[Flyer0810]

When I go to some websites they say I have this malware('Troj/Rustok-N') and have been DOS thier site.

Rooter Log -
Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:76308 Mo/Free:2973 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
Z:\ [Network] (Total:237976 Mo/Free:672 Mo)

Fri 04/17/2009| 7:51

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\WLTRYSVC.EXE
---------- C:\WINDOWS\System32\bcmwltry.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
---------- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Symantec AntiVirus\DefWatch.exe
---------- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
---------- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
---------- C:\WINDOWS\system32\SearchIndexer.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
---------- C:\PROGRA~1\SYMANT~1\VPTray.exe
---------- C:\WINDOWS\system32\WLTRAY.exe
---------- C:\Program Files\Digital Media Reader\shwicon2k.exe
---------- C:\WINDOWS\system32\igfxtray.exe
---------- C:\WINDOWS\system32\hkcmd.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
---------- C:\Program Files\LimeWire\LimeWire.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Program Files\Java\jre6\bin\jucheck.exe
---------- C:\WINDOWS\system32\SearchProtocolHost.exe
---------- C:\WINDOWS\system32\SearchFilterHost.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\..\{6A516350-39D5-4D1A-B192-A63435BD6E51}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\..\{6AADE596-4F95-49C0-B3E4-F4046B269C49}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\..\{6AADE596-4F95-49C0-B3E4-F4046B269C49}]
DhcpNameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\..\{DA8D8022-A941-47A3-B163-32F40F26052B}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\..\{DA8D8022-A941-47A3-B163-32F40F26052B}]
DhcpNameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{6A516350-39D5-4D1A-B192-A63435BD6E51}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{6AADE596-4F95-49C0-B3E4-F4046B269C49}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{6AADE596-4F95-49C0-B3E4-F4046B269C49}]
DhcpNameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{DA8D8022-A941-47A3-B163-32F40F26052B}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{DA8D8022-A941-47A3-B163-32F40F26052B}]
DhcpNameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{6A516350-39D5-4D1A-B192-A63435BD6E51}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{6AADE596-4F95-49C0-B3E4-F4046B269C49}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{6AADE596-4F95-49C0-B3E4-F4046B269C49}]
DhcpNameServer REG_SZ 85.255.112.143,85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{DA8D8022-A941-47A3-B163-32F40F26052B}]
NameServer REG_SZ 85.255.112.203
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{DA8D8022-A941-47A3-B163-32F40F26052B}]
DhcpNameServer REG_SZ 85.255.112.143,85.255.112.203
==> WAREOUT <==

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..

C:\DOCUME~1\James\Cookies\james@crackle[2].txt


1 - "C:\Rooter$\Rooter_1.txt" - Fri 04/17/2009| 7:52

----------------------\\ Scan completed at 7:52

And OTListIt2 Log -

OTListIt logfile created on: 4/17/2009 8:04:00 AM - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\James\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

479.36 Mb Total Physical Memory | 93.10 Mb Available Physical Memory | 19.42% Memory free
1.10 Gb Paging File | 0.42 Gb Available in Paging File | 38.24% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 63.09 Gb Free Space | 84.67% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 232.40 Gb Total Space | 104.66 Gb Free Space | 45.03% Space Free | Partition Type: NTFS

