In need of some help (Log inside) [RESOLVED]


This topic is locked

#1 MorbidAngelSB23 (Member, 12 posts)
Pop-up attacks, lost my Task Manager, System Restore has been changed

Thanks : )




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:40 AM, on 5/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\b2new.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: {ebf636fb-aeed-8fc8-edb4-506478292a30} - {03a29287-4605-4bde-8cf8-deeabf636fbe} - C:\WINDOWS\System32\gpngwvkg.dll
O2 - BHO: (no name) - {101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8} - C:\WINDOWS\System32\mlJaBrsS.dll (file missing)
O2 - BHO: (no name) - {4DD3850B-6025-47E3-9A11-C2E4465663F5} - C:\WINDOWS\System32\awtuRjKd.dll (file missing)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\System32\yayXPFwx.dll
O2 - BHO: (no name) - {ED9B9958-CAFE-4209-8265-E551DEAC3E85} - C:\WINDOWS\System32\mlJbATLB.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [f8b3e333] rundll32.exe "C:\WINDOWS\System32\lgnqured.dll",b
O4 - HKLM\..\Run: [BMfb80d0af] Rundll32.exe "C:\WINDOWS\System32\nbcoskcj.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [Piwwkq] "C:\Program Files\Common Files\??crosoft.NET\r?gsvr32.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205980464140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205980458328
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayXPFwx - C:\WINDOWS\SYSTEM32\yayXPFwx.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\Smc.exe (file missing)

--
End of file - 6829 bytes
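A log like the one above is normally triaged by eye. As an added example (it is not part of the original post and not a HijackThis feature), the Python script below encodes a few of those eyeball rules and runs them over a constructed excerpt of the log in this post: a UserInit value with more than one executable, rundll32 Run entries with a one-letter export name, unnamed or GUID-named BHOs loaded from System32, a Winlogon Notify DLL in System32, an SSODL entry whose file is missing, a service with no vendor whose binary sits directly in C:\WINDOWS, and an IE start or search page pointing at a local file. The rule names and severities are my own assumptions, as is the check for `?` in a Run target (the page extraction renders the look-alike characters in the Piwwkq entry as `?`). These are heuristics to prioritise a manual review, not signatures.

```python
"""Heuristic triage of a HijackThis 2.x log.

Added example, not part of the original post and not a HijackThis feature.
Each rule encodes one pattern a removal volunteer checks by eye; the rule
names and severities are assumptions.
"""
import re

SEVERITY = {"critical": 3, "high": 2, "medium": 1}

# Constructed excerpt of the log in the post (lines copied unchanged).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: {ebf636fb-aeed-8fc8-edb4-506478292a30} - {03a29287-4605-4bde-8cf8-deeabf636fbe} - C:\WINDOWS\System32\gpngwvkg.dll
O2 - BHO: (no name) - {101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8} - C:\WINDOWS\System32\mlJaBrsS.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [f8b3e333] rundll32.exe "C:\WINDOWS\System32\lgnqured.dll",b
O4 - HKLM\..\Run: [BMfb80d0af] Rundll32.exe "C:\WINDOWS\System32\nbcoskcj.dll",s
O4 - HKCU\..\Run: [Piwwkq] "C:\Program Files\Common Files\??crosoft.NET\r?gsvr32.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayXPFwx - C:\WINDOWS\SYSTEM32\yayXPFwx.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^(R0|R1|F2|O2|O4|O20|O21|O23) - (.*)$")
IN_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)   # file directly in System32
IN_WINROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)              # file directly in C:\WINDOWS
GUID_LIKE = re.compile(r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-", re.I)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.I)  # dll path + export name


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if no rule fires."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1"):
        if "= file://" in body.lower():
            return ("high", "IE start/search page redirected to a local file")
    elif kind == "F2" and "userinit=" in body.lower():
        # A clean value is exactly one entry: ...\userinit.exe (plus a trailing comma).
        targets = [t for t in body.split("=", 1)[1].split(",") if t.strip()]
        if len(targets) != 1 or not targets[0].lower().endswith("\\userinit.exe"):
            return ("critical", "extra executable chained into UserInit (runs at every logon)")
    elif kind == "O2":
        name, _clsid, path = body.split(": ", 1)[1].split(" - ", 2)
        missing = path.endswith("(file missing)")
        path = path.replace("(file missing)", "").strip()
        # Keyed on the directory too: Spybot's SDHelper.dll is also "(no name)".
        if (name == "(no name)" or GUID_LIKE.match(name)) and IN_SYSTEM32.match(path):
            return ("high", "unnamed BHO loaded from System32" + (" (file missing)" if missing else ""))
    elif kind == "O4":
        hit = RUNDLL.search(body)
        if hit and len(hit.group(2)) == 1:
            return ("high", "Run entry uses rundll32 with a one-letter export on %s" % hit.group(1))
        if "?" in body:
            return ("high", "Run target contains non-printable look-alike characters")
    elif kind == "O20":
        path = body.split(" - ", 1)[1].strip()
        if IN_SYSTEM32.match(path):
            return ("high", "third-party Winlogon Notify DLL in System32")
    elif kind == "O21" and "(file missing)" in body:
        return ("medium", "ShellServiceObjectDelayLoad entry pointing at a missing DLL")
    elif kind == "O23":
        _name, owner, path = body.split(": ", 1)[1].rsplit(" - ", 2)
        if owner == "Unknown owner" and IN_WINROOT.match(path.strip()):
            return ("critical", "service with no vendor whose binary sits directly in the Windows folder")
    return None


def triage(log_text):
    """Run every line through the rules; findings come back most severe first."""
    findings = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            findings.append({"severity": verdict[0], "reason": verdict[1], "line": line.strip()})
    findings.sort(key=lambda f: SEVERITY[f["severity"]], reverse=True)
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 7, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["reason"], f["line"]))
```

Run it as-is to print the findings for the excerpt, or pass a whole saved log to `triage()`. It deliberately does not flag a BHO just because the DLL name looks random; the location and the missing display name together are what separate the System32 entries from Spybot's SDHelper.dll or Java's ssv.dll.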


#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the fixtool will run again and complete the removal process, then display "Finished"; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 MorbidAngelSB23 (Topic Starter, Member, 12 posts)
Wow, this virus wasn't letting me log in... here's everything you need.

SDFix: Version 1.182
Run by Meta Fable on Mon 05/12/2008 at 11:05 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :
C:\WINDOWS\b2new.exe service

MsSecurity1.209.4 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\orknthsu\1.png - Deleted
C:\WINDOWS\orknthsu\2.png - Deleted
C:\WINDOWS\orknthsu\3.png - Deleted
C:\WINDOWS\orknthsu\4.png - Deleted
C:\WINDOWS\orknthsu\5.png - Deleted
C:\WINDOWS\orknthsu\6.png - Deleted
C:\WINDOWS\orknthsu\7.png - Deleted
C:\WINDOWS\orknthsu\8.png - Deleted
C:\WINDOWS\orknthsu\9.png - Deleted
C:\WINDOWS\orknthsu\bottom-rc.gif - Deleted
C:\WINDOWS\orknthsu\config.png - Deleted
C:\WINDOWS\orknthsu\content.png - Deleted
C:\WINDOWS\orknthsu\download.gif - Deleted
C:\WINDOWS\orknthsu\frame-bg.gif - Deleted
C:\WINDOWS\orknthsu\frame-bottom-left.gif - Deleted
C:\WINDOWS\orknthsu\frame-h1bg.gif - Deleted
C:\WINDOWS\orknthsu\head.png - Deleted
C:\WINDOWS\orknthsu\icon.png - Deleted
C:\WINDOWS\orknthsu\indexwp.html - Deleted
C:\WINDOWS\orknthsu\main.css - Deleted
C:\WINDOWS\orknthsu\memory-prots.png - Deleted
C:\WINDOWS\orknthsu\net.png - Deleted
C:\WINDOWS\orknthsu\pc.gif - Deleted
C:\WINDOWS\orknthsu\pc-mag.gif - Deleted
C:\WINDOWS\orknthsu\poloska1.png - Deleted
C:\WINDOWS\orknthsu\poloska2.png - Deleted
C:\WINDOWS\orknthsu\poloska3.png - Deleted
C:\WINDOWS\orknthsu\promowp1.html - Deleted
C:\WINDOWS\orknthsu\promowp2.html - Deleted
C:\WINDOWS\orknthsu\promowp3.html - Deleted
C:\WINDOWS\orknthsu\promowp4.html - Deleted
C:\WINDOWS\orknthsu\promowp5.html - Deleted
C:\WINDOWS\orknthsu\reg.png - Deleted
C:\WINDOWS\orknthsu\repair.png - Deleted
C:\WINDOWS\orknthsu\scr-1.png - Deleted
C:\WINDOWS\orknthsu\scr-2.png - Deleted
C:\WINDOWS\orknthsu\start.png - Deleted
C:\WINDOWS\orknthsu\styles.css - Deleted
C:\WINDOWS\orknthsu\top-rc.gif - Deleted
C:\WINDOWS\orknthsu\vline.gif - Deleted
C:\WINDOWS\orknthsu\wp.png - Deleted
C:\WINDOWS\system32\winlogon.ini - Deleted
C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\index.html - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\s32.txt - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted



Folder C:\Program Files\ISM - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 11:12:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jul 2003 72 A.SHR --- "C:\WINDOWS\system32\SKA.DLL"
Mon 28 Jul 2003 72 A.SHR --- "C:\WINDOWS\system32\SKA.EXE"
Thu 23 Aug 2001 21,504 A.SHR --- "C:\WINDOWS\system32\wsock32.dll"
Fri 21 Oct 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 24 Feb 2008 68,922 ..SHR --- "C:\Documents and Settings\Meta Fable\My Documents\s?stem32\wuauclt.exe"
Sun 27 Jul 2003 14,038 A..H. --- "C:\Documents and Settings\Meta Fable\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Sat 28 Jun 2003 8,246 A..H. --- "C:\Documents and Settings\Meta Fable\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Sat 28 Jun 2003 8,246 A..H. --- "C:\Documents and Settings\Meta Fable\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"

Finished!

#4 MorbidAngelSB23 (Topic Starter, Member, 12 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:23 AM, on 5/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0FAF492C-0A5E-4803-8D88-4B1A6CFA5E9F} - C:\WINDOWS\System32\ssqQjJBT.dll
O2 - BHO: (no name) - {101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8} - C:\WINDOWS\System32\mlJaBrsS.dll (file missing)
O2 - BHO: (no name) - {4DD3850B-6025-47E3-9A11-C2E4465663F5} - C:\WINDOWS\System32\awtuRjKd.dll (file missing)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {8868dc32-cfac-5caa-9bc4-bf9180955d06} - {60d55908-19fb-4cb9-aac5-cafc23cd8688} - C:\WINDOWS\System32\yfymkmut.dll
O2 - BHO: (no name) - {67D4773E-CC1E-42C3-9CE6-B343C911968D} - C:\WINDOWS\System32\ljJYQIXQ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\yayXPFwx.dll
O2 - BHO: (no name) - {E7207755-83F2-48D5-A585-FEEAE9C1F74E} - C:\WINDOWS\System32\geBtSKCv.dll
O2 - BHO: (no name) - {ED9B9958-CAFE-4209-8265-E551DEAC3E85} - C:\WINDOWS\System32\mlJbATLB.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [f8b3e333] rundll32.exe "C:\WINDOWS\System32\tytitbxg.dll",b
O4 - HKLM\..\Run: [BMfb80d0af] Rundll32.exe "C:\WINDOWS\System32\ehippkks.dll",s
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205980464140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205980458328
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayXPFwx - C:\WINDOWS\SYSTEM32\yayXPFwx.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\Smc.exe (file missing)

--
End of file - 6331 bytes




ComboFix 08-05-11.1 - Meta Fable 2008-05-12 5:20:25.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.737 [GMT -4:00]
Running from: C:\Documents and Settings\Meta Fable\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gxbtityt.ini
C:\WINDOWS\system32\vCKStBeg.ini
C:\WINDOWS\system32\vCKStBeg.ini2
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Meta Fable\My Documents\ICROSO~1
C:\Documents and Settings\Meta Fable\My Documents\SSTEM3~1
C:\Documents and Settings\Meta Fable\My Documents\SSTEM3~1\s?stem32\
C:\Documents and Settings\Meta Fable\My Documents\SSTEM3~1\wuauclt.exe
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mantec~1\??mantec\
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191370854.old
C:\WINDOWS\cookies.ini
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BLTAbJlm.ini
C:\WINDOWS\system32\BLTAbJlm.ini2
C:\WINDOWS\system32\deruqngl.ini
C:\WINDOWS\system32\dKjRutwa.ini
C:\WINDOWS\system32\dKjRutwa.ini2
C:\WINDOWS\system32\dorhuvkr.ini
C:\WINDOWS\system32\gxbtityt.ini
C:\WINDOWS\system32\QXIQYJjl.ini
C:\WINDOWS\system32\QXIQYJjl.ini2
C:\WINDOWS\system32\SsrBaJlm.ini
C:\WINDOWS\system32\SsrBaJlm.ini2
C:\WINDOWS\system32\TBJjQqss.ini
C:\WINDOWS\system32\TBJjQqss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 11:19 . 2008-05-12 11:19 314,496 --a------ C:\WINDOWS\system32\ssqQjJBT.dll
2008-05-12 11:02 . 2008-05-12 11:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-12 10:50 . 2008-05-12 11:14 <DIR> d-------- C:\SDFix
2008-05-12 05:34 . 2008-05-12 05:34 294 ---hs---- C:\WINDOWS\system32\gxbtityt.ini
2008-05-12 05:30 . 2008-05-12 05:30 322 --a------ C:\temp00.dat
2008-05-12 05:19 . 2008-05-12 05:19 314,480 --a------ C:\WINDOWS\system32\geBtSKCv.dll
2008-05-12 01:30 . 2008-05-12 01:30 83,024 --a------ C:\WINDOWS\system32\tytitbxg.dll
2008-05-12 01:29 . 2008-05-12 01:29 2,048 --a------ C:\WINDOWS\system32\rokouugj.exe
2008-05-12 01:26 . 2008-05-12 01:26 98,912 --a------ C:\WINDOWS\system32\yfymkmut.dll
2008-05-12 01:24 . 2008-05-12 01:24 90,208 --a------ C:\WINDOWS\system32\ehippkks.dll
2008-05-12 01:23 . 2008-05-12 01:23 316,464 --a------ C:\WINDOWS\system32\ljJYQIXQ.dll
2008-05-11 21:23 . 2008-05-11 21:23 98,912 --a------ C:\WINDOWS\system32\gpngwvkg.dll
2008-05-11 21:22 . 2008-05-11 21:22 2,048 --a------ C:\WINDOWS\system32\owvoqcpj.exe
2008-05-11 21:20 . 2008-05-11 21:20 90,208 --a------ C:\WINDOWS\system32\nbcoskcj.dll
2008-05-11 21:10 . 2008-05-11 21:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-11 21:10 . 2008-05-12 11:19 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-11 17:44 . 2008-05-11 17:44 <DIR> d-------- C:\VundoFix Backups
2008-05-11 06:49 . 2008-05-11 06:49 2,048 --a------ C:\WINDOWS\system32\tjuvjvoi.exe
2008-05-11 06:46 . 2008-05-11 06:46 98,912 --a------ C:\WINDOWS\system32\ilmkdmtq.dll
2008-05-11 06:43 . 2008-05-12 05:34 109,803 --a------ C:\WINDOWS\BMfb80d0af.xml
2008-05-11 06:43 . 2008-05-11 06:43 90,208 --a------ C:\WINDOWS\system32\njyqihyx.dll
2008-05-10 14:13 . 2008-05-10 15:01 1,916 --a------ C:\WINDOWS\system32\default.htm
2008-05-10 13:47 . 2008-05-10 13:47 57,546 --a------ C:\WINDOWS\promogif3.gif
2008-05-10 13:47 . 2008-05-10 13:47 24,351 --a------ C:\WINDOWS\promogif1.gif
2008-05-10 13:47 . 2008-05-10 13:47 24,066 --a------ C:\WINDOWS\promogif2.gif
2008-05-10 13:47 . 2008-05-10 13:47 1,294 --a------ C:\WINDOWS\homepage.html
2008-05-10 13:47 . 2008-05-10 13:47 507 --a------ C:\WINDOWS\promo6.html
2008-05-10 13:47 . 2008-05-10 13:47 500 --a------ C:\WINDOWS\promo4.html
2008-05-10 13:47 . 2008-05-10 13:47 478 --a------ C:\WINDOWS\promo5.html
2008-05-10 13:47 . 2008-05-10 13:47 283 --a------ C:\WINDOWS\promo3.html
2008-05-10 13:47 . 2008-05-10 13:47 283 --a------ C:\WINDOWS\promo2.html
2008-05-10 13:47 . 2008-05-10 13:47 283 --a------ C:\WINDOWS\promo1.html
2008-05-10 13:44 . 2008-05-10 13:44 25,728 --a------ C:\WINDOWS\system32\yayXPFwx.dll
2008-05-10 13:43 . 2008-05-10 13:43 25,600 --a------ C:\WINDOWS\b2new.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 23:52 --------- d-----w C:\Program Files\Java
2008-05-10 22:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-06 23:53 --------- d-----w C:\Program Files\Trillian
2008-04-24 22:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 07:54 --------- d-----w C:\Program Files\EmpirePokerMaster
2008-04-03 07:42 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-03 07:41 --------- d-----w C:\Program Files\QuickTime
2008-04-02 21:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:52 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
2001-08-23 12:00 21,504 --sha-r C:\WINDOWS\system32\wsock32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FAF492C-0A5E-4803-8D88-4B1A6CFA5E9F}]
2008-05-12 11:19 314496 --a------ C:\WINDOWS\System32\ssqQjJBT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8}]
C:\WINDOWS\System32\mlJaBrsS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DD3850B-6025-47E3-9A11-C2E4465663F5}]
C:\WINDOWS\System32\awtuRjKd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60d55908-19fb-4cb9-aac5-cafc23cd8688}]
2008-05-12 01:26 98912 --a------ C:\WINDOWS\System32\yfymkmut.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67D4773E-CC1E-42C3-9CE6-B343C911968D}]
2008-05-12 01:23 316464 --a------ C:\WINDOWS\System32\ljJYQIXQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-10 13:44 25728 --a------ C:\WINDOWS\system32\yayXPFwx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7207755-83F2-48D5-A585-FEEAE9C1F74E}]
2008-05-12 05:19 314480 --a------ C:\WINDOWS\System32\geBtSKCv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED9B9958-CAFE-4209-8265-E551DEAC3E85}]
C:\WINDOWS\System32\mlJbATLB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 15:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2002-11-13 18:34 73728 C:\WINDOWS\system32\sstray.exe]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"f8b3e333"="C:\WINDOWS\System32\tytitbxg.dll" [2008-05-12 01:30 83024]
"BMfb80d0af"="C:\WINDOWS\System32\ehippkks.dll" [2008-05-12 01:24 90208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2006-01-24 18:48:06 204800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\yayXPFwx.dll [2008-05-10 13:44 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXPFwx]
yayXPFwx.dll 2008-05-10 13:44 25728 C:\WINDOWS\system32\yayXPFwx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for ICQ.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BitDefender for ICQ.lnk
backup=C:\WINDOWS\pss\BitDefender for ICQ.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for MSN Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for MSN Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Net Meeting.lnk]
backup=C:\WINDOWS\pss\BitDefender for Net Meeting.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Yahoo! Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for Yahoo! Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murphy Shield.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Murphy Shield.lnk
backup=C:\WINDOWS\pss\Murphy Shield.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)

R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16:37]
S2 NMLFMZPF;NMLFMZPF;C:\WINDOWS\System32\nmlfmzpf.gbt []
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 08:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 04:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 13:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 14:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 15:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 16:00:57 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 17:00:35 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 18:00:11 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 19:00:16 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 20:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 21:00:21 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 22:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 05:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 23:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 00:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 01:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 02:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 03:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 06:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 07:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 08:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 09:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 10:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 11:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 12:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 05:34:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\gxbtityt.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NMLFMZPF]
"ImagePath"="\??\C:\WINDOWS\System32\nmlfmzpf.gbt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\yayXPFwx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\tytitbxg.dll
-> C:\WINDOWS\System32\ehippkks.dll
.
Completion time: 2008-05-12 5:37:31
ComboFix-quarantined-files.txt 2008-05-12 09:37:26

Pre-Run: 5,154,877,440 bytes free
Post-Run: 5,145,427,968 bytes free

236 --- E O F --- 2008-03-20 03:21:36
  • 0
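The 24 At*.job entries listed above all launch the same randomly named executable from System32, one job for every hour of the day. As an added example, not ComboFix's code or anything posted in this thread, the Python below parses that section of a ComboFix log and flags such clusters; the sample excerpt is constructed from six of the entries above plus one made-up benign task, and the hypothetical `cfscript_file_section` only drafts the File:: block for a human to review.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log (added example)."""
import re
from collections import defaultdict

# ComboFix prints each task as two lines:
#   "<date> <time> <path to .job>"
#   - <executable the job launches>
_JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2}) (.+\.job)"$')
_TARGET_RE = re.compile(r'^- (.+)$')
_AT_JOB_RE = re.compile(r'^At(\d+)\.job$', re.IGNORECASE)

# Constructed excerpt: six of the At-jobs from the log above plus one made-up
# benign task, in the exact two-line layout ComboFix uses.
SAMPLE_LOG = r'''Contents of the 'Scheduled Tasks' folder
"2008-05-12 04:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 13:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 16:00:57 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 05:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 00:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 06:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-01 02:00:00 C:\WINDOWS\Tasks\Constructed Backup.job"
- C:\Program Files\Example Backup\backup.exe
.
**************************************************************************
'''


def parse_scheduled_tasks(log_text):
    """Return one dict per task: date, hour, path, name, target."""
    tasks, in_section, pending = [], False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == '.' or line.startswith('****'):
            break  # a lone '.' ends every ComboFix section
        m = _JOB_RE.match(line)
        if m:
            path = m.group(5)
            pending = {'date': m.group(1), 'hour': int(m.group(2)), 'path': path,
                       'name': path.rsplit('\\', 1)[-1], 'target': None}
            tasks.append(pending)
            continue
        m = _TARGET_RE.match(line)
        if m and pending is not None:
            pending['target'] = m.group(1)
            pending = None
    return tasks


def at_job_clusters(tasks, min_jobs=3):
    """Group At<N>.job files by the executable they launch and keep the
    executables launched by at least `min_jobs` of them. at.exe names its
    jobs At1, At2, ...; a long run of them all pointing at one file is the
    persistence pattern seen in the log above."""
    by_target = defaultdict(list)
    for t in tasks:
        if t['target'] and _AT_JOB_RE.match(t['name']):
            by_target[t['target']].append(t)
    return {tgt: sorted(ts, key=lambda t: int(_AT_JOB_RE.match(t['name']).group(1)))
            for tgt, ts in by_target.items() if len(ts) >= min_jobs}


def triage(log_text, min_jobs=3):
    """Summarise each suspicious cluster: which jobs, how many distinct hours
    of the day they cover (24 = hourly, as in the log above) and whether the
    launcher lives under System32, where at-jobs rarely belong."""
    findings = []
    for target, ts in at_job_clusters(parse_scheduled_tasks(log_text), min_jobs).items():
        findings.append({
            'target': target,
            'jobs': [t['name'] for t in ts],
            'job_paths': [t['path'] for t in ts],
            'hours': len({t['hour'] for t in ts}),
            'in_system32': '\\system32\\' in target.lower(),
        })
    return findings


def cfscript_file_section(findings):
    """Draft the File:: block of a ComboFix CFScript (the format the helper
    uses in this thread) naming each flagged launcher and its jobs. It is a
    draft for a human to check against the log, not something to run blind."""
    lines = ['File::']
    for f in findings:
        lines.append(f['target'])
        lines.extend(f['job_paths'])
    return lines


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['target']}: {len(f['jobs'])} At-jobs over {f['hours']} hours, "
              f"System32={f['in_system32']}")
    print('\n'.join(cfscript_file_section(triage(SAMPLE_LOG))))
```

Run against the full log above, the same code reports 24 At-jobs covering all 24 hours for lpy5XbQo.exe, which is exactly the set the helper's CFScript removes.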

#5
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Pretty badly infected PC :)


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\ssqQjJBT.dll
C:\WINDOWS\system32\gxbtityt.ini
C:\WINDOWS\system32\geBtSKCv.dll
C:\WINDOWS\system32\tytitbxg.dll
C:\WINDOWS\system32\rokouugj.exe
C:\WINDOWS\system32\yfymkmut.dll
C:\WINDOWS\system32\ehippkks.dll
C:\WINDOWS\system32\ljJYQIXQ.dll
C:\WINDOWS\system32\gpngwvkg.dll
C:\WINDOWS\system32\owvoqcpj.exe
C:\WINDOWS\system32\nbcoskcj.dll
C:\WINDOWS\system32\tjuvjvoi.exe
C:\WINDOWS\system32\ilmkdmtq.dll
C:\WINDOWS\BMfb80d0af.xml
C:\WINDOWS\system32\njyqihyx.dll
C:\WINDOWS\promogif3.gif
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\homepage.html
C:\WINDOWS\promo6.html
C:\WINDOWS\promo4.html
C:\WINDOWS\promo5.html
C:\WINDOWS\promo3.html
C:\WINDOWS\promo2.html
C:\WINDOWS\promo1.html
C:\WINDOWS\system32\yayXPFwx.dll
C:\WINDOWS\b2new.exe
C:\WINDOWS\System32\lpy5XbQo.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\system32\yayXPFwx.dll
C:\WINDOWS\System32\tytitbxg.dll
C:\WINDOWS\System32\ehippkks.dll

Rootkit::
C:\WINDOWS\system32\gxbtityt.ini

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]

Driver::
NMLFMZPF


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.




Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\SKA.EXE

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
  • 0

#6
MorbidAngelSB23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
File SKA.EXE received on 05.13.2008 00:52:00 (CET)


Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.10 -
AntiVir 7.8.0.17 2008.05.12 -
Authentium 5.1.0.4 2008.05.12 -
Avast 4.8.1169.0 2008.05.12 -
AVG 7.5.0.516 2008.05.12 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.12 -
ClamAV 0.92.1 2008.05.12 -
DrWeb 4.44.0.09170 2008.05.12 -
eSafe 7.0.15.0 2008.05.12 -
eTrust-Vet 31.4.5783 2008.05.12 -
Ewido 4.0 2008.05.12 -
F-Prot 4.4.2.54 2008.05.12 -
F-Secure 6.70.13260.0 2008.05.12 -
Fortinet 3.14.0.0 2008.05.12 -
GData 2.0.7306.1023 2008.05.12 -
Ikarus T3.1.1.26 2008.05.12 -
Kaspersky 7.0.0.125 2008.05.13 -
McAfee 5293 2008.05.12 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3094 2008.05.12 -
Norman 5.80.02 2008.05.09 -
Panda 9.0.0.4 2008.05.12 -
Prevx1 V2 2008.05.13 -
Rising 20.44.02.00 2008.05.12 -
Sophos 4.29.0 2008.05.12 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.13 -
TheHacker 6.2.92.307 2008.05.12 -
VBA32 3.12.6.5 2008.05.12 -
VirusBuster 4.3.26:9 2008.05.12 -
Webwasher-Gateway 6.6.2 2008.05.12 -
Additional information
File size: 72 bytes
MD5...: 0feffd68eed98ae4420d3be43fb3c8eb
SHA1..: bded48e48d051c007e56b4f695aa6ffd92c68ec0
SHA256: 1774f1b5e3bb2760be13a2e0d9cab757625ba9fac6960da16ee15a7481110cec
SHA512: 97994cb36af9dd043ff7d26c47e76c93268e465f57071ac9a0ceb5c256885e5c
9498a0991cdac91cdaface54f576fbff988faf9053b164226b0c8d11daeeeb6e
PEiD..: -
PEInfo: -
  • 0

#7
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post the ComboFix log
  • 0

#8
MorbidAngelSB23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ComboFix 08-05-11.1 - Meta Fable 2008-05-12 5:20:25.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.737 [GMT -4:00]
Running from: C:\Documents and Settings\Meta Fable\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gxbtityt.ini
C:\WINDOWS\system32\vCKStBeg.ini
C:\WINDOWS\system32\vCKStBeg.ini2
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Meta Fable\My Documents\ICROSO~1
C:\Documents and Settings\Meta Fable\My Documents\SSTEM3~1
C:\Documents and Settings\Meta Fable\My Documents\SSTEM3~1\s?stem32\
C:\Documents and Settings\Meta Fable\My Documents\SSTEM3~1\wuauclt.exe
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mantec~1\??mantec\
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191370854.old
C:\WINDOWS\cookies.ini
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BLTAbJlm.ini
C:\WINDOWS\system32\BLTAbJlm.ini2
C:\WINDOWS\system32\deruqngl.ini
C:\WINDOWS\system32\dKjRutwa.ini
C:\WINDOWS\system32\dKjRutwa.ini2
C:\WINDOWS\system32\dorhuvkr.ini
C:\WINDOWS\system32\gxbtityt.ini
C:\WINDOWS\system32\QXIQYJjl.ini
C:\WINDOWS\system32\QXIQYJjl.ini2
C:\WINDOWS\system32\SsrBaJlm.ini
C:\WINDOWS\system32\SsrBaJlm.ini2
C:\WINDOWS\system32\TBJjQqss.ini
C:\WINDOWS\system32\TBJjQqss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 11:19 . 2008-05-12 11:19 314,496 --a------ C:\WINDOWS\system32\ssqQjJBT.dll
2008-05-12 11:02 . 2008-05-12 11:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-12 10:50 . 2008-05-12 11:14 <DIR> d-------- C:\SDFix
2008-05-12 05:34 . 2008-05-12 05:34 294 ---hs---- C:\WINDOWS\system32\gxbtityt.ini
2008-05-12 05:30 . 2008-05-12 05:30 322 --a------ C:\temp00.dat
2008-05-12 05:19 . 2008-05-12 05:19 314,480 --a------ C:\WINDOWS\system32\geBtSKCv.dll
2008-05-12 01:30 . 2008-05-12 01:30 83,024 --a------ C:\WINDOWS\system32\tytitbxg.dll
2008-05-12 01:29 . 2008-05-12 01:29 2,048 --a------ C:\WINDOWS\system32\rokouugj.exe
2008-05-12 01:26 . 2008-05-12 01:26 98,912 --a------ C:\WINDOWS\system32\yfymkmut.dll
2008-05-12 01:24 . 2008-05-12 01:24 90,208 --a------ C:\WINDOWS\system32\ehippkks.dll
2008-05-12 01:23 . 2008-05-12 01:23 316,464 --a------ C:\WINDOWS\system32\ljJYQIXQ.dll
2008-05-11 21:23 . 2008-05-11 21:23 98,912 --a------ C:\WINDOWS\system32\gpngwvkg.dll
2008-05-11 21:22 . 2008-05-11 21:22 2,048 --a------ C:\WINDOWS\system32\owvoqcpj.exe
2008-05-11 21:20 . 2008-05-11 21:20 90,208 --a------ C:\WINDOWS\system32\nbcoskcj.dll
2008-05-11 21:10 . 2008-05-11 21:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-11 21:10 . 2008-05-12 11:19 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-11 17:44 . 2008-05-11 17:44 <DIR> d-------- C:\VundoFix Backups
2008-05-11 06:49 . 2008-05-11 06:49 2,048 --a------ C:\WINDOWS\system32\tjuvjvoi.exe
2008-05-11 06:46 . 2008-05-11 06:46 98,912 --a------ C:\WINDOWS\system32\ilmkdmtq.dll
2008-05-11 06:43 . 2008-05-12 05:34 109,803 --a------ C:\WINDOWS\BMfb80d0af.xml
2008-05-11 06:43 . 2008-05-11 06:43 90,208 --a------ C:\WINDOWS\system32\njyqihyx.dll
2008-05-10 14:13 . 2008-05-10 15:01 1,916 --a------ C:\WINDOWS\system32\default.htm
2008-05-10 13:47 . 2008-05-10 13:47 57,546 --a------ C:\WINDOWS\promogif3.gif
2008-05-10 13:47 . 2008-05-10 13:47 24,351 --a------ C:\WINDOWS\promogif1.gif
2008-05-10 13:47 . 2008-05-10 13:47 24,066 --a------ C:\WINDOWS\promogif2.gif
2008-05-10 13:47 . 2008-05-10 13:47 1,294 --a------ C:\WINDOWS\homepage.html
2008-05-10 13:47 . 2008-05-10 13:47 507 --a------ C:\WINDOWS\promo6.html
2008-05-10 13:47 . 2008-05-10 13:47 500 --a------ C:\WINDOWS\promo4.html
2008-05-10 13:47 . 2008-05-10 13:47 478 --a------ C:\WINDOWS\promo5.html
2008-05-10 13:47 . 2008-05-10 13:47 283 --a------ C:\WINDOWS\promo3.html
2008-05-10 13:47 . 2008-05-10 13:47 283 --a------ C:\WINDOWS\promo2.html
2008-05-10 13:47 . 2008-05-10 13:47 283 --a------ C:\WINDOWS\promo1.html
2008-05-10 13:44 . 2008-05-10 13:44 25,728 --a------ C:\WINDOWS\system32\yayXPFwx.dll
2008-05-10 13:43 . 2008-05-10 13:43 25,600 --a------ C:\WINDOWS\b2new.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 23:52 --------- d-----w C:\Program Files\Java
2008-05-10 22:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-06 23:53 --------- d-----w C:\Program Files\Trillian
2008-04-24 22:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 07:54 --------- d-----w C:\Program Files\EmpirePokerMaster
2008-04-03 07:42 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-03 07:41 --------- d-----w C:\Program Files\QuickTime
2008-04-02 21:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:52 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
2001-08-23 12:00 21,504 --sha-r C:\WINDOWS\system32\wsock32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FAF492C-0A5E-4803-8D88-4B1A6CFA5E9F}]
2008-05-12 11:19 314496 --a------ C:\WINDOWS\System32\ssqQjJBT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8}]
C:\WINDOWS\System32\mlJaBrsS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DD3850B-6025-47E3-9A11-C2E4465663F5}]
C:\WINDOWS\System32\awtuRjKd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60d55908-19fb-4cb9-aac5-cafc23cd8688}]
2008-05-12 01:26 98912 --a------ C:\WINDOWS\System32\yfymkmut.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67D4773E-CC1E-42C3-9CE6-B343C911968D}]
2008-05-12 01:23 316464 --a------ C:\WINDOWS\System32\ljJYQIXQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-10 13:44 25728 --a------ C:\WINDOWS\system32\yayXPFwx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7207755-83F2-48D5-A585-FEEAE9C1F74E}]
2008-05-12 05:19 314480 --a------ C:\WINDOWS\System32\geBtSKCv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED9B9958-CAFE-4209-8265-E551DEAC3E85}]
C:\WINDOWS\System32\mlJbATLB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 15:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2002-11-13 18:34 73728 C:\WINDOWS\system32\sstray.exe]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"f8b3e333"="C:\WINDOWS\System32\tytitbxg.dll" [2008-05-12 01:30 83024]
"BMfb80d0af"="C:\WINDOWS\System32\ehippkks.dll" [2008-05-12 01:24 90208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2006-01-24 18:48:06 204800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\yayXPFwx.dll [2008-05-10 13:44 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXPFwx]
yayXPFwx.dll 2008-05-10 13:44 25728 C:\WINDOWS\system32\yayXPFwx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for ICQ.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BitDefender for ICQ.lnk
backup=C:\WINDOWS\pss\BitDefender for ICQ.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for MSN Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for MSN Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Net Meeting.lnk]
backup=C:\WINDOWS\pss\BitDefender for Net Meeting.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Yahoo! Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for Yahoo! Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murphy Shield.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Murphy Shield.lnk
backup=C:\WINDOWS\pss\Murphy Shield.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)

R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16:37]
S2 NMLFMZPF;NMLFMZPF;C:\WINDOWS\System32\nmlfmzpf.gbt []
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 08:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 04:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 13:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 14:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 15:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 16:00:57 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 17:00:35 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 18:00:11 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 19:00:16 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 20:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 21:00:21 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 22:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 05:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-11 23:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 00:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 01:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 02:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 03:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 06:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 07:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 08:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 09:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 10:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 11:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
"2008-05-12 12:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\lpy5XbQo.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 05:34:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\gxbtityt.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NMLFMZPF]
"ImagePath"="\??\C:\WINDOWS\System32\nmlfmzpf.gbt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\yayXPFwx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\tytitbxg.dll
-> C:\WINDOWS\System32\ehippkks.dll
.
Completion time: 2008-05-12 5:37:31
ComboFix-quarantined-files.txt 2008-05-12 09:37:26

Pre-Run: 5,154,877,440 bytes free
Post-Run: 5,145,427,968 bytes free

236 --- E O F --- 2008-03-20 03:21:36
  • 0

#9
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
That's the wrong ComboFix log, can you post the other one?
  • 0

#10
MorbidAngelSB23

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I just noticed that myself, sorry.




ComboFix 08-05-11.1 - Meta Fable 2008-05-12 19:37:38.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.764 [GMT -4:00]
Running from: C:\Documents and Settings\Meta Fable\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Meta Fable\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\b2new.exe
C:\WINDOWS\BMfb80d0af.xml
C:\WINDOWS\homepage.html
C:\WINDOWS\promo1.html
C:\WINDOWS\promo2.html
C:\WINDOWS\promo3.html
C:\WINDOWS\promo4.html
C:\WINDOWS\promo5.html
C:\WINDOWS\promo6.html
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\promogif3.gif
C:\WINDOWS\system32\ehippkks.dll
C:\WINDOWS\System32\ehippkks.dll
C:\WINDOWS\system32\ehippkks.dll
C:\WINDOWS\System32\ehippkks.dll
C:\WINDOWS\system32\geBtSKCv.dll
C:\WINDOWS\system32\gpngwvkg.dll
C:\WINDOWS\system32\gxbtityt.ini
C:\WINDOWS\system32\ilmkdmtq.dll
C:\WINDOWS\system32\ljJYQIXQ.dll
C:\WINDOWS\System32\lpy5XbQo.exe
C:\WINDOWS\system32\nbcoskcj.dll
C:\WINDOWS\system32\njyqihyx.dll
C:\WINDOWS\system32\owvoqcpj.exe
C:\WINDOWS\system32\rokouugj.exe
C:\WINDOWS\system32\ssqQjJBT.dll
C:\WINDOWS\system32\tjuvjvoi.exe
C:\WINDOWS\system32\tytitbxg.dll
C:\WINDOWS\System32\tytitbxg.dll
C:\WINDOWS\system32\yayXPFwx.dll
C:\WINDOWS\system32\yfymkmut.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b2new.exe
C:\WINDOWS\BMfb80d0af.xml
C:\WINDOWS\homepage.html
C:\WINDOWS\promo1.html
C:\WINDOWS\promo2.html
C:\WINDOWS\promo3.html
C:\WINDOWS\promo4.html
C:\WINDOWS\promo5.html
C:\WINDOWS\promo6.html
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\promogif3.gif
C:\WINDOWS\pskt.ini
C:\WINDOWS\System32\ehippkks.dll
C:\WINDOWS\system32\geBtSKCv.dll
C:\WINDOWS\system32\gpngwvkg.dll
C:\WINDOWS\system32\gxbtityt.ini
C:\WINDOWS\system32\ilmkdmtq.dll
C:\WINDOWS\system32\ljJYQIXQ.dll
C:\WINDOWS\system32\nbcoskcj.dll
C:\WINDOWS\system32\njyqihyx.dll
C:\WINDOWS\system32\owvoqcpj.exe
C:\WINDOWS\system32\rokouugj.exe
C:\WINDOWS\system32\ssqQjJBT.dll
C:\WINDOWS\system32\tjuvjvoi.exe
C:\WINDOWS\System32\tytitbxg.dll
C:\WINDOWS\system32\UBaKQXyb.ini
C:\WINDOWS\system32\UBaKQXyb.ini2
C:\WINDOWS\system32\yayXPFwx.dll
C:\WINDOWS\system32\yfymkmut.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NMLFMZPF
-------\Service_NMLFMZPF


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 19:30 . 2008-05-12 19:30 314,480 --a------ C:\WINDOWS\system32\byXQKaBU.dll
2008-05-12 11:02 . 2008-05-12 11:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-12 10:50 . 2008-05-12 11:14 <DIR> d-------- C:\SDFix
2008-05-11 21:10 . 2008-05-11 21:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-11 21:10 . 2008-05-12 11:19 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-11 17:44 . 2008-05-11 17:44 <DIR> d-------- C:\VundoFix Backups
2008-05-10 14:13 . 2008-05-10 15:01 1,916 --a------ C:\WINDOWS\system32\default.htm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 23:52 --------- d-----w C:\Program Files\Java
2008-05-10 22:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-06 23:53 --------- d-----w C:\Program Files\Trillian
2008-04-24 22:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 07:54 --------- d-----w C:\Program Files\EmpirePokerMaster
2008-04-03 07:42 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-03 07:41 --------- d-----w C:\Program Files\QuickTime
2008-04-02 21:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:52 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
2001-08-23 12:00 21,504 --sha-r C:\WINDOWS\system32\wsock32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_ 5.37.09.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 09:33:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 23:40:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-05-12 23:39:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8}]
C:\WINDOWS\System32\mlJaBrsS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FEFB36A-4958-47B5-AB9A-F3189276AF27}]
2008-05-12 19:30 314480 --a------ C:\WINDOWS\System32\byXQKaBU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DD3850B-6025-47E3-9A11-C2E4465663F5}]
C:\WINDOWS\System32\awtuRjKd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED9B9958-CAFE-4209-8265-E551DEAC3E85}]
C:\WINDOWS\System32\mlJbATLB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 15:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2002-11-13 18:34 73728 C:\WINDOWS\system32\sstray.exe]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"f8b3e333"="C:\WINDOWS\System32\tytitbxg.dll" [ ]
"BMfb80d0af"="C:\WINDOWS\System32\ehippkks.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2006-01-24 18:48:06 204800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXPFwx]
yayXPFwx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for ICQ.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BitDefender for ICQ.lnk
backup=C:\WINDOWS\pss\BitDefender for ICQ.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for MSN Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for MSN Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Net Meeting.lnk]
backup=C:\WINDOWS\pss\BitDefender for Net Meeting.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Yahoo! Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for Yahoo! Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murphy Shield.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Murphy Shield.lnk
backup=C:\WINDOWS\pss\Murphy Shield.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)

R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16:37]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 08:00]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 19:42:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-05-12 19:45:43 - machine was rebooted [Meta Fable]
ComboFix-quarantined-files.txt 2008-05-12 23:45:40
ComboFix2.txt 2008-05-12 09:37:32

Pre-Run: 5,098,377,216 bytes free
Post-Run: 5,121,449,984 bytes free

243 --- E O F --- 2008-03-20 03:21:36

#11
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\byXQKaBU.dll

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


(screenshot: dragging CFScript.txt onto the ComboFix.exe icon)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Download NIAP to your desktop and unzip it to its own folder

Close all windows and run NIAP_XRay_FileMgr
  • Click the Log tab at the top and click Create System log. Check the boxes beside Autorun.inf file and System Critical Files and click OK. Save the log to your desktop and let the program run.
  • Exit out of NIAP_XRay_FileMgr


Next run NIAP_XRay_Regedit
  • Click the Log tab then click on Get log. Once it is finished scanning, click Save and call the log NiapReg, then save it to your desktop
  • Exit out of NIAP_XRay_Regedit


Finally run NIAP_XRay_System
  • Click the Log tab and click Create log. Check all the boxes and click Log, save it to your desktop. Let the program run.
  • Once it is done close the program and post the log back here along with the other two logs.


Also post a new HijackThis log

#12
MorbidAngelSB23
    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I'm not sure what happened; it stopped at stage 35. This is all I have. Should I redo it?

I have not done the second step other than downloading the NIAP program, which I saved to the desktop (in case you need me to redo the first step).

ComboFix 08-05-11.1 - Meta Fable 2008-05-12 20:50:16.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.713 [GMT -4:00]
Running from: C:\Documents and Settings\Meta Fable\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Meta Fable\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\byXQKaBU.dll
.

Edited by MorbidAngelSB23, 12 May 2008 - 07:52 PM.


#13
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Then do the NIAP step

#14
MorbidAngelSB23
    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Deckard's System Scanner v20071014.68
Run by Meta Fable on 2008-05-13 11:50:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-05-13 15:50:29 UTC - RP251 - Deckard's System Scanner Restore Point
41: 2008-05-13 00:50:07 UTC - RP250 - ComboFix created restore point
40: 2008-05-12 23:46:36 UTC - RP249 - Last known good configuration
39: 2008-05-12 23:46:34 UTC - RP248 - ComboFix created restore point
38: 2008-05-12 23:46:34 UTC - RP247 - Last known good configuration


-- First Restore Point --
1: 2008-05-12 23:46:32 UTC - RP210 - Restore Operation


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Meta Fable.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51, on 2008-05-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Documents and Settings\Meta Fable\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Meta Fable.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8} - C:\WINDOWS\System32\mlJaBrsS.dll (file missing)
O2 - BHO: (no name) - {352CEB91-259C-48A9-A104-CDE097248E8C} - C:\WINDOWS\System32\byXQKaBU.dll (file missing)
O2 - BHO: (no name) - {4DD3850B-6025-47E3-9A11-C2E4465663F5} - C:\WINDOWS\System32\awtuRjKd.dll (file missing)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {ED9B9958-CAFE-4209-8265-E551DEAC3E85} - C:\WINDOWS\System32\mlJbATLB.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [f8b3e333] rundll32.exe "C:\WINDOWS\System32\tytitbxg.dll",b
O4 - HKLM\..\Run: [BMfb80d0af] Rundll32.exe "C:\WINDOWS\System32\ehippkks.dll",s
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205980464140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205980458328
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayXPFwx - yayXPFwx.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\Smc.exe (file missing)

--
End of file - 5774 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys <Not Verified; Sygate Technologies, Inc.; SyberGen WGXN>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 SmcService (Sygate Personal Firewall) - c:\program files\sygate\spf\smc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-12 19:46:22 1000 --ahs---- C:\WINDOWS\System32\UBaKQXyb.ini2
2008-05-12 18:10:22 0 d-------- C:\cmdcons
2008-05-12 11:18:30 68096 --a------ C:\WINDOWS\zip.exe
2008-05-12 11:18:30 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-12 11:18:30 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-12 11:18:30 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-12 11:18:30 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-12 11:18:30 98816 --a------ C:\WINDOWS\sed.exe
2008-05-12 11:18:30 80412 --a------ C:\WINDOWS\grep.exe
2008-05-12 11:18:30 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 11:02:02 0 d-------- C:\WINDOWS\ERUNT
2008-05-11 21:10:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-11 21:10:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-11 21:10:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-11 21:10:23 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-11 21:10:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-11 21:10:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-11 21:10:23 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-11 21:10:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-11 21:10:23 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-11 21:10:23 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-11 21:10:23 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-11 21:10:23 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-11 21:10:23 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-11 21:10:22 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-11 17:44:52 0 d-------- C:\VundoFix Backups
2008-05-10 13:49:57 4980736 --a------ C:\Documents and Settings\Meta Fable\ntuser.dat
2008-05-10 13:43:16 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-10 13:43:16 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-12 11:20:13 0 d-------- C:\Program Files\Common Files
2008-05-10 19:52:35 0 d-------- C:\Program Files\Java
2008-05-06 19:53:46 0 d-------- C:\Program Files\Trillian
2008-04-24 18:41:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 03:54:40 0 d-------- C:\Program Files\EmpirePokerMaster
2008-04-03 03:42:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-03 03:41:50 0 d-------- C:\Program Files\QuickTime
2008-04-02 18:53:12 0 d-------- C:\Documents and Settings\Meta Fable\Application Data\Macromedia
2008-04-02 17:34:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-01 13:09:36 0 d-------- C:\Documents and Settings\Meta Fable\Application Data\Adobe
2008-03-19 23:05:01 0 d-------- C:\Program Files\Messenger
2008-03-19 22:52:35 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-19 22:50:25 0 d--h----- C:\Program Files\WindowsUpdate


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8}]
C:\WINDOWS\System32\mlJaBrsS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{352CEB91-259C-48A9-A104-CDE097248E8C}]
C:\WINDOWS\System32\byXQKaBU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DD3850B-6025-47E3-9A11-C2E4465663F5}]
C:\WINDOWS\System32\awtuRjKd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED9B9958-CAFE-4209-8265-E551DEAC3E85}]
C:\WINDOWS\System32\mlJbATLB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 15:19]
"nwiz"="nwiz.exe" [2003-07-28 15:19 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2002-11-13 18:34 C:\WINDOWS\system32\sstray.exe]
"kdx"="C:\WINDOWS\kdx\KHost.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"f8b3e333"="C:\WINDOWS\System32\tytitbxg.dll" []
"BMfb80d0af"="C:\WINDOWS\System32\ehippkks.dll" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2006-01-24 18:48:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXPFwx]
yayXPFwx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for ICQ.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BitDefender for ICQ.lnk
backup=C:\WINDOWS\pss\BitDefender for ICQ.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for MSN Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for MSN Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Net Meeting.lnk]
backup=C:\WINDOWS\pss\BitDefender for Net Meeting.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BitDefender for Yahoo! Messenger.lnk]
backup=C:\WINDOWS\pss\BitDefender for Yahoo! Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murphy Shield.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Murphy Shield.lnk
backup=C:\WINDOWS\pss\Murphy Shield.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-05-13 11:51:36 ------------








Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 991.49 MiB / 767.89 MiB
Pagefile Memory (total/avail): 2440.63 MiB / 2333.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1945 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.77 GiB total, 4.74 GiB free.
D: is Fixed (NTFS) - 39.06 GiB total, 37.27 GiB free.
E: is Fixed (FAT32) - 27.84 GiB total, 14.41 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC35L090AVV207-0 - 76.69 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 9.77 GiB - C:
\PARTITION1 - Installable File System - 39.06 GiB - D:
\PARTITION2 - Unknown - 27.85 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Meta Fable\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MINI-LORE
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Meta Fable
LOGONSERVER=\\MINI-LORE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\METAFA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\METAFA~1\LOCALS~1\Temp
USERDOMAIN=MINI-LORE
USERNAME=Meta Fable
USERPROFILE=C:\Documents and Settings\Meta Fable
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Meta Fable (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\VERIZO~1\Uninstall.exe Verizon
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00BF-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00C6-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00D1-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF03DA-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Advanced Networking Pack for Windows XP --> C:\WINDOWS\$NtUninstallKB817778$\spuninst\spuninst.exe
Ahead Nero - Burning Rom --> C:\WINDOWS\UNNERO.exe /UNINSTALL
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
BitDefender Professional --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2E05AB6-9ED1-40D8-AC7C-0E94EA2808CA}\setup.exe"
CCleaner (remove only) --> "D:\CCleaner\uninst.exe"
DesertCombat 0.7 --> C:\WINDOWS\iun6002.exe "C:\Program Files\EA GAMES\Battlefield 1942\DesertCombat.ini"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
EmpirePoker --> "C:\Program Files\EmpirePokerMaster\EmpirePoker\Uninstall.exe" "C:\Program Files\EmpirePokerMaster\EmpirePoker\install.log"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C191BE7C-8542-4A61-973A-714EF76C5995}\setup.exe" -l0x9
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
NVIDIA nForce Drivers --> C:\WINDOWS\System32\nvuninst.exe Uninstall C:\WINDOWS\System32\NVU001.nvu,NVIDIA nForce Drivers
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
Secure Delivery --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\kdx\kdx.inf,DefaultUninstall,5
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sygate Personal Firewall 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D422994-9E10-11D4-AEB1-00D0B7237D97}\setup.exe" -Uninstall
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Verizon Online --> C:\WINDOWS\System32\VerizonUninstaller.exe
Verizon Online Support Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00A1-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VuePrint --> C:\WINDOWS\vuepro32.exe /Remove
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type2813 / Error
Event Submitted/Written: 05/13/2008 01:56:48 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2800.1106, faulting module ntdll.dll, version 5.1.2600.1217, fault address 0x00007ec4.

Event Record #/Type2806 / Error
Event Submitted/Written: 05/12/2008 10:59:12 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type2805 / Error
Event Submitted/Written: 05/12/2008 10:59:12 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type2785 / Error
Event Submitted/Written: 05/11/2008 10:29:10 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2800.1106, faulting module kernel32.dll, version 5.1.2600.1869, fault address 0x000088ba.

Event Record #/Type2783 / Error
Event Submitted/Written: 05/11/2008 09:10:12 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15444 / Error
Event Submitted/Written: 05/13/2008 01:59:54 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type15441 / Error
Event Submitted/Written: 05/13/2008 01:59:54 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Sygate Personal Firewall service failed to start due to the following error:
%%2

Event Record #/Type15432 / Error
Event Submitted/Written: 05/12/2008 10:12:42 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type15429 / Error
Event Submitted/Written: 05/12/2008 10:12:42 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Sygate Personal Firewall service failed to start due to the following error:
%%2

Event Record #/Type15411 / Error
Event Submitted/Written: 05/12/2008 07:42:44 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747



-- End of Deckard's System Scanner: finished at 2008-05-13 11:51:36 ------------
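The helper's CFScript in post #11 lists the dropped DLLs by hand, and the HijackThis log in the post above shows the three places this infection persists: unnamed BHOs registered from System32 (O2), Run values that have rundll32 call a System32 DLL through a one-letter export (O4), and a Winlogon Notify DLL given only as a bare filename (O20). As an added example that is not part of the original thread and not code from HijackThis or ComboFix, the Python below parses those three HijackThis line types, flags the same indicators mechanically, and emits a File:: block in the CFScript layout used in post #11. The sample log is constructed from lines in the posts above; the heuristics themselves (unnamed BHO under System32, single-letter rundll32 export, Winlogon Notify DLL with no directory) are this example's own assumptions, not a vendor signature, and the regexes assume the single-line entry format HijackThis 2.0.2 prints.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8} - C:\WINDOWS\System32\mlJaBrsS.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [f8b3e333] rundll32.exe "C:\WINDOWS\System32\tytitbxg.dll",b
O4 - HKLM\..\Run: [BMfb80d0af] Rundll32.exe "C:\WINDOWS\System32\ehippkks.dll",s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayXPFwx - yayXPFwx.dll (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: O2, O4 or O20
    target: str   # the DLL (full path where the log gives one)
    reason: str


# Line shapes as HijackThis 2.0.2 prints them (assumption: one entry per line).
_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - '
                 r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - '
                  r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)


def _in_system32(path: str) -> bool:
    return '\\system32\\' in path.lower()


def analyse_hjt(log_text: str) -> list[Finding]:
    """Return the O2/O4/O20 entries that match this example's heuristics."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := _O2.match(line)):
            # A legitimate BHO normally carries a name and lives under its
            # vendor's directory; an unnamed one dropped straight into
            # System32 is the pattern the four Vundo-style entries share.
            if m['name'] == '(no name)' and _in_system32(m['path']):
                why = 'unnamed BHO registered from System32'
                if m['missing']:
                    why += ' (file missing: orphaned CLSID, still worth removing)'
                findings.append(Finding('O2', m['path'], why))
        elif (m := _O4.match(line)):
            # rundll32 with a System32 DLL and a one-letter export ("...",b)
            # is how the f8b3e333 / BMfb80d0af values relaunch the payload.
            r = _RUNDLL.match(m['cmd'])
            if r and _in_system32(r['dll']) and len(r['export']) == 1:
                findings.append(Finding('O4', r['dll'],
                    f"rundll32 loads a System32 DLL via single-letter export "
                    f"'{r['export']}' (value name {m['value']!r})"))
        elif (m := _O20.match(line)):
            # Notify packages from real products are registered with a full
            # path; a bare filename is resolved from the system search path.
            if '\\' not in m['path']:
                why = 'Winlogon Notify DLL given as bare filename, no vendor path'
                if m['missing']:
                    why += ' (file missing)'
                findings.append(Finding('O20', m['path'], why))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Emit a File:: block in the CFScript layout used earlier in the thread.

    Only entries with a full path are listed; a bare filename (the O20 case)
    gives ComboFix no location to act on and needs a manual search first.
    """
    paths = sorted({f.target for f in findings if '\\' in f.target})
    return '\n'.join(['File::', *paths])


if __name__ == '__main__':
    results = analyse_hjt(SAMPLE_HJT_LOG)
    for f in results:
        print(f'{f.section:<4}{f.target}: {f.reason}')
    print()
    print(build_cfscript(results))
```

Run it against a saved hijackthis.log instead of the sample to get the candidate File:: list; the O20 hit is reported but deliberately left out of the script because the log gives no directory for it, and the "(file missing)" tags are kept in the reasons because an orphaned CLSID or Notify key is still a registry entry to clean even when the DLL is already gone.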

#15
MorbidAngelSB23
    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Report:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
Name:NvCplDaemon , Path:RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Name:nwiz , Path:nwiz.exe /install
Name:nForce Tray Options , Path:sstray.exe /r
Name:kdx , Path:C:\WINDOWS\kdx\KHost.exe
Name:Adobe Reader Speed Launcher , Path:"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Name:SunJavaUpdateSched , Path:"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
Name:f8b3e333 , Path:rundll32.exe "C:\WINDOWS\System32\tytitbxg.dll",b
Name:BMfb80d0af , Path:Rundll32.exe "C:\WINDOWS\System32\ehippkks.dll",s


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\:


HKCC\Software\Microsoft\Windows NT\CurrentVersion\Windows\[Load]:
Value: None

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Userinit]:
Value: C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Shell]:
Value: Explorer.exe

HKLM\SYSTEM\ControlSet001\Control\Session Manager\[BootExecute]:
Value: autocheck autochk *



BHO Items List:
{101673D4-E3DD-4E1E-A7E4-E869F5C1AEC8}
InprocServer32:C:\WINDOWS\System32\mlJaBrsS.dll
ThreadingModel:Both
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{352CEB91-259C-48A9-A104-CDE097248E8C}
InprocServer32:C:\WINDOWS\System32\byXQKaBU.dll
ThreadingModel:Both
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{4DD3850B-6025-47E3-9A11-C2E4465663F5}
InprocServer32:C:\WINDOWS\System32\awtuRjKd.dll
ThreadingModel:Both
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D}
InprocServer32:C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
ThreadingModel:Apartment
ProgID:vzbb.VZBB
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{53707962-6F74-2D53-2644-206D7942484F}
InprocServer32:C:\PROGRA~1\SPYBOT~1\SDHelper.dll
ThreadingModel:Apartment
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
InprocServer32:C:\Program Files\Yahoo!\Common\yiesrvc.dll
ThreadingModel:Apartment
ProgID:YUber.UberButton.1
Programmable:None
TypeLib:{35A57663-BB23-4E81-89C6-B87F580FEC47}
VersionIndependentProgID:YUber.UberButton
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
InprocServer32:C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
ThreadingModel:Apartment
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{ED9B9958-CAFE-4209-8265-E551DEAC3E85}
InprocServer32:C:\WINDOWS\System32\mlJbATLB.dll
ThreadingModel:Both
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None

File Links List:
.txt: %SystemRoot%\system32\NOTEPAD.EXE %1
.exe: "%1" %*
.com: "%1" %*
.pif: "%1" %*
.bat: "%1" %*
.reg: regedit.exe "%1"
.chm: "C:\WINDOWS\hh.exe" %1
.hlp: %SystemRoot%\System32\winhlp32.exe %1
.ini: %SystemRoot%\System32\NOTEPAD.EXE %1
.inf: %SystemRoot%\System32\NOTEPAD.EXE %1
.vbs: %SystemRoot%\System32\WScript.exe "%1" %*
.js: %SystemRoot%\System32\WScript.exe "%1" %*
.lnk: CLSID: {00021401-0000-0000-C000-000000000046} shell32.dll

Image File Execution Options:
Your Image File Name Here without a path: ntsd -d

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\[AppInit_DLLs]:
Value:


ShellExecuteHooks:
{AEB6717E-7E19-11d0-97EE-00C04FD91972} : URL Exec Hook
InProcServer32:shell32.dll
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} : SABShellExecuteHook Class
InProcServer32:C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\[Debugger]:
Value: drwtsn32 -p %ld -e %ld -g

Kernel Drivers:
ElbyCDIO
DisplayName:ElbyCDIO Driver
Description:None
ImagePath:System32\Drivers\ElbyCDIO.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
ElbyDelay
DisplayName:ElbyDelay
Description:None
ImagePath:System32\Drivers\ElbyDelay.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
Lvckap
DisplayName:Logitech Kernel Audio Processing Filter Driver
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\Lvckap.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
lvmvdrv
DisplayName:Logitech Machine Vision Engine Loader
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\lvmvdrv.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
LVPrcMon
DisplayName:Logitech LVPrcMon Driver
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
NIAPSafe
DisplayName:NIAPSafe
Description:None
ImagePath:\??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
PxHelp20
DisplayName:PxHelp20
Description:None
ImagePath:System32\Drivers\PxHelp20.sys
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
SASDIFSV
DisplayName:SASDIFSV
Description:None
ImagePath:\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
SASENUM
DisplayName:SASENUM
Description:None
ImagePath:\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
Secdrv
DisplayName:Secdrv
Description:SafeDisc driver
ImagePath:System32\DRIVERS\secdrv.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
Teefer
DisplayName:Teefer for NT
Description:None
ImagePath:SYSTEM32\Drivers\Teefer.sys
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
vsdatant
DisplayName:vsdatant
Description:None
ImagePath:\??\C:\WINDOWS\System32\vsdatant.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
wg3n
DisplayName:SyGate for NT, wg3n
Description:None
ImagePath:\SystemRoot\SYSTEM32\Drivers\wg3n.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
wpsdrvnt
DisplayName:wpsdrvnt
Description:None
ImagePath:\??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)

Services:
HidServ
DisplayName:Human Interface Device Access
Description:Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
ImagePath:%SystemRoot%\System32\svchost.exe -k netsvcs
ServiceDll:%SystemRoot%\System32\hidserv.dll [File not found]
ObjectName:LocalSystem
Start:SERVICE_DISABLED(4)
Type:SERVICE_WIN32_SHARE_PROCESS(32)
IDriverT
DisplayName:InstallDriver Table Manager
Description:Provides support for the Running Object Table for InstallShield Drivers
ImagePath:"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
LVPrcSrv
DisplayName:Logitech Process Monitor
Description:Webcam Effects Helper.
ImagePath:c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
SmcService
DisplayName:Sygate Personal Firewall
Description:None
ImagePath:C:\Program Files\Sygate\SPF\Smc.exe [File not found]
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None
XCOMM
DisplayName:BitDefender Communicator
Description:None
ImagePath:C:\WINDOWS\system32\xcommsvr.exe /service
ObjectName:LocalSystem
Start:SERVICE_DISABLED(4)
Type:SERVICE_WIN32_OWN_PROCESS(16)



NIAP_XRay_System Version 0.0.0.5 System log

Process:
PID | EPROCESS | Process Name | Module Path
00000004 86933838 System
0000013C 8654FDA8 smss.exe \SystemRoot\System32\smss.exe
00000190 8602C868 mpbtn.exe C:\Program Files\Verizon Online\bin\mpbtn.exe
00000198 865E64B8 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
000001B0 867C82F8 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
000001E4 86532DA8 services.exe C:\WINDOWS\system32\services.exe
000001F0 867C34E0 lsass.exe C:\WINDOWS\system32\lsass.exe
000002A4 866251C8 svchost.exe C:\WINDOWS\system32\svchost.exe
000002D0 85D09020 NIAP_XRay_Syste C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAP_XRay_System.exe
000002D8 865DC980 svchost.exe C:\WINDOWS\System32\svchost.exe
00000380 86678490 svchost.exe C:\WINDOWS\System32\svchost.exe
000003BC 8653E200 svchost.exe C:\WINDOWS\system32\svchost.exe
00000420 865D8398 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
00000444 8659F628 LVPrcSrv.exe c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
00000494 865F1490 alg.exe C:\WINDOWS\System32\alg.exe
000004C0 8661F588 nvsvc32.exe C:\WINDOWS\System32\nvsvc32.exe
000005B8 865CD360 svchost.exe C:\WINDOWS\System32\svchost.exe
000005E4 865E2840 wdfmgr.exe C:\WINDOWS\System32\wdfmgr.exe
00000718 86634BE8 explorer.exe C:\WINDOWS\Explorer.EXE
000007E0 866AF430 sstray.exe C:\WINDOWS\System32\sstray.exe
000007F8 86633880 jusched.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

Kernel Module:
EntryPoint | Module Base | Image Size | Module Path
80683698 804D4000 001F2400 ntoskrnl.exe \WINDOWS\system32\ntoskrnl.exe
806E316E 806C7000 0001F380 hal.dll \WINDOWS\system32\hal.dll
F7987CE6 F7987000 00002000 kdcom.dll \WINDOWS\system32\KDCOM.DLL
F7898872 F7897000 00003000 BOOTVID.dll \WINDOWS\system32\BOOTVID.dll
F7460C00 F743A000 0002C000 ACPI.sys ACPI.sys
F7989B80 F7989000 00002000 WMILIB.SYS \WINDOWS\System32\DRIVERS\WMILIB.SYS
F74938C4 F7487000 00010000 pci.sys pci.sys
F749E3E4 F7497000 00009000 isapnp.sys isapnp.sys
F74B039A F74A7000 0000E000 ohci1394.sys ohci1394.sys
F74BED76 F74B7000 0000D000 1394BUS.SYS \WINDOWS\System32\DRIVERS\1394BUS.SYS
F7A4F61E F7A4F000 00001000 pciide.sys pciide.sys
F770B04A F7707000 00006000 PCIIDEX.SYS \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
F74CEF40 F74C7000 0000A000 MountMgr.sys MountMgr.sys
F74364E2 F741B000 0001F000 ftdisk.sys ftdisk.sys
F798BBF6 F798B000 00002000 dmload.sys dmload.sys
F73FD2A8 F73F7000 00024000 dmio.sys dmio.sys
F7712880 F770F000 00005000 PartMgr.sys PartMgr.sys
F74DFE80 F74D7000 0000C000 VolSnap.sys VolSnap.sys
F73F3974 F73E1000 00016000 atapi.sys atapi.sys
F74ED780 F74E7000 00009000 disk.sys disk.sys
F7501200 F74F7000 0000C000 CLASSPNP.SYS \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
F73DECC4 F73D0000 00011000 sr.sys sr.sys
F77174B7 F7717000 00005000 PxHelp20.sys PxHelp20.sys
F73CDE9E F73BC000 00014000 KSecDD.sys KSecDD.sys
F73B4398 F7332000 0008A000 Ntfs.sys Ntfs.sys
F732E980 F7309000 00029000 NDIS.sys NDIS.sys
F72F3FBB F72F3000 00016000 Teefer.sys Teefer.sys
F750F498 F7507000 0000A000 sbp2port.sys sbp2port.sys
F7721F8E F771F000 00005000 nv_agp.sys nv_agp.sys
F72EFD82 F72D9000 0001A000 Mup.sys Mup.sys
F77EBE3E F77E7000 00008000 processr.sys \SystemRoot\System32\DRIVERS\processr.sys
F7943300 F7943000 00004000 usbohci.sys \SystemRoot\System32\DRIVERS\usbohci.sys
F6C18380 F6C18000 00022000 USBPORT.SYS \SystemRoot\System32\DRIVERS\USBPORT.SYS
F77F1A96 F77EF000 00005000 usbehci.sys \SystemRoot\System32\DRIVERS\usbehci.sys
F6C04830 F6C04000 00014000 NVENET.sys \SystemRoot\System32\DRIVERS\NVENET.sys
F77FCC9E F77F7000 00008000 nvax.sys \SystemRoot\system32\drivers\nvax.sys
F762F080 F7627000 0000A000 Imapi.SYS \SystemRoot\System32\Drivers\Imapi.SYS
F7BB1780 F7BB1000 00001000 ElbyDelay.sys \SystemRoot\System32\Drivers\ElbyDelay.sys
F7640E80 F7637000 0000C000 cdrom.sys \SystemRoot\System32\DRIVERS\cdrom.sys
F764A820 F7647000 0000E000 redbook.sys \SystemRoot\System32\DRIVERS\redbook.sys
F6BE34A7 F6BC6000 00020000 ks.sys \SystemRoot\System32\DRIVERS\ks.sys
F76636C2 F7657000 0000F000 nic1394.sys \SystemRoot\System32\DRIVERS\nic1394.sys
F6BB9BDC F6A8E000 00138000 nv4_mini.sys \SystemRoot\System32\DRIVERS\nv4_mini.sys
F6A8B280 F6A7C000 00012000 VIDEOPRT.SYS \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
F7804030 F77FF000 00007000 fdc.sys \SystemRoot\System32\DRIVERS\fdc.sys
F7671793 F7667000 00010000 serial.sys \SystemRoot\System32\DRIVERS\serial.sys
F794DD80 F794B000 00004000 serenum.sys \SystemRoot\System32\DRIVERS\serenum.sys
F6A6BCA7 F6A69000 00013000 parport.sys \SystemRoot\System32\DRIVERS\parport.sys
F767FD80 F7677000 0000D000 i8042prt.sys \SystemRoot\System32\DRIVERS\i8042prt.sys
F780AD22 F7807000 00006000 kbdclass.sys \SystemRoot\System32\DRIVERS\kbdclass.sys
F7AF6600 F7AF6000 00001000 audstub.sys \SystemRoot\System32\DRIVERS\audstub.sys
F7561A80 F7557000 0000C000 rasl2tp.sys \SystemRoot\System32\DRIVERS\rasl2tp.sys
F7964A22 F7963000 00003000 ndistapi.sys \SystemRoot\System32\DRIVERS\ndistapi.sys
F6A66063 F6A53000 00016000 ndiswan.sys \SystemRoot\System32\DRIVERS\ndiswan.sys
F756F800 F7567000 0000A000 raspppoe.sys \SystemRoot\System32\DRIVERS\raspppoe.sys
F7581080 F7577000 0000C000 raspptp.sys \SystemRoot\System32\DRIVERS\raspptp.sys
F7967632 F7967000 00004000 TDI.SYS \SystemRoot\System32\DRIVERS\TDI.SYS
F781A4A2 F7817000 00005000 ptilink.sys \SystemRoot\System32\DRIVERS\ptilink.sys
F7822200 F781F000 00005000 raspti.sys \SystemRoot\System32\DRIVERS\raspti.sys
F69AE0FD F6986000 0002D000 rdpdr.sys \SystemRoot\System32\DRIVERS\rdpdr.sys
F758E99E F7587000 0000A000 termdd.sys \SystemRoot\System32\DRIVERS\termdd.sys
F782A7C0 F7827000 00006000 mouclass.sys \SystemRoot\System32\DRIVERS\mouclass.sys
F7B8A8CD F7B8A000 00001000 swenum.sys \SystemRoot\System32\DRIVERS\swenum.sys
F6984A80 F6964000 00022000 update.sys \SystemRoot\System32\DRIVERS\update.sys
F759EF20 F7597000 0000A000 NDProxy.SYS \SystemRoot\System32\Drivers\NDProxy.SYS
F75A8A64 F75A7000 0000D000 usbhub.sys \SystemRoot\System32\DRIVERS\usbhub.sys
F79B9300 F79B9000 00002000 USBD.SYS \SystemRoot\System32\DRIVERS\USBD.SYS
F68FB120 F68C8000 00047000 nvapu.sys \SystemRoot\system32\drivers\nvapu.sys
F68BD866 F68A7000 00021000 portcls.sys \SystemRoot\system32\drivers\portcls.sys
F75C92D0 F75C7000 0000F000 drmk.sys \SystemRoot\system32\drivers\drmk.sys
F67E9CE0 F67C9000 000DE000 nvmcp.sys \SystemRoot\system32\drivers\nvmcp.sys
F67BAFC8 F67B8000 00011000 nvarm.sys \SystemRoot\system32\drivers\nvarm.sys
F787AD80 F7877000 00005000 flpydisk.sys \SystemRoot\System32\DRIVERS\flpydisk.sys
F79DA5E4 F79D9000 00002000 Fs_Rec.SYS \SystemRoot\System32\Drivers\Fs_Rec.SYS
F7ADE59A F7ADE000 00001000 Null.SYS \SystemRoot\System32\Drivers\Null.SYS
F79DB66C F79DB000 00002000 Beep.SYS \SystemRoot\System32\Drivers\Beep.SYS
F7893200 F788F000 00005000 vga.sys \SystemRoot\System32\drivers\vga.sys
F79DD646 F79DD000 00002000 mnmdd.SYS \SystemRoot\System32\Drivers\mnmdd.SYS
F79DF944 F79DF000 00002000 RDPCDD.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys
F77425A2 F773F000 00005000 Msfs.SYS \SystemRoot\System32\Drivers\Msfs.SYS
F774CFFA F7747000 00008000 Npfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS
F792C66B F792B000 00003000 rasacd.sys \SystemRoot\System32\DRIVERS\rasacd.sys
ED5BE800 ED5AE000 00013000 ipsec.sys \SystemRoot\System32\DRIVERS\ipsec.sys
F75FB232 F75F7000 00009000 msgpc.sys \SystemRoot\System32\DRIVERS\msgpc.sys
ED5A7ECF ED55A000 00054000 tcpip.sys \SystemRoot\System32\DRIVERS\tcpip.sys
F7751E90 F774F000 00008000 wpsdrvnt.sys \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys
ED556003 ED535000 00025000 netbt.sys \SystemRoot\System32\DRIVERS\netbt.sys
ED517090 ED515000 00020000 SASKUTIL.sys \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
F760DA46 F7607000 00009000 wanarp.sys \SystemRoot\System32\DRIVERS\wanarp.sys
F7758000 F7757000 00007000 SASDIFSV.SYS \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
F76183A4 F7617000 0000E000 arp1394.sys \SystemRoot\System32\DRIVERS\arp1394.sys
F769BF2B F7697000 00009000 Fips.SYS \SystemRoot\System32\Drivers\Fips.SYS
F7957366 F7957000 00003000 hidusb.sys \SystemRoot\System32\DRIVERS\hidusb.sys
F768C584 F7687000 00009000 HIDCLASS.SYS \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
F7767440 F7767000 00006000 HIDPARSE.SYS \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
ED449067 ED429000 00024000 Fastfat.SYS \SystemRoot\System32\Drivers\Fastfat.SYS
F7960F28 F795F000 00003000 mouhid.sys \SystemRoot\System32\DRIVERS\mouhid.sys
BF9A53D6 BF800000 001B8000 win32k.sys \SystemRoot\System32\win32k.sys
F694DE80 F694C000 00003000 Dxapi.sys \SystemRoot\System32\drivers\Dxapi.sys
F694B400 F6948000 00004000 watchdog.sys \SystemRoot\System32\watchdog.sys
BFF8F900 BFF80000 00011000 dxg.sys \SystemRoot\System32\drivers\dxg.sys
F7B62359 F7B62000 00001000 dxgthk.sys \SystemRoot\System32\drivers\dxgthk.sys
BF9BC5EE BF9B8000 003B9000 nv4_disp.dll \SystemRoot\System32\nv4_disp.dll
ED063AB8 ED047000 00021000 afd.sys \SystemRoot\System32\drivers\afd.sys
ED0BE258 ED0BC000 00003000 ndisuio.sys \SystemRoot\System32\DRIVERS\ndisuio.sys
F7A192EA F7A19000 00002000 wg3n.sys \SystemRoot\SYSTEM32\Drivers\wg3n.sys
ECE46CE2 ECE3C000 0002B000 mrxdav.sys \SystemRoot\System32\DRIVERS\mrxdav.sys
F7A39E1E F7A39000 00002000 ParVdm.SYS \SystemRoot\System32\Drivers\ParVdm.SYS
ECF4C61E ECF4B000 00003000 ElbyCDIO.sys \SystemRoot\System32\Drivers\ElbyCDIO.sys
ECDE4DBA ECD9D000 0004F000 srv.sys \SystemRoot\System32\DRIVERS\srv.sys
ECF153E0 ECF13000 00003000 secdrv.sys \SystemRoot\System32\DRIVERS\secdrv.sys
ECBBA25E ECBA9000 00014000 ipnat.sys \SystemRoot\System32\DRIVERS\ipnat.sys
F6A0F9CC F6A03000 0000E000 sysaudio.sys \SystemRoot\system32\drivers\sysaudio.sys
ECB567E0 ECB4B000 00013000 wdmaud.sys \SystemRoot\system32\drivers\wdmaud.sys
F78320D8 F782F000 00005000 LVPrcMon.sys \??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
ECA68B80 ECA5C000 0000F000 Cdfs.SYS \SystemRoot\System32\Drivers\Cdfs.SYS
EC7A6F50 EC7A4000 0000E000 NIAPMirrorSystem.sys \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys
EC71BA98 EC70D000 00027000 kmixer.sys \SystemRoot\system32\drivers\kmixer.sys
EC6F7B50 EC6F3000 0001A000 NIAPRkDetect.sys \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPRkDetect.sys

SSDT:
ID | Current Function Address | Module Path | Source Function Address | Function Name
HOOK 00000035 F7751B30 \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys 80564C10 ZwCreateThread
HOOK 0000006C F7751850 \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys 8055CA31 ZwMapViewOfSection
HOOK 00000101 F7751CE0 \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys 8057556E ZwTerminateProcess
HOOK 0000011C EC7A6530 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys D7639355 -----
HOOK 0000011D EC7A6590 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 71315D8B -----
HOOK 0000011E EC7A65E0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 049B3FDF -----
HOOK 0000011F EC7A6630 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 7FDD4024 -----
HOOK 00000120 EC7A6680 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 9C507BFF -----
HOOK 00000121 EC7A66D0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 68615673 -----
HOOK 00000122 EC7A6710 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800E5C58 -----
HOOK 00000123 EC7A6750 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 051D000B -----
HOOK 00000124 EC7A67A0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800D40C2 -----
HOOK 00000125 EC7A67F0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 2329838B -----
HOOK 00000126 EC7A6850 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 7FED3008 -----
HOOK 00000127 EC7A68A0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 8139F3FF -----
HOOK 00000128 EC7A68F0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 13984000 -----
HOOK 00000129 EC7A6940 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800D4134 -----
HOOK 0000012A EC7A6980 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 9880CB52 -----
HOOK 0000012B EC7A69E0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys ACB0C956 -----
HOOK 0000012C EC7A6A30 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 030D4001 -----
HOOK 0000012D EC7A6A80 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 7C9930E4 -----
HOOK 0000012E EC7A6AC0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 821E2C81 -----
HOOK 0000012F EC7A6B00 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 6E8E4000 -----
HOOK 00000130 EC7A6B40 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800D4210 -----
HOOK 00000131 EC7A6BB0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 091BCBFA -----
HOOK 00000132 EC7A6C00 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys CE98640C -----
HOOK 00000133 EC7A6C40 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys A459C904 -----
HOOK 00000134 EC7A6C80 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 885BCB04 -----
HOOK 00000135 EC7A6CF0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 88318C89 -----
HOOK 00000136 EC7A6D40 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 09258E8B -----
HOOK 00000137 EC7A6D90 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 0B25644C -----
HOOK 00000138 EC7A6DF0 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800F4C8E -----
HOOK 00000139 EC7A6E50 \??\C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAPMirrorSystem.sys A499C900 -----

Shadow Table:
ID | Current Function Address | Module Path | Source Function Address | Function Name

FSD Dispatch hook:
Driver Name | Major Function | Address | Module Path

Kernel Mode Hook:
Module Name | Address | Hook Type | Memo

Windows Hook:
Process Name | IsGlobal | Function Address | Hook Type | Module Path
NIAP_XRay_Syste Local 00431453 WH_MSGFILTER C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Local 0041EB20 WH_CBT C:\Documents and Settings\Meta Fable\Desktop\NIAP 0.5\NIAP_XRay_System.exe