Help with Win32:Small-CHC [Trj] and Win32:Rootkit-gen[Rtk] [Solved] [C


  • This topic is locked

#1 Psypher (Member, 22 posts)
I've tried scanning with MBAM, but these keep popping up every 5-10 minutes. Avast detects them, so I delete them every time.
#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
What is the file path of what Avast is detecting?

#3 Psypher (Topic Starter, Member, 22 posts)
Thanks for the fast reply. I tried ComboFix and I think it worked. I'll be observing for now.

Please close this topic for now. Thanks again.

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#5 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Can you post the ComboFix log? It should be at C:\combofix.txt.

#6 Psypher (Topic Starter, Member, 22 posts)

ComboFix 10-04-06.04 - aa 04/08/2010 9:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.645 [GMT 8:00]
Running from: c:\documents and settings\aa\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100407-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2779494031-9196210004-215584154-3583
c:\recycler\S-1-5-21-3158445059-8871722560-310857851-1447
c:\recycler\S-1-5-21-6542851269-1262420183-241111904-2895
c:\windows\cidrive32.exe
c:\windows\system32\53.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-04-08 00:01 . 2008-04-13 16:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-08 00:01 . 2008-04-13 16:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-08 00:01 . 2008-04-13 16:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-08 00:01 . 2008-04-13 16:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-08 00:00 . 2008-04-13 16:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-08 00:00 . 2010-04-08 00:00 110592 ----a-w- c:\windows\ndll.exe
2010-04-07 23:59 . 2010-04-07 23:59 15360 ----a-w- c:\windows\system32\booyaka.exe
2010-04-07 08:06 . 2010-04-08 00:46 22528 ----a-w- c:\documents and settings\Administrator.BEAU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10000.dll
2010-04-07 08:06 . 2010-04-08 00:46 6144 ----a-w- c:\documents and settings\Administrator.BEAU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
2010-04-07 08:05 . 2010-04-07 08:05 -------- d-----w- c:\documents and settings\Administrator.BEAU\Application Data\SUPERAntiSpyware.com
2010-04-07 03:40 . 2010-04-07 03:40 52224 ----a-w- c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-07 03:40 . 2010-04-07 03:40 117760 ----a-w- c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-07 02:04 . 2010-04-07 03:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-07 00:31 . 2010-04-07 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak
2010-04-07 00:31 . 2010-04-07 02:50 -------- d-----w- c:\documents and settings\aa\Application Data\Systweak
2010-04-06 12:02 . 2010-04-06 12:02 -------- d-----w- c:\documents and settings\Administrator.BEAU\Application Data\Malwarebytes
2010-04-06 11:28 . 2010-04-08 00:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 11:28 . 2010-04-08 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-06 10:54 . 2010-04-06 10:56 -------- d-----w- c:\program files\Unlocker
2010-04-06 09:57 . 2010-04-06 10:00 -------- d-----w- c:\program files\InstallShield
2010-04-06 09:48 . 2010-04-06 09:48 -------- d-----w- c:\documents and settings\aa\Games
2010-04-05 08:28 . 2010-04-05 08:28 0 ----a-w- c:\documents and settings\aa\jagex__preferences3.dat
2010-04-03 06:53 . 2010-04-03 07:25 -------- d-----w- c:\program files\DoremiSoft
2010-04-03 06:29 . 2010-04-03 06:29 -------- d-----w- c:\documents and settings\aa\Application Data\ImTOO Software Studio
2010-04-01 14:02 . 2010-04-01 14:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-03-31 08:08 . 2010-03-31 08:08 -------- d-sh--w- c:\windows\ftpcache
2010-03-31 08:07 . 2010-03-31 08:07 -------- d-----w- c:\windows\system32\URTTEMP
2010-03-31 08:05 . 2010-03-31 12:49 -------- d-----w- c:\windows\PAC207
2010-03-31 08:05 . 2010-03-31 08:05 -------- d-----w- c:\windows\Downloaded Installations
2010-03-31 06:23 . 2010-03-31 06:23 -------- d-----w- c:\documents and settings\aa\Application Data\BSD
2010-03-31 06:23 . 2010-03-31 08:00 -------- d-----w- c:\program files\Common Files\BSD
2010-03-31 06:22 . 2010-03-31 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\BSD
2010-03-31 06:22 . 2010-02-21 11:17 1571328 ----a-w- c:\windows\bsdsetup.dll
2010-03-25 00:40 . 2010-04-07 10:31 -------- d-----w- c:\documents and settings\aa\Local Settings\Application Data\AskToolbar
2010-03-24 01:25 . 2010-04-07 03:37 6144 ----a-w- c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
2010-03-24 01:25 . 2010-04-07 03:37 22528 ----a-w- c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10000.dll
2010-03-24 01:25 . 2010-03-24 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-24 01:24 . 2010-04-08 00:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 01:24 . 2010-03-24 01:24 -------- d-----w- c:\documents and settings\aa\Application Data\SUPERAntiSpyware.com
2010-03-24 01:12 . 2010-03-24 01:12 -------- d-----w- c:\program files\Trend Micro
2010-03-18 08:48 . 2010-03-18 08:48 96 ---ha-w- c:\windows\system32\HsInfo.dat
2010-03-18 01:36 . 2010-03-20 01:56 -------- d-----w- c:\documents and settings\aa\Application Data\DMCache
2010-03-16 23:48 . 2010-03-16 23:48 -------- d-----w- c:\documents and settings\aa\Application Data\XRay Engine
2010-03-14 22:52 . 2010-03-14 23:15 -------- d-----w- C:\BDS
2010-03-14 05:09 . 2010-03-14 05:09 -------- d-----w- c:\program files\SopCast
2010-03-14 05:09 . 2010-03-14 05:09 -------- d-----w- c:\program files\Ask.com
2010-03-14 00:42 . 2010-03-14 00:42 -------- d-----w- c:\program files\SyQic Yoonic Engine - PLDT Watchpad
2010-03-14 00:36 . 2010-03-14 00:50 -------- d-----w- c:\documents and settings\aa\Local Settings\Application Data\Deployment
2010-03-10 12:29 . 2010-03-10 12:29 -------- d-----w- c:\documents and settings\aa\Local Settings\Application Data\Help
2010-03-10 12:22 . 2010-03-10 12:22 -------- d-----w- c:\program files\Common Files\Bcgsoft
2010-03-10 02:20 . 2010-03-10 02:20 -------- d-----w- c:\documents and settings\aa\Local Settings\Application Data\HPR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 00:49 . 2009-09-21 06:37 -------- d-----w- c:\documents and settings\aa\Application Data\uTorrent
2010-04-07 13:47 . 2010-03-07 13:03 -------- d-----w- c:\program files\Cheat Engine
2010-04-07 13:36 . 2010-02-14 14:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
2010-04-07 10:30 . 2010-01-03 11:47 -------- d-----w- c:\program files\Google
2010-04-07 02:51 . 2009-10-02 07:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-06 08:35 . 2010-03-08 00:58 -------- d-----w- c:\program files\EASEUS
2010-04-06 07:30 . 2009-11-05 02:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 07:13 . 2010-01-04 10:12 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-06 06:13 . 2009-11-03 09:43 -------- d-----w- c:\documents and settings\aa\Application Data\teamspeak2
2010-04-05 08:31 . 2010-01-16 12:43 69 ----a-w- c:\documents and settings\aa\jagex_runescape_preferences2.dat
2010-04-05 08:28 . 2010-01-16 12:41 41 ----a-w- c:\documents and settings\aa\jagex_runescape_preferences.dat
2010-03-31 13:05 . 2010-03-02 10:50 -------- d-----w- c:\documents and settings\aa\Application Data\Moyea
2010-03-31 08:06 . 2009-09-18 05:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 16:46 . 2009-11-05 02:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45 . 2009-11-05 02:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 03:12 . 2009-10-26 02:46 -------- d-----w- c:\documents and settings\aa\Application Data\U3
2010-03-24 01:17 . 2009-11-09 07:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-18 07:11 . 2010-02-17 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-03-16 22:35 . 2009-09-22 14:49 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-12 01:51 . 2009-09-18 10:52 -------- d-----w- c:\documents and settings\aa\Application Data\Red Alert 3
2010-03-10 16:14 . 2009-09-21 06:37 -------- d-----w- c:\program files\uTorrent
2010-03-10 12:31 . 2009-09-18 06:53 70896 ----a-w- c:\documents and settings\aa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 14:41 . 2009-11-09 07:31 -------- d-----w- c:\program files\AGEIA Technologies
2010-03-05 14:26 . 2009-10-29 02:50 -------- d-----w- c:\documents and settings\aa\Application Data\runic games
2010-03-05 14:26 . 2009-11-10 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2010-03-05 05:03 . 2010-02-10 01:07 25 ----a-w- c:\windows\popcinfot.dat
2010-03-03 01:42 . 2010-03-03 01:42 532 ----a-w- c:\windows\eReg.dat
2010-03-02 10:49 . 2010-03-02 10:43 -------- d-----w- c:\documents and settings\aa\Application Data\GetRightToGo
2010-03-02 10:49 . 2010-03-02 10:49 -------- d-----w- c:\program files\Moyea
2010-03-02 01:38 . 2010-03-02 01:29 16 --sha-w- c:\documents and settings\aa\Application Data\BDL+D\MANGAGAMER.COM\95B64FD1-DF2D-47C9-B5DE-E5146D205EDA\____.sys
2010-03-02 01:29 . 2010-03-02 01:29 -------- d-----w- c:\documents and settings\aa\Application Data\BDL+D
2010-02-25 03:46 . 2010-02-25 03:46 -------- d-----w- c:\program files\iOrgSoft
2010-02-22 14:02 . 2010-02-22 14:02 -------- d-----w- c:\program files\AviSynth 2.5
2010-02-22 14:02 . 2010-02-22 14:02 -------- d-----w- c:\program files\eRightSoft
2010-02-22 10:20 . 2010-02-22 10:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-02-22 10:20 . 2010-02-22 10:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-02-22 10:20 . 2010-02-22 10:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-02-22 10:20 . 2010-02-22 10:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-02-22 10:20 . 2010-02-22 10:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-02-22 10:20 . 2010-02-22 10:20 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-02-22 10:20 . 2010-02-22 10:20 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-02-22 10:20 . 2010-02-22 10:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-02-22 10:20 . 2010-02-22 10:20 -------- d-----w- c:\program files\Common Files\Real
2010-02-22 10:20 . 2010-02-22 10:20 -------- d-----w- c:\program files\Real
2010-02-22 10:20 . 2010-02-22 10:20 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-22 10:20 . 2006-07-11 10:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-22 09:51 . 2010-02-22 09:51 -------- d-----w- c:\documents and settings\aa\Application Data\GRETECH
2010-02-22 09:45 . 2010-02-22 09:45 -------- d-----w- c:\program files\GRETECH
2010-02-20 01:38 . 2009-09-18 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-17 09:19 . 2009-11-26 02:49 -------- d-----w- c:\program files\Pando Networks
2010-02-15 11:27 . 2010-02-15 11:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\MathWorks
2010-02-14 15:07 . 2010-02-14 15:07 -------- d-----w- c:\documents and settings\aa\Application Data\Ahead
2010-02-14 07:00 . 2010-02-14 07:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
2010-02-14 06:53 . 2010-02-06 06:07 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-02-14 06:52 . 2010-02-14 06:52 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-02-13 13:24 . 2010-02-13 10:20 -------- d-----w- c:\documents and settings\aa\Application Data\SolidDocuments
2010-02-13 13:19 . 2010-02-13 13:19 -------- d-----w- c:\program files\SolidDocuments
2010-02-13 13:19 . 2010-02-13 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SolidDocuments
2010-02-10 10:45 . 2010-02-10 10:43 -------- d-----w- c:\documents and settings\aa\Application Data\Charles
2010-02-10 00:27 . 2010-02-10 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2010-02-08 13:40 . 2009-09-18 05:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-07 08:39 . 2010-02-07 08:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\MathWorks
2010-02-07 04:11 . 2010-02-06 11:25 -------- d-----w- c:\program files\NVIDIA Corporation
2010-01-28 01:35 . 2010-01-28 01:35 503808 ----a-w- c:\documents and settings\aa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-28f12acd-n\msvcp71.dll
2010-01-28 01:35 . 2010-01-28 01:35 499712 ----a-w- c:\documents and settings\aa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-28f12acd-n\jmc.dll
2010-01-28 01:35 . 2010-01-28 01:35 348160 ----a-w- c:\documents and settings\aa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-28f12acd-n\msvcr71.dll
2010-01-28 01:34 . 2010-01-28 01:34 61440 ----a-w- c:\documents and settings\aa\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-449d9c47-n\decora-sse.dll
2010-01-28 01:34 . 2010-01-28 01:34 12800 ----a-w- c:\documents and settings\aa\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-449d9c47-n\decora-d3d.dll
2010-01-26 23:54 . 2010-01-26 23:52 5 ----a-w- c:\windows\system32\SySatm.dat
2010-01-12 04:03 . 2010-02-06 10:17 1081344 ----a-w- c:\windows\system32\SET68.tmp
2010-01-12 04:03 . 2010-02-06 10:17 6359168 ----a-w- c:\windows\system32\SET65.tmp
2010-01-12 04:03 . 2010-02-06 10:17 2283526 ----a-w- c:\windows\system32\nvdata.bin
2006-05-03 10:06 . 2010-02-22 14:02 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-02-22 14:02 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-02-22 14:02 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-04-07_13.57.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-08 01:02 . 2010-04-08 01:02 16384 c:\windows\TEMP\Perflib_Perfdata_5ec.dat
+ 2010-04-08 01:02 . 2010-04-08 01:02 16384 c:\windows\TEMP\Perflib_Perfdata_150.dat
+ 2008-04-14 06:10 . 2008-04-14 06:10 11392 c:\windows\system32\dllcache\sfloppy.sys
+ 2008-04-14 00:01 . 2008-04-14 11:51 35840 c:\windows\system32\dllcache\processr.sys
+ 2001-08-17 13:48 . 2001-08-23 10:00 12160 c:\windows\system32\dllcache\mouhid.sys
+ 2008-04-14 00:30 . 2008-04-14 11:51 30080 c:\windows\system32\dllcache\modem.sys
+ 2008-04-14 06:15 . 2008-04-14 06:15 10368 c:\windows\system32\dllcache\hidusb.sys
+ 2008-04-14 06:10 . 2008-04-14 06:10 20480 c:\windows\system32\dllcache\flpydisk.sys
+ 2008-04-14 06:10 . 2008-04-14 06:10 27392 c:\windows\system32\dllcache\fdc.sys
+ 2001-08-17 13:52 . 2001-08-23 10:00 18688 c:\windows\system32\dllcache\cdaudio.sys
+ 2009-09-18 05:50 . 2010-04-07 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-18 05:50 . 2009-09-18 05:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-18 05:50 . 2009-09-18 05:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-18 05:50 . 2010-04-07 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-07 23:58 . 2010-04-07 23:48 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-09-18 05:50 . 2009-09-18 05:55 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 08:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-10 319792]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-24 11:13 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\startupfolder\C:^Documents and Settings^aa^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\aa\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 07:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 17:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2007-11-05 13:34 741376 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-10-30 07:05 77824 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
2006-10-17 01:20 398944 ----a-w- c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-11-26 06:54 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-11 11:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-08 14:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2007-02-26 02:40 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-02-17 09:21 2937528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-11 11:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-14 13:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-11-26 06:54 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 01:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-22 10:20 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MyWebSearch Email Plugin"=c:\progra~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"SysTrayApp"=%ProgramFiles%\IDT\WDM\sttray.exe
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"My Web Search Bar Search Scope Monitor"="c:\progra~1\MYWEBS~1\bar\3.bin\m3SrchMn.exe" /m=2 /w /h
"MyWebSearch Email Plugin"=c:\progra~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"d:\\Program Files\\Electronic Arts\\Command & Conquer 3\\Blns.main\\Binaries\\Borderlands.exe"=
"f:\\Program Files\\Electronic Arts\\Red Alert 3\\bitComposer\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
"f:\\Program Files\\Electronic Arts\\Red Alert 3\\bitComposer\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"f:\\MATLAB7\\bin\\win32\\MATLAB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"57026:TCP"= 57026:TCP:Pando Media Booster
"57026:UDP"= 57026:UDP:Pando Media Booster

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/18/2009 2:50 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/19/2008 11:34 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 11:34 PM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/18/2009 2:50 PM 20560]
R2 SCPDFReadSpool;SolidConverterPDFReadSpool;c:\windows\Installer\MSI1D5.tmp [2/13/2010 9:20 PM 189696]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [10/30/2009 3:28 PM 1021256]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [9/18/2009 2:00 PM 37376]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [10/14/2009 7:24 AM 10064]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/25/2009 2:04 PM 691696]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 7:47 PM 135664]
S2 nayxgygia;Shell Security;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 7:42 PM 14336]
S3 ALIENZDRVR;ALIENZDRVR;\??\c:\documents and settings\aa\Desktop\OpenFirst + Re 8.0 Update\Alienz32.sys --> c:\documents and settings\aa\Desktop\OpenFirst + Re 8.0 Update\Alienz32.sys [?]
S3 BCASPROT;Advanced System Protector;\??\c:\program files\Systweak\Advanced System Protector\sasprot32.sys --> c:\program files\Systweak\Advanced System Protector\sasprot32.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Matlab\Matlab\Matlab\GameGuard\dump_wmimmc.sys --> c:\program files\Matlab\Matlab\Matlab\GameGuard\dump_wmimmc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\sasenum.sys [8/19/2008 11:34 PM 12872]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
nayxgygia
.
Contents of the 'Scheduled Tasks' folder

2009-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-04-08 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2009-10-30 07:35]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 11:47]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 11:47]

2010-04-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1202660629-776561741-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-09 10:38]

2010-04-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1202660629-776561741-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-09 10:38]

2010-04-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 08:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15003&l=dis
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.operation7.com.ph/
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\aa\Application Data\Mozilla\Firefox\Profiles\m5l07omz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=en_US&q=
FF - component: c:\documents and settings\aa\Application Data\Mozilla\Firefox\Profiles\m5l07omz.default\extensions\[email protected]\components\DTToolbarFF.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86EB8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7660f28
\Driver\ACPI -> ACPI.sys @ 0xf74f3cb8
\Driver\atapi -> atapi.sys @ 0xf7485852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7391bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7380a0d
SendHandler -> NDIS.sys @ 0xf7394b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SCPDFReadSpool]
"ImagePath"="c:\windows\Installer\MSI1D5.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\nayxgygia]
"ServiceDll"="c:\windows\system32\umeayhrk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-04-08 09:21:05
ComboFix-quarantined-files.txt 2010-04-08 01:21
ComboFix2.txt 2010-04-07 14:05

Pre-Run: 16,328,310,784 bytes free
Post-Run: 16,294,879,232 bytes free

- - End Of File - - A18FDEA3E82764F796A0A75853EAA8A2


Is this the one? I uninstalled ComboFix already but I managed to save this.

Edited by Psypher, 09 April 2010 - 07:31 AM.

  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
yes

you may need to download a new version of combofix.exe to do this step, use this link

Link 1


Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...tk-t273463.html

Collect::
c:\windows\ndll.exe
c:\windows\system32\booyaka.exe

Driver::
nayxgygia

NetSvc::
nayxgygia

KillAll::

Suspect::


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
    Posted Image
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      Posted Image
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.
  • 0

#8
Psypher

Psypher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
How long will all these take? It's kinda late in my country.
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
2-3 hours

we can do it tomorrow
  • 0

#10
Psypher

Psypher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
OK. Will do it first thing tomorrow. Thanks.
  • 0



#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
ok
  • 0

#12
Psypher

Psypher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Combofix updated then it restarted. Nothing happened at startup. I used combofix 25 minutes ago.
  • 0

#13
Psypher

Psypher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Skipped to step 2. I'm waiting for GMER to finish. I'm using a laptop now.
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
ok, let's see what GMER shows
  • 0

#15
Psypher

Psypher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-10 09:51:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\aa\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB638FC56] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB638FB12] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB63900C6] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB638FFF0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB638F6E8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB638FBEC] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB638F628] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB638F68C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB638FD0C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB6390194] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB638FCCC] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB638FE4C] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CD4 80504560 4 Bytes CALL 09067E5B
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xF73D9314]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF442F360, 0x37192D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[192] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[192] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[192] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1416] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1416] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1416] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0097000C
.text C:\WINDOWS\System32\svchost.exe[1416] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0293000A
.text C:\WINDOWS\System32\svchost.exe[1416] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 023A000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 872BBAC8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] nayxgygia <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia@DisplayName Shell Security
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia@Description Dieser Dienst analysiert im Hintergrund die Nutzung Ihres Computers und ermöglicht die automatische Durchführung von situationsabhängigen Optimierungen. Alle Funktionen können in TuneUp Utilities eingestellt werden. Wenn Sie diesen Dienst stoppen oder deaktivieren, funktionieren Teile von TuneUp Utilities nicht mehr.
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\nayxgygia\Parameters@ServiceDll C:\WINDOWS\system32\umeayhrk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9F 0x0E 0x82 0x7E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3C 0x0C 0x9D 0x15 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1D 0xF9 0x22 0x48 ...
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia@DisplayName Shell Security
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia@Description Dieser Dienst analysiert im Hintergrund die Nutzung Ihres Computers und ermöglicht die automatische Durchführung von situationsabhängigen Optimierungen. Alle Funktionen können in TuneUp Utilities eingestellt werden. Wenn Sie diesen Dienst stoppen oder deaktivieren, funktionieren Teile von TuneUp Utilities nicht mehr.
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\nayxgygia\Parameters@ServiceDll C:\WINDOWS\system32\umeayhrk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9F 0x0E 0x82 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3C 0x0C 0x9D 0x15 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1D 0xF9 0x22 0x48 ...
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia@DisplayName Shell Security
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia@Description Dieser Dienst analysiert im Hintergrund die Nutzung Ihres Computers und ermöglicht die automatische Durchführung von situationsabhängigen Optimierungen. Alle Funktionen können in TuneUp Utilities eingestellt werden. Wenn Sie diesen Dienst stoppen oder deaktivieren, funktionieren Teile von TuneUp Utilities nicht mehr.
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\nayxgygia\Parameters@ServiceDll C:\WINDOWS\system32\umeayhrk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9F 0x0E 0x82 0x7E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3C 0x0C 0x9D 0x15 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1D 0xF9 0x22 0x48 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia@DisplayName Shell Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia@Description Dieser Dienst analysiert im Hintergrund die Nutzung Ihres Computers und ermöglicht die automatische Durchführung von situationsabhängigen Optimierungen. Alle Funktionen können in TuneUp Utilities eingestellt werden. Wenn Sie diesen Dienst stoppen oder deaktivieren, funktionieren Teile von TuneUp Utilities nicht mehr.
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia\Parameters@ServiceDll C:\WINDOWS\system32\umeayhrk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9F 0x0E 0x82 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3C 0x0C 0x9D 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1D 0xF9 0x22 0x48 ...
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia@DisplayName Shell Security
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia@Type 32
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia@Start 2
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia@Description Dieser Dienst analysiert im Hintergrund die Nutzung Ihres Computers und ermöglicht die automatische Durchführung von situationsabhängigen Optimierungen. Alle Funktionen können in TuneUp Utilities eingestellt werden. Wenn Sie diesen Dienst stoppen oder deaktivieren, funktionieren Teile von TuneUp Utilities nicht mehr.
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\nayxgygia\Parameters@ServiceDll C:\WINDOWS\system32\umeayhrk.dll
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9F 0x0E 0x82 0x7E ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3C 0x0C 0x9D 0x15 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1D 0xF9 0x22 0x48 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Here it is. :)

Edited by Psypher, 10 April 2010 - 05:31 AM.

  • 0
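As an added example (not code from this thread, from GMER or from ComboFix), here is a small Python triage script that applies the caution in post #7 to report lines like the ones above: SSDT hooks that GMER attributes to a known security product module are downgraded to informational, while the hidden service, its ServiceDll path and the "suspicious modification" driver entries are surfaced first. The vendor allow-list, the severity labels and the regular expressions are assumptions made for this example; the sample lines are copied from the GMER log posted above.

```python
import re

# Sample lines copied from the GMER report above (a constructed subset).
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB638FC56] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB638F628] <-- ROOTKIT !!!
.text C:\WINDOWS\System32\svchost.exe[1416] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0098000A
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] nayxgygia <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\nayxgygia\Parameters@ServiceDll C:\WINDOWS\system32\umeayhrk.dll
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

ROOTKIT_TAG = "<-- ROOTKIT !!!"

# Kernel modules of security products that legitimately hook the SSDT.
# Assumption for this example: extend it from the vendor string GMER prints.
KNOWN_VENDOR_MODULES = {"aswsp.sys": "ALWIL Software"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}

SSDT_RE = re.compile(r"SSDT\s+(\S+)\s+\(([^)]*)\)")
USER_HOOK_RE = re.compile(
    r"\.text\s+(.+?)\[(\d+)\]\s+(\S+)\s+[0-9A-F]+\s+\d+ Bytes JMP")


def classify_line(line):
    """Return (severity, reason) for one GMER line, or None if uninteresting."""
    s = line.strip()
    if not s:
        return None
    if s.startswith("SSDT "):
        m = SSDT_RE.match(s)
        module = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
        vendor = m.group(2) if m else ""
        if module in KNOWN_VENDOR_MODULES and KNOWN_VENDOR_MODULES[module] in vendor:
            # Expected self-protection hook of an installed security product.
            return ("info", f"SSDT hook by security product {module} ({vendor})")
        return ("high", f"SSDT hook by unrecognised module {module or '?'}")
    if s.startswith("Service ") and "*** hidden ***" in s:
        # A service hidden from the Service Control Manager is the strongest signal here.
        name = s.split("]")[-1].replace(ROOTKIT_TAG, "").strip()
        return ("critical", f"hidden service {name}")
    if s.startswith("Reg ") and "@ServiceDll" in s:
        path = s.split("@ServiceDll", 1)[1].strip()
        return ("high", f"ServiceDll points to {path}")
    if s.startswith("File ") and "suspicious modification" in s:
        return ("high", f"suspicious modification of {s.split()[1]}")
    m = USER_HOOK_RE.match(s)
    if m:
        proc = m.group(1).rsplit("\\", 1)[-1]
        return ("medium", f"inline hook of {m.group(3)} in {proc}[{m.group(2)}]")
    if ROOTKIT_TAG in s:
        return ("high", "flagged by GMER: " + s)
    return None


def triage(log_text):
    """Classify every line and return findings, most severe first (stable order)."""
    findings = [f for f in (classify_line(l) for l in log_text.splitlines()) if f]
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def severity_counts(findings):
    """Count findings per severity label."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, reason in triage(SAMPLE_LOG):
        print(f"[{sev:8}] {reason}")
```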