Svchost.exe and email exploit troubles... [Closed]

Hmm good eye there! It is infected with something:
http://www.virustotal.com/analisis/10c5df1374e559164f3e2f0b60e51a11

I do run portable apps from a USB stick, and when I had Daemon Tools (several months ago now), it made virtual drive Z but I no longer have it soo…

Honeypots are sounding a bit g33ky but I may be able to make a Windows build by contacting the right folks and getting them to help. Even if it would take forever on my online Dial-Up connection… :slight_smile:

It’s a little bit of progress, like a finger that just touched a tail. Now to figure out how to grab it without getting bitten.

This uniime32.dll is loaded at machine boot time. Virustotal says it is a compressed (using UPX techniques) executable. It’s like a run-in-place zip file, and probably encrypted. There are several different kinds of malware that will do that, and all of them protect their startup code, so just simply deleting it won’t work. “Vundo” is an example. If we can successfully disable the startup, then cleanup will be fairly simple. Rather, it’s supposed to be simple. I need to do some research on the available techniques and tools, which may take a little while.

Re honeypots. Definitely can be a g33ky thing. Some of the more elaborate setups I’ve read about have folks with corporate backing and get paid to do it. Lucky beggars…

First pass on the research hasn’t been encouraging. Several variants of polymorphic “winlogon notify” malware, ranging from (relatively) easy to remove like Vundo, to zero and reformat like some virut variants. I don’t know enough of which version you’ve got to know which direction to go.

So, are you game for an experiment? What I’m thinking, is to use CFP Defense+ to block the boot load sequence of uniime32 from being executed. It’s the code execution equivalent of the svchost firewall rules, trying to bottle up a process.

To do this, in CFP go to Defense+ → Advanced / Computer Security Policy, and then Add an entry.

The application path is C:\windows\system32\uniime32.dll. Select “Custom Policy”. As a safety measure for testing, set “Access Rights” to allow everything, and “Protection Settings” to no. That’s taking the defaults. Meaning that everything should still run unchanged. Since this is a boot load thing, you should reboot to see if anything gets unhappy. This malware has some kind of defense code, and if it senses something, it’d be best to have an easy way to back out by just deleting the CFP entry.

If that is working, meaning nothing happened, then change the Access Rights to everything blocked, and the Protection Settings to yes. Reboot again.

If that worked, then the malware cloaking device just got disabled. Run a Deckard’s Scan and post the result. There should be some new processes running around.

Does that make sense on what I’m describing?

Yes, I’m game. I’ll go ahead and try it out now.
Meantime, here’s the infected dll; if you’re game (and very cautious), you may be able to decompile it with win32dasm:
http://rapidshare.com/files/117388841/uniime32.dll.html ← Infected file.

Got it. I’ll eyeball it on one of the FreeBSD boxes here.

I’m off and exhausted for one day. I set those Comodo rules and it still is coming up on bootup, but I think it got a little ticked. Upon setting Comodo rules and searching for suspicious files through Windows Search, explorer.exe crashed. Not a normal crash mind you, it remained in memory and had CPU power 100%. I managed to open Sysinternals via Ctrl+Alt+Delete and running a command line from it. It revealed DEP service with an insane amount of Hardware Interruptions.

I believe it was a buffer overflow, but I could be wrong. I saw tons of ntoskrnl.exe commands directed at explorer.exe. I scanned the ntoskrnl.exe file on virustotal, but it claims it’s not infected.

After running “sfc /scannow” (Windows’ built-in File Checker), it found numerous “DLL Cache” problems which it replaced with the real ones from my XP CD. It also replaced my VistaTransformationPack 8.1 theme with good ol’ Windows default, but I guess it’s safer anyhow.

Lastly, just 5 minutes ago, Avast caught Win32:SQLSlammer in C:\DOCUME~1\Luke\LOCALS~1\Temp\etherXXXXa01456. I’ve no idea how it got there and I am not sure how it got into temp. Comodo was set to Paranoid, Aggressive, mode. Seems it slipped right by… @_@

Here’s a page on the worm: http://www.avast.com/eng/win32sqlslammer.html
It says it only infects Microsoft SQL 2000 servers… strange.

Edit: While the buffer overflow took place I was looking at these…

Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Luke>netstat -anobv

Active Connections

Proto Local Address Foreign Address State PID
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING 1808
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\ole32.dll
[alg.exe]

TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING 932
[ashMaiSv.exe]

TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 972
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\kernel32.dll
[ashWebSv.exe]

TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING 932
[ashMaiSv.exe]

TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING 932
[ashMaiSv.exe]

TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING 932
[ashMaiSv.exe]

UDP 0.0.0.0:4500 : 628
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\oakley.DLL
C:\WINDOWS\system32\LSASRV.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[lsass.exe]

UDP 0.0.0.0:500 : 628
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\oakley.DLL
C:\WINDOWS\system32\LSASRV.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[lsass.exe]

UDP 127.0.0.1:1900 : 960
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 127.0.0.1:123 : 820
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

C:\Documents and Settings\Luke>

And the win.ini had some strange entries like Btrieve…

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
[MSUCE]
Advanced=0
CodePage=Unicode
Font=Arial
[RAD Video Tools]
LastVersionCheckDate=2008-04-09
Path=C:\Program Files\Intel Play\QX3 Microscope\Samples
BinkComp=
BinkMix=
SmackComp=/l104
SmackMix=/l104
BinkPlay=
SmackPlay=
BinkConv=/z
X=100
Y=100
W=526
H=392
[HookAPI]
DLL_PATH=C:\WINDOWS\system32
[Mail]
MAPI=1
[Miles Sound Studio]
Path=C:\Program Files\Acclaim Entertainment\Re-volt\levels\fspringmorning\wavs
X=544
Y=188
W=447
H=395
[Btrieve]
Options=/m:64 /p:4096 /t:C:\WINDOWS\TEMP\btrieve.trn
[AAPLAY Animation]
DualScreen=0
FullScreen=
FullInstalled=1
[drawdib]
vga.drv 1024x768x32(BGR 0)=1,31,31,23
[Dictionary]
EnglishAviDelay=2000
searchwindowsize=10
searchwindowminimal=0
PracticeMode=0
PracticeSound=1
StayOnTop=0
WinPosLeftMain=229
WinPosTopMain=198
WinPosLeftAdd=197
WinPosTopAdd=262
WinPosLeftSearch=197
WinPosTopSearch=209
ClipSearch=1
AddNewWordsToList=1
[Miles Sound Player]
Filtered=1
Reverb=0
Rate=22050
Bits=16
Channels=16
ForceDLS=0
DLSFilename=
X=100
Y=100
[PARID]
ComputerID={AD8DC860-F589-4740-BDF1-04D5C7BA5517}

Well, I need to get some serious zzz… byes for tonight.

Edit: It’s morning here. Now SystemInfo (Start>>All Programs>>Accessories>>System Tools>>System Information) stopped working. It says “Can’t Collect Information - A network error occurred in connecting to Windows Management Instrumentation. Ensure your network connection is working properly.” and the window is blank apart from that text… it could be a service that is turned off, or it could be something more serious, dunno.

Last night brought some interesting thought to my interest, suppose it is in defensive mode, has it turned on a Dropper? Technically, it could be a virus downloading viruses to throw us off and/or modified viruses to mess us up. 88)

Also, here’s a professional cleanup article on Virmundo variants: http://www.clickanerd.com/techtips/tips/001-virus-removal.htm
I’ve not run it yet, but if you think I should, let me know.

Edit again, lol: I found svchost (when I temporarily shut off my firewall) to be sending out packets according to Comodo. I also ran WireShark while it was doing it.
List of strange destination IPs:
69.28.155.43:80
207.46.209.126:443

Pcap: http://rapidshare.com/files/117516734/yetanoter.pcap.html
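Added example, not code from the thread or from any of the tools mentioned: a small Python parser for the `netstat -anob` listing pasted above. It attributes each socket to its owning process, lists what each process has open, flags sockets bound to a non-loopback address (reachable from the network), and lists established outbound TCP connections. The sample input is a constructed, trimmed copy of that listing; the svchost row to 69.28.155.43:80 and its 192.168.1.5 local address are made up to mirror the strange destination IP noted above.

```python
"""Parse Windows `netstat -anob` output (XP format) and summarise which
processes own which sockets, flagging anything reachable from the network."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the listing format in the thread
# (a TCP/UDP row, then the modules -b attributes the socket to, then [process]).
# The svchost ESTABLISHED row is invented to illustrate outbound traffic.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1808
  C:\\WINDOWS\\System32\\WS2_32.dll
  C:\\WINDOWS\\System32\\alg.exe
  [alg.exe]

  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       932
  [ashMaiSv.exe]

  TCP    192.168.1.5:1044       69.28.155.43:80        ESTABLISHED     960
  [svchost.exe]

  UDP    0.0.0.0:4500           *:*                                    628
  C:\\WINDOWS\\system32\\oakley.DLL
  [lsass.exe]

  UDP    127.0.0.1:1900         *:*                                    960
  c:\\windows\\system32\\ssdpsrv.dll
  [svchost.exe]
"""


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str            # empty for UDP, which has no connection state
    pid: int
    process: str = ""     # executable name from the [name] line
    modules: List[str] = field(default_factory=list)  # DLL/EXE that created the socket


# Socket row: proto, local, foreign, optional state (TCP only), PID.
# Foreign address is "*:*" in real output; the pasted copy lost it to ":" and
# \S+ accepts either.
_ROW = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)$")


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    current: Optional[Socket] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            current = Socket(proto, local, foreign, state or "", int(pid))
            sockets.append(current)
        elif current is None:
            continue                         # banner and column header
        elif line.startswith("[") and line.endswith("]"):
            current.process = line[1:-1]     # owner line closes the record
            current = None
        elif line.startswith("Can not obtain ownership"):
            current.process = "<unknown>"    # netstat could not resolve the owner
            current = None
        else:
            current.modules.append(line)
    return sockets


def listening(sockets: List[Socket]) -> List[Socket]:
    """Sockets that accept input: TCP in LISTENING, or any bound UDP socket."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def exposed(sockets: List[Socket]) -> List[Socket]:
    """Listening sockets not bound to 127.x, i.e. reachable from LAN/Internet."""
    return [s for s in listening(sockets) if not s.local.startswith("127.")]


def outbound(sockets: List[Socket]) -> List[Socket]:
    """TCP sockets with a remote peer: what on the box is talking out."""
    return [s for s in sockets if s.proto == "TCP" and s.state != "LISTENING"]


def by_process(sockets: List[Socket]) -> Dict[str, List[str]]:
    """Process name -> sorted 'PROTO local:port' strings it owns."""
    out: Dict[str, List[str]] = {}
    for s in sockets:
        out.setdefault(s.process or f"pid {s.pid}", []).append(f"{s.proto} {s.local}")
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for name, addrs in sorted(by_process(socks).items()):
        print(f"{name:14s} {', '.join(addrs)}")
    for s in exposed(socks):
        print(f"EXPOSED  {s.proto} {s.local} pid {s.pid} ({s.process})")
    for s in outbound(socks):
        print(f"OUTBOUND {s.local} -> {s.foreign} {s.state} pid {s.pid} ({s.process})")
```

Feed it a saved `netstat -anob > netstat.txt` instead of SAMPLE; an EXPOSED line for a process you cannot name, or an OUTBOUND line from svchost.exe to an address you do not recognise, is what to chase next.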

Oh my, you’ve been busy. ;D

It’s going to take a few minutes to digest everything, so I’m posting just my initial thoughts.

That uniime32.dll is still coming up at boot is good to know. It means the removal technique is going to involve some simultaneous deletions done at boot time. The typical tool I’ve encountered for that, is “OTMoveit by OldTimer”, which gets a lot of use in the malware cleanup forums. The question is, what is the thing that has to be moved with it. We don’t know that yet.

DEP did its thing. It kept the malware defense at bay by not allowing a reinfection. ntoskrnl.exe in \system32 is system kernel stuff, probably being used as a messenger with an infected parameter list.

SQLSlammer, probably harmless on your machine, but being used as a payload to send to other machines as the malware gets Internet access. Meaning your box is being used to attack other machines. Not a good thing. But because the SQL stuff doesn’t run on your box, it’s not a hazard to your box, and so the antivirus and buffer overflow defenses on your box don’t trip. It’s just data, harmless as a txt file.

btrieve could be real, used as a data management technique in one of your legit applications.

The Windows Management Instrumentation is a control interface to configuring Windows machines, either by applications, on the keyboard, or over the Internet. I’m getting the sense that the malware is getting defensive, and is going to try to lock you out if it can. Keep the firewall up, as it only takes an eyeblink for a script to run and you lose admin privileges and the ability to boot into safe mode. Easy enough to recover from with an installation CD, but inconvenient. And most folks don’t have the CDs, or have a clue what to do with them.

ClickANerd looks to have good information. Ccleaner would be good to run, clear out all that \temp stuff.

Combofix would probably be good also, but needs to be used with caution. It’s a good diagnostic tool just by running it, but it has a lot of other capabilities that can cripple your machine, and is a moving target. The Combofix you get today is not the one you would get last week, and won’t be the one you get next week. It’s revised constantly by the malware cleanup pros based on what their experience is in the cleanup forums. One of the official sources for Combofix is http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe I have no idea what version ClickANerd might be linking to. It’s always best to go straight to the source. If you run Combofix, post the log that it produces. And >>> do not touch the mouse while it is running <<< It’ll freeze on you. And yes that is by design, not a bug.

I haven’t eyeballed the pcap file yet. I will as I get a chance today.

Today is going to be kind of intermittent being online. Home stuff to take care of. Real Life™, as some folks say.
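Added example, not the thread's or any tool's own code: a Python audit of the Winlogon\Notify load point that uniime32.dll uses to come back at every boot. It parses a REGEDIT4-style export of that key (the syntax `reg export` writes and ComboFix prints) and sorts each handler into default, review, or suspect; the sample export and its values are constructed to echo the two handlers in the thread, and the allowlist is the stock Windows XP SP2 handler set.

```python
"""Audit Winlogon Notify handlers from a REGEDIT4-style registry export.

winlogon.exe loads every DLL registered under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify when it
starts, before any user logs on, so a handler registered there survives
deleting the file alone. This reads an exported copy of that key and flags
handlers that are not part of the stock XP set."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stock Winlogon\Notify subkeys on Windows XP SP2. Anything else is reported:
# security products (the SASWinLogon handler in the thread) are legitimate but
# non-default, so they come out as "review" rather than being silently allowed.
DEFAULT_HANDLERS = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                    "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Constructed sample export (hypothetical values echoing the thread's handlers).
# .reg syntax doubles backslashes inside quoted values.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SASWinLogon]
"DLLName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Startup"="SASWinLogonStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uniime32]
"DLLName"="uniime32.dll"
"Startup"="WinLogon"
"""


@dataclass
class Handler:
    name: str            # subkey name under Winlogon\Notify
    dll: str             # DLLName value: the module winlogon.exe will load
    events: List[str]    # Logon/Logoff/Startup/... entry points it registers

    @property
    def verdict(self) -> str:
        if self.name in DEFAULT_HANDLERS:
            return "default"
        if "\\" not in self.dll:
            # Bare filename: resolved through the system search path (system32),
            # with no vendor directory to tie it to; the pattern uniime32 uses.
            return "suspect"
        return "review"


_KEY = re.compile(r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\.*\\winlogon\\notify\\([^\]\\]+)\]$", re.I)
_VAL = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_notify_export(text: str) -> List[Handler]:
    handlers: List[Handler] = []
    current: Optional[Handler] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = Handler(m.group(1), "", [])
            handlers.append(current)
            continue
        if line.startswith("["):
            current = None            # some unrelated key: skip its values
            continue
        v = _VAL.match(line)
        if current is None or not v:
            continue
        name, value = v.group(1), v.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if name.lower() == "dllname":
            current.dll = value
        else:
            current.events.append(name)
    return handlers


def audit(text: str) -> Dict[str, str]:
    """Handler name -> 'default', 'review' or 'suspect'."""
    return {h.name: h.verdict for h in parse_notify_export(text)}


if __name__ == "__main__":
    for h in parse_notify_export(SAMPLE_EXPORT):
        print(f"{h.verdict:8s} {h.name:14s} {h.dll}  events={','.join(h.events)}")
```

On a live box, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and point the script at that file; a "suspect" handler is the one to hash and look up before deciding how to remove it.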

Hello,
I tried to download Combofix from the site you gave, but the download never started… so… I downloaded one from bleepingcomputer, hope this is a good version? :-\

I’ve been busy in RealLife ™ too today lol. So no problem. :wink:

Here’s the Combofix log:

ComboFix 08-05-25.3 - Luke 2008-05-25 20:02:04.1 - NTFSx86

Running from: C:\Documents and Settings\Luke\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\explorer.exe.tmp
C:\WINDOWS\system32_000121_.tmp.dll
C:\WINDOWS\system32_004390_.tmp.dll
C:\WINDOWS\system32_004391_.tmp.dll
C:\WINDOWS\system32_004392_.tmp.dll
C:\WINDOWS\system32_004393_.tmp.dll
C:\WINDOWS\system32_004400_.tmp.dll
C:\WINDOWS\system32_004401_.tmp.dll
C:\WINDOWS\system32_004402_.tmp.dll
C:\WINDOWS\system32_004403_.tmp.dll
C:\WINDOWS\system32_004405_.tmp.dll
C:\WINDOWS\system32_004406_.tmp.dll
C:\WINDOWS\system32_004409_.tmp.dll
C:\WINDOWS\system32_004410_.tmp.dll
C:\WINDOWS\system32_004412_.tmp.dll
C:\WINDOWS\system32_004413_.tmp.dll
C:\WINDOWS\system32_004414_.tmp.dll
C:\WINDOWS\system32_004415_.tmp.dll
C:\WINDOWS\system32_004416_.tmp.dll
C:\WINDOWS\system32_004419_.tmp.dll
C:\WINDOWS\system32_004420_.tmp.dll
C:\WINDOWS\system32_004424_.tmp.dll
C:\WINDOWS\system32_004425_.tmp.dll
C:\WINDOWS\system32_004427_.tmp.dll
C:\WINDOWS\system32_004430_.tmp.dll
C:\WINDOWS\system32_004432_.tmp.dll
C:\WINDOWS\system32_004433_.tmp.dll
C:\WINDOWS\system32_004434_.tmp.dll
C:\WINDOWS\system32_004435_.tmp.dll
C:\WINDOWS\system32_004436_.tmp.dll
C:\WINDOWS\system32_004439_.tmp.dll
C:\WINDOWS\system32_004440_.tmp.dll
C:\WINDOWS\system32_004441_.tmp.dll
C:\WINDOWS\system32_004442_.tmp.dll
C:\WINDOWS\system32_004443_.tmp.dll
C:\WINDOWS\system32_004448_.tmp.dll
C:\WINDOWS\system32_004450_.tmp.dll
C:\WINDOWS\system32_004451_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-24 22:56 . 2004-08-04 07:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-05-24 17:09 . 2008-05-24 19:28 d-------- C:\cygwin
2008-05-24 15:59 . 2008-05-24 15:59 98 --a------ C:\index.ini
2008-05-24 15:54 . 2008-05-24 15:54 d-------- C:\Program Files\a-squared HiJackFree
2008-05-24 13:11 . 2008-05-24 13:11 d-------- C:\Program Files\PrevxCSI
2008-05-24 13:11 . 2008-05-24 14:12 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-24 13:11 . 2008-05-24 13:11 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-05-24 13:06 . 2008-05-24 13:06 d-------- C:\Deckard
2008-05-23 23:10 . 2008-05-24 21:28 d-------- C:\Program Files\Deep System Explorer
2008-05-20 16:10 . 2008-05-20 16:10 d-------- C:\Program Files\Alwil Software
2008-05-20 16:07 . 2008-05-20 16:07 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-19 22:08 . 2008-05-19 22:08 d-------- C:\Documents and Settings\Luke\Application Data\Wireshark
2008-05-19 21:55 . 2008-05-19 21:57 d-------- C:\Program Files\Wireshark
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Documents and Settings\Luke\Application Data\SUPERAntiSpyware.com
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 22:04 . 2008-05-18 22:32 d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-05-18 22:04 . 2008-03-28 09:17 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-05-18 22:04 . 2008-03-28 09:16 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-05-18 22:04 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-05-18 22:04 . 2008-05-25 20:00 7,903 --a------ C:\WINDOWS\BOC426.INI
2008-05-18 19:37 . 2008-05-18 19:37 163 --a------ C:\WINDOWS\ieprxmon.ini
2008-05-18 19:35 . 2008-05-18 19:35 d-------- C:\Program Files\Internet Explorer Proxy Monitor
2008-05-18 11:39 . 2008-05-18 11:39 d-------- C:\Program Files\TypeFaster
2008-05-18 10:37 . 2008-05-18 10:41 d-------- C:\Program Files\Robot Battle
2008-05-17 17:08 . 2008-05-17 17:08 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-05-17 17:08 . 2008-05-17 17:08 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-17 17:08 . 2008-05-17 17:08 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-17 16:50 . 2008-05-17 16:50 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-16 23:20 . 2008-05-17 10:41 d-------- C:\Program Files\Hamachi(3)
2008-05-15 21:06 . 2008-05-17 10:41 d-------- C:\Program Files\LithUnwrap
2008-05-15 15:30 . 2008-05-14 17:43 573,494 --a------ C:\Documents and Settings\Luke\md3toase.exe
2008-05-15 14:16 . 2008-05-17 10:41 d-------- C:\Documents and Settings\Luke\Application Data\Anvil Studio
2008-05-15 14:13 . 2008-05-17 10:41 d-------- C:\Program Files\Anvil Studio
2008-05-14 17:37 . 2008-05-17 13:26 d-------- C:\gmax
2008-05-13 15:12 . 2008-05-13 15:12 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer Pro
2008-05-13 15:12 . 2008-05-13 15:20 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer
2008-05-11 12:23 . 2008-05-11 12:23 d-------- C:\WINDOWS\system32\FFSJ
2008-05-11 12:23 . 2008-05-11 12:23 d-------- C:\Documents and Settings\Luke\Application Data\FFSJ
2008-05-11 12:23 . 2008-05-11 12:23 704,793 --a------ C:\WINDOWS\unins000.exe
2008-05-11 12:23 . 2008-05-11 12:23 3,703 --a------ C:\WINDOWS\unins000.dat
2008-05-08 15:07 . 2008-05-08 15:11 d-------- C:\Program Files\DreMule
2008-05-02 23:15 . 2008-05-02 23:15 d-------- C:\Program Files\RayViewer 1.07
2008-05-02 15:36 . 2008-05-02 15:36 d-------- C:\Program Files\Pixelformer
2008-05-02 09:31 . 2008-05-17 10:42 d-------- C:\Documents and Settings\Luke\Application Data\AVGTOOLBAR
2008-04-29 19:57 . 2008-04-29 19:57 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-26 18:59 . 2008-04-26 18:59 d-------- C:\Program Files\Drempels

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 01:00 --------- d-----w C:\Program Files\CallWave
2008-05-25 16:29 --------- d-----w C:\Documents and Settings\Luke\Application Data.purple
2008-05-25 04:50 --------- d-----w C:\Program Files\ViStart
2008-05-24 17:30 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-24 04:27 --------- d-----w C:\Program Files\Net Tools
2008-05-24 03:41 --------- d-----w C:\Program Files\e-Sword
2008-05-23 22:30 --------- d-----w C:\Documents and Settings\Luke\Application Data\gtk-2.0
2008-05-21 19:59 --------- d-----w C:\Documents and Settings\Luke\Application Data\Xfire
2008-05-20 02:56 --------- d-----w C:\Program Files\WinPcap
2008-05-19 03:04 --------- d-----w C:\Program Files\COMODO
2008-05-18 16:12 --------- d-----w C:\Program Files\Dictionary
2008-05-17 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-05-17 22:08 --------- d-----w C:\Documents and Settings\Luke\Application Data\Comodo
2008-05-17 21:41 --------- d-----w C:\Program Files\eMule
2008-05-17 15:42 --------- d-----w C:\Documents and Settings\Luke\Application Data\Hamachi
2008-05-17 15:41 --------- d-----w C:\Program Files\Xfire
2008-05-17 04:00 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-13 21:50 --------- d-----w C:\Program Files\TrueTransparency
2008-05-13 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-12 21:23 --------- d-----w C:\Program Files\GameSpy Arcade
2008-05-12 19:38 --------- d-----w C:\Program Files\ePSXe160
2008-05-09 21:05 --------- d-----w C:\Program Files\ZModeler
2008-05-07 20:31 --------- d-----w C:\Program Files\Thoosje Sidebar V2.3
2008-05-03 17:43 --------- d-----w C:\Documents and Settings\Luke\Application Data\FileZilla
2008-04-29 15:28 --------- d-----w C:\Program Files\NT Registry Tweaker
2008-04-26 18:18 --------- d-----w C:\Documents and Settings\Luke\Application Data\flightgear.org
2008-04-25 18:45 --------- d-----w C:\Program Files\FlightGear
2008-04-22 19:34 90 ----a-w C:\Program Files\ndkoptions.txt
2008-04-21 21:00 --------- d-----w C:\Program Files\Kyodai
2008-04-19 15:12 --------- d-----w C:\Program Files\Dydelf
2008-04-17 21:33 --------- d-----w C:\Documents and Settings\Luke\Application Data\Subversion
2008-04-17 16:59 --------- d-----w C:\Program Files\Dolphin
2008-04-17 04:56 --------- d-----w C:\Program Files\RootQuest
2008-04-17 02:00 --------- d-----w C:\Documents and Settings\Luke\Application Data\Atari
2008-04-17 01:59 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-04-17 01:59 --------- d-----w C:\Documents and Settings\Luke\Application Data\Leadertech
2008-04-17 01:57 --------- d-----w C:\Program Files\Atari
2008-04-16 19:56 --------- d-----w C:\Program Files\Paint.NET
2008-04-16 04:06 --------- d-----w C:\Documents and Settings\Luke\Application Data\fltk.org
2008-04-15 22:52 --------- d-----w C:\Program Files\Pidgin
2008-04-13 03:35 --------- d-----w C:\Program Files\Maxis
2008-04-13 03:00 --------- d-----w C:\Program Files\FRONTIER GROOVE
2008-04-12 03:55 --------- d-----w C:\Program Files\PSXMemTool
2008-04-09 20:24 --------- d-----w C:\Program Files\RingThree
2008-04-09 00:37 --------- d-----w C:\Program Files\Sherlock Software
2008-04-09 00:33 --------- d-----w C:\Program Files\PF.Magic
2008-04-08 20:06 --------- d-----w C:\Program Files\FTD.COM
2008-04-08 20:05 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-04-07 19:27 --------- d-----w C:\Program Files\ScreenSaver.com
2008-04-07 18:50 --------- d-----w C:\Program Files\Kids 4 Truth International
2008-04-07 18:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 03:31 --------- d-----w C:\Program Files\Howie
2008-04-06 01:42 --------- d-----w C:\Program Files\iLReco the LEO IRC interface
2008-04-05 23:59 --------- d-----w C:\Program Files\AdiIRC
2008-04-04 21:13 --------- d-----w C:\Program Files\Deebot
2008-03-31 22:07 --------- d-----w C:\Program Files\Desktop Activity Recorder
2008-03-31 19:41 --------- d-----w C:\Program Files\ViRC
2008-03-28 19:02 --------- d-----w C:\Documents and Settings\Luke\Application Data\KVIrc
2008-03-28 01:38 --------- d-----w C:\Program Files\KVIrc
2008-03-27 21:50 --------- d-----w C:\Documents and Settings\Luke\Application Data\Winamp
2008-03-27 21:25 --------- d-----w C:\Program Files\Winamp
2008-03-27 20:02 --------- d-----w C:\Program Files\Acclaim Entertainment
2008-03-26 20:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-20 15:41 49,152 ----a-w C:\WINDOWS\system32\SysTrayDll.dll
2008-03-13 16:21 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-03-04 01:01 830,464 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-04 01:01 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-03-04 01:01 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-03-04 01:01 142,848 ------w C:\WINDOWS\system32\IESetting.dll
2008-03-04 00:53 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2008-03-04 00:52 41,984 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-03-04 00:52 17,920 ----a-w C:\WINDOWS\system32\corpol.dll
2008-03-04 00:51 69,120 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-03-04 00:51 69,120 ----a-w C:\WINDOWS\system32\admparse.dll
2008-03-04 00:50 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-03-04 00:50 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-03-04 00:50 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-12-19 01:39 1,069,184 ----a-w C:\Documents and Settings\Luke\ivcon.exe
2007-11-25 19:46 40 ----a-w C:\Documents and Settings\Luke\language.dat
2007-11-09 00:58 1,396,736 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-13 22:38 241,664 ----a-w C:\Documents and Settings\Luke\sniffit.exe
2002-07-29 19:40 155,648 ----a-w C:\Documents and Settings\Luke\ase2prm.exe
2002-04-12 16:29 29,184 ----a-w C:\Documents and Settings\Luke\rvshade.exe
2002-04-12 16:29 29,184 ----a-w C:\Documents and Settings\Luke\rvcolor.exe
2002-04-12 16:29 28,672 ----a-w C:\Documents and Settings\Luke\findump.exe
2002-04-12 16:29 28,160 ----a-w C:\Documents and Settings\Luke\rvweird.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvtrans.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvmark.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvcenter.exe
2000-02-16 16:03 14,552 ----a-w C:\Documents and Settings\Luke\RV-DBLSD.EXE
2000-01-17 16:50 31,365 ----a-w C:\Documents and Settings\Luke\RV-SIZER.EXE
1999-12-15 22:00 19,311 ----a-w C:\Documents and Settings\Luke\RV-REMAP.EXE
1999-11-25 18:21 40,960 ----a-w C:\Documents and Settings\Luke\PRM2NCP.EXE
1997-06-09 11:27 36,864 ----a-w C:\Documents and Settings\Luke\TMD2LWO.EXE
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

------- Sigcheck -------

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
2004-08-04 07:00 2068608 471aeecdb0937bd3617f52772250251a C:\WINDOWS\system32\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2004-08-04 07:00 2068608 471aeecdb0937bd3617f52772250251a C:\WINDOWS\system32\VIRepair\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\VIRepair\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\VITrans\ntoskrnl.exe

2004-08-04 07:00 1422336 4b0011b8e35843966a3ce5685058420f C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 07:00 1422336 4b0011b8e35843966a3ce5685058420f C:\WINDOWS\system32\VIRepair\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16 5562368]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-17 17:08 1572608]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [2008-04-10 11:08 351480]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 18:19 79224]

C:\Documents and Settings\Luke\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-03-14 18:00:46 546816]
NYKO Gamepad Mapping Tools.lnk - C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2007-10-29 20:03:49 416768]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-11-01 19:55:04 19968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2007-10-28 23:01:58 1590352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uniime32]
uniime32.dll 2004-05-14 13:01 10752 C:\WINDOWS\system32\uniime32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
"msvideo3"= STVqx3tg.dll
"vidc.mpng"= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
"vidc.444p"= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Drempels Desktop.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Drempels Desktop.lnk
backup=C:\WINDOWS\pss\Drempels Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
--a------ 2004-09-20 01:27 65536 C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
--a------ 2007-11-23 22:24 249856 C:\Program Files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-04-01 16:16 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-29 21:21 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-08-17 05:39 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-10-29 14:49 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
--a------ 2007-11-20 13:51 524288 C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Maya5PLEHelpServer"=3 (0x3)
"WZCSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"aspnet_state"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"True Transparency"=C:\Program Files\TrueTransparency\TrueTransparency.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
“nwiz”=nwiz.exe /install
“SoundMan”=SOUNDMAN.EXE
“WinFast Schedule”=C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Program Files\eMule\emule.exe”=
“C:\Program Files\Pidgin\pidgin.exe”=
“C:\Program Files\K’NEX\game.exe”=
“C:\Program Files\Hasbro\Boggle\Boggle.exe”=
“C:\WINDOWS\system32\dplaysvr.exe”=
“C:\Program Files\Xfire\xfire.exe”=
“C:\Program Files\Azureus\Azureus.exe”=
“C:\Program Files\CallWave\IAM.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“1317:TCP”= 1317:TCP:messenger

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:.\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{5c39b5dd-85d0-11dc-a05d-ac4146196c01}]
\Shell\AutoRun\command - H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{eab94e0c-8595-11dc-a19d-806d6172696f}]
\Shell\AutoRun\command - E:\start.exe

Newly Created Service - CATCHME
.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 20:04:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\Luke\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-05-25 20:06:12
ComboFix-quarantined-files.txt 2008-05-26 01:06:09

Pre-Run: 259,059,949,568 bytes free
Post-Run: 259,030,667,264 bytes free

342 --- E O F --- 2008-03-31 04:04:00

Quarantine log:

2004-08-04 07:00 101888 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004392_.tmp.dll.vir
2004-08-04 07:00 108032 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004405_.tmp.dll.vir
2004-08-04 07:00 111104 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004439_.tmp.dll.vir
2004-08-04 07:00 1257984 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004403_.tmp.dll.vir
2004-08-04 07:00 129536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004427_.tmp.dll.vir
2004-08-04 07:00 132096 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004390_.tmp.dll.vir
2004-08-04 07:00 13824 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004434_.tmp.dll.vir
2004-08-04 07:00 138240 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004440_.tmp.dll.vir
2004-08-04 07:00 1422336 --a------ C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.tmp.vir
2004-08-04 07:00 144384 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004436_.tmp.dll.vir
2004-08-04 07:00 144896 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004406_.tmp.dll.vir
2004-08-04 07:00 146432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004391_.tmp.dll.vir
2004-08-04 07:00 1835904 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004393_.tmp.dll.vir
2004-08-04 07:00 22040 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004401_.tmp.dll.vir
2004-08-04 07:00 236544 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004416_.tmp.dll.vir
2004-08-04 07:00 249270 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004433_.tmp.dll.vir
2004-08-04 07:00 276992 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004442_.tmp.dll.vir
2004-08-04 07:00 2804224 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_000121_.tmp.dll.vir
2004-08-04 07:00 32768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004441_.tmp.dll.vir
2004-08-04 07:00 3385856 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004450_.tmp.dll.vir
2004-08-04 07:00 341504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004432_.tmp.dll.vir
2004-08-04 07:00 34304 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004419_.tmp.dll.vir
2004-08-04 07:00 382464 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004451_.tmp.dll.vir
2004-08-04 07:00 415744 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004409_.tmp.dll.vir
2004-08-04 07:00 50688 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004402_.tmp.dll.vir
2004-08-04 07:00 553472 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004420_.tmp.dll.vir
2004-08-04 07:00 58880 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004412_.tmp.dll.vir
2004-08-04 07:00 611328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004443_.tmp.dll.vir
2004-08-04 07:00 61440 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004413_.tmp.dll.vir
2004-08-04 07:00 616960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004448_.tmp.dll.vir
2004-08-04 07:00 64000 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004410_.tmp.dll.vir
2004-08-04 07:00 708096 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004425_.tmp.dll.vir
2004-08-04 07:00 721920 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004430_.tmp.dll.vir
2004-08-04 07:00 8192 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004424_.tmp.dll.vir
2004-08-04 07:00 840192 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004414_.tmp.dll.vir
2004-08-04 07:00 89088 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004415_.tmp.dll.vir
2004-08-04 07:00 96768 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004400_.tmp.dll.vir
2004-08-04 07:00 983552 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_004435_.tmp.dll.vir
2008-05-25 20:04 54 --a------ C:\Qoobox\Quarantine\catchme.log

Several things are odd, first off the explorer.exe.tmp, and the other temp files. Then that creepy dll again, followed by CATCHME service. I’m guessing CATCHME comes with Combofix? Or… so I hope. :stuck_out_tongue:

Combofix did a bunch of stuff. And, yes, bleepingcomputer is another of the good official sites. It’s going to take me a little while to work thru the log, and see what happened. First impression is the malware got a good chunk of rug pulled out from under it. Those x.tmp.dll are not good things, and they got pulled.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uniime32] uniime32.dll 2004-05-14 13:01 10752 C:\WINDOWS\system32\uniime32.dll

That registry entry would be a reason why CFP was having a problem containing it. It likely got loaded before CFP did, as the registry said to load. Now we know it’s there.

"vidc.mpng"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.444p"= C:\Program Files\t@b\0.958\686\tabdec.dll

Any idea what this tabdec.dll is, or what the t@b directory is (I suspect that’s just an ‘at’ sign)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1317:TCP"= 1317:TCP:messenger

Is messenger on port 1317 something you would expect? I don’t know enough to know if this is typical or not. But something asking for an open firewall port strikes me as being odd.

And, yes, the gmer rootkit analysis has the catchme service, and it is part of combofix.

Can you post another Deckard scan log, and what your CFP firewall and D+ logs are showing, if anything?

Looks like running Combofix was a good thing to do.

End of the day here. Back tomorrow at the usual 1800 GMT.
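One repeatable way to spot the kind of entry pointed out above (a Winlogon Notify package that gets loaded before the firewall, plus a firewall port nobody remembers opening) is to diff the autostart sections of a scan against the same sections taken from a known-clean machine. The Python script below is an added example for this thread, not a tool the posters used and not part of ComboFix, Deckard or HijackThis. Its scan excerpt is built from lines posted in this thread; the baseline is a hypothetical clean excerpt, constructed for the example, and the list of watched key paths is an assumption you would extend to whatever your scanner dumps.

```python
"""Diff the autostart sections of a ComboFix/Deckard-style registry dump
against the same sections from a known-clean baseline.

Added example for this thread, not a tool from ComboFix, Deckard or the
posters. SCAN is built from lines posted above; BASELINE is a hypothetical
clean excerpt, constructed for the example."""
from collections import defaultdict

# Key paths (lower-cased substring match) whose contents get diffed.
# Constructed list; extend it with whatever your scanner of choice dumps.
WATCHED = (
    r"winlogon\notify",                    # Winlogon Notify packages
    r"windows nt\currentversion\windows",  # appinit_dlls lives here
    r"currentversion\run",                 # Run, RunOnce, run- (disabled)
    r"globallyopenports\list",             # Windows Firewall open ports
    r"authorizedapplications\list",        # Windows Firewall exceptions
)


def normalize(line: str) -> str:
    """Undo forum rendering: curly quotes back to straight, en dash to '--'."""
    return (line.replace("\u201c", '"').replace("\u201d", '"')
                .replace("\u2013", "--").strip())


def parse_dump(text: str) -> dict:
    """Map each watched [key path] section to the set of value lines under it."""
    sections = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = normalize(raw)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            current = key if any(w in key for w in WATCHED) else None
            continue
        if current is not None:
            sections[current].add(line)
    return sections


def new_entries(scan: str, baseline: str) -> list:
    """(section, value) pairs present in the scan but absent from the baseline."""
    s, b = parse_dump(scan), parse_dump(baseline)
    return [(sec, val)
            for sec, vals in s.items()
            for val in sorted(vals - b.get(sec, set()))]


# Excerpt assembled from the Deckard and ComboFix lines posted in this thread.
SCAN = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uniime32]
uniime32.dll 05/14/2004 01:01 PM 10752 C:\WINDOWS\system32\uniime32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1317:TCP"= 1317:TCP:messenger
"""

# Hypothetical clean baseline: the same security tools installed, no extra
# Notify package and no globally open firewall ports. Constructed.
BASELINE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"""

if __name__ == "__main__":
    for section, value in new_entries(SCAN, BASELINE):
        print(f"NEW in [{section}]\n    {value}")
```

On these inputs the only two lines reported are the uniime32 Notify entry and the 1317:TCP firewall exception, which is exactly the short list worth asking about. A hit means "not in the baseline, go and look", not "malware"; with real dumps the value lines carry dates and sizes that differ between machines, so in practice you would strip those (or compare on the file path alone) before diffing.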

t@b zs4 is a free movie creator with a lot of advanced features like Adobe After Effect and other pricey programs. So yah I know what it is. :slight_smile:

I don’t even use Windows Messenger and I used “shoot the messenger” from Steve Gibson ages ago. ???

Ok, I’m off too very soon, it’s getting late. I’ll post those logs in a bit…

Great to hear ComboFix nuked some stuff, I can tell (unless it’s lying dormant) my system is running a little smoother.
So far no svchost’s getting past Comodo that I can see…

Here’s the logs:

Deckard's System Scanner v20071014.68
Run by Luke on 2008-05-25 22:26:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Luke.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:33 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Luke\Desktop\Computer Problem\dss.exe
C:\DOCUME~1\Luke\Desktop\COMPUT~1\Luke.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.141.214.20:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1292428093-1060284298-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1292428093-1060284298-839522115-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - S-1-5-21-1292428093-1060284298-839522115-1004 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User '?')
O4 - S-1-5-21-1292428093-1060284298-839522115-1004 Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe (User '?')
O4 - S-1-5-21-1292428093-1060284298-839522115-1004 Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User '?')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\PortableApps\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\PortableApps\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193630486466
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uniime32 - C:\WINDOWS\SYSTEM32\uniime32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 7154 bytes

-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 20:42:52 0 dr-h----- C:\Documents and Settings\Luke\Recent
2008-05-25 20:01:03 68096 --a------ C:\WINDOWS\zip.exe
2008-05-25 20:01:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-25 20:01:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-25 20:01:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-25 20:01:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-25 20:01:03 98816 --a------ C:\WINDOWS\sed.exe
2008-05-25 20:01:03 80412 --a------ C:\WINDOWS\grep.exe
2008-05-25 20:01:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-24 17:09:06 0 d-------- C:\cygwin
2008-05-24 15:54:28 0 d-------- C:\Program Files\a-squared HiJackFree
2008-05-24 13:11:18 17408 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; Prevx; Prevx CSI>
2008-05-24 13:11:18 0 d-------- C:\Program Files\PrevxCSI
2008-05-24 13:11:15 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-23 23:10:15 0 d-------- C:\Program Files\Deep System Explorer
2008-05-20 16:10:47 0 d-------- C:\Program Files\Alwil Software
2008-05-20 16:07:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-19 22:08:57 0 d-------- C:\Documents and Settings\Luke\Application Data\Wireshark
2008-05-19 21:55:44 0 d-------- C:\Program Files\Wireshark
2008-05-18 22:56:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 22:56:18 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 22:56:18 0 d-------- C:\Documents and Settings\Luke\Application Data\SUPERAntiSpyware.com
2008-05-18 22:56:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 22:04:24 0 d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-05-18 19:35:52 0 d-------- C:\Program Files\Internet Explorer Proxy Monitor
2008-05-18 11:39:36 0 d-------- C:\Program Files\TypeFaster
2008-05-18 10:37:13 0 d-------- C:\Program Files\Robot Battle
2008-05-17 16:50:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-16 23:20:43 0 d-------- C:\Program Files\Hamachi(3)
2008-05-16 23:20:00 10485760 --a------ C:\Documents and Settings\Luke\ntuser.dat
2008-05-15 21:06:34 0 d-------- C:\Program Files\LithUnwrap
2008-05-15 15:30:40 573494 --a------ C:\Documents and Settings\Luke\md3toase.exe
2008-05-15 14:16:11 0 d-------- C:\Documents and Settings\Luke\Application Data\Anvil Studio
2008-05-15 14:13:26 0 d-------- C:\Program Files\Anvil Studio
2008-05-14 17:37:01 0 d-------- C:\gmax
2008-05-13 15:12:20 0 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer
2008-05-13 15:12:20 0 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer Pro
2008-05-11 12:23:53 0 d-------- C:\Documents and Settings\Luke\Application Data\FFSJ
2008-05-11 12:23:32 704793 --a------ C:\WINDOWS\unins000.exe <Not Verified; ; Inno Setup>
2008-05-11 12:23:32 3703 --a------ C:\WINDOWS\unins000.dat
2008-05-11 12:23:32 0 d-------- C:\WINDOWS\system32\FFSJ
2008-05-08 15:07:43 0 d-------- C:\Program Files\DreMule
2008-05-02 23:15:16 0 d-------- C:\Program Files\RayViewer 1.07
2008-05-02 15:36:47 0 d-------- C:\Program Files\Pixelformer
2008-05-02 09:31:18 0 d-------- C:\Documents and Settings\Luke\Application Data\AVGTOOLBAR
2008-04-26 18:59:21 0 d-------- C:\Program Files\Drempels
2008-04-25 17:26:07 0 d-------- C:\Program Files\NT Registry Tweaker
2008-04-25 13:45:54 0 d-------- C:\Documents and Settings\Luke\Application Data\flightgear.org
2008-04-25 13:44:30 0 d-------- C:\Program Files\FlightGear

-- Find3M Report ---------------------------------------------------------------

2008-05-25 20:44:34 0 d-------- C:\Program Files\CallWave
2008-05-25 11:29:15 0 d-------- C:\Documents and Settings\Luke\Application Data\.purple
2008-05-24 23:50:10 0 d-------- C:\Program Files\ViStart
2008-05-24 12:30:16 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-23 23:27:47 0 d-------- C:\Program Files\Net Tools
2008-05-23 22:41:19 0 d-------- C:\Program Files\e-Sword
2008-05-23 17:30:56 0 d-------- C:\Documents and Settings\Luke\Application Data\gtk-2.0
2008-05-21 14:59:49 0 d-------- C:\Documents and Settings\Luke\Application Data\Xfire
2008-05-19 21:56:34 0 d-------- C:\Program Files\WinPcap
2008-05-18 22:56:07 0 d-------- C:\Program Files\Common Files
2008-05-18 22:04:17 0 d-------- C:\Program Files\COMODO
2008-05-18 11:12:46 0 d-------- C:\Program Files\Dictionary
2008-05-17 17:08:44 0 d-------- C:\Documents and Settings\Luke\Application Data\Comodo
2008-05-17 16:41:04 0 d-------- C:\Program Files\eMule
2008-05-17 10:42:01 0 d-------- C:\Documents and Settings\Luke\Application Data\Hamachi
2008-05-17 10:41:56 0 d-------- C:\Program Files\Xfire
2008-05-13 16:50:39 0 d-------- C:\Program Files\TrueTransparency
2008-05-13 14:41:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-12 16:23:41 0 d-------- C:\Program Files\GameSpy Arcade
2008-05-12 14:38:28 0 d-------- C:\Program Files\ePSXe160
2008-05-09 16:05:03 0 d-------- C:\Program Files\ZModeler
2008-05-07 15:31:59 0 d-------- C:\Program Files\Thoosje Sidebar V2.3
2008-05-03 12:43:29 0 d-------- C:\Documents and Settings\Luke\Application Data\FileZilla
2008-04-22 14:34:25 90 --a------ C:\Program Files\ndkoptions.txt
2008-04-21 16:00:52 0 d-------- C:\Program Files\Kyodai
2008-04-19 10:12:30 0 d-------- C:\Program Files\Dydelf
2008-04-17 16:33:43 0 d-------- C:\Documents and Settings\Luke\Application Data\Subversion
2008-04-17 11:59:06 0 d-------- C:\Program Files\Dolphin
2008-04-16 23:56:51 0 d-------- C:\Program Files\RootQuest
2008-04-16 23:22:05 0 d-------- C:\Program Files\Windows NT
2008-04-16 23:22:04 0 d-------- C:\Program Files\Movie Maker
2008-04-16 23:22:03 0 d-------- C:\Program Files\Messenger
2008-04-16 21:00:10 0 d-------- C:\Documents and Settings\Luke\Application Data\Atari
2008-04-16 20:59:41 0 d-------- C:\Documents and Settings\Luke\Application Data\Leadertech
2008-04-16 20:59:38 0 d-------- C:\Program Files\Common Files\PocketSoft
2008-04-16 20:57:11 0 d-------- C:\Program Files\Atari
2008-04-16 14:57:40 0 d-------- C:\Documents and Settings\Luke\Application Data\Mozilla
2008-04-16 14:56:15 0 d-------- C:\Program Files\Paint.NET
2008-04-15 23:06:32 0 d-------- C:\Documents and Settings\Luke\Application Data\fltk.org
2008-04-15 17:52:17 0 d-------- C:\Program Files\Pidgin
2008-04-12 22:35:50 0 d-------- C:\Program Files\Maxis
2008-04-12 22:00:38 0 d-------- C:\Program Files\FRONTIER GROOVE
2008-04-11 22:55:53 0 d-------- C:\Program Files\PSXMemTool
2008-04-09 15:24:35 0 d-------- C:\Program Files\RingThree
2008-04-08 19:37:36 0 d-------- C:\Program Files\Sherlock Software
2008-04-08 19:34:39 26 --a------ C:\WINDOWS\winstart.bat
2008-04-08 19:34:39 122 --a------ C:\WINDOWS\tmpdelis.bat
2008-04-08 19:34:39 123 --a------ C:\WINDOWS\tmpcpyis.bat
2008-04-08 19:34:35 275 --a------ C:\WINDOWS\EReg104.dat
2008-04-08 19:33:24 0 d-------- C:\Program Files\PF.Magic
2008-04-08 15:06:06 0 d-------- C:\Program Files\FTD.COM
2008-04-08 15:05:06 796672 --a------ C:\WINDOWS\GPInstall.exe <Not Verified; Qsc; GP-Install>
2008-04-07 14:27:21 0 d-------- C:\Program Files\ScreenSaver.com
2008-04-07 13:50:32 0 d-------- C:\Program Files\Kids 4 Truth International
2008-04-05 22:31:49 0 d-------- C:\Program Files\Howie
2008-04-05 20:42:38 0 d-------- C:\Program Files\iLReco the LEO IRC interface
2008-04-05 18:59:06 0 d-------- C:\Program Files\AdiIRC
2008-04-04 16:13:04 0 d-------- C:\Program Files\Deebot
2008-03-31 17:07:47 0 d-------- C:\Program Files\Desktop Activity Recorder
2008-03-31 14:41:40 0 d-------- C:\Program Files\ViRC
2008-03-28 14:02:54 0 d-------- C:\Documents and Settings\Luke\Application Data\KVIrc
2008-03-27 20:38:30 0 d-------- C:\Program Files\KVIrc
2008-03-27 16:50:35 0 d-------- C:\Documents and Settings\Luke\Application Data\Winamp
2008-03-27 16:25:47 0 d-------- C:\Program Files\Winamp
2008-03-27 15:02:04 0 d-------- C:\Program Files\Acclaim Entertainment
2008-03-26 15:16:56 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-20 10:41:16 49152 --a------ C:\WINDOWS\system32\SysTrayDll.dll <Not Verified; EsiaHost; SysTrayDll>
2008-03-13 11:21:50 39424 --a------ C:\WINDOWS\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-03-03 22:28:49 681 --a------ C:\WINDOWS\mozver.dat

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/01/2005 04:16 PM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [05/17/2008 05:08 PM]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [04/10/2008 11:08 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\Luke\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [3/14/2008 6:00:46 PM]
NYKO Gamepad Mapping Tools.lnk - C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe [10/29/2007 8:03:49 PM]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [11/1/2007 7:55:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [10/28/2007 11:01:58 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetTaskbar"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uniime32]
uniime32.dll 05/14/2004 01:01 PM 10752 C:\WINDOWS\system32\uniime32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Drempels Desktop.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Drempels Desktop.lnk
backup=C:\WINDOWS\pss\Drempels Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
"C:\Program Files\lg_fwupdate\fwupdate.exe" blrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Maya5PLEHelpServer"=3 (0x3)
"WZCSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"aspnet_state"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"True Transparency"=C:\Program Files\TrueTransparency\TrueTransparency.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"SoundMan"=SOUNDMAN.EXE
"WinFast Schedule"=C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:.\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c39b5dd-85d0-11dc-a05d-ac4146196c01}]
AutoRun\command- H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eab94e0c-8595-11dc-a19d-806d6172696f}]
AutoRun\command- E:\start.exe

-- End of Deckard's System Scanner: finished at 2008-05-25 22:26:59 ------------

And Comodo:
http://rapidshare.com/files/117648864/cfplogdb.sdb.html

At the moment I have the firewall disabled to check several things. First to see if anything accesses the internet, and secondly because Custom Policy is messed up and blocking me from all sites… :-X

(:CLP) So far so good though. ;D

Edit: Not sure where the D+ log is… also I think I got Custom Policy working on my Firewall again, so I turned it back on.
I still have this strange feeling the virus could be lurking somewhere waiting for another method of attack…
But now that those files are quarantined, who should I send them to? Some elite anti-malware lab? 8)

Ok, just when we thought the worst was over… :stuck_out_tongue:

Now there are two svchost’s at one time and only a blip. But if you catch it you can see it sending information to 255.255.255.255, crazy IP… I didn’t manage to catch the port this time because it only lasts for a few seconds. :o
There was one other IP too umm I believe it was 219.255.255.255…

LOL, I googled for botnet removal and best I can tell no one knows…
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1068906,00.html Best site so far, but pretty vague. I’d like to get a hold of BotSniffer from Georgia Tech, it sounds like it can do something:
http://www.malwarehelp.org/blog/malware/security-new-botsniffer-better-able-to-detect-foul-stench-of-botnets-2008.html

grue155 - You have my utmost respect. Very kind thing you’re doing!

This might be a useful tool to use.
Not sure if this helps - I’ve used Unlocker Assistant for over a year now to help me with deleting programs\or files that just don’t want to go away.

The 255.255.255.255 isn’t dangerous. It’s a special reserved address used by DHCP in the process of getting an IP address assigned to your machine when you connect to the Internet. It doesn’t route past your ISP.

Of course, that’s assuming this isn’t the malware trying to set up a VPN, and that DHCP server is on the other end of that tunnel. Wireshark can tell you, and so can doing an ‘ipconfig /all’ and seeing if there is an adapter for a tunnel.

The 219.255.255.255 is the very last address for a block assigned to some ISP in South Korea. That’s a little on the unusual side, as very last addresses are usually broadcast and router reserved, meaning you never see them on the Internet.

I’m just starting up my day, and haven’t worked thru the logs yet. The CFP binary log file contains all the firewall and D+ logs, so it’s all there. Thank you…

As a first pass, on those quarantined files, I’d suggest running them thru VirusTotal. If it gets identified, it’s a known, and submitting it somewhere isn’t useful. Unknowns are useful. Comodo has a malware submission method I’ve seen referenced but haven’t used. I need to check on that. Avast has one for its users, as do most (all?) of the antivirus vendors.

@kyle142 - Thank you for the comment, and the pointer. I haven’t used that before, and I’ll check into it.

On to the dayjob…

I agree, thanks for helping me grue155. :smiley:
I’ve used unlocker once before, but it is only used for files that you can’t delete? If I recall correctly.

Also, I have 2 more pcap files for you. The first one I decided to use Snort for while disabling my firewall, it shows more registry ads being sent.
http://rapidshare.com/files/117780096/Copy_of_snort.log.1211819268.pcap.html

The second I put firewall into Custom Policy mode and ran WireShark. You can actually see what happened (I think) as to why my computer came under attack a few minutes ago.
http://rapidshare.com/files/117780700/NetBiosAttack.pcap.html
After the thing couldn’t get out of my Computer (via custom policy), it decided to send me NetBios packets. What’s strange is that nothing was accessing the internet according to Comodo, yet it was able to send and receive these packets. :frowning:

After I got the NetBios, rasautou.exe started running and blocked my ISP via closing ports. It will stop if I stop telling it to redial. So a little trick I did to keep it from connecting and sending and blocking ports was to disconnect my phone line and let it try to redial while I ran some tests on the exe. Here’s all I was able to get:


System\CurrentControlSet\Services\Netbios\Linkage
rasautou.exe
Kernel32
\WindowsShell.Manifest
comctl32.dll
VS_VERSION_INFO
StringFileInfo
CompanyName
Microsoft Corporation
FileDescription
Remote Access Dialer
FileVersion
5.1.2600.0 (xpclient.010817-1148)
InternalName
rasdlui.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
rasdlui.exe
ProductName
Microsoft
Windows
Operating System
ProductVersion
VarFileInfo
Translation
!This program cannot be run in DOS mode.
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RASAPI32.dll
RASDLG.dll
SHLWAPI.dll
TAPI32.dll
WS2_32.dll
GetSystemProcessInfo: VirtualAlloc failed (status=0x%x)
rasautou: multibyte string conversion failed
rasautou: LocalAlloc failed
rasautou: wide-character string conversion failed
rasautou: LocalAlloc failed
rasautou: Allocation failed.  Exiting
rasautou: %S: Function cannot be loaded from AutoDial DLL %S
rasdlui: %s: AutoDial DLL cannot be loaded (dwErr=%d)
RegGetValueA: LocalAlloc failed
NetworkConnected: network (%s, %d) is up
NetworkConnected: ignoring %s
NetworkConnected: NtOpenFile on %s failed (status=0x%x)
_NdisWan
\Device\NwlnkNb
NetworkConnected: LocalAlloc failed
NetworkConnected: RegGetValueA(bind) failed
bind
NetworkConnected: RegGetValueA(LanaMap) failed
LanaMap
NetworkConnected: RegKeyOpenEx failed (dwError=%d)
There are %d Autodial addresses:
LocalAlloc failed
RasEnumAutodialAddresses failed (dwErr=%d)
Enumerating AutoDial addresses...
Checking netcard bindings...
AcsInitialize: WSAStartup failed (dwErr=%d)
Usage: rasautou [-f phonebook] [-d dll -p proc] [-a address] [-e entry] [-s]
CreateActCtxW
ReleaseActCtx
ActivateActCtx
DeactivateActCtx
GetSystemWindowsDirectoryW
rasautou.pdb
printf
_wcsicmp
exit
wcscpy
sprintf
strstr
_stricmp
_c_exit
_exit
_XcptFilter
_cexit
__winitenv
__wgetmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
msvcrt.dll
_controlfp
_except_handler3
RegQueryValueExA
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetModuleHandleW
GetLastError
ExpandEnvironmentStringsW
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
GetProcAddress
LoadLibraryW
ProcessIdToSessionId
GetCurrentProcessId
GetModuleHandleA
KERNEL32.dll
NtQuerySystemInformation
DbgPrint
NtClose
NtOpenFile
RtlInitUnicodeString
ntdll.dll
RasGetAutodialAddressW
RasGetAutodialParamW
RasEnumAutodialAddressesW
RASAPI32.dll
RasPhonebookDlgW
RasDialDlgW
RasAutodialQueryDlgW
RASDLG.dll
StrCatW
SHLWAPI.dll
lineShutdown
lineGetTranslateCapsW
lineInitialize
TAPI32.dll
USER32.dll
WS2_32.dll
GetWindowsDirectoryW
GetModuleFileNameW
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    version="1.0.0.0"
    processorArchitecture="x86"
    name="Microsoft.Windows.Ras.Rasautou"
    type="win32"
  />
  <description>Remote Access Dialer</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="x86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
</assembly>

These are the commands which it is capable of running according to ProcessExplorer.

Lastly, is it normal to have rasphone.pbk in C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk? It also has C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader folder which seems suspicious…

Meanwhile I’ll keep running suspicious files through virustotal… and I’ll try not to post any more logs until you get caught up, lol. :wink:

Edit: You know something about this packet I keep sending out… I think it is sending to others for some unknown reason. The packet says “CRITICAL ERROR MESSAGE - REGISTRY DAMAGED AND OR CORRUPTED… To Fix this problem: Open Internet Explorer and type www. registrycleanerxp.com once you load the webpage, close this window. After you install the cleaner program you will not receive anymore reminders or popups like this… VISIT www. registrycleanerxp.com IMMEDIATLY!” Strange? very… especially if you google it. A lot of people on forums and Yahoo Answers are receiving the popups. >:( I’ve never even heard of their registry cleaner, scammers.

Edit Again: I believe SuperAntiSpyware just became infected. I’ve scanned my PC before with no problems, but now Avast is saying SuperAntiSpyware.exe is infected with Win32:Trojan-gen {Other}. Either it’s a false positive or the file really has become corrupted by this thing, I’ve gone ahead and quarantined it for now.

The inbound Netbios traffic that you’re seeing is just the normal junk on the Internet these days. It’s what gives unprotected machines a survival expectancy of about 30 seconds. There are compromised machines out on the 'net that just walk IP address space, sending this junk on just the possible chance of catching a Windows box with its patches down. It’s amusing from a network administrator perspective, to see this stuff walking across space trying to send packets to machines that have been offline for days to years. It’s annoying too, as it takes bandwidth, and is like this constant background hum you just can’t get rid of.

I’ve eyeballed your CFP Firewall and D+ logs. There was no unexpected traffic from svchost.exe, but there was a whole bunch of stuff from Friday night that looks like p2p traffic, all inbound to your machine on TCP port 8206, and went on for an hour or so. The D+ log shows several mode changes (paranoid to training, and back), and that BOClean is really busy trying to talk to cfp. I don’t know if that’s normal or not. Both rasautou.exe and defrag.exe log as trying to somehow re-exec themselves, but no clear reason as to why.

Re SuperAntiSpyware… if it is a false positive by Avast, it’ll get cleared real quick. Try an update from Avast, and retest at intervals. If it’s still tagged by the end of the day, then off to Virustotal for a second opinion.

In the Combofix report, these entries are unusual:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Program Files\eMule\emule.exe”=
“C:\Program Files\Pidgin\pidgin.exe”=
“C:\Program Files\K’NEX\game.exe”=
“C:\Program Files\Hasbro\Boggle\Boggle.exe”=
“C:\WINDOWS\system32\dplaysvr.exe”=
“C:\Program Files\Xfire\xfire.exe”=
“C:\Program Files\Azureus\Azureus.exe”=
“C:\Program Files\CallWave\IAM.exe”=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“1317:TCP”= 1317:TCP:messenger


because the '~' isn’t normally seen in Windows directory notation, much less in the registry. It’s *ix notation. Another research item.

I’m beginning to believe this is some version of Vundo malware. There is a VundoFix available, and a cleanup procedure. I want to crosscheck a few things, before going that route, but I think that’s going to be the next step.

Edit: VundoFix is available at http://vundofix.atribune.org/
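Picking through the ComboFix registry sections for unusual entries, as grue155 does above, can be scripted. The following is an added example, not code from this thread or from ComboFix: it parses the REGEDIT4-style "Reg Loading Points" text in the format quoted in this thread, decodes the hex(2): values, and flags Run entries, Winlogon Notify packages, AppInit_DLLs, a changed Winlogon UIHost and Windows Firewall policy settings that are not on an allowlist. The sample report, the allowlist and all function names are constructed for the illustration.

```python
"""Triage the "Reg Loading Points" section of a ComboFix report.

Added example for this thread, not ComboFix's own code.  It reads the
REGEDIT4-style text ComboFix prints (the format quoted in the thread),
pulls out the auto-start entries a responder checks first, decodes the
hex(2): byte lists, and flags whatever is not on a small allowlist.
"""
import re

# Constructed sample in ComboFix's format, mirroring entries quoted in
# the thread, including the suspect winlogon\notify\uniime32 package.
SAMPLE_REPORT = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-17 17:08 1572608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uniime32]
uniime32.dll 2004-05-14 13:01 10752 C:\WINDOWS\system32\uniime32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\eMule\emule.exe"=
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# Winlogon Notify packages print as: <dll> <date> <time> <size> <full path>
NOTIFY_RE = re.compile(r"^(?P<dll>.+?) \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (?P<path>.+)$")

# Constructed allowlist for this thread's configuration.  Real triage
# would verify signers and hashes, not just file names.
KNOWN_GOOD = {"cfp.exe", "saswinlo.dll", "guard32.dll", "logonui.exe",
              "sessmgr.exe"}


def decode_hex2(data):
    """Decode ComboFix's hex(2):76,69,... (REG_EXPAND_SZ bytes) to text."""
    raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_loading_points(text):
    """Yield (section, name, data) for each auto-start entry in the text."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            data = m.group("data").strip()
            if data.lower().startswith("hex(2):"):
                data = decode_hex2(data)
            yield section, m.group("name"), data
            continue
        m = NOTIFY_RE.match(line)
        if m and r"\notify" in section.lower():
            # Name the entry after its registry subkey (e.g. uniime32).
            yield section, re.split(r"[\\!]", section)[-1], m.group("path")


def executable_of(data):
    """Strip ComboFix's trailing "[date time size]" note and quotes."""
    return re.sub(r"\s*\[.*\]$", "", data).strip().strip('"')


def basename(path):
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()


def triage(text):
    """Return {entry name: reason} for the entries that deserve a look."""
    findings = {}
    for section, name, data in parse_loading_points(text):
        where = "\\".join(section.split("\\")[-2:])
        if name == "EnableFirewall":
            if data.startswith("0"):
                findings[name] = f"Windows Firewall disabled ({where})"
            continue
        # Firewall exception lists keep the path in the value name.
        exe = executable_of(data) or executable_of(name)
        if name == "UIHost" and basename(exe) != "logonui.exe":
            findings[name] = f"Winlogon UIHost replaced by {exe} (default logonui.exe)"
        elif basename(exe) not in KNOWN_GOOD:
            findings[name] = f"{exe} not on allowlist ({where})"
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_REPORT).items():
        print(f"CHECK {name}: {reason}")
```

On the sample it reports the uniime32 Notify package, the UIHost swapped to vistaui.exe, the disabled Windows Firewall and the eMule exception; feeding it a whole ComboFix report works the same way since unrelated sections simply yield nothing.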

Indeed suspicious…
Ok I ran VundoFix in search mode. It said it found nothing. :frowning:

However, just before I posted this, the nuclear bomb shelter warning noise from Avast sounded: Win32:SQLSlammer was detected again in Temp. And again I dunno how it’s getting in there since I’ve been using CCleaner to wipe out temp… and Comodo Firewall is full on sooo… :o Also, I can’t quarantine because it says the file is in use. So Avast deleted it instead.

Foo… I’m starting to run out of ideas, and research isn’t giving me anything useful (which probably means I’m not asking the right kind of questions).

That the SQL thing is showing up again, says that there is something running around in the background. Try this: in CFP, click Firewall → Advanced / Attack Detection Settings, then the Miscellaneous tab. At the very bottom, mark the checkbox for “Monitor other NDIS protocols”. If the malware is (now) running its own TCP stack, then CFP wouldn’t normally see the traffic. This might catch it. The only other way to be sure, is to get some other firewall physically between your machine and your Internet connection. That could be a PC running ICS, or a NAT/router setup, or something. On a dialup, it’d probably be a PC running Windows ICS and then your PC would be a client to that PC.

Unless the research turns up something, there look to be three options remaining.

One is to forward the problem on to one of the other malware cleaning forums as in the PM I sent. They know more than I do.

Second, is to get outside the box to do the scans. This is a variant of booting from a CD in a known safe working environment, and running the scan, analysis, and cleanup tools there. The typical environment is BartPE, described at BartPE - Wikipedia. I’ve never had cause to use that one. If you want to try this, build the CD on a known clean machine.

Third, is per your earlier semi-suggestion, physically pull the disk drive, and find somebody who can do the analysis and cleanup. If your ISP is local (not regional or national, e.g. Earthlink or AOL), they may do the work themselves or tell you who they farm such work out to. At worst, take the disk to one of the big-box stores and hope you get a competent tech/geek to look at the problem. Be sure to record your disk serial number so you get your disk back.

I’ll keep digging to see what the research might turn up. Run Combofix again, and see if it turns up anything new. I’m suspecting that it will. That may give some additional insight as to what this thing is.

I set those settings. Meanwhile I’m downloading TrendSecure’s RUBotted from here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

Also, this article may be of interest explaining how a security expert found a Yahoo worm and reverse engineered it with some tools (some of which we’ve already done and some not): Yahoo | Mail, Weather, Search, Politics, News, Finance, Sports & Videos

If worse comes to worse I may give it to my ISP/repair shop. Only thing is I doubt they’d know what to do…

Here’s another ComboFix log like you asked for:

ComboFix 08-05-25.3 - Luke 2008-05-27 13:06:11.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1625 [GMT -5:00] Running from: C:\Documents and Settings\Luke\Desktop\Computer Problem\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-26 23:00 . 2008-05-26 23:00 d-------- C:\Program Files\Trend Micro
2008-05-26 23:00 . 2008-05-26 23:00 d-------- C:\Documents and Settings\Luke\Application Data\InstallShield
2008-05-26 22:59 . 2007-11-27 22:51 35,216 --a------ C:\WINDOWS\system32\drivers\TMPassthru.sys
2008-05-26 17:42 . 2008-05-26 17:42 d-------- C:\Program Files\winMd5Sum
2008-05-26 16:40 . 2008-05-26 16:40 d-------- C:\VundoFix Backups
2008-05-26 11:10 . 2008-05-26 11:10 d-------- C:\Snort
2008-05-24 22:56 . 2004-08-04 07:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-05-24 17:09 . 2008-05-24 19:28 d-------- C:\cygwin
2008-05-24 15:59 . 2008-05-24 15:59 98 --a------ C:\index.ini
2008-05-24 15:54 . 2008-05-24 15:54 d-------- C:\Program Files\a-squared HiJackFree
2008-05-24 13:11 . 2008-05-24 13:11 d-------- C:\Program Files\PrevxCSI
2008-05-24 13:11 . 2008-05-26 13:00 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-24 13:11 . 2008-05-24 13:11 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-05-24 13:06 . 2008-05-24 13:06 d-------- C:\Deckard
2008-05-23 23:10 . 2008-05-24 21:28 d-------- C:\Program Files\Deep System Explorer
2008-05-20 16:10 . 2008-05-20 16:10 d-------- C:\Program Files\Alwil Software
2008-05-20 16:07 . 2008-05-20 16:07 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-19 22:08 . 2008-05-19 22:08 d-------- C:\Documents and Settings\Luke\Application Data\Wireshark
2008-05-19 21:55 . 2008-05-19 21:57 d-------- C:\Program Files\Wireshark
2008-05-18 22:56 . 2008-05-26 14:03 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Documents and Settings\Luke\Application Data\SUPERAntiSpyware.com
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 22:04 . 2008-05-18 22:32 d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-05-18 22:04 . 2008-03-28 09:17 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-05-18 22:04 . 2008-03-28 09:16 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-05-18 22:04 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-05-18 22:04 . 2008-05-27 13:05 8,353 --a------ C:\WINDOWS\BOC426.INI
2008-05-18 19:37 . 2008-05-18 19:37 163 --a------ C:\WINDOWS\ieprxmon.ini
2008-05-18 19:35 . 2008-05-18 19:35 d-------- C:\Program Files\Internet Explorer Proxy Monitor
2008-05-18 11:39 . 2008-05-18 11:39 d-------- C:\Program Files\TypeFaster
2008-05-18 10:37 . 2008-05-18 10:41 d-------- C:\Program Files\Robot Battle
2008-05-17 17:08 . 2008-05-17 17:08 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-05-17 17:08 . 2008-05-17 17:08 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-17 17:08 . 2008-05-17 17:08 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-17 16:50 . 2008-05-17 16:50 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-16 23:20 . 2008-05-17 10:41 d-------- C:\Program Files\Hamachi(3)
2008-05-15 21:06 . 2008-05-17 10:41 d-------- C:\Program Files\LithUnwrap
2008-05-15 15:30 . 2008-05-14 17:43 573,494 --a------ C:\Documents and Settings\Luke\md3toase.exe
2008-05-15 14:16 . 2008-05-17 10:41 d-------- C:\Documents and Settings\Luke\Application Data\Anvil Studio
2008-05-15 14:13 . 2008-05-17 10:41 d-------- C:\Program Files\Anvil Studio
2008-05-14 17:37 . 2008-05-17 13:26 d-------- C:\gmax
2008-05-13 15:12 . 2008-05-13 15:12 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer Pro
2008-05-13 15:12 . 2008-05-13 15:20 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer
2008-05-11 12:23 . 2008-05-11 12:23 d-------- C:\WINDOWS\system32\FFSJ
2008-05-11 12:23 . 2008-05-11 12:23 d-------- C:\Documents and Settings\Luke\Application Data\FFSJ
2008-05-11 12:23 . 2008-05-11 12:23 704,793 --a------ C:\WINDOWS\unins000.exe
2008-05-11 12:23 . 2008-05-11 12:23 3,703 --a------ C:\WINDOWS\unins000.dat
2008-05-08 15:07 . 2008-05-08 15:11 d-------- C:\Program Files\DreMule
2008-05-02 23:15 . 2008-05-02 23:15 d-------- C:\Program Files\RayViewer 1.07
2008-05-02 15:36 . 2008-05-02 15:36 d-------- C:\Program Files\Pixelformer
2008-05-02 09:31 . 2008-05-17 10:42 d-------- C:\Documents and Settings\Luke\Application Data\AVGTOOLBAR
2008-04-29 19:57 . 2008-04-29 19:57 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 18:04 --------- d-----w C:\Program Files\CallWave
2008-05-27 04:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 03:35 --------- d-----w C:\Documents and Settings\Luke\Application Data\.purple
2008-05-26 18:01 --------- d-----w C:\Program Files\Google
2008-05-25 04:50 --------- d-----w C:\Program Files\ViStart
2008-05-24 17:30 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-24 04:27 --------- d-----w C:\Program Files\Net Tools
2008-05-24 03:41 --------- d-----w C:\Program Files\e-Sword
2008-05-23 22:30 --------- d-----w C:\Documents and Settings\Luke\Application Data\gtk-2.0
2008-05-21 19:59 --------- d-----w C:\Documents and Settings\Luke\Application Data\Xfire
2008-05-20 02:56 --------- d-----w C:\Program Files\WinPcap
2008-05-19 03:04 --------- d-----w C:\Program Files\COMODO
2008-05-18 16:12 --------- d-----w C:\Program Files\Dictionary
2008-05-17 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-05-17 22:08 --------- d-----w C:\Documents and Settings\Luke\Application Data\Comodo
2008-05-17 21:41 --------- d-----w C:\Program Files\eMule
2008-05-17 15:42 --------- d-----w C:\Documents and Settings\Luke\Application Data\Hamachi
2008-05-17 15:41 --------- d-----w C:\Program Files\Xfire
2008-05-17 04:00 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-13 21:50 --------- d-----w C:\Program Files\TrueTransparency
2008-05-12 21:23 --------- d-----w C:\Program Files\GameSpy Arcade
2008-05-12 19:38 --------- d-----w C:\Program Files\ePSXe160
2008-05-09 21:05 --------- d-----w C:\Program Files\ZModeler
2008-05-07 20:31 --------- d-----w C:\Program Files\Thoosje Sidebar V2.3
2008-05-03 17:43 --------- d-----w C:\Documents and Settings\Luke\Application Data\FileZilla
2008-04-29 15:28 --------- d-----w C:\Program Files\NT Registry Tweaker
2008-04-26 23:59 --------- d-----w C:\Program Files\Drempels
2008-04-26 18:18 --------- d-----w C:\Documents and Settings\Luke\Application Data\flightgear.org
2008-04-25 18:45 --------- d-----w C:\Program Files\FlightGear
2008-04-22 19:34 90 ----a-w C:\Program Files\ndkoptions.txt
2008-04-21 21:00 --------- d-----w C:\Program Files\Kyodai
2008-04-19 15:12 --------- d-----w C:\Program Files\Dydelf
2008-04-17 21:33 --------- d-----w C:\Documents and Settings\Luke\Application Data\Subversion
2008-04-17 16:59 --------- d-----w C:\Program Files\Dolphin
2008-04-17 04:56 --------- d-----w C:\Program Files\RootQuest
2008-04-17 02:00 --------- d-----w C:\Documents and Settings\Luke\Application Data\Atari
2008-04-17 01:59 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-04-17 01:59 --------- d-----w C:\Documents and Settings\Luke\Application Data\Leadertech
2008-04-17 01:57 --------- d-----w C:\Program Files\Atari
2008-04-16 19:56 --------- d-----w C:\Program Files\Paint.NET
2008-04-16 04:06 --------- d-----w C:\Documents and Settings\Luke\Application Data\fltk.org
2008-04-15 22:52 --------- d-----w C:\Program Files\Pidgin
2008-04-13 03:35 --------- d-----w C:\Program Files\Maxis
2008-04-13 03:00 --------- d-----w C:\Program Files\FRONTIER GROOVE
2008-04-12 03:55 --------- d-----w C:\Program Files\PSXMemTool
2008-04-09 20:24 --------- d-----w C:\Program Files\RingThree
2008-04-09 00:37 --------- d-----w C:\Program Files\Sherlock Software
2008-04-09 00:33 --------- d-----w C:\Program Files\PF.Magic
2008-04-08 20:06 --------- d-----w C:\Program Files\FTD.COM
2008-04-08 20:05 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-04-07 19:27 --------- d-----w C:\Program Files\ScreenSaver.com
2008-04-07 18:50 --------- d-----w C:\Program Files\Kids 4 Truth International
2008-04-07 18:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 03:31 --------- d-----w C:\Program Files\Howie
2008-04-06 01:42 --------- d-----w C:\Program Files\iLReco the LEO IRC interface
2008-04-05 23:59 --------- d-----w C:\Program Files\AdiIRC
2008-04-04 21:13 --------- d-----w C:\Program Files\Deebot
2008-03-31 22:07 --------- d-----w C:\Program Files\Desktop Activity Recorder
2008-03-31 19:41 --------- d-----w C:\Program Files\ViRC
2008-03-28 19:02 --------- d-----w C:\Documents and Settings\Luke\Application Data\KVIrc
2008-03-28 01:38 --------- d-----w C:\Program Files\KVIrc
2008-03-27 21:50 --------- d-----w C:\Documents and Settings\Luke\Application Data\Winamp
2008-03-27 21:25 --------- d-----w C:\Program Files\Winamp
2008-03-27 20:02 --------- d-----w C:\Program Files\Acclaim Entertainment
2008-03-20 15:41 49,152 ----a-w C:\WINDOWS\system32\SysTrayDll.dll
2008-03-13 16:21 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-03-04 01:01 830,464 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-04 01:01 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-03-04 01:01 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-03-04 01:01 142,848 ------w C:\WINDOWS\system32\IESetting.dll
2008-03-04 00:53 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2008-03-04 00:52 41,984 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-03-04 00:52 17,920 ----a-w C:\WINDOWS\system32\corpol.dll
2008-03-04 00:51 69,120 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-03-04 00:51 69,120 ----a-w C:\WINDOWS\system32\admparse.dll
2008-03-04 00:50 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-03-04 00:50 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-03-04 00:50 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-12-19 01:39 1,069,184 ----a-w C:\Documents and Settings\Luke\ivcon.exe
2007-11-25 19:46 40 ----a-w C:\Documents and Settings\Luke\language.dat
2007-11-09 00:58 1,396,736 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-13 22:38 241,664 ----a-w C:\Documents and Settings\Luke\sniffit.exe
2002-07-29 19:40 155,648 ----a-w C:\Documents and Settings\Luke\ase2prm.exe
2002-04-12 16:29 29,184 ----a-w C:\Documents and Settings\Luke\rvshade.exe
2002-04-12 16:29 29,184 ----a-w C:\Documents and Settings\Luke\rvcolor.exe
2002-04-12 16:29 28,672 ----a-w C:\Documents and Settings\Luke\findump.exe
2002-04-12 16:29 28,160 ----a-w C:\Documents and Settings\Luke\rvweird.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvtrans.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvmark.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvcenter.exe
2000-02-16 16:03 14,552 ----a-w C:\Documents and Settings\Luke\RV-DBLSD.EXE
2000-01-17 16:50 31,365 ----a-w C:\Documents and Settings\Luke\RV-SIZER.EXE
1999-12-15 22:00 19,311 ----a-w C:\Documents and Settings\Luke\RV-REMAP.EXE
1999-11-25 18:21 40,960 ----a-w C:\Documents and Settings\Luke\PRM2NCP.EXE
1997-06-09 11:27 36,864 ----a-w C:\Documents and Settings\Luke\TMD2LWO.EXE
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

------- Sigcheck -------

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
2004-08-04 07:00 2068608 471aeecdb0937bd3617f52772250251a C:\WINDOWS\system32\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2004-08-04 07:00 2068608 471aeecdb0937bd3617f52772250251a C:\WINDOWS\system32\VIRepair\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\VIRepair\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\VITrans\ntoskrnl.exe

2004-08-04 07:00 1422336 4b0011b8e35843966a3ce5685058420f C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 07:00 1422336 4b0011b8e35843966a3ce5685058420f C:\WINDOWS\system32\VIRepair\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-25_20.05.59.65 )))))))))))))))))))))))))))))))))))))))))
.

2008-05-26 00:59:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
2008-05-27 18:03:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
2008-05-27 18:04:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_584.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 07:00 15360]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2005-04-01 16:16 5562368]
“COMODO Firewall Pro”=“C:\Program Files\COMODO\Firewall\cfp.exe” [2008-05-17 17:08 1572608]
“BOC-426”=“C:\PROGRA~1\Comodo\CBOClean\BOC426.exe” [2008-04-10 11:08 351480]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-05-15 18:19 79224]
“TMRUBottedTray”=“C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe” [2007-12-19 00:18 288088]

C:\Documents and Settings\Luke\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-03-14 18:00:46 546816]
NYKO Gamepad Mapping Tools.lnk - C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2007-10-29 20:03:49 416768]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-11-01 19:55:04 19968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2007-10-28 23:01:58 1590352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
“UIHost”=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uniime32]
uniime32.dll 2004-05-14 13:01 10752 C:\WINDOWS\system32\uniime32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“VIDC.I420”= i420vfw.dll
“msacm.l3fhg”= mp3fhg.acm
“VIDC.X264”= x264vfw.dll
“VIDC.HFYU”= huffyuv.dll
“vidc.i263”= i263_32.drv
“VIDC.YV12”= yv12vfw.dll
“msacm.ac3filter”= ac3filter.acm
“msacm.divxa32”= divxa32.acm
“msvideo3”= STVqx3tg.dll
“vidc.mpng”= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
“vidc.mvjp”= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
“vidc.444p”= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
“VIDC.XFR1”= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Drempels Desktop.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Drempels Desktop.lnk
backup=C:\WINDOWS\pss\Drempels Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
--a------ 2004-09-20 01:27 65536 C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
--a------ 2007-11-23 22:24 249856 C:\Program Files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-04-01 16:16 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-29 21:21 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-08-17 05:39 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-10-29 14:49 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
--a------ 2007-11-20 13:51 524288 C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“Maya5PLEHelpServer”=3 (0x3)
“WZCSVC”=2 (0x2)
“SCardSvr”=3 (0x3)
“aspnet_state”=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
“True Transparency”=C:\Program Files\TrueTransparency\TrueTransparency.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
“nwiz”=nwiz.exe /install
“SoundMan”=SOUNDMAN.EXE
“WinFast Schedule”=C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Program Files\eMule\emule.exe”=
“C:\Program Files\Pidgin\pidgin.exe”=
“C:\Program Files\K’NEX\game.exe”=
“C:\Program Files\Hasbro\Boggle\Boggle.exe”=
“C:\WINDOWS\system32\dplaysvr.exe”=
“C:\Program Files\Xfire\xfire.exe”=
“C:\Program Files\Azureus\Azureus.exe”=
“C:\Program Files\CallWave\IAM.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“1317:TCP”= 1317:TCP:messenger

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-05-24 13:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-17 17:08]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-17 17:08]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 14:50]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\prevxcsi.exe" /service []
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 17:36]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 15:20]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 14:49]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 08:28]
R3 STVqx3;Intel Play QX3 Microscope;C:\WINDOWS\system32\drivers\STVqx3.sys [2001-04-12 14:04]
R3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys []
S2 RUBotted;Trend Micro RUBotted Service;"C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe" [2007-12-19 00:18]
S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]
S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]
S4 Maya5PLEHelpServer;Alias Maya 5.0 PLE Help Server;"C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:.\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c39b5dd-85d0-11dc-a05d-ac4146196c01}]
\Shell\AutoRun\command - H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eab94e0c-8595-11dc-a19d-806d6172696f}]
\Shell\AutoRun\command - E:\start.exe

.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 13:08:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\Luke\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-05-27 13:10:21
ComboFix-quarantined-files.txt 2008-05-27 18:10:16
ComboFix2.txt 2008-05-26 01:06:13

Pre-Run: 259,261,153,280 bytes free
Post-Run: 259,248,238,592 bytes free

335 --- E O F --- 2008-03-31 04:04:00

I’m following along with the malware hacking pdf for now. I think I may be able to unpack the UPX file and view the source. If possible we can get a better understanding on what it infects and how to repair it. (:NRD)

RUBotted, of course, turned up nothing. But it says it’s monitoring my network for changes, so we will wait and see. Also, I was unable to install it the first time I tried (I was online); it said unable to finish, “process terminated”. Once I got offline I was able to install it. My guess is the guy on the tunnel didn’t want me to have it. :stuck_out_tongue:
* Gaming4JC goes to decompile the upx packed dll… :wink:
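As an added example (not code from this thread or from ComboFix), here is a small triage script for the driver/service section of a ComboFix log like the one pasted above. It parses the `R0`/`S3`-style lines and the `"ImagePath"` entries under `...\Services\<name>` keys, then flags two things a reviewer scanning such a log looks for: entries where ComboFix printed an empty `[]` instead of a file timestamp (it could not stamp the file at the registered path, which usually means the file is missing or hidden, often a leftover of an uninstalled tool) and services whose image runs out of a Temp directory. The sample log lines are copied from the post above; the heuristics and all function names are my own assumptions, and a flag means "verify this entry", not "this is malware".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines in ComboFix's driver/service listing format
# taken from the log in this thread, plus one registry ImagePath entry.
SAMPLE_LOG = r"""
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-05-24 13:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\prevxcsi.exe" /service []
S1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys []
S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\Luke\LOCALS~1\Temp\ASFWHide"
"""

# "R2 name;description;command [timestamp]" -- timestamp may be empty.
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$')
# Registry key header naming a service, e.g. [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X]
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\system\\[^\\]+\\Services\\([^\]]+)\]$', re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.*)"$')


@dataclass
class Entry:
    name: str
    image: str
    start: str = ""      # start type as printed (R0..S4); "" for registry-only entries
    dated: bool = True   # False when ComboFix printed an empty [] after the command


def image_path(command: str) -> str:
    """Return the executable path from a service command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def parse(log: str) -> list[Entry]:
    """Collect driver/service entries from the listing and from ImagePath values."""
    entries: list[Entry] = []
    current_key: str | None = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, num, name, _desc, command, stamp = m.groups()
            entries.append(Entry(name=name, image=image_path(command),
                                 start=start + num, dated=bool(stamp.strip())))
            continue
        k = KEY_RE.match(line)
        if k:
            current_key = k.group(1)
            continue
        ip = IMAGEPATH_RE.match(line)
        if ip and current_key:
            path = ip.group(1)
            if path.startswith('\\??\\'):   # strip the NT object-namespace prefix
                path = path[4:]
            entries.append(Entry(name=current_key, image=image_path(path)))
            current_key = None
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, list[str]]]:
    """Return (name, reasons) for every entry that deserves a manual look."""
    flagged = []
    for e in entries:
        reasons = []
        if e.start and not e.dated:
            reasons.append("no file timestamp: image missing or hidden at the registered path")
        if '\\temp\\' in e.image.lower():
            reasons.append("service image runs from a Temp directory")
        if reasons:
            flagged.append((e.name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(parse(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the full log, the script would single out the same four entries a careful reader would: the three `[]` drivers (CSIScanner, HekkoVirtualCD, DarkSpy) and the Temp-resident ASFWHide service. Correlating each flagged name with known installs (the PrevxCSI and DarkSpy tools mentioned earlier in this thread, for instance) is the next manual step; the script only narrows the list.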