Computer Name: JAMES-0H65EHGBN
Current User Name: James
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\WLTRYSVC.EXE ()
PRC - C:\WINDOWS\System32\bcmwltry.exe (Broadcom Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe (Sling Media Inc.)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\WLTRAY.exe (Broadcom Corporation)
PRC - C:\Program Files\Digital Media Reader\shwicon2k.exe (Alcor Micro, Corp.)
PRC - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe (Western Digital Technologies)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Documents and Settings\James\Desktop\OTListIt2.exe (OldTimer Tools)
PRC - C:\WINDOWS\notepad.exe (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (ccEvtMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DefWatch [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (dsNcService [Auto | Running]) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (SavRoam [On_Demand | Stopped]) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (SlingAgentService [Auto | Running]) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe (Sling Media Inc.)
SRV - (SNDSrvc [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (SPBBCSvc [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (wltrysvc [Auto | Running]) -- C:\WINDOWS\System32\WLTRYSVC.EXE ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (BCM43XX [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom Corporation)
DRV - (bcm4sbxp [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation)
DRV - (CAMCAUD [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\camcaud.sys (Conexant Systems Inc.)
DRV - (CAMCHALA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\camchal.sys (Conexant Systems Inc.)
DRV - (dsNcAdpt [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys (Juniper Networks)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EMCFILT [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\EMcFilt.sys (Alcor Micro Corp.)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HSFHWICH [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (NAVENG [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090415.003\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090415.003\NAVEX15.SYS (Symantec Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RimUsb [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\RimUsb.sys (Research In Motion Limited)
DRV - (SAVRT [System | Running]) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SAVRTPEL [System | Running]) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SPBBCDrv [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (StreamDispatcher [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\strmdisp.sys (Conexant Systems, Inc.)
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMREDRV [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SYMTDI [System | Running]) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel Corporation)
DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/01/30 18:54:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/02/08 12:45:14 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe (Broadcom Corporation)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WD NetCenter EasyLink] C:\Program Files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe -s (Western Digital Technologies)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\James\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1233351975765 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://anywhereny.n...perSetupSP1.cab (JuniperSetupSP1 Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.143,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{6A516350-39D5-4D1A-B192-A63435BD6E51}\\NameServer = 85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{6AADE596-4F95-49C0-B3E4-F4046B269C49}\\NameServer = 85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{DA8D8022-A941-47A3-B163-32F40F26052B}\\NameServer = 85.255.112.203
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{11a4d19c-ef03-11dd-aa76-ba90beef0afe}\Shell - "" = AutoRun
O33 - MountPoints2\{11a4d19c-ef03-11dd-aa76-ba90beef0afe}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{11a4d19c-ef03-11dd-aa76-ba90beef0afe}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/04/17 08:01:38 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTListIt2.exe
[2009/04/17 08:00:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/17 08:00:12 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/17 07:59:50 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\James\Desktop\erunt_setup.exe
[2009/04/17 07:54:15 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\James\Desktop\HijackThis.lnk
[2009/04/17 07:54:15 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/17 07:53:30 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\James\Desktop\HJTInstall.exe
[2009/04/17 07:51:05 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/17 07:50:57 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\James\Desktop\Rooter.exe
[2009/04/16 22:09:59 | 00,000,422 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{55772175-3531-40CF-A80E-0DE7F1F99AC4}.job
[2009/04/10 18:57:54 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\James\My Documents\blackd.exe
[2009/04/08 23:03:44 | 00,069,120 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\James\Desktop\blackd.exe.exe
[2009/03/22 16:02:47 | 00,260,754 | ---- | C] () -- C:\Documents and Settings\James\Desktop\packertrackerdump032208.dmp
[2009/03/22 11:53:24 | 00,008,077 | ---- | C] () -- C:\Documents and Settings\James\Desktop\CCNA__James_LAB_1.pkt
[2009/03/21 14:12:37 | 00,006,275 | ---- | C] () -- C:\Documents and Settings\James\Desktop\CCNA_LAB_1.pkt
[2009/03/21 14:12:27 | 00,000,000 | ---D | C] -- C:\Program Files\Packet Tracer 5.1
[2009/01/30 17:45:36 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/01/30 17:45:36 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/01/30 17:45:36 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/01/30 17:45:36 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/01/30 17:45:36 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/01/30 17:45:36 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/01/30 17:36:58 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/30 17:25:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/01/30 16:08:05 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/01/30 16:08:03 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/11/06 12:37:32 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 12:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 12:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 12:33:02 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/09/27 11:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/29 08:00:00 | 00,000,613 | ---- | C] () -- C:\WINDOWS\win.ini
[2002/08/29 08:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/04/17 08:01:44 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\OTListIt2.exe
[2009/04/17 07:59:56 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\James\Desktop\erunt_setup.exe
[2009/04/17 07:54:15 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\James\Desktop\HijackThis.lnk
[2009/04/17 07:54:13 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\James\Desktop\HJTInstall.exe
[2009/04/17 07:51:03 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\James\Desktop\Rooter.exe
[2009/04/16 22:13:41 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{55772175-3531-40CF-A80E-0DE7F1F99AC4}.job
[2009/04/16 21:13:05 | 00,551,164 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/16 21:13:05 | 00,462,736 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/16 21:13:05 | 00,078,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/16 21:11:50 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/16 21:08:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/16 21:08:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/16 21:07:59 | 50,271,4368 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/10 18:57:54 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\James\My Documents\blackd.exe
[2009/04/06 07:28:13 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/22 16:33:37 | 00,008,077 | ---- | M] () -- C:\Documents and Settings\James\Desktop\CCNA__James_LAB_1.pkt
[2009/03/22 16:02:49 | 00,260,754 | ---- | M] () -- C:\Documents and Settings\James\Desktop\packertrackerdump032208.dmp
[2009/03/20 14:15:41 | 00,001,722 | -H-- | M] () -- C:\Documents and Settings\James\My Documents\Default.rdp
[2009/03/19 14:02:26 | 00,006,275 | ---- | M] () -- C:\Documents and Settings\James\Desktop\CCNA_LAB_1.pkt
< End of report >

Thanks!

