Braviax.exe and cru629.dat and etc keep coming back [Solved]


  • This topic is locked

#16
jjplan
  • Topic Starter
  • Member
  • 28 posts
================(Malwarebytes' Anti-Malware log)==================
Malwarebytes' Anti-Malware 1.40
Database version: 2644
Windows 5.1.2600 Service Pack 2

2009/08/18 14:07:03
mbam-log-2009-08-18 (14-07-03).txt

Scan type: Quick Scan
Objects scanned: 85023
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.

#17
jjplan
  • Topic Starter
  • Member
  • 28 posts
==============(Kaspersky Online log)================
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 18, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 18, 2009 12:36:12
Records in database: 2654937
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
D:\
E:\
F:\
H:\
I:\

Scan statistics:
Objects scanned: 56474
Threats found: 7
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 01:37:34


File name / Threat / Threats count
D:\Qoobox\Quarantine\D\WINDOWS\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fgk 1
D:\Qoobox\Quarantine\D\WINDOWS\cru629.dat.vir Infected: Backdoor.Win32.Small.ejx 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fgk 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\cru629.dat.vir Infected: Backdoor.Win32.Small.ejx 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\dllcache\figaro.sys.vir Infected: Backdoor.Win32.UltimateDefender.xm 1
D:\Qoobox\Quarantine\D\WINDOWS\system32\drivers\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.igv 1
D:\Qoobox\Quarantine\D\WINDOWS\temp01\BN2.tmp.vir Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
D:\Qoobox\Quarantine\D\WINDOWS\temp01\BN3.tmp.vir Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
D:\Qoobox\Quarantine\D\WINDOWS\temp01\BN4.tmp.vir Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
D:\Qoobox\Quarantine\D\WINDOWS\temp01\BN5.tmp.vir Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
D:\Qoobox\Quarantine\D\WINDOWS\temp01\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fft 1
D:\Qoobox\Quarantine\[4]-Submit_2009-08-16_22.24.58.zip Infected: Virus.Win32.Protector.c 1
D:\WINDOWS\system32\dllcache\ntfs.sys Infected: Virus.Win32.Protector.c 1

Selected area has been scanned.

#18
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *ntfs.sys*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#19
jjplan
  • Topic Starter
  • Member
  • 28 posts
Hi, Rorschach112!

I forgot to tell you that my C: drive is only a cartridge HDD for data. I have not used the C: HDD at all during the time my PC was infected. :)

=======================(SystemLook log)=========================


SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:23 on 19/08/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "*ntfs.sys*"
D:\Qoobox\Quarantine\D\WINDOWS\system32\drivers\ntfs.sys.vir --a--c 619200 bytes [03:44 10/08/2004] [13:25 16/08/2009] 60FEDA7AEE9654B5B49A0CAD80FDA9B8
D:\WINDOWS\system32\dllcache\cache\ntfs.sys --a--c 574592 bytes [15:11 16/08/2009] [12:00 05/08/2004] B78BE402C3F63DD55521F73876951CDD
D:\WINDOWS\system32\dllcache\ntfs.sys --a--c 619200 bytes [03:44 10/08/2004] [15:16 12/08/2009] 5D407322AA69AC6E7B17C81B48DEB327
D:\WINDOWS\system32\drivers\ntfs.sys --a--- 574592 bytes [15:02 16/08/2009] [12:00 05/08/2004] B78BE402C3F63DD55521F73876951CDD

-=End Of File=-

#20
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
hi

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::
FCopy::
D:\WINDOWS\system32\dllcache\cache\ntfs.sys | D:\WINDOWS\system32\dllcache\ntfs.sys
D:\WINDOWS\system32\dllcache\cache\ntfs.sys | d:\windows\system32\drivers\ntfs.sys
KillAll::
Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
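The two steps above (find every copy of ntfs.sys with SystemLook, then FCopy a trusted copy over the bad ones) come down to comparing the hashes of the same system file in its different locations. Added example, not from the thread and not SystemLook's or ComboFix's own code: a Python script that parses the SystemLook filefind output posted in #19 (line format inferred from that log) and flags file names whose live copies disagree; the "trusted" hash used at the end is simply the dllcache\cache copy the helper restored from, not a vendor-verified reference value.

```python
"""Spot a tampered system file by comparing its copies, as in this thread.

Added example (not SystemLook's or ComboFix's code). Parses SystemLook
':filefind' output, groups live copies of each file name and flags names
whose copies do not share one hash.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One filefind hit: path, attribute flags, size, [created], [modified], MD5.
# Format inferred from the posted log; SystemLook publishes no formal grammar.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-A-Za-z]+)\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Sample input: the SystemLook output posted in this thread (#19).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:23 on 19/08/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "*ntfs.sys*"
D:\Qoobox\Quarantine\D\WINDOWS\system32\drivers\ntfs.sys.vir --a--c 619200 bytes [03:44 10/08/2004] [13:25 16/08/2009] 60FEDA7AEE9654B5B49A0CAD80FDA9B8
D:\WINDOWS\system32\dllcache\cache\ntfs.sys --a--c 574592 bytes [15:11 16/08/2009] [12:00 05/08/2004] B78BE402C3F63DD55521F73876951CDD
D:\WINDOWS\system32\dllcache\ntfs.sys --a--c 619200 bytes [03:44 10/08/2004] [15:16 12/08/2009] 5D407322AA69AC6E7B17C81B48DEB327
D:\WINDOWS\system32\drivers\ntfs.sys --a--- 574592 bytes [15:02 16/08/2009] [12:00 05/08/2004] B78BE402C3F63DD55521F73876951CDD

-=End Of File=-
"""


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    created: str
    modified: str
    md5: str

    @property
    def name(self) -> str:
        """File name, lower-cased, with ComboFix's quarantine suffix removed."""
        base = self.path.rsplit("\\", 1)[-1].lower()
        return base[:-4] if base.endswith(".vir") else base

    @property
    def quarantined(self) -> bool:
        """ComboFix moves files to Qoobox\\Quarantine and appends .vir."""
        low = self.path.lower()
        return "\\qoobox\\quarantine\\" in low or low.endswith(".vir")


def parse_filefind(text: str) -> list[FileRecord]:
    """Return one FileRecord per hit line; header and footer lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(FileRecord(m["path"], int(m["size"]), m["created"],
                                      m["modified"], m["md5"].upper()))
    return records


def divergent_copies(records, ignore_quarantine=True):
    """Map name -> {md5: [paths]} for names whose copies carry more than one hash.

    Windows keeps components such as ntfs.sys in both system32\\drivers and
    system32\\dllcache; two live copies with different hashes mean one of them
    has been replaced or patched and needs a look."""
    by_name = defaultdict(lambda: defaultdict(list))
    for rec in records:
        if ignore_quarantine and rec.quarantined:
            continue
        by_name[rec.name][rec.md5].append(rec.path)
    return {name: {h: sorted(p) for h, p in hashes.items()}
            for name, hashes in by_name.items() if len(hashes) > 1}


def mismatches(records, reference_md5, ignore_quarantine=True):
    """Live copies whose hash differs from a reference hash you trust."""
    ref = reference_md5.upper()
    return sorted(r.path for r in records
                  if r.md5 != ref and not (ignore_quarantine and r.quarantined))


if __name__ == "__main__":
    recs = parse_filefind(SAMPLE_LOG)
    for name, hashes in divergent_copies(recs).items():
        print(f"{name}: {len(hashes)} different hashes among live copies")
        for h, paths in hashes.items():
            for p in paths:
                print(f"  {h}  {p}")
    # The helper restored from the dllcache\cache copy; its hash is used here
    # only to show the check. It is not a vendor-verified reference value.
    print("differ from trusted copy:",
          mismatches(recs, "B78BE402C3F63DD55521F73876951CDD"))
```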

#21
jjplan
  • Topic Starter
  • Member
  • 28 posts
Hi!!! :)

CF asked me to download the new version, so I did so before running your script.

====================(ComboFix log)=======================


ComboFix 09-08-18.03 - Administrator 2009/08/19 19:53.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1023.727 [GMT 9:00]
Running from: d:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: d:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

d:\windows\system32\dllcache\cache\ntfs.sys --> d:\windows\system32\dllcache\ntfs.sys
d:\windows\system32\dllcache\cache\ntfs.sys --> d:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-18 11:33 . 2009-08-18 11:33 -------- d-----w- d:\program files\PioneerDriveUtility_v118
2009-08-16 15:02 . 2004-08-05 12:00 574592 ----a-w- d:\windows\system32\drivers\ntfs.sys
2009-08-14 14:33 . 2009-08-14 14:33 19333 ----a-w- d:\documents and settings\LocalService\Application Data\obuwyzu.scr
2009-08-14 14:33 . 2009-08-14 14:33 15169 ----a-w- d:\documents and settings\LocalService\Application Data\sihed.exe
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-03 04:36 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-14 14:09 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-14 14:08 . 2009-08-03 04:36 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-14 12:45 . 2009-08-14 12:45 -------- d-----w- d:\program files\Safer Networking
2009-08-13 17:22 . 2009-08-13 17:22 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-13 17:12 . 2009-08-13 17:12 -------- d-----w- d:\documents and settings\All Users\Application Data\ESET
2009-08-13 13:50 . 2009-08-14 13:46 -------- d-----w- d:\program files\Spyware Doctor
2009-08-03 10:11 . 2009-08-03 10:11 -------- d-----w- d:\windows\system32\Quarantine
2009-07-22 05:12 . 2009-07-22 05:12 -------- d-----w- d:\program files\MELCO INC
2009-07-21 16:00 . 2009-07-21 16:01 -------- d-----w- d:\program files\Madonote
2009-07-21 01:41 . 2009-07-21 01:41 -------- d-----w- d:\program files\Phantombility
2009-07-20 16:02 . 2009-03-17 08:37 113688 ----a-w- d:\windows\system32\drivers\vdrv9000.sys
2009-07-20 15:29 . 2006-09-20 03:42 11392 ----a-w- d:\windows\system32\drivers\HH9Help.sys
2009-07-20 15:29 . 2007-04-16 05:58 1097728 ----a-w- d:\windows\system32\NMSDVDX.dll
2009-07-20 15:29 . 2004-07-13 02:58 315392 ----a-w- d:\windows\system32\NCTAudioPlayer2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 02:22 . 2006-05-31 17:31 -------- d-----w- d:\program files\Trend Micro
2009-08-14 13:46 . 2009-02-06 00:39 -------- d-----w- d:\program files\Common Files\PC Tools
2009-08-14 13:27 . 2009-02-06 00:39 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-08-14 13:27 . 2009-02-04 12:05 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-14 13:25 . 2007-08-05 19:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 15:26 . 2008-08-02 13:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-08-13 12:41 . 2007-11-02 01:23 -------- d-----w- d:\documents and settings\All Users\Application Data\Trend Micro
2009-08-12 19:34 . 2008-03-31 11:59 -------- d-----w- d:\documents and settings\Administrator\Application Data\Azureus
2009-08-09 23:30 . 2006-05-31 17:18 -------- d-----w- d:\program files\FlashGet
2009-08-07 02:52 . 2007-01-11 04:37 -------- d-----w- d:\documents and settings\Administrator\Application Data\Vso
2009-08-07 01:05 . 2008-07-20 05:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\DVD Flick
2009-08-03 04:51 . 2006-10-01 13:44 777 ----a-w- d:\program files\funatree.ini
2009-07-20 15:28 . 2006-05-31 17:17 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\UltraISO
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\Common Files\EZB Systems
2009-07-20 11:59 . 2008-08-03 11:41 -------- d-----w- d:\program files\IsoBuster
2009-07-17 09:14 . 2009-07-17 09:14 -------- d-----w- d:\program files\UnH Solutions
2009-07-10 15:08 . 2009-07-10 15:07 -------- d-----w- d:\program files\FlashPlayerEx
2009-06-21 07:23 . 2008-07-12 12:22 -------- d-----w- d:\program files\SmileDownloader
2009-06-20 11:46 . 2008-07-20 05:24 -------- d-----w- d:\program files\DVD Flick
2009-06-20 03:07 . 2009-06-20 03:08 13567 ----a-w- d:\windows\system32\drivers\CDRBSDRV.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Deluxe"="d:\program files\Speaking Clock Deluxe\SpClDlx.exe" [2009-01-28 2325504]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="d:\program files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 897086]
"BluetoothAuthenticationAgent"="bthprops.cpl" - d:\windows\system32\bthprops.cpl [2004-08-10 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-10 15360]

d:\documents and settings\Administrator\Start Menu\Programs\Startup\
MSI Live Monitor.lnk - d:\program files\MSI\Live Update 3\LMonitor.exe [2006-6-2 477696]
IconUtil.lnk - d:\program files\MELCO INC\Icon Util\IconUtil.exe [2005-12-18 114688]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
BoosterTray.lnk - d:\program files\RingThree\bin\BoosterTray.exe [2007-11-8 339968]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendfirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Azureus\\Azureus.exe"=

R0 fasttrak;fasttrak;d:\windows\system32\drivers\Fasttrak.sys [2006/06/01 1:07 70528]
R0 phmburnr;phmburnr;d:\windows\system32\drivers\phmburnr.sys [2008/02/28 7:19 45208]
R1 TxDevCmd;TxDevCmd;d:\windows\system32\drivers\TxDevCmd.sys [2009/02/16 14:28 15896]
R2 PVM Service;PVM Service;d:\program files\RingThree\bin\PvmService.exe [2007/11/08 10:02 294912]
R2 tmfilter;Tmfilter;d:\windows\system32\drivers\tmxpflt.sys [2005/09/26 14:23 183808]
R2 tmntsrv;Trend Micro Real-time Service;d:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005/09/28 22:19 340037]
R2 tmpfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005/09/12 21:57 630845]
R2 tmpreflt;Tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2005/09/26 14:23 25088]
R2 tmproxy;Trend Micro Proxy Service;d:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005/09/12 21:59 286788]
R3 GVSC200;GVSC200;d:\windows\system32\drivers\GVSC200.sys [2007/08/24 13:41 7680]
R3 PXTV432P;PXTV432P service;d:\windows\system32\drivers\PXTV432P.sys [2005/05/23 18:08 966552]
S0 tffsmon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 tfsysmon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 3xHybrid;3xHybrid service;d:\windows\system32\drivers\3xHybrid.sys [2006/09/26 3:15 613632]
S3 Cap713x;Philips Cap713x Video Capture;d:\windows\system32\drivers\Cap713x.sys [2006/07/01 3:43 685824]
S3 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]
S3 tfnetmon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S3 UtilNT;UtilNT;\??\d:\windows\system32\drivers\UtilNT.sys --> d:\windows\system32\drivers\UtilNT.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - WEBNTACCESS
*Deregistered* - WEBNTACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
d:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 03:46]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with FlashGet - d:\progra~1\FlashGet\jc_link.htm
IE: Download all with FlashGet - d:\progra~1\FlashGet\jc_all.htm
IE: Playback with FlashPlayerEx - d:\progra~1\FLASHP~1\LINK.HTM
IE: Web search with JWord(&J)
IE: Save Flash - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
IE: Save with SmileDownloader(&Y) - d:\program files\SmileDownloader\IEMenu\IEMenuExt.htm
IE: Save flash movie in this page- d:\progra~1\FLASHP~1\XTR.HTM
IE: Open flash movie - d:\progra~1\FLASHP~1\STR.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 20:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RichVideo]
"ImagePath"="-\"d:\program files\CyberLink\Shared Files\RichVideo.exe\"\00\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\02\00\02H\02H\02H\02H"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\@*sSO0・]
"Order"=hex:08,00,00,00,02,00,00,00,7e,01,00,00,01,00,00,00,03,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\「0ッ0サ0オ0・\キ0ケ0ニ0・ *ト0・・]
"Order"=hex:08,00,00,00,02,00,00,00,dc,05,00,00,01,00,00,00,09,00,00,00,b4,00,
00,00,00,00,00,00,a6,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,94,00,32,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(3996)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
d:\windows\system32\msctf.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\NMSSvc.Exe
d:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\windows\system32\conime.exe
d:\windows\system32\rundll32.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-19 20:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 11:06
ComboFix2.txt 2009-08-16 15:13
ComboFix3.txt 2009-08-15 13:09
ComboFix4.txt 2009-08-15 12:08

Pre-Run: 7,431,413,760 bytes free
Post-Run: 7,467,204,608 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
208

#22
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
Why aren't you installing the recovery console?

You need to let ComboFix do that. Can you run it again and let it

#23
jjplan
  • Topic Starter
  • Member
  • 28 posts
Oh, I installed it, but when I changed the GUI language to Japanese in the process of installing the Japanese SP2 onto English Windows, it seems to have gone...
Now I reinstalled it and ran CF again with your script.
Thank you, or ARIGATO in Japanese... :)

====================(Combo-Fix log)======================


ComboFix 09-08-20.07 - Administrator 2009/08/21 22:20.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1023.706 [GMT 9:00]
Running from: d:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: d:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

d:\windows\system32\dllcache\cache\ntfs.sys --> d:\windows\system32\dllcache\ntfs.sys
d:\windows\system32\dllcache\cache\ntfs.sys --> d:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-18 11:33 . 2009-08-18 11:33 -------- d-----w- d:\program files\PioneerDriveUtility_v118
2009-08-16 15:02 . 2004-08-05 12:00 574592 ----a-w- d:\windows\system32\drivers\ntfs.sys
2009-08-14 14:33 . 2009-08-14 14:33 19333 ----a-w- d:\documents and settings\LocalService\Application Data\obuwyzu.scr
2009-08-14 14:33 . 2009-08-14 14:33 15169 ----a-w- d:\documents and settings\LocalService\Application Data\sihed.exe
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-03 04:36 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-14 14:09 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-14 14:08 . 2009-08-03 04:36 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-14 12:45 . 2009-08-14 12:45 -------- d-----w- d:\program files\Safer Networking
2009-08-13 17:22 . 2009-08-13 17:22 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-13 17:12 . 2009-08-13 17:12 -------- d-----w- d:\documents and settings\All Users\Application Data\ESET
2009-08-13 13:50 . 2009-08-14 13:46 -------- d-----w- d:\program files\Spyware Doctor
2009-08-03 10:11 . 2009-08-03 10:11 -------- d-----w- d:\windows\system32\Quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 03:46 . 2008-03-31 11:59 -------- d-----w- d:\documents and settings\Administrator\Application Data\Azureus
2009-08-20 07:18 . 2008-08-02 13:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-08-15 02:22 . 2006-05-31 17:31 -------- d-----w- d:\program files\Trend Micro
2009-08-14 13:46 . 2009-02-06 00:39 -------- d-----w- d:\program files\Common Files\PC Tools
2009-08-14 13:27 . 2009-02-06 00:39 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-08-14 13:27 . 2009-02-04 12:05 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-14 13:25 . 2007-08-05 19:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 12:41 . 2007-11-02 01:23 -------- d-----w- d:\documents and settings\All Users\Application Data\Trend Micro
2009-08-09 23:30 . 2006-05-31 17:18 -------- d-----w- d:\program files\FlashGet
2009-08-07 02:52 . 2007-01-11 04:37 -------- d-----w- d:\documents and settings\Administrator\Application Data\Vso
2009-08-07 01:05 . 2008-07-20 05:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\DVD Flick
2009-08-03 04:51 . 2006-10-01 13:44 777 ----a-w- d:\program files\funatree.ini
2009-07-22 05:12 . 2009-07-22 05:12 -------- d-----w- d:\program files\MELCO INC
2009-07-21 16:01 . 2009-07-21 16:00 -------- d-----w- d:\program files\Madonote
2009-07-21 01:41 . 2009-07-21 01:41 -------- d-----w- d:\program files\Phantombility
2009-07-20 15:28 . 2006-05-31 17:17 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\UltraISO
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\Common Files\EZB Systems
2009-07-20 11:59 . 2008-08-03 11:41 -------- d-----w- d:\program files\IsoBuster
2009-07-17 09:14 . 2009-07-17 09:14 -------- d-----w- d:\program files\UnH Solutions
2009-07-10 15:08 . 2009-07-10 15:07 -------- d-----w- d:\program files\FlashPlayerEx
2009-06-20 03:07 . 2009-06-20 03:08 13567 ----a-w- d:\windows\system32\drivers\CDRBSDRV.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-08-15_12.01.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 08:32 . 2001-07-14 08:32 69632 d:\windows\setupupd\temp\wsdueng.dll
+ 2009-08-21 08:12 . 2009-08-21 08:12 12900 d:\windows\setupupd\dudrvs\4541876\hwcomp.dat
+ 2009-08-21 08:12 . 2002-10-09 00:38 32768 d:\windows\setupupd\dudrvs\4541876\CMNPROP.DLL
+ 2009-08-21 08:12 . 2002-11-19 06:46 39104 d:\windows\setupupd\dudrvs\4541876\cmijack.dat
+ 2009-08-21 08:12 . 2002-11-19 06:43 22178 d:\windows\setupupd\dudrvs\4541876\cmaudio.dat
+ 2009-08-21 08:12 . 2001-06-22 01:25 53248 d:\windows\setupupd\dudrvs\2399502\Windows\Drivers\IA32\PROUnstl.exe
+ 2009-08-21 08:12 . 2001-07-19 21:40 23040 d:\windows\setupupd\dudrvs\2399502\Windows\Drivers\IA32\intelnic.dll
+ 2009-08-21 08:12 . 2002-02-27 23:23 88592 d:\windows\setupupd\dudrvs\2399502\Windows\Drivers\IA32\E1000NT5.SYS
+ 2009-08-21 08:12 . 2000-10-20 09:28 765952 d:\windows\setupupd\dudrvs\4541876\CRLDS3D.DLL
+ 2009-08-21 08:12 . 2002-07-11 02:24 139264 d:\windows\setupupd\dudrvs\4541876\CMUNINST.EXE
+ 2009-08-21 08:12 . 2002-07-11 03:13 135168 d:\windows\setupupd\dudrvs\4541876\CMUNINST.DAT
+ 2009-08-21 08:12 . 2002-11-18 06:51 377358 d:\windows\setupupd\dudrvs\4541876\cmaudio.sys
+ 2009-08-21 08:12 . 2001-11-23 03:08 712704 d:\windows\setupupd\dudrvs\4541876\AUDIO3D.DLL
+ 2009-08-21 08:12 . 2002-10-15 09:00 1818624 d:\windows\setupupd\dudrvs\4541876\MIXER.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Deluxe"="d:\program files\Speaking Clock Deluxe\SpClDlx.exe" [2009-01-28 2325504]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="d:\program files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 897086]
"BluetoothAuthenticationAgent"="bthprops.cpl" - d:\windows\system32\bthprops.cpl [2004-08-10 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-10 15360]

d:\documents and settings\Administrator\Start Menu\Programs\Startup\
MSI Live Monitor.lnk - d:\program files\MSI\Live Update 3\LMonitor.exe [2006-6-2 477696]
アイコン変更ユーティリティ.lnk - d:\program files\MELCO INC\Icon Util\IconUtil.exe [2005-12-18 114688]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
BoosterTray.lnk - d:\program files\RingThree\bin\BoosterTray.exe [2007-11-8 339968]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendfirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Azureus\\Azureus.exe"=

R0 fasttrak;fasttrak;d:\windows\system32\drivers\Fasttrak.sys [2006/06/01 1:07 70528]
R0 phmburnr;phmburnr;d:\windows\system32\drivers\phmburnr.sys [2008/02/28 7:19 45208]
R1 TxDevCmd;TxDevCmd;d:\windows\system32\drivers\TxDevCmd.sys [2009/02/16 14:28 15896]
R2 PVM Service;PVM Service;d:\program files\RingThree\bin\PvmService.exe [2007/11/08 10:02 294912]
R2 tmfilter;Tmfilter;d:\windows\system32\drivers\tmxpflt.sys [2005/09/26 14:23 183808]
R2 tmntsrv;Trend Micro Real-time Service;d:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005/09/28 22:19 340037]
R2 tmpfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005/09/12 21:57 630845]
R2 tmpreflt;Tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2005/09/26 14:23 25088]
R2 tmproxy;Trend Micro Proxy Service;d:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005/09/12 21:59 286788]
R3 GVSC200;GVSC200;d:\windows\system32\drivers\GVSC200.sys [2007/08/24 13:41 7680]
R3 PXTV432P;PXTV432P service;d:\windows\system32\drivers\PXTV432P.sys [2005/05/23 18:08 966552]
S0 tffsmon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 tfsysmon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 3xHybrid;3xHybrid service;d:\windows\system32\drivers\3xHybrid.sys [2006/09/26 3:15 613632]
S3 Cap713x;Philips Cap713x Video Capture;d:\windows\system32\drivers\Cap713x.sys [2006/07/01 3:43 685824]
S3 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]
S3 tfnetmon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S3 UtilNT;UtilNT;\??\d:\windows\system32\drivers\UtilNT.sys --> d:\windows\system32\drivers\UtilNT.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
d:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-21 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 03:46]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Download with FlashGet - d:\progra~1\FlashGet\jc_link.htm
IE: Download all with FlashGet - d:\progra~1\FlashGet\jc_all.htm
IE: Playback with FlashPlayerEx - d:\progra~1\FLASHP~1\LINK.HTM
IE: Web search with JWord(&J)
IE: Save Flash - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
IE: Save with SmileDownloader(&Y) - d:\program files\SmileDownloader\IEMenu\IEMenuExt.htm
IE: Save flash movie in this page- d:\progra~1\FLASHP~1\XTR.HTM
IE: Open flash movie - d:\progra~1\FLASHP~1\STR.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 22:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RichVideo]
"ImagePath"="-\"d:\program files\CyberLink\Shared Files\RichVideo.exe\"\00\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\02\00\02H\02H\02H\02H"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\@*sSO0・]
"Order"=hex:08,00,00,00,02,00,00,00,7e,01,00,00,01,00,00,00,03,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\「0ッ0サ0オ0・\キ0ケ0ニ0・ *ト0・・]
"Order"=hex:08,00,00,00,02,00,00,00,dc,05,00,00,01,00,00,00,09,00,00,00,b4,00,
00,00,00,00,00,00,a6,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,94,00,32,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(1628)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
d:\windows\system32\msctf.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\NMSSvc.Exe
d:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\windows\system32\conime.exe
d:\windows\system32\rundll32.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-21 22:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 13:35
ComboFix2.txt 2009-08-19 11:06
ComboFix3.txt 2009-08-16 15:13
ComboFix4.txt 2009-08-15 13:09
ComboFix5.txt 2009-08-21 13:19

Pre-Run: 5,205,778,432 bytes free
Post-Run: 6,094,991,360 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
220

#24
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
How's it running?

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • d:\windows\system32\drivers\ntfs.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#25
jjplan
    Member
  • Topic Starter
  • Member
  • 28 posts
WOW! 79%.... Many say "Dialer"!!!

========================(VirSCAN.org result)==========================

VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 13:31:50 (JST)
Scanner results: 79% Scanner(30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/r...5aa9dfd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU

#26
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hi

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and UNcheck "Heuristic analysis".
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen).
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured.)
  • Next, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#27
jjplan
    Member
  • Topic Starter
  • Member
  • 28 posts
Hi! :)

Maybe you are going to find and delete the malware hidden in the contents to be restored, aren't you? How tricky their way of hiding themselves is!! :)

=======================(DrWeb.csv)=======================

cru629.dat.vir;D:\Qoobox\Quarantine\D\WINDOWS;Trojan.Proxy.1739;Deleted.;
cru629.dat.vir;D:\Qoobox\Quarantine\D\WINDOWS\system32;Trojan.Proxy.1739;Deleted.;
figaro.sys.vir;D:\Qoobox\Quarantine\D\WINDOWS\system32\dllcache;Trojan.NtRootKit.3206;Deleted.;
beep.sys.vir;D:\Qoobox\Quarantine\D\WINDOWS\system32\drivers;Trojan.NtRootKit.3206;Deleted.;
e7b275fa.sys.vir;D:\Qoobox\Quarantine\D\WINDOWS\system32\drivers;Trojan.Spambot.4632;Deleted.;
braviax.exe.vir;D:\Qoobox\Quarantine\D\WINDOWS\temp01;Trojan.Fakealert.4774;Deleted.;
A0000001.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.Fakealert.4774;Deleted.;
A0000015.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.Fakealert.4774;Deleted.;
A0000017.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.Fakealert.4774;Deleted.;
A0000018.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.Spambot.4632;Deleted.;
A0000019.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.NtRootKit.3206;Deleted.;
A0000097.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.NtRootKit.3206;Deleted.;
A0000099.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.Fakealert.4774;Deleted.;
A0000100.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.NtRootKit.3206;Deleted.;
A0000105.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.NtRootKit.3206;Deleted.;
A0000106.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.NtRootKit.3206;Deleted.;
A0000108.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000109.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000110.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000114.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000115.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000132.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000133.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000205.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000207.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000208.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000214.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000215.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000219.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000220.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000228.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000229.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000230.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000235.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000236.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000238.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000239.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
A0000240.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000252.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000253.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000257.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000345.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.NtRootKit.3206;Deleted.;
A0000383.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1;Trojan.Fakealert.4774;Deleted.;
MFEX-1.DAT;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP1\snapshot;Trojan.NtRootKit.3206;Deleted.;
A0001053.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP2;Trojan.NtRootKit.3206;Deleted.;
A0001413.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP3;BackDoor.Bulknet.404;Cured.;
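One way to triage a report like the DrWeb.csv above, as an added example that is not part of this thread or of Dr.Web's tooling: it parses the semicolon-separated rows and separates hits inside ComboFix's Qoobox quarantine and System Restore snapshots (already-neutralised copies that a restore would bring back) from hits on the live system. The function names and the placeholder last sample row are this example's own; the first four sample rows copy rows from the report posted above.

```python
import csv
import sys
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample in the same "file;directory;threat;action;" shape as the
# DrWeb.csv posted in this thread. The first four rows copy rows from that
# report; the last row is made up (placeholder name) so that the live-system
# branch below is exercised too.
SAMPLE_CSV = "\n".join([
    r"cru629.dat.vir;D:\Qoobox\Quarantine\D\WINDOWS;Trojan.Proxy.1739;Deleted.;",
    r"braviax.exe.vir;D:\Qoobox\Quarantine\D\WINDOWS\temp01;Trojan.Fakealert.4774;Deleted.;",
    r"A0000001.exe;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP0;Trojan.Fakealert.4774;Deleted.;",
    r"A0001413.sys;D:\System Volume Information\_restore{54941CAD-701A-4B83-84FF-080F346415BB}\RP3;BackDoor.Bulknet.404;Cured.;",
    r"example_placeholder.exe;D:\WINDOWS\system32;Trojan.Example;Deleted.;",
])


def classify_location(directory: str) -> str:
    """Say what kind of place a detection came from.

    Hits inside ComboFix's Qoobox quarantine, Dr.Web's own quarantine or a
    System Restore snapshot are copies of files that were already taken out of
    their original places; they still matter (a restore would bring them back)
    but they are not running code. Anything else counts as a live-system hit.
    """
    d = directory.lower().replace("/", "\\")
    if "\\qoobox\\quarantine" in d:
        return "combofix-quarantine"
    if "\\doctorweb\\quarantine" in d:
        return "drweb-quarantine"
    if "\\system volume information\\_restore" in d:
        return "system-restore"
    return "live-system"


def parse_drweb_csv(text: str) -> List[Dict[str, str]]:
    """Parse DrWeb.csv rows (semicolon separated, trailing separator) into dicts."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 4:  # blank line or a truncated row
            continue
        name, directory, threat, action = (field.strip() for field in row[:4])
        records.append({
            "file": name,
            "directory": directory,
            "threat": threat,
            "action": action.rstrip("."),  # "Deleted." -> "Deleted"
            "where": classify_location(directory),
        })
    return records


def summarize(records: List[Dict[str, str]]) -> Counter:
    """Count detections per location class."""
    return Counter(r["where"] for r in records)


def threats_by_class(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Distinct threat names seen in each location class, sorted."""
    out = defaultdict(set)
    for r in records:
        out[r["where"]].add(r["threat"])
    return {k: sorted(v) for k, v in out.items()}


def live_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detections outside any quarantine or restore point: look at these first."""
    return [r for r in records if r["where"] == "live-system"]


if __name__ == "__main__":
    # Usage: python drweb_triage.py [DrWeb.csv]; without an argument the sample is used.
    if len(sys.argv) > 1:
        # latin-1 never raises on stray bytes; the real report encoding is an assumption
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    recs = parse_drweb_csv(text)
    names = threats_by_class(recs)
    for where, n in sorted(summarize(recs).items()):
        print(f"{where:22s} {n:4d}  {', '.join(names[where])}")
    for r in live_hits(recs):
        print("LIVE:", r["directory"] + "\\" + r["file"], r["threat"], r["action"])
```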

#28
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hi

  • Download OTC to your desktop and run it.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#29
jjplan
    Member
  • Topic Starter
  • Member
  • 28 posts
Hi!! I'm sorry to be late. I was away from home.

This time CF did not reboot the PC.

=======================(ComboFix log)=========================

ComboFix 09-08-22.06 - Administrator 2009/08/23 22:27.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1023.724 [GMT 9:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 03:24 . 2009-08-17 07:15 -------- d-----w- D:\Nucleus Soundlab Ambient Space Vol.1 REFILL
2009-08-21 15:16 . 2009-08-21 15:16 -------- d-----w- d:\documents and settings\Administrator\DoctorWeb
2009-08-18 11:33 . 2009-08-18 11:33 -------- d-----w- d:\program files\PioneerDriveUtility_v118
2009-08-16 15:02 . 2004-08-05 12:00 574592 ------w- d:\windows\system32\drivers\ntfs.sys
2009-08-14 14:33 . 2009-08-14 14:33 19333 ----a-w- d:\documents and settings\LocalService\Application Data\obuwyzu.scr
2009-08-14 14:33 . 2009-08-14 14:33 15169 ----a-w- d:\documents and settings\LocalService\Application Data\sihed.exe
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-03 04:36 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-14 14:09 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-14 14:08 . 2009-08-03 04:36 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-14 12:45 . 2009-08-14 12:45 -------- d-----w- d:\program files\Safer Networking
2009-08-13 17:22 . 2009-08-13 17:22 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-13 17:12 . 2009-08-13 17:12 -------- d-----w- d:\documents and settings\All Users\Application Data\ESET
2009-08-13 13:50 . 2009-08-14 13:46 -------- d-----w- d:\program files\Spyware Doctor
2009-08-03 10:11 . 2009-08-03 10:11 -------- d-----w- d:\windows\system32\Quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 10:20 . 2008-08-02 13:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-08-22 06:37 . 2008-03-31 11:59 -------- d-----w- d:\documents and settings\Administrator\Application Data\Azureus
2009-08-15 02:22 . 2006-05-31 17:31 -------- d-----w- d:\program files\Trend Micro
2009-08-14 13:46 . 2009-02-06 00:39 -------- d-----w- d:\program files\Common Files\PC Tools
2009-08-14 13:27 . 2009-02-06 00:39 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-08-14 13:27 . 2009-02-04 12:05 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-14 13:25 . 2007-08-05 19:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 12:41 . 2007-11-02 01:23 -------- d-----w- d:\documents and settings\All Users\Application Data\Trend Micro
2009-08-09 23:30 . 2006-05-31 17:18 -------- d-----w- d:\program files\FlashGet
2009-08-07 02:52 . 2007-01-11 04:37 -------- d-----w- d:\documents and settings\Administrator\Application Data\Vso
2009-08-07 01:05 . 2008-07-20 05:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\DVD Flick
2009-08-03 04:51 . 2006-10-01 13:44 777 ----a-w- d:\program files\funatree.ini
2009-07-22 05:12 . 2009-07-22 05:12 -------- d-----w- d:\program files\MELCO INC
2009-07-21 16:01 . 2009-07-21 16:00 -------- d-----w- d:\program files\Madonote
2009-07-21 01:41 . 2009-07-21 01:41 -------- d-----w- d:\program files\Phantombility
2009-07-20 15:28 . 2006-05-31 17:17 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\UltraISO
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\Common Files\EZB Systems
2009-07-20 11:59 . 2008-08-03 11:41 -------- d-----w- d:\program files\IsoBuster
2009-07-17 09:14 . 2009-07-17 09:14 -------- d-----w- d:\program files\UnH Solutions
2009-07-10 15:08 . 2009-07-10 15:07 -------- d-----w- d:\program files\FlashPlayerEx
2009-06-20 03:07 . 2009-06-20 03:08 13567 ----a-w- d:\windows\system32\drivers\CDRBSDRV.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-08-15_12.01.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 08:32 . 2001-07-14 08:32 69632 d:\windows\setupupd\temp\wsdueng.dll
+ 2009-08-21 08:12 . 2009-08-21 08:12 12900 d:\windows\setupupd\dudrvs\4541876\hwcomp.dat
+ 2009-08-21 08:12 . 2002-10-09 00:38 32768 d:\windows\setupupd\dudrvs\4541876\CMNPROP.DLL
+ 2009-08-21 08:12 . 2002-11-19 06:46 39104 d:\windows\setupupd\dudrvs\4541876\cmijack.dat
+ 2009-08-21 08:12 . 2002-11-19 06:43 22178 d:\windows\setupupd\dudrvs\4541876\cmaudio.dat
+ 2009-08-21 08:12 . 2001-06-22 01:25 53248 d:\windows\setupupd\dudrvs\2399502\Windows\Drivers\IA32\PROUnstl.exe
+ 2009-08-21 08:12 . 2001-07-19 21:40 23040 d:\windows\setupupd\dudrvs\2399502\Windows\Drivers\IA32\intelnic.dll
+ 2009-08-21 08:12 . 2002-02-27 23:23 88592 d:\windows\setupupd\dudrvs\2399502\Windows\Drivers\IA32\E1000NT5.SYS
+ 2004-08-10 03:44 . 2004-08-05 12:00 574592 d:\windows\system32\dllcache\ntfs.sys
+ 2009-08-21 08:12 . 2000-10-20 09:28 765952 d:\windows\setupupd\dudrvs\4541876\CRLDS3D.DLL
+ 2009-08-21 08:12 . 2002-07-11 02:24 139264 d:\windows\setupupd\dudrvs\4541876\CMUNINST.EXE
+ 2009-08-21 08:12 . 2002-07-11 03:13 135168 d:\windows\setupupd\dudrvs\4541876\CMUNINST.DAT
+ 2009-08-21 08:12 . 2002-11-18 06:51 377358 d:\windows\setupupd\dudrvs\4541876\cmaudio.sys
+ 2009-08-21 08:12 . 2001-11-23 03:08 712704 d:\windows\setupupd\dudrvs\4541876\AUDIO3D.DLL
+ 2009-08-21 08:12 . 2002-10-15 09:00 1818624 d:\windows\setupupd\dudrvs\4541876\MIXER.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Deluxe"="d:\program files\Speaking Clock Deluxe\SpClDlx.exe" [2009-01-28 2325504]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="d:\program files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 897086]
"BluetoothAuthenticationAgent"="bthprops.cpl" - d:\windows\system32\bthprops.cpl [2004-08-10 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-10 15360]

d:\documents and settings\Administrator\Start Menu\Programs\Startup\
MSI Live Monitor.lnk - d:\program files\MSI\Live Update 3\LMonitor.exe [2006-6-2 477696]
IconUtil.lnk - d:\program files\MELCO INC\Icon Util\IconUtil.exe [2005-12-18 114688]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
BoosterTray.lnk - d:\program files\RingThree\bin\BoosterTray.exe [2007-11-8 339968]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendfirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Azureus\\Azureus.exe"=

R0 fasttrak;fasttrak;d:\windows\system32\drivers\Fasttrak.sys [2006/06/01 1:07 70528]
R0 phmburnr;phmburnr;d:\windows\system32\drivers\phmburnr.sys [2008/02/28 7:19 45208]
R1 TxDevCmd;TxDevCmd;d:\windows\system32\drivers\TxDevCmd.sys [2009/02/16 14:28 15896]
R2 PVM Service;PVM Service;d:\program files\RingThree\bin\PvmService.exe [2007/11/08 10:02 294912]
R2 tmfilter;Tmfilter;d:\windows\system32\drivers\tmxpflt.sys [2005/09/26 14:23 183808]
R2 tmpreflt;Tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2005/09/26 14:23 25088]
R3 GVSC200;GVSC200;d:\windows\system32\drivers\GVSC200.sys [2007/08/24 13:41 7680]
R3 PXTV432P;PXTV432P service;d:\windows\system32\drivers\PXTV432P.sys [2005/05/23 18:08 966552]
S0 tffsmon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 tfsysmon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S2 tmntsrv;Trend Micro Real-time Service;d:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005/09/28 22:19 340037]
S2 tmpfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005/09/12 21:57 630845]
S2 tmproxy;Trend Micro Proxy Service;d:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005/09/12 21:59 286788]
S3 3xHybrid;3xHybrid service;d:\windows\system32\drivers\3xHybrid.sys [2006/09/26 3:15 613632]
S3 Cap713x;Philips Cap713x Video Capture;d:\windows\system32\drivers\Cap713x.sys [2006/07/01 3:43 685824]
S3 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]
S3 tfnetmon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S3 UtilNT;UtilNT;\??\d:\windows\system32\drivers\UtilNT.sys --> d:\windows\system32\drivers\UtilNT.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
d:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 03:46]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with FlashGet - d:\progra~1\FlashGet\jc_link.htm
IE: Download all with FlashGet - d:\progra~1\FlashGet\jc_all.htm
IE: Playback with FlashPlayerEx - d:\progra~1\FLASHP~1\LINK.HTM
IE: Web search with JWord(&J)
IE: Save Flash - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
IE: Save with SmileDownloader(&Y) - d:\program files\SmileDownloader\IEMenu\IEMenuExt.htm
IE: Save flash movie in this page - d:\progra~1\FLASHP~1\XTR.HTM
IE: Open flash movie - d:\progra~1\FLASHP~1\STR.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 22:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RichVideo]
"ImagePath"="-\"d:\program files\CyberLink\Shared Files\RichVideo.exe\"\00\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\02\00\02H\02H\02H\02H"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\@*sSO0・]
"Order"=hex:08,00,00,00,02,00,00,00,7e,01,00,00,01,00,00,00,03,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\「0ッ0サ0オ0・\キ0ケ0ニ0・ *ト0・・]
"Order"=hex:08,00,00,00,02,00,00,00,dc,05,00,00,01,00,00,00,09,00,00,00,b4,00,
00,00,00,00,00,00,a6,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,94,00,32,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(4000)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
d:\windows\system32\msi.dll
.
Completion time: 2009-08-23 22:36
ComboFix-quarantined-files.txt 2009-08-23 13:36
ComboFix2.txt 2009-08-21 13:35
ComboFix3.txt 2009-08-19 11:06
ComboFix4.txt 2009-08-16 15:13
ComboFix5.txt 2009-08-23 13:25

Pre-Run: 4,321,136,640 bytes free
Post-Run: 4,910,403,584 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
202

#30
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *ntfs.sys*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt