Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1, 07-01-2009, 02:26 AM
Canniballistic (Registered User; Join Date: Jun 2009; Location: N.S.W., Australia; Posts: 10; OS: XP Service Pack 3)

Help Request

Ok, the problem is I got something nasty onto my computer and now it's wreaking havoc. It seems to be blocking Spybot S&D and Malwarebytes Anti-Malware, redirecting Google search results and creating pop-ups in my browser; it also seems to be playing around with other programs, but I can't tell for sure.

Aside from Malwarebytes and Spybot S&D, I'm also running C.O.M.O.D.O., but it doesn't seem to be helping too much.

-------------------------------------------------------------------------------------------------------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by Canniballistic at 17:55:59.93 on Wed 01/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.590 [GMT 10:00]

AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "f:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\cannib~1\startm~1\programs\startup\xfire.lnk - f:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startg~1.lnk - f:\program files\getright\getright.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-5-14 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-5-14 24096]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-5-14 692496]

=============== Created Last 30 ================

2009-06-30 13:09 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 13:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-30 13:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 13:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-30 12:30 <DIR> --dsh--- c:\documents and settings\canniballistic\IECompatCache
2009-06-29 08:13 <DIR> --dsh--- c:\documents and settings\canniballistic\PrivacIE
2009-06-24 17:48 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-06-24 17:26 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-06-24 17:26 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-06-24 17:26 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-06-24 17:26 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-06-24 17:26 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-06-24 17:26 8,192 a------- c:\windows\system32\kbdkor.dll
2009-06-24 17:26 6,144 a------- c:\windows\system32\kbd101c.dll
2009-06-24 17:26 5,632 a------- c:\windows\system32\kbd103.dll
2009-06-24 17:25 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-06-24 17:25 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-06-24 17:25 6,144 a------- c:\windows\system32\kbd106.dll
2009-06-24 17:25 6,144 a------- c:\windows\system32\kbd101b.dll
2009-06-16 20:24 4,096 a------- c:\windows\system32\drivers\nocashio.sys
2009-06-16 13:21 <DIR> --dsh--- c:\documents and settings\canniballistic\IETldCache
2009-06-16 13:05 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-16 13:05 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 13:05 <DIR> --d----- c:\windows\ie8updates
2009-06-16 13:05 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-16 13:04 <DIR> -cd-h--- c:\windows\ie8
2009-06-12 08:29 41,808 a------- c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2009-07-01 01:01 189,680 a------- c:\windows\system32\PnkBstrB.exe
2009-07-01 00:02 138,672 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-30 12:25 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-06-23 10:42 132,640 a------- c:\windows\system32\drivers\cmdguard.sys
2009-05-26 16:22 22,328 a------- c:\docume~1\cannib~1\applic~1\PnkBstrK.sys
2009-05-26 16:21 682,280 a------- c:\windows\system32\pbsvc.exe
2009-05-21 14:32 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-05-21 14:32 17,212 a------t c:\windows\system32\SIntf32.dll
2009-05-21 14:32 12,067 a------t c:\windows\system32\SIntf16.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-18 20:05 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-15 21:25 168,208 a------- c:\windows\system32\guard32.dll
2009-05-15 21:25 24,096 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-05-14 00:21 217,536 a------- c:\windows\system32\drivers\truecrypt.sys
2009-05-13 15:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 10:50 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-05-08 01:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 22:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-16 00:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-03 15:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 17:56:19.75 ===============
Attached Files
File Type: zip Attach.zip (6.0 KB, 2 views)
#2, 07-03-2009, 09:48 PM
chemist (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2007; Location: Georgia; Posts: 10,627; OS: XP SP3)

Re: Help Request

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Download ComboFix from any of the links below. You must rename it to Combo-Fix before saving it. Save it to your Desktop.

If you are using Firefox, go to Tools > Options > Main and select 'Always ask me where to save files' and click OK.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save Combo-Fix.exe to your Desktop

------------------------------------------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Get help here
  • Double-click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
#3, 07-04-2009, 01:21 AM
Canniballistic (Registered User; Join Date: Jun 2009; Location: N.S.W., Australia; Posts: 10; OS: XP Service Pack 3)

Re: Help Request

ComboFix 09-07-03.03 - Canniballistic 04/07/2009 17:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.730 [GMT 10:00]
Running from: c:\documents and settings\Canniballistic\Desktop\Combo-Fix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\CANNIB~1\LOCALS~1\Temp\install_flash_player.exe
c:\windows\system32\drivers\MSIVXyedvjxvveqmtjppxpuwmyxijyovtxdrj.sys
c:\windows\system32\MSIVXaoyproeulalnqggwspqdxyyqgskrlgna.dll
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXdfjjwtdonsoafrrdfkqxiljsmolckhmt.dll
c:\windows\system32\tmp32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 01:15 . 2009-07-04 01:15 -------- d-----w- c:\documents and settings\Canniballistic\Local Settings\Application Data\Doom_Productions
2009-06-30 03:09 . 2009-06-17 01:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 03:09 . 2009-06-30 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 03:09 . 2009-06-17 01:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 03:08 . 2009-06-30 03:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-30 02:30 . 2009-06-30 02:30 -------- d-sh--w- c:\documents and settings\Canniballistic\IECompatCache
2009-06-28 22:13 . 2009-06-28 22:13 -------- d-sh--w- c:\documents and settings\Canniballistic\PrivacIE
2009-06-28 13:45 . 2009-06-28 13:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-24 07:49 . 2006-02-28 12:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-06-24 07:49 . 2006-02-28 12:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2009-06-24 07:26 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-24 07:26 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-06-24 07:26 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-06-24 07:26 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-06-24 07:26 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-06-24 07:26 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-06-24 07:26 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-06-24 07:26 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-06-24 07:25 . 2008-04-14 01:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-06-24 07:25 . 2008-04-14 01:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-06-24 07:25 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-06-24 07:25 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-06-20 09:13 . 2009-06-20 09:13 -------- d-----w- c:\documents and settings\Canniballistic\Local Settings\Application Data\COMODO
2009-06-16 10:24 . 2009-06-16 10:24 4096 ----a-w- c:\windows\system32\drivers\nocashio.sys
2009-06-16 03:22 . 2009-06-16 03:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-16 03:21 . 2009-06-16 03:21 -------- d-sh--w- c:\documents and settings\Canniballistic\IETldCache
2009-06-16 03:05 . 2009-06-16 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-06-16 03:05 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-16 03:05 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 03:05 . 2009-06-16 03:05 -------- d-----w- c:\windows\ie8updates
2009-06-16 03:05 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-16 03:04 . 2009-06-16 03:05 -------- dc-h--w- c:\windows\ie8
2009-06-16 03:01 . 2009-06-16 03:01 152576 ----a-w- c:\documents and settings\Canniballistic\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 07:06 . 2009-04-03 01:24 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\Azureus
2009-07-04 07:06 . 2009-04-03 00:53 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\Xfire
2009-07-04 06:27 . 2009-04-29 23:48 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-04 04:56 . 2009-04-29 23:49 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-04 04:18 . 2009-03-02 10:34 21992 ----a-w- c:\documents and settings\Canniballistic\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 03:18 . 2009-03-08 05:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-04 01:27 . 2009-05-18 10:40 77456 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-03 23:49 . 2009-05-14 11:43 183912 ----a-w- c:\windows\system32\guard32.dll
2009-07-03 23:49 . 2009-05-14 11:43 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-07-03 23:49 . 2009-05-14 11:43 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-07-03 23:49 . 2009-05-14 11:43 131912 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-07-01 11:15 . 2009-05-22 07:45 -------- d-----w- c:\program files\Electronic Arts
2009-07-01 11:15 . 2009-03-02 10:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-30 03:08 . 2009-04-03 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-30 02:25 . 2009-05-16 23:03 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-24 08:21 . 2009-05-12 11:25 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\gtk-2.0
2009-06-16 07:18 . 2009-05-13 14:25 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\TrueCrypt
2009-06-16 03:01 . 2009-04-03 00:46 -------- d-----w- c:\program files\Java
2009-06-15 02:50 . 2009-03-02 13:42 -------- d-----w- c:\program files\PunkBuster
2009-06-11 09:29 . 2009-03-02 11:16 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\U3
2009-06-11 09:26 . 2009-03-02 13:40 -------- d-----w- c:\program files\Warcraft III
2009-05-26 06:22 . 2009-04-29 23:49 22328 ----a-w- c:\documents and settings\Canniballistic\Application Data\PnkBstrK.sys
2009-05-26 06:22 . 2009-04-29 23:49 22328 ----a-w- c:\documents and settings\Canniballistic\Application Data\PnkBstrK.sys
2009-05-26 06:21 . 2009-04-29 23:48 682280 ----a-w- c:\windows\system32\pbsvc.exe
2009-05-26 06:06 . 2009-03-02 13:41 -------- d-----w- c:\program files\Activision
2009-05-25 09:26 . 2009-05-25 09:26 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\CyberLink
2009-05-24 07:02 . 2009-05-24 07:02 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\Petroglyph
2009-05-24 06:40 . 2009-05-24 06:35 -------- d-----w- c:\program files\LucasArts
2009-05-24 06:33 . 2009-05-24 06:33 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\InstallShield
2009-05-23 10:28 . 2009-03-28 05:12 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\dvdcss
2009-05-22 23:22 . 2009-05-22 23:09 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2009-05-22 08:01 . 2009-05-22 07:53 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\My Battle for Middle-earth(tm) II Files
2009-05-22 03:54 . 2009-04-29 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2009-05-22 03:24 . 2009-05-22 03:24 -------- d-----w- c:\program files\Ubisoft
2009-05-21 04:32 . 2009-05-21 04:19 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-05-21 04:32 . 2009-05-21 04:19 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-05-21 04:32 . 2009-05-21 04:18 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-05-21 04:26 . 2009-05-21 04:23 -------- d-----w- c:\program files\Fox
2009-05-21 01:33 . 2009-04-03 00:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-18 10:44 . 2009-05-18 10:44 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\InstallShield Installation Information
2009-05-18 10:44 . 2009-05-18 10:44 -------- d-----w- c:\program files\Bethesda Softworks
2009-05-18 10:40 . 2009-05-18 10:40 -------- d-----w- c:\program files\MSBuild
2009-05-18 10:16 . 2009-05-18 10:16 -------- d-----w- c:\program files\Reference Assemblies
2009-05-18 10:06 . 2009-05-18 12:46 147456 ----a-w- c:\documents and settings\Canniballistic\Application Data\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\_setup.dll
2009-05-18 10:05 . 2009-03-03 03:23 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-16 04:51 . 2009-03-02 13:37 -------- d-----w- c:\program files\THQ
2009-05-16 04:09 . 2009-03-02 13:32 -------- d-----w- c:\program files\Steam
2009-05-15 08:14 . 2009-05-15 06:17 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\GarageGames
2009-05-15 08:13 . 2009-05-15 08:13 61136 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\xinput9_1_0.dll
2009-05-15 08:13 . 2009-05-15 08:13 4308992 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\marbleBlast.exe
2009-05-15 08:13 . 2009-05-15 08:13 3495784 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\d3dx9_33.dll
2009-05-15 08:13 . 2009-05-15 08:13 319488 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\d3dx8dll.dll
2009-05-15 08:13 . 2009-05-15 08:13 316416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\fmodex.dll
2009-05-15 07:41 . 2009-05-15 07:41 68888 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\xinput1_3.dll
2009-05-15 07:41 . 2009-05-15 07:41 3026944 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\Zap.exe
2009-05-15 07:41 . 2009-05-15 07:41 60416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\OpenAL32.dll
2009-05-15 07:41 . 2009-05-15 07:41 2319568 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\d3dx9_27.dll
2009-05-15 07:41 . 2009-05-15 07:41 184320 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\d3dx8dll.dll
2009-05-15 07:25 . 2009-05-15 07:25 971544 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\d3dx9_31.dll
2009-05-15 07:25 . 2009-05-15 07:25 60416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\OpenAL32.dll
2009-05-15 07:25 . 2009-05-15 07:25 4214784 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\ThinkTanks.exe
2009-05-15 07:25 . 2009-05-15 07:25 316416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\fmodex.dll
2009-05-15 07:25 . 2009-05-15 07:25 270336 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\d3dx8dll.dll
2009-05-15 07:25 . 2009-05-15 07:25 1338728 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\d3dx9_33.dll
2009-05-15 07:13 . 2009-05-15 07:13 4608 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\w9xpopen.exe
2009-05-15 07:13 . 2009-05-15 07:13 438272 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL_image.dll
2009-05-15 07:13 . 2009-05-15 07:13 364544 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL.dll
2009-05-15 07:13 . 2009-05-15 07:13 348160 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\MSVCR71.dll
2009-05-15 07:13 . 2009-05-15 07:13 282624 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL_mixer.dll
2009-05-15 07:13 . 2009-05-15 07:13 274432 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL_ttf.dll
2009-05-15 07:13 . 2009-05-15 07:13 2113536 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\python25.dll
2009-05-15 07:13 . 2009-05-15 07:13 204800 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\smpeg.dll
2009-05-15 07:13 . 2009-05-15 07:13 34304 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\main.exe
2009-05-15 06:38 . 2009-05-15 06:38 971544 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\d3dx9_31.dll
2009-05-15 06:38 . 2009-05-15 06:38 34512 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\xinput9_1_0.dll
2009-05-15 06:38 . 2009-05-15 06:38 335360 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\fmodex.dll
2009-05-15 06:38 . 2009-05-15 06:38 1457160 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\d3dx9_36.dll
2009-05-15 06:38 . 2009-05-15 06:38 2043392 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\Lore.exe
2009-05-15 06:20 . 2009-05-15 06:20 4878336 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\Legions.exe
2009-05-15 06:20 . 2009-05-15 06:20 3727720 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\d3dx9_35.dll
2009-05-15 06:20 . 2009-05-15 06:20 345088 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\fmodex.dll
2009-05-14 21:31 . 2009-05-14 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-05-14 11:43 . 2009-05-14 11:43 -------- d-----w- c:\program files\COMODO
2009-05-13 14:21 . 2009-05-13 14:21 217536 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 20:52 . 2009-05-09 10:03 441408 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-05-09 20:51 . 2009-05-09 10:03 334912 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-05-09 20:51 . 2009-05-09 10:03 171072 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-05-09 20:51 . 2009-05-09 10:03 874660 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-05-09 20:51 . 2009-05-09 10:03 57344 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-05-09 20:51 . 2009-05-09 10:03 479232 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-05-09 20:51 . 2009-05-09 10:03 2669632 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-05-09 10:03 . 2009-05-09 10:03 874660 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbcls.dll
2009-05-09 10:03 . 2009-05-09 10:03 57344 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbags.dll
2009-05-09 09:58 . 2009-05-09 09:58 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\id Software
2009-05-09 09:56 . 2009-05-09 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-05-08 00:50 . 2009-04-29 23:48 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-08 00:47 . 2009-05-08 00:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-05-08 00:24 . 2009-05-08 00:24 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\teamspeak2
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-07-03 1793808]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-11 20992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Canniballistic\Start Menu\Programs\Startup\
Xfire.lnk - f:\program files\Xfire\Xfire.exe [2009-6-12 3182928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Start GetRight.lnk - f:\program files\GetRight\getright.exe [2006-11-24 4572232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [14/05/2009 9:43 PM 131912]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [14/05/2009 9:43 PM 25160]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 17:17
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-2147198587-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:41,6b,72,df,68,5f,a6,a2,4b,17,8b,d4,0b,22,43,97,a0,b6,b8,7c,a3,d4,43,
95,6b,ce,96,27,75,cb,46,c3,f8,17,f8,89,d1,4d,2c,d7,6b,e2,fb,99,bd,2a,7b,f1,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-583907252-2147198587-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:0b,ad,b5,85,d8,19,01,2d,c6,d0,73,fe,19,f4,6b,47,11,ea,3f,21,4d,
74,5c,ee,f2,19,d4,c0,75,2a,22,8f,c2,90,9e,86,32,03,59,36,b5,ee,c9,16,13,e3,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
Completion time: 2009-07-04 17:19
ComboFix-quarantined-files.txt 2009-07-04 07:19

Pre-Run: 25,698,541,568 bytes free
Post-Run: 25,869,127,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

252 --- E O F --- 2009-06-16 03:05
Old 07-04-2009, 01:23 AM   #4 (permalink)
Registered User
 
Join Date: Jun 2009
Location: N.S.W., Australia
Posts: 10
OS: XP Service Pack 3


Finished Combo-Fix Scan

ComboFix 09-07-03.03 - Canniballistic 04/07/2009 17:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.730 [GMT 10:00]
Running from: c:\documents and settings\Canniballistic\Desktop\Combo-Fix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\CANNIB~1\LOCALS~1\Temp\install_flash_player.exe
c:\windows\system32\drivers\MSIVXyedvjxvveqmtjppxpuwmyxijyovtxdrj.sys
c:\windows\system32\MSIVXaoyproeulalnqggwspqdxyyqgskrlgna.dll
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXdfjjwtdonsoafrrdfkqxiljsmolckhmt.dll
c:\windows\system32\tmp32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 01:15 . 2009-07-04 01:15 -------- d-----w- c:\documents and settings\Canniballistic\Local Settings\Application Data\Doom_Productions
2009-06-30 03:09 . 2009-06-17 01:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 03:09 . 2009-06-30 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 03:09 . 2009-06-17 01:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 03:08 . 2009-06-30 03:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-30 02:30 . 2009-06-30 02:30 -------- d-sh--w- c:\documents and settings\Canniballistic\IECompatCache
2009-06-28 22:13 . 2009-06-28 22:13 -------- d-sh--w- c:\documents and settings\Canniballistic\PrivacIE
2009-06-28 13:45 . 2009-06-28 13:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-24 07:49 . 2006-02-28 12:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2009-06-24 07:49 . 2006-02-28 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-06-24 07:49 . 2006-02-28 12:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2009-06-24 07:26 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-24 07:26 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-06-24 07:26 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-06-24 07:26 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-06-24 07:26 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-06-24 07:26 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-06-24 07:26 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-06-24 07:26 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-06-24 07:25 . 2008-04-14 01:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-06-24 07:25 . 2008-04-14 01:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-06-24 07:25 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-06-24 07:25 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-06-20 09:13 . 2009-06-20 09:13 -------- d-----w- c:\documents and settings\Canniballistic\Local Settings\Application Data\COMODO
2009-06-16 10:24 . 2009-06-16 10:24 4096 ----a-w- c:\windows\system32\drivers\nocashio.sys
2009-06-16 03:22 . 2009-06-16 03:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-16 03:21 . 2009-06-16 03:21 -------- d-sh--w- c:\documents and settings\Canniballistic\IETldCache
2009-06-16 03:05 . 2009-06-16 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-06-16 03:05 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-16 03:05 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 03:05 . 2009-06-16 03:05 -------- d-----w- c:\windows\ie8updates
2009-06-16 03:05 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-16 03:04 . 2009-06-16 03:05 -------- dc-h--w- c:\windows\ie8
2009-06-16 03:01 . 2009-06-16 03:01 152576 ----a-w- c:\documents and settings\Canniballistic\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 07:06 . 2009-04-03 01:24 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\Azureus
2009-07-04 07:06 . 2009-04-03 00:53 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\Xfire
2009-07-04 06:27 . 2009-04-29 23:48 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-04 04:56 . 2009-04-29 23:49 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-04 04:18 . 2009-03-02 10:34 21992 ----a-w- c:\documents and settings\Canniballistic\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 03:18 . 2009-03-08 05:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-04 01:27 . 2009-05-18 10:40 77456 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-03 23:49 . 2009-05-14 11:43 183912 ----a-w- c:\windows\system32\guard32.dll
2009-07-03 23:49 . 2009-05-14 11:43 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-07-03 23:49 . 2009-05-14 11:43 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-07-03 23:49 . 2009-05-14 11:43 131912 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-07-01 11:15 . 2009-05-22 07:45 -------- d-----w- c:\program files\Electronic Arts
2009-07-01 11:15 . 2009-03-02 10:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-30 03:08 . 2009-04-03 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-30 02:25 . 2009-05-16 23:03 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-24 08:21 . 2009-05-12 11:25 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\gtk-2.0
2009-06-16 07:18 . 2009-05-13 14:25 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\TrueCrypt
2009-06-16 03:01 . 2009-04-03 00:46 -------- d-----w- c:\program files\Java
2009-06-15 02:50 . 2009-03-02 13:42 -------- d-----w- c:\program files\PunkBuster
2009-06-11 09:29 . 2009-03-02 11:16 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\U3
2009-06-11 09:26 . 2009-03-02 13:40 -------- d-----w- c:\program files\Warcraft III
2009-05-26 06:22 . 2009-04-29 23:49 22328 ----a-w- c:\documents and settings\Canniballistic\Application Data\PnkBstrK.sys
2009-05-26 06:22 . 2009-04-29 23:49 22328 ----a-w- c:\documents and settings\Canniballistic\Application Data\PnkBstrK.sys
2009-05-26 06:21 . 2009-04-29 23:48 682280 ----a-w- c:\windows\system32\pbsvc.exe
2009-05-26 06:06 . 2009-03-02 13:41 -------- d-----w- c:\program files\Activision
2009-05-25 09:26 . 2009-05-25 09:26 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\CyberLink
2009-05-24 07:02 . 2009-05-24 07:02 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\Petroglyph
2009-05-24 06:40 . 2009-05-24 06:35 -------- d-----w- c:\program files\LucasArts
2009-05-24 06:33 . 2009-05-24 06:33 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\InstallShield
2009-05-23 10:28 . 2009-03-28 05:12 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\dvdcss
2009-05-22 23:22 . 2009-05-22 23:09 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2009-05-22 08:01 . 2009-05-22 07:53 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\My Battle for Middle-earth(tm) II Files
2009-05-22 03:54 . 2009-04-29 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2009-05-22 03:24 . 2009-05-22 03:24 -------- d-----w- c:\program files\Ubisoft
2009-05-21 04:32 . 2009-05-21 04:19 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-05-21 04:32 . 2009-05-21 04:19 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-05-21 04:32 . 2009-05-21 04:18 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-05-21 04:26 . 2009-05-21 04:23 -------- d-----w- c:\program files\Fox
2009-05-21 01:33 . 2009-04-03 00:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-18 10:44 . 2009-05-18 10:44 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\InstallShield Installation Information
2009-05-18 10:44 . 2009-05-18 10:44 -------- d-----w- c:\program files\Bethesda Softworks
2009-05-18 10:40 . 2009-05-18 10:40 -------- d-----w- c:\program files\MSBuild
2009-05-18 10:16 . 2009-05-18 10:16 -------- d-----w- c:\program files\Reference Assemblies
2009-05-18 10:06 . 2009-05-18 12:46 147456 ----a-w- c:\documents and settings\Canniballistic\Application Data\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\_setup.dll
2009-05-18 10:05 . 2009-03-03 03:23 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-16 04:51 . 2009-03-02 13:37 -------- d-----w- c:\program files\THQ
2009-05-16 04:09 . 2009-03-02 13:32 -------- d-----w- c:\program files\Steam
2009-05-15 08:14 . 2009-05-15 06:17 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\GarageGames
2009-05-15 08:13 . 2009-05-15 08:13 61136 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\xinput9_1_0.dll
2009-05-15 08:13 . 2009-05-15 08:13 4308992 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\marbleBlast.exe
2009-05-15 08:13 . 2009-05-15 08:13 3495784 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\d3dx9_33.dll
2009-05-15 08:13 . 2009-05-15 08:13 319488 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\d3dx8dll.dll
2009-05-15 08:13 . 2009-05-15 08:13 316416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\100\install\fmodex.dll
2009-05-15 07:41 . 2009-05-15 07:41 68888 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\xinput1_3.dll
2009-05-15 07:41 . 2009-05-15 07:41 3026944 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\Zap.exe
2009-05-15 07:41 . 2009-05-15 07:41 60416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\OpenAL32.dll
2009-05-15 07:41 . 2009-05-15 07:41 2319568 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\d3dx9_27.dll
2009-05-15 07:41 . 2009-05-15 07:41 184320 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\7000\install\d3dx8dll.dll
2009-05-15 07:25 . 2009-05-15 07:25 971544 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\d3dx9_31.dll
2009-05-15 07:25 . 2009-05-15 07:25 60416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\OpenAL32.dll
2009-05-15 07:25 . 2009-05-15 07:25 4214784 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\ThinkTanks.exe
2009-05-15 07:25 . 2009-05-15 07:25 316416 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\fmodex.dll
2009-05-15 07:25 . 2009-05-15 07:25 270336 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\d3dx8dll.dll
2009-05-15 07:25 . 2009-05-15 07:25 1338728 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\101\install\d3dx9_33.dll
2009-05-15 07:13 . 2009-05-15 07:13 4608 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\w9xpopen.exe
2009-05-15 07:13 . 2009-05-15 07:13 438272 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL_image.dll
2009-05-15 07:13 . 2009-05-15 07:13 364544 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL.dll
2009-05-15 07:13 . 2009-05-15 07:13 348160 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\MSVCR71.dll
2009-05-15 07:13 . 2009-05-15 07:13 282624 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL_mixer.dll
2009-05-15 07:13 . 2009-05-15 07:13 274432 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\SDL_ttf.dll
2009-05-15 07:13 . 2009-05-15 07:13 2113536 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\python25.dll
2009-05-15 07:13 . 2009-05-15 07:13 204800 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\smpeg.dll
2009-05-15 07:13 . 2009-05-15 07:13 34304 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\9500\install\dist\main.exe
2009-05-15 06:38 . 2009-05-15 06:38 971544 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\d3dx9_31.dll
2009-05-15 06:38 . 2009-05-15 06:38 34512 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\xinput9_1_0.dll
2009-05-15 06:38 . 2009-05-15 06:38 335360 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\fmodex.dll
2009-05-15 06:38 . 2009-05-15 06:38 1457160 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\d3dx9_36.dll
2009-05-15 06:38 . 2009-05-15 06:38 2043392 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\6500\install\Lore.exe
2009-05-15 06:20 . 2009-05-15 06:20 4878336 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\Legions.exe
2009-05-15 06:20 . 2009-05-15 06:20 3727720 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\d3dx9_35.dll
2009-05-15 06:20 . 2009-05-15 06:20 345088 ----a-w- c:\documents and settings\Canniballistic\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\fmodex.dll
2009-05-14 21:31 . 2009-05-14 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-05-14 11:43 . 2009-05-14 11:43 -------- d-----w- c:\program files\COMODO
2009-05-13 14:21 . 2009-05-13 14:21 217536 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 20:52 . 2009-05-09 10:03 441408 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-05-09 20:51 . 2009-05-09 10:03 334912 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-05-09 20:51 . 2009-05-09 10:03 171072 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-05-09 20:51 . 2009-05-09 10:03 874660 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-05-09 20:51 . 2009-05-09 10:03 57344 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-05-09 20:51 . 2009-05-09 10:03 479232 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-05-09 20:51 . 2009-05-09 10:03 2669632 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-05-09 10:03 . 2009-05-09 10:03 874660 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbcls.dll
2009-05-09 10:03 . 2009-05-09 10:03 57344 ----a-w- c:\documents and settings\Canniballistic\Application Data\id Software\quakelive\home\pb\pbags.dll
2009-05-09 09:58 . 2009-05-09 09:58 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\id Software
2009-05-09 09:56 . 2009-05-09 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-05-08 00:50 . 2009-04-29 23:48 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-08 00:47 . 2009-05-08 00:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-05-08 00:24 . 2009-05-08 00:24 -------- d-----w- c:\documents and settings\Canniballistic\Application Data\teamspeak2
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-07-03 1793808]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-11 20992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Canniballistic\Start Menu\Programs\Startup\
Xfire.lnk - f:\program files\Xfire\Xfire.exe [2009-6-12 3182928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Start GetRight.lnk - f:\program files\GetRight\getright.exe [2006-11-24 4572232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [14/05/2009 9:43 PM 131912]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [14/05/2009 9:43 PM 25160]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 17:17
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-2147198587-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:41,6b,72,df,68,5f,a6,a2,4b,17,8b,d4,0b,22,43,97,a0,b6,b8,7c,a3,d4,43,
95,6b,ce,96,27,75,cb,46,c3,f8,17,f8,89,d1,4d,2c,d7,6b,e2,fb,99,bd,2a,7b,f1,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-583907252-2147198587-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:0b,ad,b5,85,d8,19,01,2d,c6,d0,73,fe,19,f4,6b,47,11,ea,3f,21,4d,
74,5c,ee,f2,19,d4,c0,75,2a,22,8f,c2,90,9e,86,32,03,59,36,b5,ee,c9,16,13,e3,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
Completion time: 2009-07-04 17:19
ComboFix-quarantined-files.txt 2009-07-04 07:19

Pre-Run: 25,698,541,568 bytes free
Post-Run: 25,869,127,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

252 --- E O F --- 2009-06-16 03:05
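As an added example (not code from this thread, from ComboFix or from the forum's analysts), the script below reads "Reg Loading Points" lines in the shape printed in the log above, reports the Security Center override values, the disabled Windows Firewall standard profile and the AppInit_DLLs entry, and emits the REGEDIT4 text that resets any override found set to 1 back to 0. The sample lines are constructed copies of the log's own entries; the section-suffix matching is an assumption made to cope with ComboFix abbreviating HKLM.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output (added example).

Assumes the formats seen in the log: '[key]' section headers,
'"name"=dword:00000001', ComboFix's '"name"= 0 (0x0)' rendering,
and '"AppInit_DLLs"=path'.
"""
import re

# Constructed sample built from the entries in the log above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.*?)\s*$')


def parse_reg_points(text):
    """Return {section_key_lower: {value_name_lower: raw_value_string}}."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name").lower()] = m.group("raw")
    return sections


def dword_value(raw):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' rendering to an int."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\b", raw)
    return int(m.group(1)) if m else None


def find_key(sections, suffix):
    """Find a section whose key ends with suffix (ComboFix abbreviates HKLM)."""
    for key, values in sections.items():
        if key.endswith(suffix):
            return values
    return {}


def triage(text):
    """List the settings a helper would want to check before deciding on a fix."""
    sections = parse_reg_points(text)
    findings = []
    sc = find_key(sections, r"\microsoft\security center")
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if dword_value(sc.get(name.lower(), "dword:0")) == 1:
            # A 1 here tells Security Center not to alert about that component.
            findings.append(f"{name}=1: Security Center alerts for this component are suppressed")
    fw = find_key(sections, r"\firewallpolicy\standardprofile")
    if dword_value(fw.get("enablefirewall", "1")) == 0:
        findings.append("EnableFirewall=0: Windows Firewall is off for the standard profile")
    win = find_key(sections, r"\currentversion\windows")
    if win.get("appinit_dlls", "").strip():
        # Listed for review only: in the log, guard32.dll shares its timestamps
        # with the COMODO drivers, so it is not flagged as malicious here.
        findings.append("AppInit_DLLs loads into every user-mode process: " + win["appinit_dlls"])
    return findings


def override_fix_reg(text):
    """Build REGEDIT4 text resetting every override found set to 1 back to 0."""
    sc = find_key(parse_reg_points(text), r"\microsoft\security center")
    resets = [n for n in ("AntiVirusOverride", "FirewallOverride")
              if dword_value(sc.get(n.lower(), "dword:0")) == 1]
    if not resets:
        return ""
    lines = ["REGEDIT4", "", r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"]
    lines += [f'"{n}"=dword:00000000' for n in resets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
    print(override_fix_reg(SAMPLE_LOG))
```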
Old 07-04-2009, 07:58 AM   #5 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,627
OS: XP SP3


Re: Help Request

Hello, Canniballistic. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

It appears you have P2P software (Azureus) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it; however, that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save the file as fix.reg, choose Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
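Added here as an editor's example (not code from the forum, from chemist, or from Microsoft): a small Python checker for the fix.reg text above. It confirms the file carries a header regedit accepts, flags a leading byte-order mark or a missing final newline (both common reasons for the "not a registry script" error), and reads back the two Security Center override flags the fix resets. The function names parse_reg and security_center_overrides and the sample byte strings are this example's own.

```python
"""Check a REGEDIT4-style .reg file before merging it.

Added example for this thread (not a tool from the forum, Microsoft, or any
vendor). It parses the fix.reg text posted above, reports encoding problems
that make regedit refuse a file, and reads back the Security Center override
flags so you can see what the fix sets.
"""
import codecs
import re
from typing import Dict, List, Tuple

# Constructed sample: the fix.reg content from the post, as plain ANSI bytes.
FIX_REG_ANSI = (
    b"REGEDIT4\r\n"
    b"\r\n"
    b"[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]\r\n"
    b'"AntiVirusOverride"=dword:00000000\r\n'
    b'"FirewallOverride"=dword:00000000\r\n'
)
# Constructed sample: the same text saved by an editor that prepends a UTF-8 BOM.
FIX_REG_UTF8_BOM = codecs.BOM_UTF8 + FIX_REG_ANSI

SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\security center"
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')

RegKeys = Dict[str, Dict[str, object]]


def parse_reg(data: bytes) -> Tuple[RegKeys, List[str]]:
    """Parse raw .reg bytes into {key: {value_name: value}} plus a list of problems.

    Only the two value forms used in the post (dword and quoted string) are
    handled; anything else is reported as unrecognised rather than parsed.
    """
    problems: List[str] = []
    if data.startswith(codecs.BOM_UTF8):
        problems.append("file starts with a UTF-8 BOM; regedit rejects this as 'not a registry script'")
        data = data[len(codecs.BOM_UTF8):]
    if data.startswith(codecs.BOM_UTF16_LE):
        text = data.decode("utf-16")
    else:
        text = data.decode("latin-1")  # REGEDIT4 files are plain ANSI text
    if not text.endswith(("\n", "\r")):
        problems.append("no newline after the last line; regedit may ignore that value")

    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    if header not in VALID_HEADERS:
        problems.append(f"unexpected header {header!r}; expected one of {VALID_HEADERS}")

    keys: RegKeys = {}
    current = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            problems.append(f"line {lineno}: value outside any [key] section")
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
            continue
        problems.append(f"line {lineno}: unrecognised value syntax: {line!r}")
    return keys, problems


def security_center_overrides(keys: RegKeys) -> Dict[str, int]:
    """Return the *Override flags the file sets under the Security Center key.

    Security Center treats a value of 1 as 'do not alert about this component',
    which is why malware sets it to hide a disabled antivirus or firewall; the
    fix in the post writes both flags back to 0.
    """
    for key, values in keys.items():
        if key.lower() == SECURITY_CENTER_KEY.lower():
            return {name: int(v) for name, v in values.items()
                    if name.endswith("Override") and isinstance(v, int)}
    return {}


if __name__ == "__main__":
    for label, blob in (("ANSI", FIX_REG_ANSI), ("UTF-8 BOM", FIX_REG_UTF8_BOM)):
        parsed, issues = parse_reg(blob)
        print(label, security_center_overrides(parsed), issues or "OK")
```

Run it against a real file with `parse_reg(open("fix.reg", "rb").read())`; an empty problems list means the header, encoding and line endings are in the shape regedit expects, and the returned flags show exactly which alerts the merge will turn back on.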
Old 07-04-2009, 11:40 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2009
Location: N.S.W., Australia
Posts: 10
OS: XP Service Pack 3


Re: Help Request

After removing the root-kit I was able to start up and run both Malwarebytes Anti-Malware and Spybot S&D, then finished it off by running a scan through COMODO, and after they removed what could be found my system was considerably better off. I am still, however, having one slight problem: my browser seems to be speaking with a website by the name of "doubleclick", sounding like a pretty obvious adware site.

As far as I'm concerned about Azureus, FEAR NOT! I'm a disciplined P2P user, never using in-built search engines and only using trusted torrents, so Azureus isn't, hasn't been and most likely will not become a risk to my system, and I'm well aware of where I found this collection of malware/adware.

I couldn't merge the registry file. It returned an error saying it wasn't a registry script and could only be merged inside regedit. I would merge it manually, but last time I played with regedit I needed to format. ><

I couldn't select "Firefox" in ATF-Cleaner, although the rest of the settings worked fine. I do have CCleaner (which I've run), though whether it does the same thing or not I'm not sure of.

Kaspersky reported the following as infected:
C:\Qoobox\Quarantine\C\WINDOWS\System32\drivers\MSIVXyedvjxvveqmtjppxpuwmyxijyovtxdrj.sys.vir
~\System32\MSIVX~.dll.vir
~\System32\MSIVX~.dll.vir

(Note: I use the tilde (~) to skip writing the random letters in the file names and to indicate the same directory as above. I have a copy of the full names at hand just in case. I would have liked to provide the full report but, alas, both times I ran the scan it would not open a window to save the report, just deactivating the "Save Report As" button.)
Old 07-05-2009, 12:48 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,627
OS: XP SP3


Re: Help Request

Quote:
After removing the root-kit I was able to start up and run both Malwarebytes Anti-Malware and Spybot S&D then finished it off by running a scan through COMODO
What part of the following did you not understand?

Quote:
Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-06-2009, 06:02 PM   #8 (permalink)
Registered User
 
Join Date: Jun 2009
Location: N.S.W., Australia
Posts: 10
OS: XP Service Pack 3


Re: Help Request

Sorry, I read everything and didn't remember seeing you write that. The fewer problems on my computer the better, right? So what's the big deal?
Old 07-06-2009, 09:59 PM   #9 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,627
OS: XP SP3


Re: Help Request

You came to this forum for help. Who's going to fix it, you or me? Let me know.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-07-2009, 12:12 AM   #10 (permalink)
Registered User
 
Join Date: Jun 2009
Location: N.S.W., Australia
Posts: 10
OS: XP Service Pack 3


Re: Help Request

Dude, I apologised; what do you want from me? Will you help me, or do you want to just try and make me feel inferior?

Let me know that too.
Old 07-07-2009, 02:04 PM   #11 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,627
OS: XP SP3


Re: Help Request

Sorry, that wasn't my intention. Did you run Kaspersky before or after MBAM and COMODO?

Please post the MBAM and COMODO logs in your next reply. You can find the MBAM log under the Logs tab. I am unfamiliar with COMODO.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-07-2009, 07:52 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Location: N.S.W., Australia
Posts: 10
OS: XP Service Pack 3


Re: Help Request

It's all good. I scanned before using Kaspersky.

I was also going to upload a Spybot S&D log, but it seems they may not make any; also, the COMODO log had to be HTML and also had to show a few extra files that had nothing to do with the original problem (e.g. flash mute).

I'm sorry again if this causes any problems; it wasn't my intention.
Attached Files
File Type: zip logs.zip (2.0 KB, 1 views)
Old 07-07-2009, 10:25 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,627
OS: XP SP3


Re: Help Request

Hello again, Canniballistic.

Quote:
I am still, however, having one slight problem: my browser seems to be speaking with a website by the name of "doubleclick", sounding like a pretty obvious adware site.
Does it prevent you from going to the desired site? Read here about doubleclick > http://en.wikipedia.org/wiki/DoubleClick

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 07-07-2009, 10:43 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2009
Location: N.S.W., Australia
Posts: 10
OS: XP Service Pack 3


Re: Help Request

Ah, I think I understand, and no, I'm not being redirected or halted, but the only reason I noticed it is because my browser was lagged and I noticed it was talking to doubleclick at the time.

I've also noticed lag spikes in my computer and sometimes with my internet where I never had problems before. The lag spikes are the only real thing out of the usual anymore.

I assume whatever is lagging my computer lagged my browser, and I assumed it was doubleclick when I saw the address.
Old 07-08-2009, 10:24 AM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,627
OS: XP SP3


Re: Help Request

Hello again, Canniballistic. Not sure about the lag.

You may want to try our Windows XP Support Forum

Let them know you were here first and were cleared of malware.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the Kaspersky report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable COMODO before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles. To help protect your computer in the future, I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
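The MVPS HOSTS step above relies on the fact that a HOSTS entry pointing a hostname at 127.0.0.1 (or 0.0.0.0) keeps the browser from ever reaching that site. Malware uses the same file in the opposite direction, pointing search engines or security-vendor sites at an address it controls, which is one way the Google redirects reported at the top of this thread can be produced. Added here as an editor's example (not part of the MVPS package or of any tool the post names): a Python audit that reads a HOSTS file and separates legitimate block entries from entries that send a hostname somewhere other than loopback. The sample file, the TEST-NET-3 address 203.0.113.45 and the function name audit_hosts are constructed for this example.

```python
"""Audit a Windows HOSTS file for hijacked entries.

Added example for this thread, not part of the MVPS HOSTS package or any tool
the post names. A blocklist HOSTS file maps ad and malware hostnames to a
loopback or unspecified address so the browser never reaches them; malware
maps legitimate hostnames to an address it controls. This script tells the
two apart. On Windows the live file is %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
import sys
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample HOSTS file: the stock localhost lines, two block entries in
# the MVPS style, and two entries of the kind a redirecting infection leaves
# behind (203.0.113.45 is a TEST-NET-3 documentation address, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1  ad.doubleclick.net        # example block entry
0.0.0.0    banner.example-ads.test   # example block entry
203.0.113.45   www.google.com        # constructed hijack
203.0.113.45   update.example-av.test
not-an-address  broken.example.test
"""


@dataclass
class HostsAudit:
    """Result buckets: every hostname in the file lands in exactly one."""
    localhost_entries: List[str] = field(default_factory=list)     # addresses given for 'localhost'
    blocked: List[str] = field(default_factory=list)               # hostnames sent to a sinkhole
    hijacked: List[Tuple[str, str]] = field(default_factory=list)  # (hostname, real address)
    malformed: List[str] = field(default_factory=list)             # lines that did not parse


def audit_hosts(text: str) -> HostsAudit:
    """Classify each hostname in HOSTS-file text by where it is being sent."""
    result = HostsAudit()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            result.malformed.append(f"line {lineno}: {raw.strip()!r}")
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            result.malformed.append(f"line {lineno}: bad address {parts[0]!r}")
            continue
        # 127.0.0.0/8, ::1, 0.0.0.0 and :: are the addresses a blocklist legitimately uses.
        sinkhole = ip.is_loopback or ip.is_unspecified
        for host in parts[1:]:
            host = host.lower()
            if sinkhole and host == "localhost":
                result.localhost_entries.append(str(ip))
            elif sinkhole:
                result.blocked.append(host)
            else:
                result.hijacked.append((host, str(ip)))
    return result


def summarize(audit: HostsAudit) -> str:
    """One-line verdict suitable for a forum reply."""
    if audit.hijacked:
        names = ", ".join(f"{h} -> {a}" for h, a in audit.hijacked)
        return f"SUSPICIOUS: {len(audit.hijacked)} hostname(s) redirected: {names}"
    return f"OK: {len(audit.blocked)} blocked hostname(s), no redirections"


if __name__ == "__main__":
    # Pass a path (e.g. the live Windows HOSTS file) to audit it; otherwise use the sample.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    report = audit_hosts(data)
    print(summarize(report))
    for item in report.malformed:
        print("malformed:", item)
```

The distinction the script draws is the one that matters when reviewing a HOSTS file after an infection: thousands of entries pointing at 127.0.0.1 are expected once MVPS is installed, while even one well-known hostname pointing at a routable address deserves a closer look.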
Old 07-09-2009, 03:37 AM   #17 (permalink)
Registered User
 
Join Date: Jun 2009
Location: N.S.W., Australia
Posts: 10
OS: XP Service Pack 3


Re: Help Request

Ok, well, thanks for all the help; I really appreciate it.
Old 07-09-2009, 02:48 PM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,627
OS: XP SP3


Re: Help Request

You're very welcome, Canniballistic! Glad to have helped.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
All times are GMT -7. The time now is 04:19 AM.
Copyright 2001 - 2009, Tech Support Forum