[Advertisements]

hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[Rorschach112]

hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[Flyer0810]

ComboFix Log -

ComboFix 09-04-19.05 - James 04/19/2009 14:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.128 [GMT -4:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxcxumwewaobyniwafyaptlxkpbkbqtvqcm.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcxuxvcrvqkmwaomgdnaiolqfgyushhkrc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-17 11:51 . 2009-04-17 11:52 -------- d-----w C:\Rooter$
2009-04-13 01:03 . 2009-04-13 01:03 -------- d-----w c:\documents and settings\LocalService\Application Data\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 18:39 . 2009-01-30 19:45 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-19 18:37 . 2009-02-08 16:46 -------- d-----w c:\documents and settings\James\Application Data\LimeWire
2009-04-17 12:00 . 2009-04-17 12:00 -------- d-----w c:\program files\ERUNT
2009-04-17 11:54 . 2009-04-17 11:54 -------- d-----w c:\program files\Trend Micro
2009-04-17 11:52 . 2009-04-17 11:52 5416 ----a-w C:\Rooter.txt
2009-03-21 18:13 . 2009-03-21 18:12 -------- d-----w c:\program files\Packet Tracer 5.1
2009-03-08 23:04 . 2009-03-08 23:04 -------- d-----w c:\documents and settings\NetworkService\Application Data\Juniper Networks
2009-03-08 23:04 . 2009-03-08 23:04 -------- d-----w c:\program files\Juniper Networks
2009-03-08 23:04 . 2009-03-08 23:03 -------- d-----w c:\documents and settings\James\Application Data\Juniper Networks
2009-02-09 11:13 . 2002-08-29 07:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 16:45 . 2009-02-08 16:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-01-30 23:54 . 2009-01-30 19:42 64368 ----a-w c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-30 19:37 . 2009-01-30 19:13 80007 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-01-30 19:30 . 2002-08-29 06:05 250048 --sha-r C:\ntldr
2009-01-30 19:09 . 2009-01-30 19:09 21640 ----a-w c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-26 139264]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"WD NetCenter EasyLink"="c:\program files\Western Digital Technologies\NetCenter EasyLink\WDEzLink.exe" [2005-05-17 442368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-08 136600]

c:\documents and settings\James\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-1-29 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe"=

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-12-10 88576]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11a4d19c-ef03-11dd-aa76-ba90beef0afe}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\User_Feed_Synchronization-{55772175-3531-40CF-A80E-0DE7F1F99AC4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 14:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\gxvxcserv.sys]
"imagepath"="\systemroot\system32\drivers\gxvxcxumwewaobyniwafyaptlxkpbkbqtvqcm.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-04-19 14:47
ComboFix-quarantined-files.txt 2009-04-19 18:47

Pre-Run: 67,565,551,616 bytes free
Post-Run: 68,152,442,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

116 --- E O F --- 2009-03-17 07:02

[Rorschach112]

hello

Please download OTMoveIt3 by OldTimer

• Save it to your desktop.
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  [-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\gxvxcserv.sys]
  
  
  :Files
  C:\windows\system32\drivers\gxvxcxumwewaobyniwafyaptlxkpbkbqtvqcm.sys
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

[Flyer0810]

OTMoveIt3 log -

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\system\ControlSet003\Services\gxvxcserv.sys\\ not found.
========== FILES ==========
File/Folder C:\windows\system32\drivers\gxvxcxumwewaobyniwafyaptlxkpbkbqtvqcm.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\James\LOCALS~1\Temp\hsperfdata_James\3724 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\YQJX283T\Troj-Rustok-N-t235951[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\QMS9COWF\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_140.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04202009_200553

Files moved on Reboot...
File C:\DOCUME~1\James\LOCALS~1\Temp\hsperfdata_James\3724 not found!
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\YQJX283T\Troj-Rustok-N-t235951[1].htm moved successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\QMS9COWF\iframe[1].htm moved successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_140.dat not found!

[Rorschach112]

hello

Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
• Click on the Report tab at the bottom of the program window
• Click the Scan button
• In the Select Scan dialog, check:
  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services
• Click the OK button
• In the next dialog, select all drives showing
• Click OK to start the scan
  

  Note: The scan can take some time. DO NOT run any other programs while the scan is running

• When the scan is complete, the Save Report button will become available
• Click this and save the report to your Desktop as RootRepeal.txt

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[Rorschach112]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.