********************************************************************************
ANALYSIS: 2009-08-19 02:52:45
PROTECTIONS: 1
MALWARE: 13
SUSPECTS: 5
;********************************************************************************
PROTECTIONS
Description Version Active Updated
;================================================================================
Avira AntiVir PersonalEdition 8.0.1.30 Yes Yes
;================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================================================
00032745 adware/sahagent Adware No 0 Yes No c:\windows\downloaded program files\setup4002b.ini
00035328 Application/KillApp.A HackTools No 0 Yes No C:\hp\bin\Terminator.exe
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\living\insurance.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\living\home.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\living\find a job.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\auctions.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\books.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\computers.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\discount.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\flowers.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\golf.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\jewelry.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\movies.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\music.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\online store.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\perfume.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\sleepwear.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\technology\adware remover.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\technology\anti-virus.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\technology\pc cleaner.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\technology\tech & gadgets.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\living\find a degree.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\technology
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\going places\car rentals.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\going places\hotel deals.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\going places\luggage.lnk
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\fun & games
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\going places
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\living
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{8940e505-72c6-44de-be85-1d746780efbf}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{830d3aed-2fa9-454f-b266-d931862bbf34}
00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\clsid\{8940e505-72c6-44de-be85-1d746780efbf}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}
00039209 adware/virtualbouncer Adware No 0 Yes No hkey_local_machine\software\classes\swrt01.rt
00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\swrt01.rt
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{a986f4db-792e-4571-8974-0bb6e024766f}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{bccab53d-0895-40c3-a942-a03538ce227a}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{49db48ff-02b5-4645-b676-94a4df1aa026}
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5e594162-60a9-487d-84b8-dbdd716cb862}
00046435 adware/isearch Adware No 0 Yes No hkey_local_machine\software\system updater
00046435 adware/isearch Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_delprot
00046435 adware/isearch Adware No 0 Yes No hkey_local_machine\system\controlset002\enum\root\legacy_delprot
00046435 adware/isearch Adware No 0 Yes No c:\windows\deskbar.ini
00047863 adware/ieplugin Adware No 0 Yes No c:\windows\kwv2.dat
00101741 adware/ist.sidefind Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sidefind
00472802 Adware/Beginto Adware No 0 No No C:\Documents and Settings\Owner\My Documents\bryan\divx\DivXInstaller.exe[²ÜÇ\GoogleToolbarFirefox.msi][unk_0020][xpi][components/googletoolbar.dll]
02235691 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\Downloaded Program Files\HGStart9USA.exe
02457190 Trj/Alureon.BB Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP201\A0016536.dll
02537438 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP201\A0016534.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP201\A0016552.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP201\A0016537.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP201\A0016535.dll
;================================================================================
SUSPECTS
Sent Location
;================================================================================
No C:\Documents and Settings\Owner\My Documents\bryan\당나귀\donkeyp2p\p2p_donkey_virus.exe
No C:\Documents and Settings\Owner\My Documents\Program_Backup\ALZip52.exe
No C:\Program Files\AIM\Sysfiles\AIMWDInstall.exe
No C:\WINDOWS\Downloaded Program Files\HGPlugin9USA.dll
No C:\WINDOWS\system32\ALZZip.BIN
;================================================================================
VULNERABILITIES
Id Severity Description
;================================================================================
;================================================================================
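The Panda ActiveScan report above is long but has a fixed shape, and most of its entries fall into three groups that call for different handling: files, registry keys, and copies inside System Restore points (the `System Volume Information\_restore{...}` paths, which is what the later "flush old restore points" step is for). The parser below is an added example, not Panda's or the forum's code, that reads a report in the posted layout (with the column header `Id Description Type Active Severity Disinfectable Disinfected Location`), buckets each finding by where it lives, and lists the ones the scanner reports as active. The embedded report is a constructed excerpt built from lines of the posted log; its last entry has been marked `Yes` in the Active column purely so that the active-findings check has something to return.

```python
"""Parse a Panda ActiveScan report and bucket findings by where they live.

Added example, not Panda's or the forum's code. SAMPLE_REPORT is a constructed
excerpt of the posted log; the Virtumonde entry was marked Active=Yes here to
exercise active_findings(), which is not how the posted log reads.
"""
import re

SAMPLE_REPORT = r"""
;********************************************************************************
ANALYSIS: 2009-08-19 02:52:45
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 2
;********************************************************************************
PROTECTIONS
Description Version Active Updated
;================================================================================
Avira AntiVir PersonalEdition 8.0.1.30 Yes Yes
;================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================================================
00035328 Application/KillApp.A HackTools No 0 Yes No C:\hp\bin\Terminator.exe
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\shop\books.lnk
00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}
02235691 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\Downloaded Program Files\HGStart9USA.exe
02457190 Trj/Alureon.BB Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP201\A0016536.dll
02537438 Spyware/Virtumonde Spyware Yes 1 Yes No C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP201\A0016534.sys
;================================================================================
SUSPECTS
Sent Location
;================================================================================
No C:\WINDOWS\system32\ALZZip.BIN
No C:\Program Files\AIM\Sysfiles\AIMWDInstall.exe
;================================================================================
VULNERABILITIES
Id Severity Description
;================================================================================
;================================================================================
"""

# Description may contain spaces ("Generic Malware"), so it is matched lazily and
# anchored by the Yes/No and numeric columns that follow; Location takes the rest.
MALWARE_RE = re.compile(
    r"^(\d{8})\s+(.+?)\s+(\S+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(.+)$")
SUSPECT_RE = re.compile(r"^(Yes|No)\s+(.+)$")
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.I)
REGISTRY_RE = re.compile(r"^hkey_", re.I)
SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")


def parse_activescan(text):
    """Return {"analysis": timestamp, "malware": [...], "suspects": [...]}."""
    report = {"analysis": None, "malware": [], "suspects": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # separators and comments
            continue
        if line.startswith("ANALYSIS:"):
            report["analysis"] = line.split(":", 1)[1].strip()
        elif line in SECTIONS:
            section = line
        elif section == "MALWARE" and (m := MALWARE_RE.match(line)):
            report["malware"].append({
                "id": m[1], "description": m[2], "type": m[3],
                "active": m[4] == "Yes", "severity": int(m[5]),
                "disinfectable": m[6] == "Yes", "disinfected": m[7] == "Yes",
                "location": m[8]})
        elif section == "SUSPECTS" and (m := SUSPECT_RE.match(line)):
            report["suspects"].append({"sent": m[1] == "Yes", "location": m[2]})
    return report


def classify(location):
    """Where a finding lives decides how it is cleaned up."""
    if RESTORE_RE.match(location):
        return "restore_point"   # only goes away when System Restore is flushed
    if REGISTRY_RE.match(location):
        return "registry"        # leftover CLSIDs/keys, no file on disk
    return "file"


def triage(report):
    """Bucket malware findings as {"restore_point": [...], "registry": [...], "file": [...]}."""
    buckets = {"restore_point": [], "registry": [], "file": []}
    for e in report["malware"]:
        buckets[classify(e["location"])].append(e)
    return buckets


def active_findings(report):
    """Findings the scanner saw running or loaded, which take priority."""
    return [e for e in report["malware"] if e["active"]]


if __name__ == "__main__":
    r = parse_activescan(SAMPLE_REPORT)
    for kind, items in triage(r).items():
        print(f"{kind}: {len(items)}", [e["description"] for e in items])
    print("active:", [e["description"] for e in active_findings(r)])
    print("suspects not sent:", [s["location"] for s in r["suspects"] if not s["sent"]])
```

Run over the full posted report, this sorts the 13 malware IDs into a handful of adware favourites and registry leftovers, one downloaded executable, and five restore-point copies of earlier infections; the restore-point group is exactly what the "Disable/Enable the System Restore Utility" step that follows removes, and it is also where Avira's later TR/TDss alert came from.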

#34, 19th August 2009, 06:58 AM, ysb21189 (Newcomer):
The columns broke, so I attached the text file as well.
Attached file: ActiveScan.txt (15.6 KB)

#35, 19th August 2009, 07:00 AM, ysb21189 (Newcomer):
Sorry, one last thing. While it was running the ActiveScan, Avira alerted me that "TR/TDss.amwo" (a trojan) was blocked. It was located in "system volume info: restore".

thanks

#36, 19th August 2009, 04:56 PM, evilfantasy (Security Team):
Disable/Enable the System Restore Utility to flush old infected restore points

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Please download, update and run a-squared Free edition

At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

* If malware is found, click the button Remove Selected Malware
* If malware is found, select all found and click Quarantine selected objects
* Click Save Report. Save the report to somewhere convenient, such as your desktop
* Add the report as an attachment in your next post.