
1 bds small.iuj on Mon Mar 29, 2010 8:30 pm

mewt518


Member
Hello. I have just signed up. This site is awesome!

Can someone please help me remove this virus on my xp box? Thanks

2 Re: bds small.iuj on Mon Mar 29, 2010 11:13 pm

DragonMaster Jay


Site Owner
Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner

3 Re: bds small.iuj on Tue Apr 06, 2010 10:13 am

mewt518


Member
ComboFix 10-04-05.06 - m3wt 04/06/2010 21:57:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.650 [GMT 8:00]
Running from: c:\documents and settings\m3wt\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1259826051-904142497-1615138427-1000
C:\desktop.ini
c:\documents and settings\m3wt\Application Data\inst.exe
c:\windows\system32\Cache
c:\windows\system32\gfbaksm.dat
c:\windows\system32\gfbaksm.dll
c:\windows\system32\VB6KO.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-03-30 00:08 . 2010-01-13 04:28 155648 ----a-w- c:\windows\system32\igfxCoIn_v5218.dll
2010-03-29 23:57 . 2010-03-29 23:57 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-29 23:57 . 2010-03-29 23:57 84480 ----a-w- c:\documents and settings\m3wt\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-03-29 23:57 . 2010-03-29 23:57 -------- d-----w- c:\documents and settings\m3wt\Application Data\SystemRequirementsLab
2010-03-22 13:53 . 2010-04-06 11:46 1075200 ----a-w- c:\windows\explorer.exe
2010-03-21 14:23 . 2010-03-22 14:27 -------- d-----w- c:\documents and settings\m3wt\Application Data\KeePass
2010-03-21 14:19 . 2010-03-21 14:19 -------- d-----w- c:\program files\KeePass Password Safe 2
2010-03-17 13:55 . 2010-03-17 13:55 -------- d-----w- c:\documents and settings\m3wt\Application Data\My Games
2010-03-17 13:46 . 2004-08-22 08:31 5248 ------w- c:\windows\system32\drivers\d347prt.sys
2010-03-17 13:46 . 2004-08-22 08:31 155136 ----a-w- c:\windows\system32\drivers\d347bus.sys
2010-03-17 13:46 . 2010-03-17 13:46 -------- d-----w- c:\program files\D-Tools
2010-03-17 13:46 . 2010-03-17 13:46 -------- d-----w- c:\windows\Downloaded Installations
2010-03-17 13:45 . 2010-03-17 13:45 -------- d-----w- C:\Civ4
2010-03-17 13:06 . 2010-03-17 13:06 -------- d-----w- c:\program files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 23:42 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\m3wt\Application Data\vlc
2010-03-22 14:08 . 2010-02-03 05:22 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-17 13:07 . 2009-10-17 14:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-02 15:37 . 2010-03-02 15:37 -------- d-----w- c:\documents and settings\m3wt\Application Data\Blender Foundation
2010-03-02 15:37 . 2010-03-02 15:37 -------- d-----w- c:\program files\Blender Foundation
2010-03-02 14:02 . 2009-10-17 13:55 -------- d-----w- c:\program files\VS Revo Group
2010-03-01 15:50 . 2010-03-01 15:50 -------- d-----w- c:\program files\Google
2010-03-01 12:56 . 2009-12-03 00:28 -------- d-----w- c:\program files\CCleaner
2010-03-01 01:05 . 2009-11-17 13:24 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 08:32 . 2009-10-17 14:10 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-02-16 05:24 . 2009-10-17 08:13 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-05 02:39 . 2010-02-05 02:39 251376 ----a-w- c:\documents and settings\m3wt\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-13 04:19 . 2009-10-17 14:10 3773952 ----a-w- c:\windows\system32\igxpdx32.dll
2010-01-13 04:18 . 2009-10-17 14:10 2685280 ----a-w- c:\windows\system32\igxpdv32.dll
2010-01-13 04:18 . 2009-10-17 14:10 185856 ----a-w- c:\windows\system32\igxpgd32.dll
2010-01-13 04:18 . 2009-10-17 14:10 57344 ----a-w- c:\windows\system32\igxprd32.dll
2010-01-13 04:18 . 2009-10-17 14:10 1730272 ----a-w- c:\windows\system32\drivers\igxpmp32.sys
2010-01-13 04:03 . 2009-10-17 14:10 294912 ----a-w- c:\windows\system32\igldev32.dll
2010-01-13 04:03 . 2009-10-17 14:10 2342912 ----a-w- c:\windows\system32\iglicd32.dll
2010-01-13 03:48 . 2009-10-17 14:10 645632 ----a-w- c:\windows\system32\igfxcfg.exe
2010-01-13 03:46 . 2009-10-17 14:10 134656 ----a-w- c:\windows\system32\igfxtray.exe
2010-01-13 03:46 . 2009-10-17 14:10 166912 ----a-w- c:\windows\system32\hkcmd.exe
2010-01-13 03:46 . 2009-10-17 14:10 23552 ----a-w- c:\windows\system32\igfxexps.dll
2010-01-13 03:46 . 2009-10-17 14:10 165888 ----a-w- c:\windows\system32\igfxext.exe
2010-01-13 03:46 . 2009-10-17 14:10 199168 ----a-w- c:\windows\system32\igfxpph.dll
2010-01-13 03:46 . 2009-10-17 14:10 130048 ----a-w- c:\windows\system32\igfxdo.dll
2010-01-13 03:46 . 2009-10-17 14:10 135680 ----a-w- c:\windows\system32\igfxpers.exe
2010-01-13 03:46 . 2009-10-17 14:10 51712 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-01-13 03:46 . 2009-10-17 14:10 243712 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-01-13 03:45 . 2009-10-17 14:10 93696 ----a-w- c:\windows\system32\hccutils.dll
2010-01-13 03:45 . 2009-10-17 14:10 5702656 ----a-w- c:\windows\system32\igfxress.dll
2010-01-13 03:45 . 2009-10-17 14:10 205824 ----a-w- c:\windows\system32\igfxdev.dll
.

------- Sigcheck -------

[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2010-04-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-10 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-01-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-09-25 33517568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-17 149280]
"Cobian Backup 9"="c:\program files\Cobian Backup 9\Cobian.exe" [2009-01-22 579584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\m3wt\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Psi.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Psi.lnk
backup=c:\windows\pss\Psi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-10 14:01 135664 ----atw- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-08 21:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2007-02-26 09:40 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 07:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2005-12-14 11:13 7095344 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-14 20:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
2009-09-16 19:30 1933381 ----a-w- c:\program files\Software Informer\softinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2009-11-20 19:29 5262834 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\m3wt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\m3wt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7246:TCP"= 7246:TCP:expnbvm

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3/17/2010 9:46 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3/17/2010 9:46 PM 5248]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/17/2009 9:24 PM 135336]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [10/17/2009 10:13 PM 874880]
S2 cjxrxe;System Windows;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 ngnlzyesf;Network Manager;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10/17/2009 10:00 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10/17/2009 10:00 PM 3072]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 4:53 PM 55664]
S3 XDva300;XDva300;\??\c:\windows\system32\XDva300.sys --> c:\windows\system32\XDva300.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ngnlzyesf
cjxrxe
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1425521274-839522115-1003Core.job
- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-10 14:01]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1425521274-839522115-1003UA.job
- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-10 14:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mewtopia.tk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\m3wt\Application Data\Mozilla\Firefox\Profiles\q5179200.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mewtopia.tk
FF - plugin: c:\documents and settings\m3wt\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\m3wt\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-fsm - (no file)
MSConfigStartUp-doubleTwist - c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 22:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x861B69E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7650fc3
\Driver\ACPI -> ACPI.sys @ 0xf759dcb8
\Driver\atapi -> 0x861b69e0
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8057c799
SecurityProcedure -> ntoskrnl.exe @ 0x805de473
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8057c799
SecurityProcedure -> ntoskrnl.exe @ 0x805de473
NDIS: Atheros L2 Fast Ethernet 10/100 Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7424ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7431b21
SendHandler -> NDIS.sys @ 0xf740f87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjxrxe]
"ServiceDll"="c:\windows\system32\aizexh.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ngnlzyesf]
"ServiceDll"="c:\windows\system32\aizexh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(272)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Cobian Backup 9\cbInterface.exe
.
**************************************************************************
.
Completion time: 2010-04-06 22:10:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 14:10

Pre-Run: 29,826,105,344 bytes free
Post-Run: 29,880,864,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

- - End Of File - - 1A885E1FC2B56DCE492CC182D60CC2DF
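Read as a whole, the log above already shows what the later posts act on, and it helps to name the indicators plainly before the cleanup steps: two services with random names (cjxrxe and ngnlzyesf) are registered to run inside svchost.exe -k netsvcs, both appear in the NetSvcs group, and both point their ServiceDll at the same c:\windows\system32\aizexh.dll; c:\windows\explorer.exe fails the Sigcheck catalog check with a size and version that differ from the copy installed later in the thread; the Windows Firewall is off (EnableFirewall=0) with a globally open port 7246/TCP named expnbvm; and the Gmer MBR scanner reports an unknown module at 0x861B69E0 hooking \Driver\atapi while still reading the user and kernel MBR as OK. One caveat: a [-] in Sigcheck only says the file does not match Microsoft's catalog, and a user-applied tcpip.sys patch produces the same mark, so that line is not by itself evidence of infection.

The Python script below is an added example written for this page; it is not part of the thread and not ComboFix or SystemLook code. It parses ComboFix log text for those four indicator classes and diffs the Sigcheck section of two logs, which is the check you would run on the second log after the FCopy:: step later in the thread. The allow-list of netsvcs DLLs is an abbreviated assumption, and the two embedded logs are constructed excerpts assembled from lines posted here.

```python
"""Triage helper for ComboFix-style logs (added example, not part of the
thread or of ComboFix).  Pulls out the indicators an analyst reads first and
diffs the Sigcheck section of two logs, e.g. before/after an FCopy:: run."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: abbreviated allow-list of DLLs that normally run inside the
# netsvcs svchost group on XP; use the full list for the real build.
KNOWN_NETSVCS_DLLS = {
    "browser.dll", "cryptsvc.dll", "dhcpcsvc.dll", "dnsrslvr.dll", "ipnathlp.dll",
    "lmhsvc.dll", "netman.dll", "rasauto.dll", "rasmans.dll", "schedsvc.dll",
    "seclogon.dll", "shsvcs.dll", "srvsvc.dll", "trkwks.dll", "w32time.dll",
    "wuauserv.dll", "wzcsvc.dll",
}
# Line shapes as ComboFix prints them.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;\n]+);[^;\n]*;(.+?)\s+\[", re.M)
SERVICEDLL_RE = re.compile(
    r'\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]'
    r'\s*"ServiceDll"="([^"]+)"', re.I)
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+\S+\s+\.\s+([0-9A-F]{32})\s+\.\s+(\d+)\s+\.\s+\.\s+"
    r"\[([^\]]+)\]\s+\.\s+\.\s+(.+?)\s*$", re.M)
FIREWALL_RE = re.compile(r'"EnableFirewall"=\s*(\d+)')
OPENPORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\S+:(\S+)\s*$', re.M)
ADS_RE = re.compile(r"^ADS - (\S+): deleted (\d+) bytes in (\d+) stream", re.M)


@dataclass(frozen=True)
class Finding:
    kind: str    # service | sigcheck | firewall | ads
    detail: str


def sigcheck_entries(log: str) -> Dict[str, Tuple[str, int, str]]:
    """path -> (md5, size, version) for every file Sigcheck marked [-]."""
    return {p.lower(): (md5, int(size), ver) for md5, size, ver, p in SIGCHECK_RE.findall(log)}


def triage(log: str) -> List[Finding]:
    found: List[Finding] = []
    # 1. Services run as "svchost.exe -k netsvcs": resolve each ServiceDll, flag
    #    DLLs outside the allow-list and one DLL registered under several names.
    hosted = [n for n, cmd in SERVICE_RE.findall(log)
              if "svchost.exe" in cmd.lower() and "-k netsvcs" in cmd.lower()]
    dlls = {n.lower(): d for n, d in SERVICEDLL_RE.findall(log)}
    owners: Dict[str, List[str]] = {}
    for name in hosted:
        dll = dlls.get(name.lower())
        if dll is None:
            found.append(Finding("service", f"{name}: netsvcs service, no ServiceDll in log"))
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        owners.setdefault(base, []).append(name)
        if base not in KNOWN_NETSVCS_DLLS:
            found.append(Finding("service", f"{name}: netsvcs service loads unknown DLL {dll}"))
    for base, names in owners.items():
        if len(names) > 1:
            found.append(Finding("service", f"{base} shared by {len(names)} services: {', '.join(names)}"))
    # 2. Files that fail Microsoft's catalog signature check.
    for path, (md5, size, ver) in sigcheck_entries(log).items():
        found.append(Finding("sigcheck", f"{path}: md5 {md5}, {size} bytes, version {ver}"))
    # 3. Host firewall state and holes punched through it.
    m = FIREWALL_RE.search(log)
    if m and m.group(1) == "0":
        found.append(Finding("firewall", "Windows Firewall disabled (EnableFirewall=0)"))
    for port, name in OPENPORT_RE.findall(log):
        found.append(Finding("firewall", f"globally open port {port} ({name})"))
    # 4. Alternate data streams ComboFix stripped from system binaries.
    for fname, nbytes, nstreams in ADS_RE.findall(log):
        found.append(Finding("ads", f"{fname}: {nstreams} ADS, {nbytes} bytes"))
    return found


def sigcheck_diff(before: str, after: str) -> Dict[str, str]:
    """Per flagged file: replaced / unchanged / newly flagged / no longer flagged."""
    b, a = sigcheck_entries(before), sigcheck_entries(after)
    out = {}
    for path in sorted(set(b) | set(a)):
        if path not in a:
            out[path] = "no longer flagged"
        elif path not in b:
            out[path] = "newly flagged"
        else:
            out[path] = "replaced" if b[path] != a[path] else "unchanged"
    return out


# Constructed excerpts assembled from lines of the two logs in the thread.
LOG_BEFORE = r"""
[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2010-04-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7246:TCP"= 7246:TCP:expnbvm
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/17/2009 9:24 PM 135336]
S2 cjxrxe;System Windows;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 ngnlzyesf;Network Manager;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjxrxe]
"ServiceDll"="c:\windows\system32\aizexh.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ngnlzyesf]
"ServiceDll"="c:\windows\system32\aizexh.dll"
"""
LOG_AFTER = r"""
ADS - explorer.exe: deleted 26 bytes in 1 streams.
[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys
[-] 2010-04-07 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[{f.kind}] {f.detail}")
    print(sigcheck_diff(LOG_BEFORE, LOG_AFTER))
```

Run against the first log the script reports the two netsvcs services, the DLL they share, both Sigcheck failures, the disabled firewall and the open port; run as a diff against the second log it reports explorer.exe as replaced and tcpip.sys as unchanged, which is exactly the question the SystemLook and FCopy:: steps are answering by hand.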

4 Re: bds small.iuj on Tue Apr 06, 2010 10:27 am

mewt518


Member
Anything else I need to do, sir/ma'am?

5 Re: bds small.iuj on Tue Apr 06, 2010 12:36 pm

DragonMaster Jay


Site Owner
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    explorer.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



6 Re: bds small.iuj on Tue Apr 06, 2010 7:46 pm

mewt518


Member
Here it is:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 07:43 on 07/04/2010 by m3wt (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a--- 1075200 bytes [13:53 22/03/2010] [11:46 06/04/2010] (Unable to calculate MD5)

-=End Of File=-

7 Re: bds small.iuj on Tue Apr 06, 2010 11:58 pm

DragonMaster Jay


Site Owner
Download this file and save it to your Desktop, and do NOT run it.

===========

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    killall::

    FCopy::
    C:\documents and settings\m3wt\desktop\explorer.exe | C:\windows\explorer.exe

    reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



8 Re: bds small.iuj on Wed Apr 07, 2010 4:15 am

mewt518


Member
ComboFix 10-04-06.01 - m3wt 04/07/2010 15:59:48.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.651 [GMT 8:00]
Running from: c:\documents and settings\m3wt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\m3wt\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
ADS - explorer.exe: deleted 26 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1259826051-904142497-1615138427-1000

.
--------------- FCopy ---------------

c:\documents and settings\m3wt\desktop\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-06 23:40 . 2009-08-06 11:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-30 00:08 . 2010-01-13 04:28 155648 ----a-w- c:\windows\system32\igfxCoIn_v5218.dll
2010-03-29 23:57 . 2010-03-29 23:57 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-29 23:57 . 2010-03-29 23:57 -------- d-----w- c:\documents and settings\m3wt\Application Data\SystemRequirementsLab
2010-03-22 13:53 . 2010-04-07 07:51 1033216 ----a-w- c:\windows\explorer.exe
2010-03-21 14:23 . 2010-03-22 14:27 -------- d-----w- c:\documents and settings\m3wt\Application Data\KeePass
2010-03-21 14:19 . 2010-03-21 14:19 -------- d-----w- c:\program files\KeePass Password Safe 2
2010-03-17 13:55 . 2010-03-17 13:55 -------- d-----w- c:\documents and settings\m3wt\Application Data\My Games
2010-03-17 13:46 . 2004-08-22 08:31 5248 ------w- c:\windows\system32\drivers\d347prt.sys
2010-03-17 13:46 . 2004-08-22 08:31 155136 ----a-w- c:\windows\system32\drivers\d347bus.sys
2010-03-17 13:46 . 2010-03-17 13:46 -------- d-----w- c:\program files\D-Tools
2010-03-17 13:46 . 2010-03-17 13:46 -------- d-----w- c:\windows\Downloaded Installations
2010-03-17 13:45 . 2010-03-17 13:45 -------- d-----w- C:\Civ4
2010-03-17 13:06 . 2010-03-17 13:06 -------- d-----w- c:\program files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 23:57 . 2010-03-29 23:57 84480 ----a-w- c:\documents and settings\m3wt\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-03-22 23:42 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\m3wt\Application Data\vlc
2010-03-22 14:08 . 2010-02-03 05:22 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-17 13:07 . 2009-10-17 14:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-02 15:37 . 2010-03-02 15:37 -------- d-----w- c:\documents and settings\m3wt\Application Data\Blender Foundation
2010-03-02 15:37 . 2010-03-02 15:37 -------- d-----w- c:\program files\Blender Foundation
2010-03-02 14:02 . 2009-10-17 13:55 -------- d-----w- c:\program files\VS Revo Group
2010-03-01 15:50 . 2010-03-01 15:50 -------- d-----w- c:\program files\Google
2010-03-01 12:56 . 2009-12-03 00:28 -------- d-----w- c:\program files\CCleaner
2010-03-01 01:05 . 2009-11-17 13:24 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 08:32 . 2009-10-17 14:10 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-02-16 05:24 . 2009-10-17 08:13 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-05 02:39 . 2010-02-05 02:39 251376 ----a-w- c:\documents and settings\m3wt\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-13 04:19 . 2009-10-17 14:10 3773952 ----a-w- c:\windows\system32\igxpdx32.dll
2010-01-13 04:18 . 2009-10-17 14:10 2685280 ----a-w- c:\windows\system32\igxpdv32.dll
2010-01-13 04:18 . 2009-10-17 14:10 185856 ----a-w- c:\windows\system32\igxpgd32.dll
2010-01-13 04:18 . 2009-10-17 14:10 57344 ----a-w- c:\windows\system32\igxprd32.dll
2010-01-13 04:18 . 2009-10-17 14:10 1730272 ----a-w- c:\windows\system32\drivers\igxpmp32.sys
2010-01-13 04:03 . 2009-10-17 14:10 294912 ----a-w- c:\windows\system32\igldev32.dll
2010-01-13 04:03 . 2009-10-17 14:10 2342912 ----a-w- c:\windows\system32\iglicd32.dll
2010-01-13 03:48 . 2009-10-17 14:10 645632 ----a-w- c:\windows\system32\igfxcfg.exe
2010-01-13 03:46 . 2009-10-17 14:10 134656 ----a-w- c:\windows\system32\igfxtray.exe
2010-01-13 03:46 . 2009-10-17 14:10 166912 ----a-w- c:\windows\system32\hkcmd.exe
2010-01-13 03:46 . 2009-10-17 14:10 23552 ----a-w- c:\windows\system32\igfxexps.dll
2010-01-13 03:46 . 2009-10-17 14:10 165888 ----a-w- c:\windows\system32\igfxext.exe
2010-01-13 03:46 . 2009-10-17 14:10 199168 ----a-w- c:\windows\system32\igfxpph.dll
2010-01-13 03:46 . 2009-10-17 14:10 130048 ----a-w- c:\windows\system32\igfxdo.dll
2010-01-13 03:46 . 2009-10-17 14:10 135680 ----a-w- c:\windows\system32\igfxpers.exe
2010-01-13 03:46 . 2009-10-17 14:10 51712 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-01-13 03:46 . 2009-10-17 14:10 243712 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-01-13 03:45 . 2009-10-17 14:10 93696 ----a-w- c:\windows\system32\hccutils.dll
2010-01-13 03:45 . 2009-10-17 14:10 5702656 ----a-w- c:\windows\system32\igfxress.dll
2010-01-13 03:45 . 2009-10-17 14:10 205824 ----a-w- c:\windows\system32\igfxdev.dll
.

------- Sigcheck -------

[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2010-04-07 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-04-06_14.04.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-04-06 14:03 . 2010-04-06 14:03 16384 c:\windows\Temp\Perflib_Perfdata_e4.dat
+ 2010-04-07 08:05 . 2010-04-07 08:05 16384 c:\windows\temp\Perflib_Perfdata_e4.dat
+ 2006-01-13 01:52 . 2009-08-06 11:24 44768 c:\windows\system32\wups2.dll
+ 2009-10-17 13:40 . 2009-08-06 11:24 35552 c:\windows\system32\wups.dll
+ 2009-10-17 13:40 . 2009-08-06 11:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-04-06 23:39 . 2009-08-06 11:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-04-06 23:39 . 2009-08-06 11:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2006-01-13 01:49 . 2009-08-06 11:24 96480 c:\windows\system32\cdm.dll
+ 2006-01-13 01:53 . 2009-08-06 11:24 209632 c:\windows\system32\wuweb.dll
+ 2009-10-17 13:40 . 2009-08-06 11:24 327896 c:\windows\system32\wucltui.dll
+ 2009-10-17 13:40 . 2009-08-06 11:23 575704 c:\windows\system32\wuapi.dll
- 2006-01-13 01:39 . 2010-04-06 14:06 539842 c:\windows\system32\perfh009.dat
+ 2006-01-13 01:39 . 2010-04-07 08:02 539842 c:\windows\system32\perfh009.dat
- 2006-01-13 01:39 . 2010-04-06 14:06 106766 c:\windows\system32\perfc009.dat
+ 2006-01-13 01:39 . 2010-04-07 08:02 106766 c:\windows\system32\perfc009.dat
+ 2006-01-13 01:55 . 2009-08-06 11:23 215920 c:\windows\system32\muweb.dll
+ 2009-10-19 03:38 . 2010-04-07 08:05 223186 c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-10-17 13:40 . 2009-08-06 11:23 1929952 c:\windows\system32\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-10 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-01-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-09-25 33517568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-17 149280]
"Cobian Backup 9"="c:\program files\Cobian Backup 9\Cobian.exe" [2009-01-22 579584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\m3wt\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Psi.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Psi.lnk
backup=c:\windows\pss\Psi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 09:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-10 14:01 135664 ----atw- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-08 21:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2007-02-26 09:40 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 07:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2005-12-14 11:13 7095344 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-14 20:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
2009-09-16 19:30 1933381 ----a-w- c:\program files\Software Informer\softinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2009-11-20 19:29 5262834 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\m3wt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\m3wt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7246:TCP"= 7246:TCP:expnbvm

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3/17/2010 9:46 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3/17/2010 9:46 PM 5248]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/17/2009 9:24 PM 135336]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [10/17/2009 10:13 PM 874880]
S2 cjxrxe;System Windows;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 ngnlzyesf;Network Manager;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10/17/2009 10:00 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10/17/2009 10:00 PM 3072]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 4:53 PM 55664]
S3 XDva300;XDva300;\??\c:\windows\system32\XDva300.sys --> c:\windows\system32\XDva300.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ngnlzyesf
cjxrxe
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1425521274-839522115-1003Core.job
- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-10 14:01]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1425521274-839522115-1003UA.job
- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-10 14:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mewtopia.tk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\m3wt\Application Data\Mozilla\Firefox\Profiles\q5179200.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mewtopia.tk
FF - plugin: c:\documents and settings\m3wt\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\m3wt\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 16:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86189F00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7650fc3
\Driver\ACPI -> ACPI.sys @ 0xf759dcb8
\Driver\atapi -> 0x86189f00
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8057c799
SecurityProcedure -> ntoskrnl.exe @ 0x805de473
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8057c799
SecurityProcedure -> ntoskrnl.exe @ 0x805de473
NDIS: Atheros L2 Fast Ethernet 10/100 Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7424ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7431b21
SendHandler -> NDIS.sys @ 0xf740f87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjxrxe]
"ServiceDll"="c:\windows\system32\aizexh.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ngnlzyesf]
"ServiceDll"="c:\windows\system32\aizexh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2540)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Cobian Backup 9\cbInterface.exe
.
**************************************************************************
.
Completion time: 2010-04-07 16:13:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 08:13
ComboFix2.txt 2010-04-06 14:10

Pre-Run: 31,684,460,544 bytes free
Post-Run: 31,655,030,784 bytes free

- - End Of File - - 2476DD9A8F6C65C37768A9AB858553B6

9 Re: bds small.iuj on Wed Apr 07, 2010 4:16 am

mewt518


Member
Member
Looks like the virus has been removed. I don't see my antivirus popping up like crazy. Can you please confirm, sir?

10 Re: bds small.iuj on Wed Apr 07, 2010 9:34 am

DragonMaster Jay


Site Owner
Site Owner
No, cannot confirm. You have a severe infection on the system.

If the computer has been used for any important data, you are strongly advised to do the following immediately:

  • Back up all important data on the machine.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:

    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for potential identity theft caused by the infections.


=======================

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    filelook::
    c:\windows\system32\drivers\tcpip.sys

    registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnsc"=-

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"=-

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7246:TCP"=-

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjxrxe]
    "ServiceDll"=-

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ngnlzyesf]
    "ServiceDll"=-

    File::
    c:\windows\system32\aizexh.dll
    c:\windows\system32\msnsc.exe

    netsvc::
    ngnlzyesf
    cjxrxe
    ServiceDll

    MBR::

    rootkit::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


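The CFScript above removes four classes of indicator from this log: the two svchost-hosted "netsvcs" services (cjxrxe, ngnlzyesf) that both load the same randomly named DLL, the dead RunOnce value "nlsf"="move" [X], the globally opened firewall port, and the service/file pair behind them. As an added example for this thread (not ComboFix's own code and not the script DragonMaster Jay posted), here is a small Python triage helper that reads a ComboFix log and surfaces exactly those classes of finding so an analyst can see them before writing a script. The sample input is a constructed excerpt of lines quoted from the log above; the "vowel-poor name" check is a heuristic of my own and is noisy on legitimate abbreviations such as TrkWks, so it is a signal for review, never a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of lines lifted from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/17/2009 9:24 PM 135336]
S2 cjxrxe;System Windows;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 ngnlzyesf;Network Manager;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7246:TCP"= 7246:TCP:expnbvm

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjxrxe]
"ServiceDll"="c:\windows\system32\aizexh.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ngnlzyesf]
"ServiceDll"="c:\windows\system32\aizexh.dll"
"""

# "R2 name;display;image [date size]" service lines, "[section]" headers, and "key"=value lines.
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[')
SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class Triage:
    svchost_services: Dict[str, Optional[str]] = field(default_factory=dict)  # name -> ServiceDll
    suspicious_services: Dict[str, List[str]] = field(default_factory=dict)   # name -> reasons
    firewall_disabled: bool = False
    open_ports: List[str] = field(default_factory=list)
    broken_runonce: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic (assumption, not a rule): dropper-generated service names tend to be
    vowel-poor with long consonant runs. Expect false positives on real abbreviations."""
    letters = ''.join(c for c in name.lower() if c.isalpha())
    if not letters:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    longest_run = max(len(run) for run in re.split(r'[aeiou]', letters))
    return vowels / len(letters) < 0.2 or longest_run >= 4


def triage_log(text: str) -> Triage:
    t = Triage()
    service_dlls: Dict[str, str] = {}   # lower-cased service name -> ServiceDll path
    section = ''
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image = m.groups()
            if 'svchost.exe -k' in image.lower():       # hosted in svchost: DLL is what matters
                t.svchost_services[name] = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if section.endswith('firewallpolicy\\standardprofile') and key == 'EnableFirewall':
            t.firewall_disabled = value.startswith('0')
        elif section.endswith('globallyopenports\\list'):
            t.open_ports.append(key)
        elif section.endswith('\\runonce') and value.rstrip().endswith('[X]'):
            t.broken_runonce.append(key)                 # ComboFix marks unresolvable targets [X]
        else:
            sm = re.search(r'\\services\\([^\\]+)$', section)
            if sm and key == 'ServiceDll':
                service_dlls[sm.group(1)] = value.strip('"')

    # Join the service list with the ServiceDll dump and count DLL sharing.
    dll_users: Dict[str, List[str]] = {}
    for name in t.svchost_services:
        dll = service_dlls.get(name.lower())
        t.svchost_services[name] = dll
        if dll:
            dll_users.setdefault(dll.lower(), []).append(name)
    for name, dll in t.svchost_services.items():
        reasons = []
        if looks_random(name):
            reasons.append('vowel-poor service name')
        if dll and len(dll_users[dll.lower()]) > 1:
            others = [n for n in dll_users[dll.lower()] if n != name]
            reasons.append('ServiceDll shared with ' + ', '.join(others))
        if reasons:
            t.suspicious_services[name] = reasons
    return t


if __name__ == '__main__':
    result = triage_log(SAMPLE_LOG)
    for name, reasons in result.suspicious_services.items():
        print(f'svchost service {name} -> {result.svchost_services[name]}: {"; ".join(reasons)}')
    print('firewall disabled:', result.firewall_disabled)
    print('open ports:', result.open_ports, ' broken RunOnce:', result.broken_runonce)
```

On the excerpt above it reports both netsvcs services (random-looking names, and the same aizexh.dll loaded by both), the disabled firewall profile, port 7246/TCP and the dead "nlsf" RunOnce value, which is the same set of entries the CFScript removes; legitimate services such as the Avira scheduler are not svchost-hosted and are left alone.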

11 Re: bds small.iuj on Wed Apr 07, 2010 9:58 am

mewt518


Member
Member
Wow, really? How did you know that? Can you tell me? Well, I have a triple boot on my system, but I rarely use my XP OS now. I have to tell you, though, that my personal email has been compromised. For some reason folks from craigslist have started to email me asking for some sexual favors. lol. When I checked my sent messages, it turned out someone is using my email. Anyway, I've changed my email password and, like I said, I rarely use my XP now. I use Windows 7 and Linux often. Also, my passwords and bank accounts are on my other computer. I will post the last log in a few minutes.

12 Re: bds small.iuj on Wed Apr 07, 2010 10:24 am

DragonMaster Jay


Site Owner
Site Owner
There has been one backdoor trojan on your computer, which steals information, and there was a trojan spy as well. Both have a technique for stealing your information.

The trojan spy has been on your computer for over three years, by the way.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner



13 Re: bds small.iuj on Wed Apr 07, 2010 10:38 am

mewt518


Member
Member
Here you go, sir. I hope you bring good news this time, lol.



ComboFix 10-04-06.04 - m3wt 04/07/2010 22:18:47.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.649 [GMT 8:00]
Running from: c:\documents and settings\m3wt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\m3wt\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\aizexh.dll"
"c:\windows\system32\msnsc.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1259826051-904142497-1615138427-1000
c:\windows\system32\msnsc.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 12:13 . 2010-04-07 12:13 -------- d-----w- c:\documents and settings\m3wt\Application Data\Avira
2010-04-06 23:40 . 2009-08-06 11:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-30 00:08 . 2010-01-13 04:28 155648 ----a-w- c:\windows\system32\igfxCoIn_v5218.dll
2010-03-29 23:57 . 2010-03-29 23:57 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-29 23:57 . 2010-03-29 23:57 -------- d-----w- c:\documents and settings\m3wt\Application Data\SystemRequirementsLab
2010-03-22 13:53 . 2010-04-07 07:51 1033216 ----a-w- c:\windows\explorer.exe
2010-03-21 14:23 . 2010-03-22 14:27 -------- d-----w- c:\documents and settings\m3wt\Application Data\KeePass
2010-03-21 14:19 . 2010-03-21 14:19 -------- d-----w- c:\program files\KeePass Password Safe 2
2010-03-17 13:55 . 2010-03-17 13:55 -------- d-----w- c:\documents and settings\m3wt\Application Data\My Games
2010-03-17 13:46 . 2004-08-22 08:31 5248 ------w- c:\windows\system32\drivers\d347prt.sys
2010-03-17 13:46 . 2004-08-22 08:31 155136 ----a-w- c:\windows\system32\drivers\d347bus.sys
2010-03-17 13:46 . 2010-03-17 13:46 -------- d-----w- c:\program files\D-Tools
2010-03-17 13:46 . 2010-03-17 13:46 -------- d-----w- c:\windows\Downloaded Installations
2010-03-17 13:45 . 2010-03-17 13:45 -------- d-----w- C:\Civ4
2010-03-17 13:06 . 2010-03-17 13:06 -------- d-----w- c:\program files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 23:57 . 2010-03-29 23:57 84480 ----a-w- c:\documents and settings\m3wt\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-03-22 23:42 . 2009-10-17 12:31 -------- d-----w- c:\documents and settings\m3wt\Application Data\vlc
2010-03-22 14:08 . 2010-02-03 05:22 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-17 13:07 . 2009-10-17 14:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-02 15:37 . 2010-03-02 15:37 -------- d-----w- c:\documents and settings\m3wt\Application Data\Blender Foundation
2010-03-02 15:37 . 2010-03-02 15:37 -------- d-----w- c:\program files\Blender Foundation
2010-03-02 14:02 . 2009-10-17 13:55 -------- d-----w- c:\program files\VS Revo Group
2010-03-01 15:50 . 2010-03-01 15:50 -------- d-----w- c:\program files\Google
2010-03-01 12:56 . 2009-12-03 00:28 -------- d-----w- c:\program files\CCleaner
2010-03-01 01:05 . 2009-11-17 13:24 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 08:32 . 2009-10-17 14:10 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-02-16 05:24 . 2009-10-17 08:13 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-05 02:39 . 2010-02-05 02:39 251376 ----a-w- c:\documents and settings\m3wt\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-13 04:19 . 2009-10-17 14:10 3773952 ----a-w- c:\windows\system32\igxpdx32.dll
2010-01-13 04:18 . 2009-10-17 14:10 2685280 ----a-w- c:\windows\system32\igxpdv32.dll
2010-01-13 04:18 . 2009-10-17 14:10 185856 ----a-w- c:\windows\system32\igxpgd32.dll
2010-01-13 04:18 . 2009-10-17 14:10 57344 ----a-w- c:\windows\system32\igxprd32.dll
2010-01-13 04:18 . 2009-10-17 14:10 1730272 ----a-w- c:\windows\system32\drivers\igxpmp32.sys
2010-01-13 04:03 . 2009-10-17 14:10 294912 ----a-w- c:\windows\system32\igldev32.dll
2010-01-13 04:03 . 2009-10-17 14:10 2342912 ----a-w- c:\windows\system32\iglicd32.dll
2010-01-13 03:48 . 2009-10-17 14:10 645632 ----a-w- c:\windows\system32\igfxcfg.exe
2010-01-13 03:46 . 2009-10-17 14:10 134656 ----a-w- c:\windows\system32\igfxtray.exe
2010-01-13 03:46 . 2009-10-17 14:10 166912 ----a-w- c:\windows\system32\hkcmd.exe
2010-01-13 03:46 . 2009-10-17 14:10 23552 ----a-w- c:\windows\system32\igfxexps.dll
2010-01-13 03:46 . 2009-10-17 14:10 165888 ----a-w- c:\windows\system32\igfxext.exe
2010-01-13 03:46 . 2009-10-17 14:10 199168 ----a-w- c:\windows\system32\igfxpph.dll
2010-01-13 03:46 . 2009-10-17 14:10 130048 ----a-w- c:\windows\system32\igfxdo.dll
2010-01-13 03:46 . 2009-10-17 14:10 135680 ----a-w- c:\windows\system32\igfxpers.exe
2010-01-13 03:46 . 2009-10-17 14:10 51712 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-01-13 03:46 . 2009-10-17 14:10 243712 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-01-13 03:45 . 2009-10-17 14:10 93696 ----a-w- c:\windows\system32\hccutils.dll
2010-01-13 03:45 . 2009-10-17 14:10 5702656 ----a-w- c:\windows\system32\igfxress.dll
2010-01-13 03:45 . 2009-10-17 14:10 205824 ----a-w- c:\windows\system32\igfxdev.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\tcpip.sys ---
Company: Microsoft Corporation
File Description: TCP/IP Protocol Driver
File Version: 5.1.2600.2688 (xpsp.050531-1521)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: tcpip.sys
File size: 360448
Created time: 2006-01-13 02:03
Modified time: 2006-01-13 02:03
MD5: 2A4818AEA80ACD2C95D7D92D2F3155F8
SHA1: E95B8B3162DF8E63932B11450A7B50D6A5047664


------- Sigcheck -------

[-] 2006-01-13 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2010-04-07 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-04-06_14.04.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-07 14:26 . 2010-04-07 14:26 16384 c:\windows\temp\Perflib_Perfdata_d4.dat
+ 2006-01-13 01:52 . 2009-08-06 11:24 44768 c:\windows\system32\wups2.dll
+ 2009-10-17 13:40 . 2009-08-06 11:24 35552 c:\windows\system32\wups.dll
+ 2009-10-17 13:40 . 2009-08-06 11:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-04-06 23:39 . 2009-08-06 11:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-04-06 23:39 . 2009-08-06 11:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2006-01-13 01:49 . 2009-08-06 11:24 96480 c:\windows\system32\cdm.dll
+ 2006-01-13 01:53 . 2009-08-06 11:24 209632 c:\windows\system32\wuweb.dll
+ 2009-10-17 13:40 . 2009-08-06 11:24 327896 c:\windows\system32\wucltui.dll
+ 2009-10-17 13:40 . 2009-08-06 11:23 575704 c:\windows\system32\wuapi.dll
- 2006-01-13 01:39 . 2010-04-06 14:06 539842 c:\windows\system32\perfh009.dat
+ 2006-01-13 01:39 . 2010-04-07 14:21 539842 c:\windows\system32\perfh009.dat
- 2006-01-13 01:39 . 2010-04-06 14:06 106766 c:\windows\system32\perfc009.dat
+ 2006-01-13 01:39 . 2010-04-07 14:21 106766 c:\windows\system32\perfc009.dat
+ 2006-01-13 01:55 . 2009-08-06 11:23 215920 c:\windows\system32\muweb.dll
+ 2009-10-19 03:38 . 2010-04-07 14:28 223183 c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-10-17 13:40 . 2009-08-06 11:23 1929952 c:\windows\system32\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-10 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-01-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-09-25 33517568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-17 149280]
"Cobian Backup 9"="c:\program files\Cobian Backup 9\Cobian.exe" [2009-01-22 579584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\m3wt\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Psi.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Psi.lnk
backup=c:\windows\pss\Psi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^m3wt^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\m3wt\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 09:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-10 14:01 135664 ----atw- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-08 21:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2007-02-26 09:40 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 07:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2005-12-14 11:13 7095344 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-14 20:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
2009-09-16 19:30 1933381 ----a-w- c:\program files\Software Informer\softinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2009-11-20 19:29 5262834 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\m3wt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\m3wt\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3/17/2010 9:46 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3/17/2010 9:46 PM 5248]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/17/2009 9:24 PM 135336]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [10/17/2009 10:13 PM 874880]
S2 cjxrxe;System Windows;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 ngnlzyesf;Network Manager;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10/17/2009 10:00 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10/17/2009 10:00 PM 3072]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 4:53 PM 55664]
S3 XDva300;XDva300;\??\c:\windows\system32\XDva300.sys --> c:\windows\system32\XDva300.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1425521274-839522115-1003Core.job
- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-10 14:01]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1425521274-839522115-1003UA.job
- c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-10 14:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mewtopia.tk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\m3wt\Application Data\Mozilla\Firefox\Profiles\q5179200.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mewtopia.tk
FF - plugin: c:\documents and settings\m3wt\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\m3wt\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\m3wt\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 22:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x861F5A48]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7650fc3
\Driver\ACPI -> ACPI.sys @ 0xf759dcb8
\Driver\atapi -> 0x861f5a48
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8057c799
SecurityProcedure -> ntoskrnl.exe @ 0x805de473
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8057c799
SecurityProcedure -> ntoskrnl.exe @ 0x805de473
NDIS: Atheros L2 Fast Ethernet 10/100 Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7424ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7431b21
SendHandler -> NDIS.sys @ 0xf740f87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cjxrxe]
"ServiceDll"="c:\windows\system32\aizexh.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ngnlzyesf]
"ServiceDll"="c:\windows\system32\aizexh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(640)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Cobian Backup 9\cbInterface.exe
.
**************************************************************************
.
Completion time: 2010-04-07 22:34:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 14:34
ComboFix2.txt 2010-04-07 08:13
ComboFix3.txt 2010-04-06 14:10

Pre-Run: 31,656,927,232 bytes free
Post-Run: 31,630,200,832 bytes free

- - End Of File - - 9F8F2BD1049F2BDBF1F5885424DDC338

14 Re: bds small.iuj on Wed Apr 07, 2010 11:35 am

DragonMaster Jay
Site Owner
Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


15 Re: bds small.iuj on Wed Apr 07, 2010 11:49 am

mewt518
Member
Posting the mbr.exe log:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
