
Author Topic: Alureon.H rootkit virus TermDD  (Read 39856 times)


ishan

    Topic Starter


    Rookie
    Re: Alureon.H rootkit virus TermDD
    « Reply #30 on: May 28, 2010, 11:09:55 PM »
    + 2010-05-25 18:03 . 2008-04-14 12:00   666112              c:\windows\ie7\wininet.dll
    - 2009-12-14 18:55 . 2008-04-14 12:00   666112              c:\windows\ie7\wininet.dll
    - 2009-12-14 18:55 . 2008-04-14 12:00   276480              c:\windows\ie7\webcheck.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   276480              c:\windows\ie7\webcheck.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   851968              c:\windows\ie7\vgx.dll
    - 2009-12-14 18:55 . 2008-04-14 12:00   851968              c:\windows\ie7\vgx.dll
    - 2009-12-14 18:55 . 2008-04-14 12:00   619520              c:\windows\ie7\urlmon.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   619520              c:\windows\ie7\urlmon.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   532480              c:\windows\ie7\mstime.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   532480              c:\windows\ie7\mstime.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   146432              c:\windows\ie7\msrating.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   146432              c:\windows\ie7\msrating.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   146432              c:\windows\ie7\msls31.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   146432              c:\windows\ie7\msls31.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   449024              c:\windows\ie7\mshtmled.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   449024              c:\windows\ie7\mshtmled.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   251904              c:\windows\ie7\iepeers.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   251904              c:\windows\ie7\iepeers.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   323584              c:\windows\ie7\iedkcs32.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   323584              c:\windows\ie7\iedkcs32.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   221184              c:\windows\ie7\ieakui.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   221184              c:\windows\ie7\ieakui.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   216576              c:\windows\ie7\ieaksie.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   216576              c:\windows\ie7\ieaksie.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   143360              c:\windows\ie7\ieakeng.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   143360              c:\windows\ie7\ieakeng.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   205312              c:\windows\ie7\dxtrans.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   205312              c:\windows\ie7\dxtrans.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   357888              c:\windows\ie7\dxtmsft.dll
    + 2010-05-25 18:03 . 2008-04-14 12:00   357888              c:\windows\ie7\dxtmsft.dll
    + 2010-05-25 21:23 . 2010-02-24 13:11   455680              c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2010-05-26 17:15 . 2009-10-20 16:20   265728              c:\windows\Driver Cache\i386\http.sys
    + 2010-05-25 21:24 . 2008-06-13 11:05   272128              c:\windows\Driver Cache\i386\bthport.sys
    + 2008-04-14 12:00 . 2009-11-21 15:51   471552              c:\windows\AppPatch\aclayers.dll
    - 2010-05-03 16:39 . 2009-08-13 13:55   1748992              c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
    + 2010-05-25 21:23 . 2009-08-13 13:55   1748992              c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
    + 2010-05-03 16:39 . 2009-08-13 13:55   1748992              c:\windows\WinSxS\InstallTemp\19236357\GdiPlus.dll
    + 2007-08-27 20:48 . 2009-08-07 02:23   1929952              c:\windows\system32\wuaueng.dll
    + 2008-04-14 12:00 . 2009-05-20 11:56   2458112              c:\windows\system32\WMVCore.dll
    + 2008-04-14 12:00 . 2006-10-19 04:47   1329152              c:\windows\system32\WMSPDMOE.dll
    + 2008-04-14 12:00 . 2006-10-19 04:47   8231936              c:\windows\system32\wmploc.dll
    + 2008-04-14 12:00 . 2006-10-19 04:47   1117696              c:\windows\system32\WMADMOE.dll
    + 2008-04-14 12:00 . 2009-08-14 13:21   1850624              c:\windows\system32\win32k.sys
    + 2008-04-14 12:00 . 2010-03-11 12:38   1168384              c:\windows\system32\urlmon.dll
    - 2008-04-14 12:00 . 2008-04-14 12:00   8461312              c:\windows\system32\shell32.dll
    + 2008-04-14 12:00 . 2008-06-17 19:02   8461312              c:\windows\system32\shell32.dll
    - 2008-04-14 12:00 . 2008-04-14 12:00   1435648              c:\windows\system32\query.dll
    + 2008-04-14 12:00 . 2009-07-17 16:22   1435648              c:\windows\system32\query.dll
    + 2008-04-14 12:00 . 2009-11-27 17:11   1291776              c:\windows\system32\quartz.dll
    + 2008-04-14 12:00 . 2010-02-16 14:08   2146304              c:\windows\system32\ntoskrnl.exe
    + 2008-04-14 00:01 . 2010-02-16 13:25   2024448              c:\windows\system32\ntkrnlpa.exe
    + 2008-04-14 12:00 . 2009-07-31 17:05   1372672              c:\windows\system32\msxml6.dll
    + 2008-04-14 12:00 . 2009-07-31 04:35   1172480              c:\windows\system32\msxml3.dll
    + 2008-04-14 12:00 . 2010-03-11 12:38   3599872              c:\windows\system32\mshtml.dll
    + 2007-08-27 20:48 . 2009-08-07 02:23   1929952              c:\windows\system32\dllcache\wuaueng.dll
    + 2008-04-14 12:00 . 2009-05-20 11:56   2458112              c:\windows\system32\dllcache\WMVCore.dll
    + 2008-04-14 12:00 . 2006-10-19 04:47   1329152              c:\windows\system32\dllcache\WMSPDMOE.dll
    + 2008-04-14 12:00 . 2006-10-19 04:47   8231936              c:\windows\system32\dllcache\wmploc.dll
    + 2008-04-14 12:00 . 2006-10-19 04:47   1117696              c:\windows\system32\dllcache\WMADMOE.dll
    + 2008-04-14 12:00 . 2009-08-14 13:21   1850624              c:\windows\system32\dllcache\win32k.sys
    + 2008-04-14 12:00 . 2010-03-11 12:38   1168384              c:\windows\system32\dllcache\urlmon.dll
    - 2008-04-14 12:00 . 2008-04-14 12:00   8461312              c:\windows\system32\dllcache\shell32.dll
    + 2008-04-14 12:00 . 2008-06-17 19:02   8461312              c:\windows\system32\dllcache\shell32.dll
    + 2007-08-27 20:48 . 2006-11-02 01:31   1669120              c:\windows\system32\dllcache\setup_wm.exe
    + 2008-04-14 12:00 . 2009-07-17 16:22   1435648              c:\windows\system32\dllcache\query.dll
    - 2008-04-14 12:00 . 2008-04-14 12:00   1435648              c:\windows\system32\dllcache\query.dll
    + 2008-04-14 12:00 . 2009-11-27 17:11   1291776              c:\windows\system32\dllcache\quartz.dll
    + 2009-02-08 02:02 . 2010-02-16 13:25   2066816              c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2008-04-14 12:00 . 2009-07-31 17:05   1372672              c:\windows\system32\dllcache\msxml6.dll
    + 2008-04-14 12:00 . 2009-07-31 04:35   1172480              c:\windows\system32\dllcache\msxml3.dll
    + 2007-08-27 20:48 . 2010-01-30 03:31   1315328              c:\windows\system32\dllcache\msoe.dll
    + 2008-04-14 12:00 . 2010-03-11 12:38   3599872              c:\windows\system32\dllcache\mshtml.dll
    - 2007-08-27 20:48 . 2008-04-14 12:00   3558912              c:\windows\system32\dllcache\moviemk.exe
    + 2007-08-27 20:48 . 2009-10-23 15:28   3558912              c:\windows\system32\dllcache\moviemk.exe
    + 2010-05-26 18:27 . 2010-05-26 18:27   1205760              c:\windows\Installer\7a26fe.msi
    + 2010-05-25 18:03 . 2008-04-14 12:00   3066880              c:\windows\ie7\mshtml.dll
    - 2010-01-16 16:38 . 2008-04-14 12:00   3066880              c:\windows\ie7\mshtml.dll
    + 2010-05-25 21:20 . 2010-02-17 16:10   2189952              c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2010-05-25 21:20 . 2010-02-16 13:25   2024448              c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2009-02-08 02:02 . 2010-02-16 13:25   2066816              c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2010-05-25 21:20 . 2010-02-16 14:08   2146304              c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2008-04-14 12:00 . 2009-07-14 06:43   10841088              c:\windows\system32\wmp.dll
    + 2008-04-14 12:00 . 2009-07-14 06:43   10841088              c:\windows\system32\dllcache\wmp.dll
    .
    -- Snapshot reset to current date --
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
    "PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
    "Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
    "nwiz"="nwiz.exe" [2007-04-29 1626112]
    "NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
    "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
    "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
    "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    c:\documents and settings\iraval\Start Menu\Programs\Startup\
    BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
    VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
    Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
    "Script"=Inventory4.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
    "Script"=ComputerDescript.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
    "Script"=servicenow.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
    "Script"=list_lenovo_profiles_and_delete.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
    "Script"=Inventory4.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
    "Script"=ComputerDescript.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
    "Script"=list_lenovo_profiles_and_delete.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
    2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Cygwin\\bin\\XWin.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

    R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
    R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
    R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
    R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
    S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
    S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
    S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
    S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
    S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
    S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
    S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
    S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
    S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
    S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
    WINRM   REG_MULTI_SZ      WINRM
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-05-28 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

    2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

    2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

    2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
    - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

    2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
    - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

    2010-05-28 c:\windows\Tasks\MP Scheduled Quick Scan.job
    - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

    2010-05-28 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

    2010-05-29 c:\windows\Tasks\MP Scheduled Signature Update.job
    - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = ;*.local;<local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    Trusted Zone: capitalone.com\servicing
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: ultimatix.net\ipmsapp
    Trusted Zone: ultimatix.net\www
    DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
    DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
    FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-28 21:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1576)
    c:\windows\system32\SSRPMGINA.dll

    - - - - - - - > 'lsass.exe'(1636)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll
    .
    Completion time: 2010-05-28  21:09:46
    ComboFix-quarantined-files.txt  2010-05-29 04:09

    Pre-Run: 15,756,505,088 bytes free
    Post-Run: 15,779,717,120 bytes free

    - - End Of File - - 1766E50B15D541D51CA549C6AFD2E8E6

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Alureon.H rootkit virus TermDD
    « Reply #31 on: May 30, 2010, 11:49:36 AM »
    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    Double-click to run the tool
    Please download MBR.EXE by GMER.  Save the file in the C:\windows\system32\ folder.
    Click Start --> Run type in mbr.exe -f and click OK.
    Reboot. (IMPORTANT!)
    Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    Code:
    @echo off
    cd\
    cd windows
    cd system32
    mbr.exe -t
    start mbr.log
    Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
    Open your c:\ folder and double-click on fixme.bat.  A logfile will open (C:\windows\system32\mbr.log).  Please paste the contents in your next reply.

    Windows 8 and Windows 10 dual boot with two SSD's

    ishan

      Re: Alureon.H rootkit virus TermDD
      « Reply #32 on: May 31, 2010, 11:33:33 AM »
      Download and save HelpAsst_mebroot_fix.exe to your desktop.
      Double-click to run the tool

      => I ran the tool; however, it seemed to be stuck at 'checking mbr', but I think it was supposed to do just that, so I waited for a few minutes and then continued with the next steps.

      Please download MBR.EXE by GMER.  Save the file in the C:\windows\system32\ folder.
      Click Start --> Run type in mbr.exe -f and click OK.
      Reboot. (IMPORTANT!)
      Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
      Code:
      @echo off
      cd\
      cd windows
      cd system32
      mbr.exe -t
      start mbr.log
      Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
      Open your c:\ folder and double-click on fixme.bat.  A logfile will open (C:\windows\system32\mbr.log).  Please paste the contents in your next reply.

      => Followed the rest of the steps exactly as you mentioned and am uploading the output in the next reply. So when my machine was being rebooted, HelpAsst_mebroot_fix.exe was still running.


      ishan

        Re: Alureon.H rootkit virus TermDD
        « Reply #33 on: May 31, 2010, 11:33:56 AM »
        Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

        device: opened successfully
        user: MBR read successfully
        called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
        kernel: MBR read successfully
        user & kernel MBR OK
        copy of MBR has been found in sector 0x0950E4C1
        malicious code @ sector 0x0950E4C4 !
        PE file found in sector at 0x0950E4DA !
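
        As an added example (not from this thread, and not GMER's own code), the small Python triage below parses the mbr.exe log above and shows why the "user & kernel MBR OK" line on its own is not a clean bill: the same log also reports a copied MBR and malicious sectors, which a parser that stops at the OK line never sees. The clean-run sample and the 512-byte sector size are assumptions.

        ```python
        import re
        from dataclasses import dataclass, field
        from typing import List, Optional

        # Constructed sample: the mbr.exe log posted above, reproduced inline.
        INFECTED_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

        device: opened successfully
        user: MBR read successfully
        called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
        kernel: MBR read successfully
        user & kernel MBR OK
        copy of MBR has been found in sector 0x0950E4C1
        malicious code @ sector 0x0950E4C4 !
        PE file found in sector at 0x0950E4DA !
        """

        # Constructed sample of a clean run (assumption: same header, no sector findings).
        CLEAN_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

        device: opened successfully
        user: MBR read successfully
        called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
        kernel: MBR read successfully
        user & kernel MBR OK
        """

        SECTOR_BYTES = 512  # assumption: classic 512-byte sectors on a 2010-era disk

        _RE_COPY = re.compile(r"copy of MBR has been found in sector 0x([0-9A-Fa-f]+)")
        _RE_MALICIOUS = re.compile(r"malicious code @ sector 0x([0-9A-Fa-f]+)")
        _RE_PE = re.compile(r"PE file found in sector at 0x([0-9A-Fa-f]+)")
        _RE_MODULES = re.compile(r"^called modules:\s*(.*)$")


        @dataclass
        class MbrTriage:
            mbr_ok: bool = False                      # "user & kernel MBR OK" was seen
            called_modules: List[str] = field(default_factory=list)
            mbr_copy_sector: Optional[int] = None     # where the original MBR was stashed
            malicious_sectors: List[int] = field(default_factory=list)
            pe_sectors: List[int] = field(default_factory=list)

            def verdict(self) -> str:
                # Sector findings outrank the OK line: the MBR itself can read fine
                # while the rootkit body sits elsewhere on the disk.
                if self.malicious_sectors or self.pe_sectors:
                    return "infected"
                if self.mbr_copy_sector is not None:
                    return "suspicious"
                return "clean" if self.mbr_ok else "unverified"

            def byte_offsets(self) -> List[int]:
                """Disk byte offsets of every flagged sector, for carving from a disk image."""
                sectors = [self.mbr_copy_sector] if self.mbr_copy_sector is not None else []
                sectors += self.malicious_sectors + self.pe_sectors
                return [s * SECTOR_BYTES for s in sectors]


        def parse_mbr_log(text: str) -> MbrTriage:
            """Walk every line of the log; never return early on the OK line."""
            t = MbrTriage()
            for raw in text.splitlines():
                line = raw.strip()
                if line == "user & kernel MBR OK":
                    t.mbr_ok = True
                    continue
                m = _RE_MODULES.match(line)
                if m:
                    t.called_modules = m.group(1).split()
                    continue
                m = _RE_COPY.search(line)
                if m:
                    t.mbr_copy_sector = int(m.group(1), 16)
                    continue
                m = _RE_MALICIOUS.search(line)
                if m:
                    t.malicious_sectors.append(int(m.group(1), 16))
                    continue
                m = _RE_PE.search(line)
                if m:
                    t.pe_sectors.append(int(m.group(1), 16))
            return t


        def naive_verdict(text: str) -> str:
            """The shortcut to avoid: declare the disk clean as soon as the MBR checks out."""
            return "clean" if "user & kernel MBR OK" in text else "unverified"


        if __name__ == "__main__":
            for name, log in (("posted log", INFECTED_LOG), ("clean run", CLEAN_LOG)):
                t = parse_mbr_log(log)
                print(f"{name}: naive={naive_verdict(log)} full={t.verdict()} "
                      f"offsets={[hex(o) for o in t.byte_offsets()]}")
        ```

        On the posted log the naive check answers "clean" while the full parse answers "infected" and hands back the byte offsets of the three flagged sectors.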

        SuperDave

        Re: Alureon.H rootkit virus TermDD
        « Reply #34 on: May 31, 2010, 05:22:31 PM »
        Ok. Let's try this again.

        Please download and save HelpAsst_mebroot_fix.exe

        Double click to run the tool.
        When complete, run mbr -f then reboot.

        After reboot, provide the log.
         
        Windows 8 and Windows 10 dual boot with two SSD's

        ishan

          Re: Alureon.H rootkit virus TermDD
          « Reply #35 on: May 31, 2010, 07:42:12 PM »
          Here is what I found at c:\ as HelpAsst.txt


          C:\Documents and Settings\iraval\My Documents\Downloads\HelpAsst_mebroot_fix.exe
          Mon 05/31/2010 at 18:36:39.92

          HelpAssistant account Inactive

           ~~ Checking for termsrv32.dll ~~

          termsrv32.dll not found

           ~~ Checking firewall ports ~~

          HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

          HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

           ~~ Checking profile list ~~

          No HelpAssistant profile in registry

           ~~ Checking mbr ~~

          user & kernel MBR OK

          SuperDave

          Re: Alureon.H rootkit virus TermDD
          « Reply #36 on: June 01, 2010, 10:05:32 AM »
          Please go to Jotti's malware scan
          (If more than one file needs to be scanned, they must be done separately and links posted for each one)

          * Copy the file path in the below Code box:

          Code:
          c:\windows\system32\dllcache\isignup.exe
          c:\windows\system32\emptyregdb.dat
          c:\windows\system32\drivers\rciwwjn.sys

          * At the upload site, click once inside the window next to Browse.
          * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
          * Next click Submit file
          * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          * This will perform a scan across multiple different virus scanning engines.
          * Important: Wait for all of the scanning engines to complete.
          * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

          ===============================

          P2P - I see you have P2P software installed on your machine. (Vuze, Azureus) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

          Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

          I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

          ===================================

          Re-running ComboFix to remove infections:

          • Close any open browsers.
          • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
          • Open notepad and copy/paste the text in the quotebox below into it:
            Quote
            KillAll::

            Folder::

            c:\documents and settings\HelpAssistant

            DDS::
            Trusted Zone: capitalone.com\servicing
            Trusted Zone: intuit.com\ttlc
            Trusted Zone: ultimatix.net\ipmsapp
            Trusted Zone: ultimatix.net\www
            uInternet Settings,ProxyServer = http=127.0.0.1:5555

            DirLook::
            C:\WINXP

            File::
            c:\windows\inf\COMD6.tmp
            c:\windows\inf\COMD6.tmp
            c:\windows\inf\COME3.tmp

          • Save this as CFScript.txt, in the same location as ComboFix.exe



          • Referring to the picture above, drag CFScript into ComboFix.exe
          • When finished, it shall produce a log for you at C:\ComboFix.txt
          • Please post the contents of the log in your next reply.
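As an added triage example (not from the thread and not ComboFix's own code): the CFScript above removes a user proxy that points at 127.0.0.1:5555, and the ComboFix output posted later in the thread lists a start-type-0 driver (cgtfa) whose file rciwwjn.sys is missing. The Python below reads ComboFix-style log lines and flags both patterns so a helper can spot them at a glance; the sample lines are constructed from the formats seen in this thread, and the regular expressions are my assumptions about those formats, not ComboFix's documented grammar.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Flags two indicator patterns that appear in this thread:
  * a user-level WinINet proxy pointing at the loopback interface
      uInternet Settings,ProxyServer = http=127.0.0.1:5555
  * a service/driver entry whose backing file is missing
      S0 cgtfa;cgtfa;...\\rciwwjn.sys --> ...\\rciwwjn.sys [?]
"""
import re
from dataclasses import dataclass

# Assumed line shapes, modelled on the log excerpts in this thread.
PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# ComboFix marks an unresolvable service image as "--> <path> [?]".
MISSING_RE = re.compile(r"-->\s*(?P<path>.+?)\s*\[\?\]\s*$")

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}


@dataclass
class Finding:
    kind: str      # "loopback-proxy" or "missing-driver"
    line: str      # the log line that triggered the finding
    detail: str    # human-readable explanation


def proxy_hosts(value: str) -> list[str]:
    """Extract host names from a WinINet ProxyServer value.

    The value is either 'host:port' or a ';'-separated list of
    'scheme=host:port' entries such as 'http=127.0.0.1:5555'.
    IPv4 addresses and host names only (assumption of this example).
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # drop the 'http=' scheme prefix
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host)
    return hosts


def triage_line(line: str):
    """Return a Finding for a suspicious line, or None for a benign one."""
    line = line.strip()
    m = PROXY_RE.match(line)
    if m:
        bad = [h for h in proxy_hosts(m.group("value")) if h in LOOPBACK_HOSTS]
        if bad:
            return Finding("loopback-proxy", line,
                           f"user proxy routed through loopback host(s) {bad}")
        return None
    m = SERVICE_RE.match(line)
    if m:
        miss = MISSING_RE.search(m.group("rest"))
        if miss:
            return Finding("missing-driver", line,
                           f"{m.group('start')} service {m.group('name')!r} "
                           f"points at missing file {miss.group('path')}")
    return None


def triage(lines) -> list[Finding]:
    """Run triage_line over an iterable of log lines, keeping only findings."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Constructed sample, shaped like the ComboFix output in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = ;*.local;<local>
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(f"[{finding.kind}] {finding.detail}")
        print(f"    {finding.line}")
```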

          ishan

            Re: Alureon.H rootkit virus TermDD
            « Reply #37 on: June 01, 2010, 11:35:48 AM »
            Hi,

            C:\WINDOWS is Windows Installation directory. WINXP is the one when I tried to do a fresh install on same drive when I got this virus back then.

            You still mean CFScript to look into C:\WINXP or shall I change it to C:\WINDOWS?

            SuperDave

            • Malware Removal Specialist


            Re: Alureon.H rootkit virus TermDD
            « Reply #38 on: June 01, 2010, 12:27:21 PM »
            Ok. Just erase this "DirLook::
            C:\WINXP" from the script and run it.

            ishan

              Re: Alureon.H rootkit virus TermDD
              « Reply #39 on: June 01, 2010, 10:57:37 PM »
              1. http://virusscan.jotti.org/en/scanresult/d2d746eddfe458aae51e89ba5dbcbf156f574143/00071ebd72d1a0023c0818fa1d70ee808e64785a
              2. http://virusscan.jotti.org/en/scanresult/7ce79c0b5ae9de9678fc5f3830e3bd983fe7352e
              3. c:\windows\system32\drivers\rciwwjn.sys  - it says file is empty, 0 bytes.


              I'm going to run ComboFix and will let you know the results.

              ishan

                Re: Alureon.H rootkit virus TermDD
                « Reply #40 on: June 01, 2010, 11:33:38 PM »
                ComboFix 10-06-01.01 - iraval 06/01/2010  22:05:54.4.2 - x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1301 [GMT -7:00]
                Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
                Command switches used :: c:\documents and settings\iraval\Desktop\CFScript.txt
                AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

                FILE ::
                "c:\windows\inf\COMD6.tmp"
                "c:\windows\inf\COME3.tmp"
                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
                c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
                c:\windows\inf\COMD6.tmp
                c:\windows\inf\COME3.tmp

                ----- BITS: Possible infected sites -----

                hxxp://CASANSMS1:80
                hxxp://dendapvmexcas1.cricketcommunications.com
                .
                (((((((((((((((((((((((((   Files Created from 2010-05-02 to 2010-06-02  )))))))))))))))))))))))))))))))
                .

                2010-05-31 22:44 . 2010-05-31 22:47   --------   d-----w-   c:\program files\Gabest
                2010-05-31 22:40 . 2010-05-31 22:40   --------   d-----w-   c:\program files\DirectVobSub
                2010-05-31 17:24 . 2010-05-31 17:24   66   ----a-w-   C:\fixme.bat
                2010-05-31 17:22 . 2010-05-31 17:22   77312   ----a-w-   c:\windows\system32\mbr.exe
                2010-05-28 05:11 . 2010-05-28 05:11   --------   d-----w-   C:\HelpAsst_backup
                2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
                2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
                2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
                2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
                2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
                2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
                2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
                2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
                2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
                2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
                2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
                2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
                2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
                2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
                2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
                2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
                2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
                2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
                2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
                2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
                2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
                2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
                2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
                2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
                2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
                2010-05-20 13:47 . 2010-05-20 13:47   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
                2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
                2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
                2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
                2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
                2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
                2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
                2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
                2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2010-06-02 05:24 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
                2010-06-01 16:10 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
                2010-06-01 01:24 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
                2010-05-29 21:32 . 2010-05-29 21:32   117427   ----a-w-   c:\documents and settings\iraval\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions\digitaleditions.exe
                2010-05-27 00:14 . 2010-05-27 00:14   503808   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcp71.dll
                2010-05-27 00:14 . 2010-05-27 00:14   499712   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\jmc.dll
                2010-05-27 00:14 . 2010-05-27 00:14   348160   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcr71.dll
                2010-05-27 00:13 . 2010-05-27 00:13   61440   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-sse.dll
                2010-05-27 00:13 . 2010-05-27 00:13   12800   ----a-w-   c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-d3d.dll
                2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
                2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
                2010-05-25 15:52 . 2010-05-01 19:49   --------   d-----w-   c:\program files\Windows Live Safety Center
                2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
                2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
                2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
                2010-05-25 11:08 . 2010-05-25 11:08   1663   ----a-w-   c:\windows\inf\COM12F.tmp
                2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
                2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
                2010-05-21 21:14 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
                2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
                2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
                2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
                2010-05-06 03:40 . 2010-05-06 03:40   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
                2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2010-05-03 19:38 . 2010-05-02 05:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                2010-05-03 19:36 . 2010-05-02 05:42   --------   d-----w-   c:\program files\SiteAdvisor
                2010-05-03 18:25 . 2010-05-02 05:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
                2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
                2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
                2010-05-01 19:36 . 2010-01-22 12:58   --------   d-----w-   c:\documents and settings\admin\Application Data\Wave Systems Corp
                2010-05-01 18:45 . 2010-05-01 18:45   --------   d-----w-   c:\documents and settings\admin\Application Data\Malwarebytes
                2010-05-01 18:42 . 2010-01-22 12:58   71776   ----a-w-   c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2010-04-26 03:26 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                2010-04-19 21:59 . 2010-04-19 21:59   255472   ----a-w-   c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
                2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
                2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
                2010-04-16 04:15 . 2010-03-28 07:29   894184   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
                2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
                2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
                2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
                2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
                2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                2010-03-28 02:06 . 2007-08-27 22:09   71776   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
                2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
                2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
                2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
                2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
                "PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
                "Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
                "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
                "nwiz"="nwiz.exe" [2007-04-29 1626112]
                "NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
                "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
                "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
                "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
                "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
                "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
                "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
                "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
                "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
                "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
                "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
                "SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
                "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
                "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
                "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
                "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
                "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
                "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
                "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
                "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
                "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

                [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
                "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

                c:\documents and settings\iraval\Start Menu\Programs\Startup\
                BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
                MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
                OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
                To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
                VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
                Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

                c:\documents and settings\All Users\Start Menu\Programs\Startup\
                Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

                [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                "ForceStartMenuLogOff"= 1 (0x1)
                "NoWelcomeScreen"= 1 (0x1)

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

                [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

                [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
                "Script"=Inventory4.vbs

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
                "Script"=ComputerDescript.vbs

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
                "Script"=servicenow.bat

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
                "Script"=list_lenovo_profiles_and_delete.vbs

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
                "Script"=Inventory4.vbs

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
                "Script"=ComputerDescript.vbs

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
                "Script"=list_lenovo_profiles_and_delete.vbs

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
                @="Service"

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
                2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
                2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
                2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
                2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
                2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                "AntiVirusOverride"=dword:00000001
                "FirewallOverride"=dword:00000001

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                "c:\\Cygwin\\bin\\XWin.exe"=
                "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                "c:\\Program Files\\AIM\\aim.exe"=
                "c:\\Program Files\\Vuze\\Azureus.exe"=
                "c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
                "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                "c:\\Program Files\\iTunes\\iTunes.exe"=
                "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

                R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
                R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
                R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
                R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
                R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
                R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
                R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
                R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
                S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
                S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
                S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
                S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
                S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
                S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
                S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
                S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
                S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
                S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                WINRM   REG_MULTI_SZ      WINRM
                .
                Contents of the 'Scheduled Tasks' folder

                2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
                - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

                2010-06-02 c:\windows\Tasks\Google Software Updater.job
                - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

                2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
                - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
                - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                2010-06-02 c:\windows\Tasks\MP Scheduled Quick Scan.job
                - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                2010-06-02 c:\windows\Tasks\MP Scheduled Scan.job
                - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                2010-06-02 c:\windows\Tasks\MP Scheduled Signature Update.job
                - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
                .
                .
                ------- Supplementary Scan -------
                .
                uStart Page = about:blank
                uInternet Settings,ProxyOverride = ;*.local;<local>
                IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
                DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
                DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
                FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
                FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
                FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
                FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
                FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                ---- FIREFOX POLICIES ----
                FF - user.js: network.protocol-handler.warn-external.dnupdate - false
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
                .

                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2010-06-01 22:22
                Windows 5.1.2600 Service Pack 3 NTFS

                scanning hidden processes ... 

                scanning hidden autostart entries ...

                scanning hidden files ... 

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'winlogon.exe'(1584)
                c:\windows\system32\SSRPMGINA.dll

                - - - - - - - > 'lsass.exe'(1640)
                c:\windows\system32\wvauth.dll
                c:\windows\system32\biolsp.dll

                - - - - - - - > 'explorer.exe'(8472)
                c:\windows\system32\WININET.dll
                c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
                c:\windows\system32\ieframe.dll
                c:\windows\system32\WPDShServiceObj.dll
                c:\program files\Microsoft Virtual PC\VPCShExH.DLL
                c:\program files\WinSCP\DragExt.dll
                c:\windows\system32\PortableDeviceTypes.dll
                c:\windows\system32\PortableDeviceApi.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
                c:\windows\System32\SCardSvr.exe
                c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                c:\program files\Bonjour\mDNSResponder.exe
                c:\program files\Juniper Networks\Common Files\dsNcService.exe
                c:\program files\Intel\Wireless\Bin\EvtEng.exe
                c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
                c:\program files\Java\jre6\bin\jqs.exe
                c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
                c:\windows\system32\nvsvc32.exe
                c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                c:\windows\system32\StacSV.exe
                c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
                c:\program files\Intel\Wireless\Bin\WLKeeper.exe
                c:\windows\system32\SearchIndexer.exe
                c:\windows\system32\CCM\CcmExec.exe
                c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
                c:\windows\system32\msdtc.exe
                c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                c:\windows\system32\rundll32.exe
                c:\windows\system32\RUNDLL32.EXE
                c:\program files\Apoint\ApMsgFwd.exe
                c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
                c:\program files\Apoint\HidFind.exe
                c:\program files\Apoint\Apntex.exe
                c:\windows\system32\rundll32.exe
                c:\windows\stsystra.exe
                c:\program files\Windows Desktop Search\WindowsSearch.exe
                c:\program files\BSEMktWatch\Gadgetworker.exe
                c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
                c:\windows\system32\NOTEPAD.EXE
                c:\program files\VirtuaWin\modules\WinList.exe
                c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
                c:\progra~1\Webshots\315~1.761\Webshots.scr
                c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
                c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
                c:\program files\iPod\bin\iPodService.exe
                c:\windows\system32\SearchProtocolHost.exe
                c:\windows\system32\SearchFilterHost.exe
                .
                **************************************************************************
                .
                Completion time: 2010-06-01  22:30:23 - machine was rebooted
                ComboFix-quarantined-files.txt  2010-06-02 05:30
                ComboFix2.txt  2010-05-29 04:09

                Pre-Run: 23,002,599,424 bytes free
                Post-Run: 23,039,139,840 bytes free

                - - End Of File - - C42645F1074F29D1AA6E845ECA0E92C5

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Experience: Expert
                • OS: Windows 10
                Re: Alureon.H rootkit virus TermDD
                « Reply #41 on: June 02, 2010, 10:32:38 AM »
                Just one more script to run, please. It's been so long, how's your computer running?

                Re-running ComboFix to remove infections:

                • Close any open browsers.
                • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                • Open Notepad and copy/paste the text in the quotebox below into it:
                  Quote
                  KillAll::

                  File::

                  C:\fixme.bat  (delete)
                  C:\HelpAsst_backup
                  c:\windows\inf\COM12F.tmp

                  Folder::

                  C:\HelpAsst_backup

                • Save this as CFScript.txt, in the same location as ComboFix.exe



                • Referring to the picture above, drag CFScript into ComboFix.exe
                • When finished, it shall produce a log for you at C:\ComboFix.txt
                • Please post the contents of the log in your next reply.

                Windows 8 and Windows 10 dual boot with two SSD's

                ishan

                  Topic Starter


                  Rookie
                  Re: Alureon.H rootkit virus TermDD
                  « Reply #42 on: June 02, 2010, 11:43:51 AM »
                  I have not had any problems after the second ComboFix run, I think. But I am not too sure. It is not slow, and it does not redirect anymore. I did run several full scans; no issues were encountered.

                  I'll run ComboFix with the new script and revert.

                  Thanks!
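As an added example (not code from this thread, from ComboFix's authors, or from any of the posters): a small Python parser for the `R*`/`S*` service lines that ComboFix prints in the log posted next, which picks out the entries an analyst reads first. ComboFix prints `[?]` when a service's image file is no longer on disk. A boot- or system-start driver (`R0`/`R1`/`S0`/`S1`) whose file is missing and whose name looks random is the pattern of a rootkit loader remnant, while a missing image with an automatic or manual start type is usually an uninstall leftover. The sample lines are constructed in the same shape as the ones in the log; the low-vowel "looks generated" heuristic and the severity ranking are assumptions of this example, not ComboFix rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape ComboFix prints its service list (built for
# this example from the line shapes seen in the thread, not copied from a scan):
#   "<state><start> <name>;<display name>;<image path> [<date> <size>]"  file present
#   "<state><start> <name>;<display name>;<path> --> <path> [?]"         file missing
# <state>: R = running, S = stopped.  <start>: Windows service start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
SAMPLE_SERVICE_LINES = r"""
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
"""

LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PRESENT_RE = re.compile(r"^(?P<path>.+?) \[(?P<meta>[^\]]+)\]$")


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start_type: int     # 0 boot .. 4 disabled
    name: str
    display: str
    image: str          # resolved image path as ComboFix printed it
    image_missing: bool # True when the line ended in "[?]"


@dataclass
class Finding:
    entry: ServiceEntry
    severity: str
    reasons: List[str]


def parse_service_lines(text: str) -> List[ServiceEntry]:
    """Parse ComboFix service lines; lines that do not fit the shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.endswith("[?]"):
            # Missing image: "<path> --> <path> [?]"; keep the resolved (right-hand) path.
            image = rest[: -len("[?]")].strip()
            if " --> " in image:
                image = image.split(" --> ", 1)[1]
            missing = True
        else:
            pm = PRESENT_RE.match(rest)
            if not pm:
                continue
            image, missing = pm.group("path"), False
        entries.append(ServiceEntry(m.group("state"), int(m.group("start")),
                                    m.group("name"), m.group("display"), image, missing))
    return entries


def looks_machine_generated(token: str) -> bool:
    """Heuristic (an assumption of this example, not a ComboFix rule): an all-letter
    token of five or more characters with under 25% vowels reads like a random name."""
    if len(token) < 5 or not token.isalpha():
        return False
    vowels = sum(ch in "aeiouyAEIOUY" for ch in token)
    return vowels / len(token) < 0.25


def review_services(entries: List[ServiceEntry]) -> List[Finding]:
    """Flag entries whose image is missing; rank by how much else is wrong with them."""
    findings = []
    for e in entries:
        if not e.image_missing:
            continue  # the log line alone gives nothing to flag when the file exists
        reasons = ["image file missing on disk (ComboFix printed '[?]')"]
        if e.start_type in (0, 1):
            reasons.append("boot/system start type: loads before user-mode defenses")
        stem = e.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_machine_generated(e.name) or looks_machine_generated(stem):
            reasons.append("service or file name looks machine-generated")
        severity = {1: "low", 2: "medium"}.get(len(reasons), "high")
        findings.append(Finding(e, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in review_services(parse_service_lines(SAMPLE_SERVICE_LINES)):
        print(f"{f.severity:6} {f.entry.state}{f.entry.start_type} {f.entry.name}: {f.entry.image}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run as a script it prints the two missing-image entries with their reasons; `review_services` returns the same findings so the logic can be reused over a whole log. The `[?]` marker and the start-type digit carry the signal; the name heuristic on its own is noisy (short vendor driver names also score low on vowels), which is why it only raises the severity of an entry whose file is already missing.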

                  ishan

                    Topic Starter


                    Rookie
                    Re: Alureon.H rootkit virus TermDD
                    « Reply #43 on: June 03, 2010, 06:16:32 AM »
                    ComboFix 10-06-02.02 - iraval 06/02/2010  21:58:19.5.2 - x86
                    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1192 [GMT -7:00]
                    Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
                    Command switches used :: c:\documents and settings\iraval\Desktop\CFScript.txt
                    AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

                    FILE ::
                    "C:\fixme.bat  (delete)"
                    "C:\HelpAsst_backup"
                    "c:\windows\inf\COM12F.tmp"
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
                    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
                    C:\HelpAsst_backup
                    c:\helpasst_backup\DomainGOPList.reg
                    c:\helpasst_backup\S-1-5-21-1737608194-1000615609-2549537844-1005.reg
                    c:\helpasst_backup\StandardGOPList.reg
                    c:\helpasst_backup\termsrv32.dll
                    c:\windows\inf\COM12F.tmp

                    ----- BITS: Possible infected sites -----

                    hxxp://CASANSMS1:80
                    .
                    (((((((((((((((((((((((((   Files Created from 2010-05-03 to 2010-06-03  )))))))))))))))))))))))))))))))
                    .

                    2010-05-31 22:44 . 2010-05-31 22:47   --------   d-----w-   c:\program files\Gabest
                    2010-05-31 22:40 . 2010-05-31 22:40   --------   d-----w-   c:\program files\DirectVobSub
                    2010-05-31 17:24 . 2010-05-31 17:24   66   ----a-w-   C:\fixme.bat
                    2010-05-31 17:22 . 2010-05-31 17:22   77312   ----a-w-   c:\windows\system32\mbr.exe
                    2010-05-27 00:13 . 2010-05-27 00:13   --------   d-----w-   c:\program files\Common Files\Java
                    2010-05-27 00:13 . 2010-05-27 00:13   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                    2010-05-26 18:26 . 2010-05-26 18:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Applications
                    2010-05-26 17:15 . 2009-10-20 16:20   265728   -c----w-   c:\windows\system32\dllcache\http.sys
                    2010-05-25 21:24 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                    2010-05-25 21:23 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                    2010-05-25 21:20 . 2010-02-16 14:08   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                    2010-05-25 21:20 . 2010-02-17 16:10   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
                    2010-05-25 21:20 . 2010-02-16 13:25   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                    2010-05-25 21:20 . 2009-11-27 17:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
                    2010-05-25 21:13 . 2009-11-27 16:07   8704   -c----w-   c:\windows\system32\dllcache\tsbyuv.dll
                    2010-05-25 21:13 . 2009-11-27 16:07   48128   -c----w-   c:\windows\system32\dllcache\iyuv_32.dll
                    2010-05-25 21:12 . 2010-03-11 12:38   459264   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
                    2010-05-25 21:12 . 2010-03-11 12:38   268288   -c----w-   c:\windows\system32\dllcache\iertutil.dll
                    2010-05-25 21:12 . 2010-03-11 12:38   52224   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
                    2010-05-25 21:12 . 2010-03-11 12:38   63488   -c----w-   c:\windows\system32\dllcache\icardie.dll
                    2010-05-25 21:12 . 2010-03-11 12:38   380928   -c----w-   c:\windows\system32\dllcache\ieapfltr.dll
                    2010-05-25 21:12 . 2010-03-10 13:18   13824   -c----w-   c:\windows\system32\dllcache\ieudinit.exe
                    2010-05-25 21:12 . 2009-06-29 08:33   2452872   -c----w-   c:\windows\system32\dllcache\ieapfltr.dat
                    2010-05-25 21:12 . 2010-03-11 12:38   6067200   -c----w-   c:\windows\system32\dllcache\ieframe.dll
                    2010-05-25 15:13 . 2010-05-25 15:13   --------   d-----w-   c:\windows\ms
                    2010-05-25 15:01 . 2008-04-14 12:00   221696   -c--a-w-   c:\windows\system32\dllcache\seo.dll
                    2010-05-25 15:00 . 2008-04-14 12:00   13463552   -c--a-w-   c:\windows\system32\dllcache\hwxjpn.dll
                    2010-05-25 14:59 . 2004-05-13 07:39   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
                    2010-05-25 14:40 . 2008-04-14 12:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
                    2010-05-25 14:40 . 2008-04-14 12:00   13312   ----a-w-   c:\windows\system32\irclass.dll
                    2010-05-25 14:40 . 2008-04-14 12:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
                    2010-05-25 14:40 . 2008-04-14 12:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
                    2010-05-25 11:10 . 2008-04-14 12:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
                    2010-05-25 06:05 . 2010-05-25 06:05   --------   d-----w-   c:\program files\ESET
                    2010-05-18 15:02 . 2009-09-07 21:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
                    2010-05-18 15:02 . 2009-08-05 22:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
                    2010-05-18 15:02 . 2010-05-25 15:30   --------   d-----w-   C:\VIPRERESCUE
                    2010-05-06 04:12 . 2010-05-06 04:12   --------   d-----w-   c:\program files\iPod
                    2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                    2010-05-06 04:11 . 2010-05-06 04:13   --------   d-----w-   c:\program files\iTunes
                    2010-05-06 04:00 . 2010-05-06 04:02   --------   d-----w-   c:\program files\QuickTime
                    2010-05-06 03:56 . 2010-05-06 03:56   --------   d-----w-   c:\program files\Bonjour
                    2010-05-06 01:30 . 2010-05-06 01:30   --------   d-----w-   c:\documents and settings\iraval\Local Settings\Application Data\Help

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2010-06-03 12:11 . 2009-11-17 07:50   --------   d-----w-   c:\program files\BSEMktWatch
                    2010-06-03 12:09 . 2009-11-17 01:50   --------   d-----w-   c:\documents and settings\iraval\Application Data\Wave Systems Corp
                    2010-06-03 03:13 . 2009-10-20 17:11   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                    2010-06-01 17:37 . 2010-01-16 07:10   221568   ------w-   c:\windows\system32\MpSigStub.exe
                    2010-06-01 01:24 . 2010-03-20 20:59   --------   d-----w-   c:\documents and settings\iraval\Application Data\vlc
                    2010-05-27 00:13 . 2007-08-28 20:08   --------   d-----w-   c:\program files\Java
                    2010-05-26 14:44 . 2010-02-02 07:52   --------   d-----w-   c:\program files\MagicISO
                    2010-05-25 15:52 . 2010-05-01 19:49   --------   d-----w-   c:\program files\Windows Live Safety Center
                    2010-05-25 14:56 . 2007-08-27 20:47   24924   ----a-w-   c:\windows\system32\emptyregdb.dat
                    2010-05-25 12:21 . 2010-01-03 06:30   --------   d-----w-   c:\documents and settings\iraval\Application Data\Azureus
                    2010-05-25 12:20 . 2009-12-06 02:59   --------   d-----w-   c:\program files\CCleaner
                    2010-05-25 08:20 . 2007-08-27 21:54   95194   ----a-w-   c:\windows\system32\nvModes.dat
                    2010-05-22 05:53 . 2010-01-03 06:29   --------   d-----w-   c:\program files\Vuze
                    2010-05-20 13:48 . 2009-11-17 07:50   --------   d-----w-   c:\program files\Google
                    2010-05-12 19:47 . 2009-07-22 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
                    2010-05-06 04:12 . 2009-11-23 07:43   --------   d-----w-   c:\program files\Common Files\Apple
                    2010-05-04 03:06 . 2010-03-20 23:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                    2010-05-03 19:38 . 2010-05-02 05:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                    2010-05-03 19:36 . 2010-05-02 05:42   --------   d-----w-   c:\program files\SiteAdvisor
                    2010-05-03 18:25 . 2010-05-02 05:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SiteAdvisor
                    2010-05-02 21:22 . 2009-11-23 07:46   --------   d-----w-   c:\documents and settings\iraval\Application Data\Apple Computer
                    2010-05-02 04:57 . 2009-12-06 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                    2010-05-02 01:15 . 2007-08-28 19:56   --------   d-----w-   c:\program files\Microsoft Office Communicator
                    2010-04-29 22:39 . 2010-03-20 23:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2010-04-29 22:39 . 2010-03-20 23:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2010-04-17 19:53 . 2009-12-06 01:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
                    2010-04-17 19:53 . 2010-04-17 07:43   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                    2010-04-16 15:33 . 2009-11-23 07:43   41472   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
                    2010-04-16 15:33 . 2009-11-23 07:43   3003680   ----a-w-   c:\windows\system32\usbaaplrc.dll
                    2010-04-15 16:18 . 2010-04-14 03:02   --------   d-----w-   c:\program files\PuTTY Connection Manager
                    2010-04-14 03:07 . 2009-11-17 07:20   --------   d-----w-   c:\program files\PuTTY
                    2010-04-14 02:55 . 2009-11-20 01:53   --------   d-----w-   c:\program files\Quest Software
                    2010-04-08 20:20 . 2010-04-08 20:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
                    2010-04-08 20:20 . 2010-04-08 20:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                    2010-03-17 15:51 . 2009-08-18 16:08   82696   ----a-w-   c:\windows\system32\lmdimon8.dll
                    2010-03-11 12:38 . 2008-04-14 12:00   832512   ----a-w-   c:\windows\system32\wininet.dll
                    2010-03-11 12:38 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                    2010-03-11 12:38 . 2008-04-14 12:00   17408   ----a-w-   c:\windows\system32\corpol.dll
                    2010-03-09 11:09 . 2008-04-14 12:00   430080   ----a-w-   c:\windows\system32\vbscript.dll
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
                    2008-07-25 18:16   282112   ----a-w-   c:\windows\system32\mscoree.dll

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
                    "PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
                    "Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
                    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
                    "nwiz"="nwiz.exe" [2007-04-29 1626112]
                    "NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
                    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
                    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
                    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
                    "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
                    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
                    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
                    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
                    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
                    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
                    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
                    "SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
                    "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
                    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
                    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
                    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
                    "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
                    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
                    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
                    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
                    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

                    c:\documents and settings\iraval\Start Menu\Programs\Startup\
                    BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
                    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
                    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
                    To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
                    VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
                    Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]

                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                    "ForceStartMenuLogOff"= 1 (0x1)
                    "NoWelcomeScreen"= 1 (0x1)

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

                    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                    BootExecute   REG_MULTI_SZ      autocheck autochk *\0sprestrt\0sprestrt

                    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                    Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
                    "Script"=Inventory4.vbs

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
                    "Script"=ComputerDescript.vbs

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
                    "Script"=servicenow.bat

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
                    "Script"=list_lenovo_profiles_and_delete.vbs

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
                    "Script"=Inventory4.vbs

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
                    "Script"=ComputerDescript.vbs

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
                    "Script"=list_lenovo_profiles_and_delete.vbs

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
                    @="Service"

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
                    2009-11-21 04:14   135664   ----atw-   c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
                    2010-02-02 07:30   160752   ----a-w-   c:\program files\Google\Google Updater\GoogleUpdater.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
                    2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                    2010-04-28 22:06   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
                    2009-11-10 23:39   5244216   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
                    2010-01-16 05:56   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                    "AntiVirusOverride"=dword:00000001
                    "FirewallOverride"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
                    "c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
                    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                    "c:\\Cygwin\\bin\\XWin.exe"=
                    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                    "c:\\Program Files\\AIM\\aim.exe"=
                    "c:\\Program Files\\Vuze\\Azureus.exe"=
                    "c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
                    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                    "c:\\Program Files\\iTunes\\iTunes.exe"=
                    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

                    R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
                    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
                    R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
                    R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
                    R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
                    R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
                    R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
                    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
                    S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
                    S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
                    S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
                    S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
                    S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
                    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
                    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
                    S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
                    S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
                    S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
                    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                    HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                    WINRM   REG_MULTI_SZ      WINRM
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
                    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

                    2010-06-03 c:\windows\Tasks\Google Software Updater.job
                    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]

                    2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                    2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]

                    2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
                    - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                    2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
                    - c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]

                    2010-06-03 c:\windows\Tasks\MP Scheduled Quick Scan.job
                    - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                    2010-06-03 c:\windows\Tasks\MP Scheduled Scan.job
                    - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]

                    2010-06-03 c:\windows\Tasks\MP Scheduled Signature Update.job
                    - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = about:blank
                    uInternet Settings,ProxyOverride = ;*.local;<local>
                    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                    DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
                    DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
                    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
                    FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
                    FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
                    FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                    FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
                    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
                    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
                    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                    ---- FIREFOX POLICIES ----
                    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
                    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
                    .

                    **************************************************************************

                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2010-06-03 05:08
                    Windows 5.1.2600 Service Pack 3 NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'winlogon.exe'(1220)
                    c:\windows\system32\SSRPMGINA.dll

                    - - - - - - - > 'lsass.exe'(1276)
                    c:\windows\system32\wvauth.dll
                    c:\windows\system32\biolsp.dll

                    - - - - - - - > 'explorer.exe'(9540)
                    c:\windows\system32\WININET.dll
                    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
                    c:\windows\system32\ieframe.dll
                    c:\windows\system32\WPDShServiceObj.dll
                    c:\program files\Microsoft Virtual PC\VPCShExH.DLL
                    c:\program files\WinSCP\DragExt.dll
                    c:\windows\system32\PortableDeviceTypes.dll
                    c:\windows\system32\PortableDeviceApi.dll
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
                    c:\windows\System32\SCardSvr.exe
                    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                    c:\program files\Bonjour\mDNSResponder.exe
                    c:\program files\Juniper Networks\Common Files\dsNcService.exe
                    c:\program files\Intel\Wireless\Bin\EvtEng.exe
                    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
                    c:\program files\Java\jre6\bin\jqs.exe
                    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
                    c:\windows\system32\nvsvc32.exe
                    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                    c:\windows\system32\StacSV.exe
                    c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
                    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
                    c:\windows\system32\SearchIndexer.exe
                    c:\windows\system32\CCM\CcmExec.exe
                    c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
                    c:\windows\system32\msdtc.exe
                    c:\windows\system32\rundll32.exe
                    c:\windows\system32\RUNDLL32.EXE
                    c:\program files\Apoint\ApMsgFwd.exe
                    c:\windows\system32\rundll32.exe
                    c:\program files\Apoint\Apntex.exe
                    c:\program files\Apoint\HidFind.exe
                    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
                    c:\windows\stsystra.exe
                    c:\program files\Windows Desktop Search\WindowsSearch.exe
                    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
                    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
                    c:\windows\system32\NOTEPAD.EXE
                    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
                    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
                    c:\program files\BSEMktWatch\Gadgetworker.exe
                    c:\program files\VirtuaWin\modules\WinList.exe
                    c:\progra~1\Webshots\315~1.761\Webshots.scr
                    c:\program files\iPod\bin\iPodService.exe
                    c:\windows\system32\SearchProtocolHost.exe
                    c:\windows\system32\SearchFilterHost.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2010-06-03  05:18:39 - machine was rebooted
                    ComboFix-quarantined-files.txt  2010-06-03 12:18
                    ComboFix2.txt  2010-06-02 05:30
                    ComboFix3.txt  2010-05-29 04:09

                    Pre-Run: 22,852,235,264 bytes free
                    Post-Run: 22,858,293,248 bytes free

                    - - End Of File - - 63CE8C5ED79CF5504A7E3067565FE9AF
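Editor's note on reading the service section of a ComboFix log like the one above (an added example, not part of the original post or of ComboFix). ComboFix prints each service as `<R|S><start type> <name>;<display name>;<image path> [date size]`, and when the backing file is not on disk it prints `<path> --> <path> [?]` instead of the date and size. Entries such as `S0 cgtfa;cgtfa;...\drivers\rciwwjn.sys [?]` (boot-start kernel driver, pseudo-random name, file missing) are what a helper looks at first, while `MpKsl...sys [?]` entries under the Forefront definition-update folder are ordinary leftovers. The script below parses those lines and ranks them with a small, editor-assumed scoring heuristic; it ranks for human review and does not identify malware. The sample input is a constructed subset of six lines copied from the log above.

```python
"""Triage ComboFix service lines (R#/S# entries) for suspicious kernel drivers.

Added example for this thread; the heuristics (missing backing file, start type,
drivers directory, low-vowel names) are the editor's assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: six service lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
"""

# <R|S><start> <name>;<display>;<path> [<date> <size>]   or   ... <path> --> <path> [?]
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
FILE_RE = re.compile(r"([^\\\s]+)\.(?:sys|exe|dll)\b", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Weak signal: five or more letters with almost no vowels (cgtfa, rciwwjn)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def parse_line(line: str) -> Optional[Dict]:
    """Parse one ComboFix service line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")          # ComboFix could not find the file
    if missing:
        path = rest[:-3].strip().split("-->")[-1].strip()
    else:
        mm = META_RE.match(rest)
        path = mm.group("path") if mm else rest
    if path.startswith("\\??\\"):            # strip the NT object-namespace prefix
        path = path[4:]
    fm = FILE_RE.search(path)
    return {
        "state": m.group("state"), "start": int(m.group("start")),
        "name": m.group("name"), "display": m.group("display"),
        "path": path, "stem": fm.group(1) if fm else "", "missing": missing,
    }


def score_entry(e: Dict) -> Tuple[int, List[str]]:
    """Editor-assumed weights: higher means 'look at this first', not 'malicious'."""
    score, why = 0, []
    if e["missing"]:
        score += 3; why.append("backing file not found ([?])")
    if e["start"] == 0:
        score += 2; why.append("boot-start (S0/R0) driver")
    elif e["start"] == 1:
        score += 1; why.append("system-start (S1/R1) driver")
    if "\\system32\\drivers\\" in e["path"].lower():
        score += 1; why.append("lives in system32\\drivers")
    # Name entropy is noisy (svchost and SBREDrv would trip it), so it only
    # adds weight to entries whose file is already missing.
    if e["missing"]:
        if looks_random(e["name"]):
            score += 1; why.append("pseudo-random service name")
        if e["stem"] and e["stem"].lower() != e["name"].lower() and looks_random(e["stem"]):
            score += 1; why.append("pseudo-random file name differing from service name")
    return score, why


def triage(log_text: str) -> List[Dict]:
    """Parse every service line in the text and return them ranked by score."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        e["score"], e["reasons"] = score_entry(e)
        entries.append(e)
    entries.sort(key=lambda x: (-x["score"], x["name"].lower()))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        flag = "!!" if e["missing"] else "  "
        print(f"{flag} {e['score']:2d} {e['state']}{e['start']} {e['name']:<16} {e['path']}")
        for r in e["reasons"]:
            print(f"        - {r}")
```

On the sample, `cgtfa` ranks first (missing file, S0, drivers directory, random service and file names), the Forefront `MpKsl...` entry second, and `ATE_PROCMON` third; the present, normally named drivers stay near zero. A missing file on its own is not evidence, which is why the definition-update leftover still scores below the orphaned boot-start driver.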

                    SuperDave

                    • Malware Removal Specialist
                    Re: Alureon.H rootkit virus TermDD
                    « Reply #44 on: June 03, 2010, 07:55:39 AM »
                    Ok. That looks good. Let's try this and post the log, if any.

                    I'd like us to scan your machine with ESET OnlineScan

                    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                    ESET OnlineScan
                    • Click the button.
                    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                      • Click on to download the ESET Smart Installer. Save it to your desktop.
                      • Double click on the icon on your desktop.
                    • Check
                    • Click the button.
                    • Accept any security warnings from your browser.
                    • Check
                    • Push the Start button.
                    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                    • When the scan completes, push
                    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                    • Push the button.
                    • Push
                    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                    Windows 8 and Windows 10 dual boot with two SSD's