
0x8ddd0018 error and Hijack scan!Pl help

Re: 0x8ddd0018 error and Hijack scan!Pl help

by John B. » October 9th, 2008, 2:27 am

Hi,

Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop!

Now close any open browsers. Also close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. For information on how to do that for your programs, see this webpage:
http://www.bleepingcomputer.com/forums/topic114351.html
Before disabling your security program, disconnect from the internet, as you can get infected very easily with your security disabled.

Open Notepad and copy/paste the text in the box into the window:

Code:
DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

File::
C:\WINDOWS\system32\cbXrSjjG.dll
C:\WINDOWS\TEMP\mc21.tmp

Driver::
mchInjDrv


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again. Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report will also be saved in C:\ComboFix.txt. Also post the DeQuarantine_log.txt log which will be produced.

Note: Remember to reconnect and re-enable your antivirus and anti-malware programs.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

by doldi » October 9th, 2008, 4:28 pm

Hi there,

here is the log file.

ComboFix 08-10-08.05 - vali 2008-10-09 21:04:17.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2225 [GMT 1:00]
Running from: C:\Documents and Settings\vali\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\vali\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\cbXrSjjG.dll
C:\WINDOWS\TEMP\mc21.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbXrSjjG.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Service_mchInjDrv


((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-08 21:49 . 2008-10-08 21:49 3,120 --a------ C:\WINDOWS\system32\0810be8f-b2fd-4cfc-bbc2-e45e10a7568b.dll
2008-10-08 21:49 . 2008-10-08 21:49 3,120 --a------ C:\WINDOWS\3fb680fe-6b4e-43bc-aa56-f398c3caf31b.ocx
2008-10-08 17:11 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-10-07 22:47 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-10-07 22:47 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\vali\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-04-17 05:25 80,584 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-10-06 18:47 . 2008-04-17 05:25 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-10-06 18:47 . 2008-04-17 05:25 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-10-06 15:56 . 2008-10-06 15:56 <DIR> d-------- C:\Documents and Settings\vali\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-05 14:28 . 2008-10-05 14:28 <DIR> d-------- C:\Documents and Settings\vali\Application Data\dvdcss
2008-10-05 14:27 . 2008-10-05 14:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-05 14:19 . 2008-10-05 14:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-05 14:09 . 2008-10-05 14:09 0 --a------ C:\WINDOWS\iPlayer.INI
2008-10-05 14:06 . 2008-10-05 14:06 <DIR> d-------- C:\Program Files\InterActual
2008-10-01 21:18 . 2008-10-01 21:18 <DIR> d--hs---- C:\FOUND.003
2008-09-30 22:53 . 2008-09-30 22:53 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Apple Computer
2008-09-30 22:53 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-09-30 22:53 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\Program Files\QuickTime
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-30 22:51 . 2008-09-30 22:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-30 21:54 . 2008-09-30 21:54 <DIR> d--hs---- C:\FOUND.002
2008-09-30 19:09 . 2008-09-30 19:09 <DIR> d--hs---- C:\FOUND.001
2008-09-30 18:28 . 2008-09-30 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-30 17:23 . 2008-09-30 17:23 <DIR> d--hs---- C:\FOUND.000
2008-09-29 21:43 . 2008-09-29 21:43 <DIR> d-------- C:\Program Files\Kontiki
2008-09-29 11:33 . 2008-09-29 11:33 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Uniblue
2008-09-27 18:43 . 2008-09-27 18:43 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-26 16:57 . 2008-09-26 16:57 <DIR> d-------- C:\WINDOWS\Bs350u2
2008-09-26 16:57 . 2004-12-02 20:23 605,312 --a------ C:\WINDOWS\system32\drivers\Bs350u2.sys
2008-09-26 16:57 . 2004-10-07 20:38 81,920 --a------ C:\WINDOWS\system\vfwExtC.dll
2008-09-26 16:57 . 2004-10-07 20:25 77,824 --a------ C:\WINDOWS\system\FiltProp.dll
2008-09-26 16:57 . 2004-11-29 12:36 40,960 --a------ C:\WINDOWS\Bs350u2r.exe
2008-09-26 16:57 . 2003-09-22 13:49 15,190 --a------ C:\WINDOWS\M1000Twn.ini
2008-09-26 16:57 . 2003-09-22 14:36 13,448 --a------ C:\WINDOWS\M1000Twn.src
2008-09-26 16:57 . 2004-06-17 22:23 12,537 --a------ C:\WINDOWS\system\S10H0110.csr
2008-09-26 16:57 . 2004-06-26 17:39 11,528 --a------ C:\WINDOWS\system\S10F0110.csr
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10H0110.bin
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10F0110.bin
2008-09-26 14:56 . 2008-09-26 14:56 <DIR> d-------- C:\Program Files\MagicDisc
2008-09-24 13:07 . 2008-09-24 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 13:19 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-05 13:19 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-09-04 13:03 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-04 12:58 --------- d-----w C:\Program Files\NOS
2008-09-04 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-04 11:15 --------- d-----w C:\Program Files\PowerISO
2008-09-04 11:02 --------- d-----w C:\Documents and Settings\vali\Application Data\Canon
2008-09-03 23:49 --------- d-----w C:\Program Files\Apple Software Update
2008-09-03 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-03 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-09-03 14:02 --------- d-----w C:\Program Files\Bonjour
2008-09-03 13:58 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-09-03 13:42 --------- d-----w C:\Program Files\MagicISO
2008-09-02 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 21:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-02 17:41 --------- d-----w C:\Program Files\DNA
2008-09-01 12:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-08-29 21:09 --------- d-----w C:\Program Files\Real
2008-08-29 21:09 --------- d-----w C:\Program Files\Common Files\Real
2008-08-29 19:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-08-29 09:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 22:46 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-28 22:43 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-28 22:42 --------- d-----w C:\Program Files\Windows Live
2008-08-28 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-28 22:38 --------- d-----w C:\Documents and Settings\vali\Application Data\skypePM
2008-08-28 22:37 --------- d-----w C:\Program Files\Skype
2008-08-28 22:37 --------- d-----w C:\Program Files\Google
2008-08-28 22:37 --------- d-----w C:\Program Files\Common Files\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\vali\Application Data\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-28 22:11 --------- d-----w C:\Program Files\ESET
2008-08-28 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-08-28 19:57 --------- d-----w C:\Program Files\WIDCOMM
2008-08-28 19:56 --------- d-----w C:\Program Files\Wlan
2008-08-28 19:53 --------- d-----w C:\Program Files\Synaptics
2008-08-28 19:44 --------- d-----w C:\Program Files\Realtek
2008-08-28 19:41 --------- d-----w C:\Program Files\Intel
2008-08-28 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 19:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-28 19:32 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-18 12:27 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-08-18 12:19 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-08-18 12:18 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-07_12.01.06.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-07 21:47:38 65,536 ----a-r C:\WINDOWS\Installer\{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}\ARPPRODUCTICON.exe
+ 2008-10-07 21:47:30 65,536 ----a-r C:\WINDOWS\Installer\{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}\ARPPRODUCTICON.exe
+ 2007-02-20 14:34:06 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
- 2008-03-24 19:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-02-20 15:04:02 2,463,976 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-24 19:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-02-20 15:04:04 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-03-12 13:02:26 947,472 ----a-w C:\WINDOWS\system32\msjava.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-29 5898240]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-04-29 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-04-29 708698]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 196608]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"OnlineArmor GUI"="D:\Programs\Online Armor\oaui.exe" [2008-04-17 5545536]
"PtiuPbmd"="ptipbm.dll" [2005-01-14 C:\WINDOWS\system32\ptipbm.dll]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-29 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-29 C:\WINDOWS\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2005-04-29 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2001-12-26 C:\WINDOWS\mHotkey.exe]

C:\Documents and Settings\vali\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-09-26 575488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WLAN Configuration Utility.lnk - C:\Program Files\Wlan\IPN2220\wlan_ui.exe [2004-11-08 454656]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-03-03 512061]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "D:\Programs\ONLINE~1\oaevent.dll" [2008-04-17 671432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\USMT\\MIGWIZ.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-08-18 34312]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 80584]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-17 32456]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 28872]
R2 SvcOnlineArmor;Online Armor;D:\Programs\Online Armor\oasrv.exe [2008-04-17 5435968]
R3 Slazldrv;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slazldrv.sys [2005-04-29 230448]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-04-27 148480]

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder

2008-09-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 21:10:53
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc22.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
C:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\EKRN.EXE
C:\PROGRAM FILES\KONTIKI\KSERVICE.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\SLSERV.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTSTACKSERVER.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-10-09 21:13:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 20:13:42
ComboFix3.txt 2008-10-07 11:01:22
ComboFix2.txt 2008-10-07 20:47:58

Pre-Run: 284,819,456 bytes free
Post-Run: 694,444,032 bytes free

234 --- E O F --- 2008-10-08 17:50:03

I could not find the quarantine file, but I found this file, ComboFix-quarantined-files, in Qoobox on drive C. It's a folder that seems to be related to ComboFix.


2007-02-28 21:05:10 952,775 C:\Qoobox\Quarantine\C\WINDOWS\system32\agxjkwcg.ini.vir
2007-02-28 21:07:18 952,775 C:\Qoobox\Quarantine\C\WINDOWS\system32\tbpgomms.ini.vir
2008-04-17 12:12:54 107,368 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll.vir
2008-04-17 12:12:54 15,464 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys.vir
2008-04-17 12:12:54 2,761 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf.vir
2008-04-17 12:12:54 319,456 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll.vir
2008-04-24 07:25:18 11,168 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat.vir
2008-07-04 12:35:40 54,632 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe.vir
2008-09-26 21:40:12 950,354 C:\Qoobox\Quarantine\C\WINDOWS\system32\bhraspsi.ini.vir
2008-09-27 09:29:28 952,775 C:\Qoobox\Quarantine\C\WINDOWS\system32\vatpdchi.ini.vir
2008-09-27 16:54:10 0 C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-09-29 08:52:18 952,775 C:\Qoobox\Quarantine\C\WINDOWS\system32\refbrbcv.ini.vir
2008-09-30 11:43:22 924,054 C:\Qoobox\Quarantine\C\WINDOWS\system32\upelejdv.ini.vir
2008-10-02 11:47:30 712,531 C:\Qoobox\Quarantine\C\WINDOWS\system32\knXyGfhk.ini2.vir
2008-10-02 11:50:06 712,531 C:\Qoobox\Quarantine\C\WINDOWS\system32\knXyGfhk.ini.vir
2008-10-04 17:11:58 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJAtQGa.dll.vir
2008-10-04 18:26:12 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkJaAqP.dll.vir
2008-10-05 13:00:28 325,982 C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcCRHYr.dll.vir
2008-10-05 14:00:28 325,666 C:\Qoobox\Quarantine\C\WINDOWS\system32\efcAPICU.dll.vir
2008-10-05 15:00:30 325,982 C:\Qoobox\Quarantine\C\WINDOWS\system32\urqOEwVo.dll.vir
2008-10-05 16:00:30 0 C:\Qoobox\Quarantine\C\WINDOWS\system32\fccaWOEW.dll.vir
2008-10-05 18:00:50 325,982 C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRIxwTN.dll.vir
2008-10-05 19:00:52 325,982 C:\Qoobox\Quarantine\C\WINDOWS\system32\urqOHAQh.dll.vir
2008-10-05 20:00:54 325,982 C:\Qoobox\Quarantine\C\WINDOWS\system32\geBqOHAQ.dll.vir
2008-10-05 21:00:54 325,982 C:\Qoobox\Quarantine\C\WINDOWS\system32\urqPfgEx.dll.vir
2008-10-06 12:36:58 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\pMDuSMDu.dll.vir
2008-10-06 15:37:02 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\ljjIaWOf.dll.vir
2008-10-06 19:29:18 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\khfGwWOG.dll.vir
2008-10-06 20:29:26 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJAQGxw.dll.vir
2008-10-07 10:43:42 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvTmMeE.dll.vir
2008-10-07 11:01:08 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-10-07 11:01:08 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-10-07 11:01:08 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-10-07 11:01:08 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{4A1E7A41-7B76-4991-B5E7-8A1CBC2C808E}.reg.dat
2008-10-07 11:01:10 149 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-484c15da.reg.dat
2008-10-07 11:01:10 176 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Uniblue RegistryBooster 2009.reg.dat
2008-10-07 13:07:38 324,564 C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXrSjjG.dll.vir
2008-10-07 17:51:08 326,016 C:\Qoobox\Quarantine\C\WINDOWS\system32\efccYRHX.dll.vir
2008-10-07 20:37:10 744 C:\Qoobox\Quarantine\C\WINDOWS\system32\XHRYccfe.ini2.vir
2008-10-07 20:37:40 744 C:\Qoobox\Quarantine\C\WINDOWS\system32\XHRYccfe.ini.vir
2008-10-07 20:47:46 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{E7604E8A-43F0-4005-885A-DF2A385E1FB7}.reg.dat
2008-10-07 20:47:50 498 C:\Qoobox\Quarantine\Registry_backups\Notify-cbXRKCvT.reg.dat
2008-10-07 20:48:00 975,537 C:\Qoobox\Quarantine\[4]-Submit_2008-10-07@21.37.zip
2008-10-09 20:07:46 8,017 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-09 20:08:12 1,290 C:\Qoobox\Quarantine\Registry_backups\Legacy_MCHINJDRV.reg.dat
2008-10-09 20:08:12 850 C:\Qoobox\Quarantine\Registry_backups\Service_mchInjDrv.reg.dat
2008-10-09 20:08:38 270 C:\Qoobox\Quarantine\catchme.log

Thanks
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm
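As an added example (not part of the thread, and not ComboFix's or the MalwareRemoval helpers' own tooling), here is a Python script that cross-checks the CFScript from John B.'s post against the ComboFix report in doldi's reply: it parses the script's directives (DeQuarantine::, File::, Driver::) and the report's banner-delimited sections, then says which requested actions the report actually confirms. The embedded CFSCRIPT and LOG strings are trimmed copies of the text in those two posts; the section titles and the `-------\Legacy_` / `-------\Service_` line format are taken from the report as posted, and the function names are the example's own.

```python
"""
Cross-check a ComboFix CFScript against the ComboFix report it produced.

Added example for this thread, not ComboFix's own code and not tooling the
helpers use.  CFSCRIPT and LOG below are trimmed copies of the script and
report posted in the thread.
"""
import re

# Trimmed copy of the CFScript posted by John B.
CFSCRIPT = r"""
DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

File::
C:\WINDOWS\system32\cbXrSjjG.dll
C:\WINDOWS\TEMP\mc21.tmp

Driver::
mchInjDrv
"""

# Trimmed copy of the relevant sections of the report doldi posted.
LOG = r"""
ComboFix 08-10-08.05 - vali 2008-10-09 21:04:17.5 - FAT32x86
Command switches used :: C:\Documents and Settings\vali\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\cbXrSjjG.dll
C:\WINDOWS\TEMP\mc21.tmp
.

((((((((((((( Other Deletions )))))))))))))
.

C:\WINDOWS\system32\cbXrSjjG.dll

.
((((((((((((( Drivers/Services )))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Service_mchInjDrv


((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))
.
"""

# A report section banner looks like "(((( Title ))))"; the paren counts vary.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Return {directive: [entries]}; a directive is a line ending in '::'."""
    directives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def parse_report_sections(text):
    """Return {section title: [content lines]} for the banner-delimited sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def verify(cfscript_text, report_text):
    """Map each (directive, entry) to True/False (confirmed by the report or not)
    or None when the main report cannot confirm it at all."""
    script = parse_cfscript(cfscript_text)
    sections = parse_report_sections(report_text)
    deleted = {l.lower() for l in sections.get("Other Deletions", [])}
    services = {l.lower() for l in sections.get("Drivers/Services", [])}
    results = {}
    for path in script.get("File", []):
        results[("File", path)] = path.lower() in deleted
    for drv in script.get("Driver", []):
        # ComboFix records a removed driver as its Legacy_ and Service_ keys.
        keys = {"-------\\service_" + drv.lower(), "-------\\legacy_" + drv.lower()}
        results[("Driver", drv)] = bool(keys & services)
    for entry in script.get("DeQuarantine", []):
        # Restores are written only to the separate DeQuarantine_log.txt, which
        # the main report does not carry, so they need manual follow-up.
        results[("DeQuarantine", entry)] = None
    return results


if __name__ == "__main__":
    labels = {True: "confirmed", False: "NOT confirmed", None: "check DeQuarantine_log.txt"}
    for (directive, entry), ok in verify(CFSCRIPT, LOG).items():
        print(f"{directive:13} {labels[ok]:27} {entry}")
```

Run as-is, it reports cbXrSjjG.dll and the mchInjDrv service as confirmed, mc21.tmp as not confirmed (the report echoes it under FILE :: but never lists it under Other Deletions), and the DeQuarantine entry as needing the separate DeQuarantine_log.txt, which is the gap John B.'s next reply follows up on.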

Re: 0x8ddd0018 error and Hijack scan!Pl help

by John B. » October 10th, 2008, 2:21 am

Hi,

Can you please tell me if this file is present on your computer:
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll
Or is this folder even not there:

C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86

Step 1: Install Recovery Console
Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop!

Now go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System (select Windows XP Service Pack 2 when you are running Service Pack 3).

Image

Download the file & save it as it's originally named on your desktop next to ComboFix.exe.

Image

Now close any open browsers. Also close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. For information on how to do that for your programs, see this webpage:
http://www.bleepingcomputer.com/forums/topic114351.html
Before disabling your security program, disconnect from the internet, as you can get infected very easily with your security disabled.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click No to exit ComboFix.

    Image
  • When finished, it will produce a report for you. This report may also be saved in C:\ComboFix.txt, but I am not sure. Please check the date in the header of the ComboFix log.

Note: Remember to reconnect and re-enable your antivirus and anti-malware programs.

Step 2: Download and Run Gmer
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Disconnect from the internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... say OK.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab, then the Scan button. Once it's done, click the Copy button and paste it into a new Notepad document. Save that document to your desktop please.

Step 3: Post logs
Please post the following logs in a reply to this topic (use multiple posts if needed):
  • Let me know if the file and the folder I listed are present
  • Possible ComboFix log
  • Gmer log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

by doldi » October 11th, 2008, 5:29 pm

Hello :compress:

The file you asked me for is not in there; in fact, the whole folder is non-existent.

Here are the logs
CF-RC (ComboFix):
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Rootkit:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-11 22:23:51
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xAF444C90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xAF4450C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwConnectPort [0xAF444580]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateFile [0xAF4465D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateKey [0xAF447170]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreatePort [0xAF444440]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcess [0xAF4451F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcessEx [0xAF442FD0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateSection [0xAF442BD0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateThread [0xAF443580]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDebugActiveProcess [0xAF443E10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDeleteFile [0xAF446C30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDeleteKey [0xAF446050]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDeleteValueKey [0xAF4479E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwEnumerateKey [0xAF4465B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwEnumerateValueKey [0xAF4465C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwLoadDriver [0xAF444B00]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwLoadKey [0xAF447D50]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenFile [0xAF446990]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenKey [0xAF446200]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenProcess [0xAF4432E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenSection [0xAF442E00]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenThread [0xAF443960]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0xAF444E00]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwQueryKey [0xAF446590]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwQueryValueKey [0xAF4465A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwReplaceKey [0xAF446210]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0xAF4447D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRestoreKey [0xAF4463D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwResumeThread [0xAF4441C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSaveKey [0xAF446580]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSetContextThread [0xAF443CC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSetInformationFile [0xAF446E90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSetValueKey [0xAF4474D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwShutdownSystem [0xAF444A40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSuspendProcess [0xAF444300]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSuspendThread [0xAF444060]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSystemDebugControl [0xAF443F40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwTerminateProcess [0xAF443430]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwTerminateThread [0xAF443B50]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0xAF444F60]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C42 805044CE 2 Bytes [ 44, AF ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504508 12 Bytes [ 40, 44, 44, AF, F0, 51, 44, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CBE 8050454A 6 Bytes [ 44, AF, 50, 60, 44, AF ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [ 00, 43, 44, AF, 60, 40, 44, ... ]
? C:\WINDOWS\system32\drivers\OAnet.sys Access is denied.
? C:\WINDOWS\system32\drivers\OAmon.sys Access is denied.
? C:\WINDOWS\system32\drivers\OADriver.sys Access is denied.
? C:\WINDOWS\TEMP\mc22.tmp The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[268] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[268] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[268] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[268] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[268] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Kontiki\KService.exe[356] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\nvsvc32.exe[464] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\svchost.exe[560] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\slserv.exe[648] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\notepad.exe[900] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\notepad.exe[900] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\notepad.exe[900] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\notepad.exe[900] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\notepad.exe[900] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\notepad.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\notepad.exe[1032] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\notepad.exe[1032] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\notepad.exe[1032] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\notepad.exe[1032] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1932] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1948] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1988] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1988] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2248] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2248] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2248] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2248] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2248] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\mHotkey.exe[2272] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\mHotkey.exe[2272] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\mHotkey.exe[2272] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\mHotkey.exe[2272] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\mHotkey.exe[2272] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\vali\Desktop\gmer.exe[2444] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\vali\Desktop\gmer.exe[2444] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\vali\Desktop\gmer.exe[2444] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\vali\Desktop\gmer.exe[2444] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Documents and Settings\vali\Desktop\gmer.exe[2444] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2496] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2496] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2496] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2496] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2496] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2500] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2500] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2500] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2500] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2500] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2560] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2560] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2560] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2560] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2560] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\PowerISO\PWRISOVM.EXE[2612] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\PowerISO\PWRISOVM.EXE[2612] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\PowerISO\PWRISOVM.EXE[2612] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\PowerISO\PWRISOVM.EXE[2612] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\PowerISO\PWRISOVM.EXE[2612] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2672] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2672] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2672] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2672] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2672] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[2676] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Kontiki\KHost.exe[2716] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Kontiki\KHost.exe[2716] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Kontiki\KHost.exe[2716] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Kontiki\KHost.exe[2716] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Kontiki\KHost.exe[2716] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\explorer.exe[2768] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\explorer.exe[2768] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\explorer.exe[2768] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\explorer.exe[2768] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\explorer.exe[2768] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text D:\Programs\Online Armor\oaui.exe[2876] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\System32\alg.exe[3092] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[3096] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[3096] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[3096] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[3096] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[3096] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[3272] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[3272] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[3272] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[3272] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\ctfmon.exe[3272] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[3580] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscntfy.exe[3580] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[3580] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[3580] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\wscntfy.exe[3580] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Wlan\IPN2220\wlan_ui.exe[3656] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Wlan\IPN2220\wlan_ui.exe[3656] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Wlan\IPN2220\wlan_ui.exe[3656] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Wlan\IPN2220\wlan_ui.exe[3656] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Wlan\IPN2220\wlan_ui.exe[3656] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\MagicDisc\MagicDisc.exe[3828] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\MagicDisc\MagicDisc.exe[3828] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\MagicDisc\MagicDisc.exe[3828] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\MagicDisc\MagicDisc.exe[3828] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\MagicDisc\MagicDisc.exe[3828] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3880] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3880] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3880] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3880] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3880] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B6A7D410] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B6A7D470] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B6A7D720] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B6A7D760] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B6A7D720] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B6A7D470] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B6A7D410] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B6A7D410] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B6A7D470] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B6A7D760] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B6A7D720] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisOpenAdapter] [B6A7D470] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [B6A7D720] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisCloseAdapter] [B6A7D410] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [B6A7D760] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B6A7D720] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B6A7D760] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B6A7D410] \??\C:\WINDOWS\system32\drivers\OAnet.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B6A7D470] \??\C:\WINDOWS\system32\drivers\OAnet.sys

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip OAmon.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp OAmon.sys
Device \Driver\Tcpip \Device\Udp OAmon.sys
Device \Driver\Tcpip \Device\RawIp OAmon.sys
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.14 ----

Autoscan:
GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2008-10-11 22:24:54
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
btwdins@ = C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
ekrn@ = "C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
KService@ = "C:\Program Files\Kontiki\KService.exe"
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SLService@ = slserv.exe
SvcOnlineArmor@ = "D:\Programs\Online Armor\oasrv.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@PtiuPbmdRundll32.exe ptipbm.dll,SetWriteBack = Rundll32.exe ptipbm.dll,SetWriteBack
@High Definition Audio Property Page ShortcutHDAudPropShortcut.exe = HDAudPropShortcut.exe
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@AlcWzrdALCWZRD.EXE = ALCWZRD.EXE
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@CHotkeymHotkey.exe = mHotkey.exe
@SynTPLprC:\Program Files\Synaptics\SynTP\SynTPLpr.exe = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@egui"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice = "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
@PWRISOVM.EXEC:\Program Files\PowerISO\PWRISOVM.EXE = C:\Program Files\PowerISO\PWRISOVM.EXE
@GrooveMonitor"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" = "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
@4oD"C:\Program Files\Kontiki\KHost.exe" -all = "C:\Program Files\Kontiki\KHost.exe" -all
@OnlineArmor GUI"D:\Programs\Online Armor\oaui.exe" = "D:\Programs\Online Armor\oaui.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Skype"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
@swgC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
@MsnMsgr"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background = "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@kdxC:\Program Files\Kontiki\KHost.exe -all /*file not found*/ = C:\Program Files\Kontiki\KHost.exe -all /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{B5A7F190-DDA6-4420-B3BA-52453494E6CD}C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{4F07DA45-8170-4859-9B5F-037EF2970034}D:\Programs\ONLINE~1\oaevent.dll = D:\Programs\ONLINE~1\oaevent.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Program Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{B089FE88-FB52-11D3-BDF1-0050DA34150D} /*Eset Smart Security - Context Menu Shell Extension*/C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll = C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682} /*IZArc DragDrop Menu*/(null) =
@{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5} /*IZArc Shell Context Menu*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office12\msohevi.dll = C:\Program Files\Microsoft Office\Office12\msohevi.dll
@{920E6DB1-9907-4370-B3A0-BAFC03D81399} /*Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{99FD978C-D287-4F50-827F-B2C658EDA8E7} /*Groove Explorer Icon Overlay 1 (GFS Unread Stub)*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} /*Groove Explorer Icon Overlay 4 (GFS Unread Mark)*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} /*Groove Explorer Icon Overlay 2 (GFS Stub)*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{16F3DD56-1AF5-4347-846D-7C10C4192619} /*Groove Explorer Icon Overlay 3 (GFS Folder)*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{387E725D-DC16-4D76-B310-2C93ED4752A0} /*Groove XML Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{6C467336-8281-4E60-8204-430CED96822D} /*Groove GFS Context Menu Handler*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{B5A7F190-DDA6-4420-B3BA-52453494E6CD} /*Groove GFS Stub Execution Hook*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{A449600E-1DC6-4232-B948-9BD794D62056} /*Groove GFS Stub Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} /*Groove GFS Explorer Bar*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{72853161-30C5-4D22-B7F9-0BBC1D38A37E} /*Groove GFS Browser Helper*/C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/D:\Programs\rpshell.dll = D:\Programs\rpshell.dll
@{4F07DA46-8170-4859-9B5F-037EF2970034} /*Online Armor Shell Extension*/D:\Programs\ONLINE~1\oaevent.dll = D:\Programs\ONLINE~1\oaevent.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Eset Smart Security - Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = D:\Programs\ONLINE~1\oaevent.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
XXX Groove GFS Context Menu Handler XXX@{6C467336-8281-4E60-8204-430CED96822D} = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
XXX Groove GFS Context Menu Handler XXX@{6C467336-8281-4E60-8204-430CED96822D} = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Eset Smart Security - Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = D:\Programs\ONLINE~1\oaevent.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
XXX Groove GFS Context Menu Handler XXX@{6C467336-8281-4E60-8204-430CED96822D} = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{22BF413B-C6D2-4d91-82A9-A0F997BA588C}C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll = C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
@{72853161-30C5-4D22-B7F9-0BBC1D38A37E}C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL = C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar1.dll = c:\program files\google\googletoolbar1.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.lolaevents.co.uk/ = http://www.lolaevents.co.uk/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
grooveLocalGWS@CLSID = C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
skype4com@CLSID = C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

C:\Documents and Settings\vali\Start Menu\Programs\Startup = MagicDisc.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
WLAN Configuration Utility.lnk = WLAN Configuration Utility.lnk
BTTray.lnk = BTTray.lnk

---- EOF - GMER 1.0.14 ----

Thanks
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 12th, 2008, 8:05 am

Hi,

The file you asked me for is not in there, in fact the whole folder is non-existent.

Excuse me, give it another try after doing this:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon (or click Start, then select My Computer)
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shut down My Computer.
    Now your computer is configured to show all hidden files.

Now see how far you get when trying to browse to this file:
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll

All the logs are looking fine, are you still having any problems?

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 12th, 2008, 6:10 pm

Hi there,

My machine is running fine.
No flashing e-explorer pages any more, my updates are back and everything seems to be OK except for getting lots of spam lately in my Hotmail.
Other than that it's all good. The file is not there and I did search with the Windows search software and it's not there!?
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 13th, 2008, 5:26 am

Hi,

My machine is running fine.
No flashing e-explorer pages any more, my updates are back and everything seems to be OK

That's good, as all your logs look clean :)

except for getting lots of spam lately in my Hotmail.

Remember to never give your e-mail address to any website which may send you spam. To find that out you can use the SiteAdvisor website:
http://www.siteadvisor.com/
The analysis of the websites is very good. You may even want to consider installing the program if you like it.

The file is not there and I did search with the Windows search software and it's not there!?

The reason why I am asking is because I accidentally removed it with ComboFix, but it is not bad so we will have to put it back. ComboFix can do this itself. Let's give it another try.

Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop!

Now close any open browsers. Also close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to do that for your programs see this webpage:
http://www.bleepingcomputer.com/forums/topic114351.html
Before disabling your security program disconnect from the internet as you can get infected very easily with your security disabled.

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

Quit::


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again. Do not mouseclick combofix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report is called DeQuarantine_log.txt. Please post this log. If you cannot find it please do a search for it as I really want to see it.

Note: Remember to reconnect and re-enable your anti virus and anti malware programs.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 13th, 2008, 6:38 pm

Hi John,

I searched two times and ran the combo 2 times, did not find the quarantine report file. The only file that was produced was the regular log file.
Here it is:
ComboFix 08-10-12.01 - vali 2008-10-13 23:23:49.7 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2247 [GMT 1:00]
Running from: C:\Documents and Settings\vali\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\vali\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-11 22:17 . 2008-10-11 22:22 250 --a------ C:\WINDOWS\gmer.ini
2008-10-08 21:49 . 2008-10-08 21:49 3,120 --a------ C:\WINDOWS\system32\0810be8f-b2fd-4cfc-bbc2-e45e10a7568b.dll
2008-10-08 21:49 . 2008-10-08 21:49 3,120 --a------ C:\WINDOWS\3fb680fe-6b4e-43bc-aa56-f398c3caf31b.ocx
2008-10-08 17:11 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-10-07 22:47 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-10-07 22:47 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\vali\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-04-17 05:25 80,584 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-10-06 18:47 . 2008-04-17 05:25 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-10-06 18:47 . 2008-04-17 05:25 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-10-06 15:56 . 2008-10-06 15:56 <DIR> d-------- C:\Documents and Settings\vali\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-05 14:28 . 2008-10-05 14:28 <DIR> d-------- C:\Documents and Settings\vali\Application Data\dvdcss
2008-10-05 14:27 . 2008-10-05 14:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-05 14:19 . 2008-10-05 14:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-05 14:09 . 2008-10-05 14:09 0 --a------ C:\WINDOWS\iPlayer.INI
2008-10-05 14:06 . 2008-10-05 14:06 <DIR> d-------- C:\Program Files\InterActual
2008-10-01 21:18 . 2008-10-01 21:18 <DIR> d--hs---- C:\FOUND.003
2008-09-30 22:53 . 2008-09-30 22:53 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Apple Computer
2008-09-30 22:53 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-09-30 22:53 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\Program Files\QuickTime
2008-09-30 21:54 . 2008-09-30 21:54 <DIR> d--hs---- C:\FOUND.002
2008-09-30 19:09 . 2008-09-30 19:09 <DIR> d--hs---- C:\FOUND.001
2008-09-30 18:28 . 2008-09-30 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-30 17:23 . 2008-09-30 17:23 <DIR> d--hs---- C:\FOUND.000
2008-09-29 21:43 . 2008-09-29 21:43 <DIR> d-------- C:\Program Files\Kontiki
2008-09-29 11:33 . 2008-09-29 11:33 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Uniblue
2008-09-27 18:43 . 2008-09-27 18:43 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-26 16:57 . 2008-09-26 16:57 <DIR> d-------- C:\WINDOWS\Bs350u2
2008-09-26 16:57 . 2004-12-02 20:23 605,312 --a------ C:\WINDOWS\system32\drivers\Bs350u2.sys
2008-09-26 16:57 . 2004-10-07 20:38 81,920 --a------ C:\WINDOWS\system\vfwExtC.dll
2008-09-26 16:57 . 2004-10-07 20:25 77,824 --a------ C:\WINDOWS\system\FiltProp.dll
2008-09-26 16:57 . 2004-11-29 12:36 40,960 --a------ C:\WINDOWS\Bs350u2r.exe
2008-09-26 16:57 . 2003-09-22 13:49 15,190 --a------ C:\WINDOWS\M1000Twn.ini
2008-09-26 16:57 . 2003-09-22 14:36 13,448 --a------ C:\WINDOWS\M1000Twn.src
2008-09-26 16:57 . 2004-06-17 22:23 12,537 --a------ C:\WINDOWS\system\S10H0110.csr
2008-09-26 16:57 . 2004-06-26 17:39 11,528 --a------ C:\WINDOWS\system\S10F0110.csr
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10H0110.bin
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10F0110.bin
2008-09-26 14:56 . 2008-09-26 14:56 <DIR> d-------- C:\Program Files\MagicDisc
2008-09-24 13:07 . 2008-09-24 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 13:19 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-05 13:19 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-09-04 13:03 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-04 12:58 --------- d-----w C:\Program Files\NOS
2008-09-04 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-04 11:15 --------- d-----w C:\Program Files\PowerISO
2008-09-04 11:02 --------- d-----w C:\Documents and Settings\vali\Application Data\Canon
2008-09-03 23:49 --------- d-----w C:\Program Files\Apple Software Update
2008-09-03 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-03 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-09-03 14:02 --------- d-----w C:\Program Files\Bonjour
2008-09-03 13:58 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-09-03 13:42 --------- d-----w C:\Program Files\MagicISO
2008-09-02 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 21:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-02 17:41 --------- d-----w C:\Program Files\DNA
2008-09-01 12:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-08-29 21:09 --------- d-----w C:\Program Files\Real
2008-08-29 21:09 --------- d-----w C:\Program Files\Common Files\Real
2008-08-29 19:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-08-29 09:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 22:46 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-28 22:43 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-28 22:42 --------- d-----w C:\Program Files\Windows Live
2008-08-28 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-28 22:38 --------- d-----w C:\Documents and Settings\vali\Application Data\skypePM
2008-08-28 22:37 --------- d-----w C:\Program Files\Skype
2008-08-28 22:37 --------- d-----w C:\Program Files\Google
2008-08-28 22:37 --------- d-----w C:\Program Files\Common Files\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\vali\Application Data\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-28 22:11 --------- d-----w C:\Program Files\ESET
2008-08-28 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-08-28 19:57 --------- d-----w C:\Program Files\WIDCOMM
2008-08-28 19:56 --------- d-----w C:\Program Files\Wlan
2008-08-28 19:53 --------- d-----w C:\Program Files\Synaptics
2008-08-28 19:44 --------- d-----w C:\Program Files\Realtek
2008-08-28 19:41 --------- d-----w C:\Program Files\Intel
2008-08-28 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 19:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-28 19:32 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-18 12:27 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-08-18 12:19 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-08-18 12:18 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-07_12.01.06.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-11 21:17:32 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 20:13:00 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-10-07 21:47:38 65,536 ----a-r C:\WINDOWS\Installer\{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}\ARPPRODUCTICON.exe
+ 2008-10-07 21:47:30 65,536 ----a-r C:\WINDOWS\Installer\{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}\ARPPRODUCTICON.exe
+ 2008-10-11 21:17:32 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-02-20 14:34:06 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
- 2008-03-24 19:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-02-20 15:04:02 2,463,976 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-24 19:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-02-20 15:04:04 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-03-12 13:02:26 947,472 ----a-w C:\WINDOWS\system32\msjava.dll
+ 2008-10-13 21:55:28 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_2e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-29 5898240]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-04-29 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-04-29 708698]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 196608]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"OnlineArmor GUI"="D:\Programs\Online Armor\oaui.exe" [2008-04-17 5545536]
"PtiuPbmd"="ptipbm.dll" [2005-01-14 C:\WINDOWS\system32\ptipbm.dll]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-29 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-29 C:\WINDOWS\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2005-04-29 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2001-12-26 C:\WINDOWS\mHotkey.exe]

C:\Documents and Settings\vali\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-09-26 575488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WLAN Configuration Utility.lnk - C:\Program Files\Wlan\IPN2220\wlan_ui.exe [2004-11-08 454656]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-03-03 512061]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "D:\Programs\ONLINE~1\oaevent.dll" [2008-04-17 671432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\USMT\\MIGWIZ.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-08-18 34312]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 80584]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-17 32456]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 28872]
R2 SvcOnlineArmor;Online Armor;D:\Programs\Online Armor\oasrv.exe [2008-04-17 5435968]
R3 Slazldrv;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slazldrv.sys [2005-04-29 230448]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-04-27 148480]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-09-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-13 23:28:14
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-10-13 23:30:21
ComboFix-quarantined-files.txt 2008-10-13 22:30:16
ComboFix4.txt 2008-10-07 20:47:58
ComboFix3.txt 2008-10-09 20:13:52
ComboFix5.txt 2008-10-13 22:22:52
ComboFix2.txt 2008-10-13 22:15:16

Pre-Run: 569,974,784 bytes free
Post-Run: 558,227,456 bytes free

213 --- E O F --- 2008-10-12 21:43:32
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm
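The ComboFix log above is read by hand in this thread, but the 'Reg Loading Points' section has a regular enough layout that the autostart entries can be pulled out programmatically. The following is an added example, my own Python and not part of this thread, of ComboFix, or of GMER: it parses the Run keys, the R*/S* driver and service lines, and service ImagePath values from a constructed excerpt laid out like the log above, and flags any image that loads from a Temp directory or a .tmp file, which is how the mchInjDrv driver in the log stood out (its ImagePath is C:\WINDOWS\TEMP\mc21.tmp). The SAMPLE_LOG text is a cut-down, constructed input, not the full posted log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a cut-down 'Reg Loading Points' section in the same layout as the
# ComboFix log posted above (entries adapted from it, not a full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"SoundMan"="SOUNDMAN.EXE" [2005-04-29 C:\WINDOWS\SoundMan.exe]

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 80584]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-04-27 148480]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
"""


@dataclass
class AutostartEntry:
    source: str   # registry key the value came from, or "service:<start type>" for R*/S* lines
    name: str
    path: str


# "Name"="value" [date size]   |   "Name"="file.exe" [date C:\resolved\path]   |   "Name"="value"
_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s*\[(\d{4}-\d{2}-\d{2})\s+([^\]]+)\])?$')
# R1 service;display name;C:\path\driver.sys [date size]
_SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+\d+\]$')
_KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# Image under a ...\Temp\... directory, or a .tmp file pretending to be a driver/program
_TEMP_RE = re.compile(r'\\temp\\|\.tmp$', re.IGNORECASE)


def _clean_path(value: str) -> str:
    """ComboFix prints service images in NT form (\\??\\C:\\...); strip that prefix."""
    if value.startswith('\\??\\'):
        value = value[4:]
    return value


def parse_loading_points(log_text: str) -> List[AutostartEntry]:
    """Collect every autostart entry from the Reg Loading Points section of a ComboFix log."""
    entries: List[AutostartEntry] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _SERVICE_RE.match(line)
        if m:
            start, svc, _display, path = m.group(1), m.group(2), m.group(3), m.group(4)
            entries.append(AutostartEntry(source=f"service:{start}", name=svc, path=path))
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            name, value, _date, extra = m.groups()
            # When the value is a bare filename, ComboFix puts the resolved path in the brackets
            if extra and '\\' in extra and '\\' not in value:
                value = extra
            # Name a service by its key rather than by the literal value name "ImagePath"
            if name == "ImagePath" and "\\Services\\" in current_key:
                name = current_key.rsplit("\\", 1)[-1]
            entries.append(AutostartEntry(source=current_key, name=name, path=_clean_path(value)))
    return entries


def flag_temp_paths(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Entries whose image lives in a Temp directory or is a .tmp file. Legitimate drivers and
    autoruns essentially never load from there, so these deserve a closer look first."""
    return [e for e in entries if _TEMP_RE.search(e.path)]


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for e in found:
        print(f"{e.source:70} {e.name:12} {e.path}")
    for e in flag_temp_paths(found):
        print("SUSPICIOUS:", e.name, "->", e.path)
```

Run it against a real log by reading the file into `parse_loading_points`; the Temp-path check is only a first triage filter, so the remaining entries still need the usual file-path and publisher sanity check the helpers in this thread do by eye.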

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 14th, 2008, 3:40 am

And are the files and folders I listed present inside Application Data?
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 14th, 2008, 7:09 am

C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll

This file is not in my system
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 14th, 2008, 7:10 am

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

This one is in the specified location.
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 14th, 2008, 1:00 pm

So when you search with Start > Search you will find no file called 'DeQuarantine_log.txt'? Did you really drag the CFScript INTO the ComboFix file?
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 15th, 2008, 4:11 am

Hi,

The developer of ComboFix asked us to give it another try with the latest version. I already made the CFScript myself so you will only have to download it and drag it into a NEW version of ComboFix. Take a good look at the picture below!

You will need to click on the CFScript and while holding the left mouse button move it into ComboFix.exe and when it is on ComboFix.exe release the left mouse button and ComboFix will run.

Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop!

Now download the CFScript that I attached to this post. Save this as CFScript.txt, in the same location as ComboFix.exe

Now close any open browsers. Also close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to do that for your programs see this webpage:
http://www.bleepingcomputer.com/forums/topic114351.html
Before disabling your security program disconnect from the internet as you can get infected very easily with your security disabled.

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again. Do not mouseclick combofix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report is called DeQuarantine_log.txt. Please post this log. If you cannot find it please do a search for it as I really want to see it. It should not make a normal ComboFix log, just the DeQuarantine log.

Note: Remember to reconnect and re-enable your anti virus and anti malware programs.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 16th, 2008, 4:43 am

Hi John,

Post:
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll
6 File(s) copied
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 16th, 2008, 5:07 am

Hi,

Logs are perfect now :)

This is my normal post for when you are clear - which you now are - or seem to be.
Please advise of any problems you still have. If you think you're clean please give one more reply so that I can archive this topic.

Now that you are clean, I have some tips & tricks for you to keep your computer clean and secure. The first few (like removing dangerous tools and Windows Update) have to be done, the others are optional (beginning with Spybot S&D).

It may seem like your system will be over-protected with all these things installed, but a lot of these programs aren't always running in the background, so they don't slow down your computer. Please take a look at the following things:
  • Uninstall tools - The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
    • Go to Start
    • Click on Run
    • Type ComboFix /u (Note: This command is case sensitive.)
    After doing that with ComboFix, do this with OTCleanIt to remove the tools not removed by ComboFix.
    • Download OTCleanIt from http://download.bleepingcomputer.com/ol ... leanIt.exe to your desktop.
    • Click the OTCleanIt icon on your desktop.
    • Click the CleanUp button.
    • If you get any pop ups asking if it is OK let the program proceed.
    • At the end the program will ask to let it reboot the computer. Let it do so.
    You may delete any logs left on the desktop.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your Anti Virus Software - It is imperative that you update your anti virus software at least once a week (even more often if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with anti virus software. A tutorial on installing & using this product can be found here:
    Tutorial for Spybot S&D
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can download it here:
    SpywareBlaster
  • Install WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website:
    WinPatrol
    The developer is a well-known man in the MalWare Removal business. If you really like WinPatrol think about upgrading to the PLUS version. It will give you additional features and you will only have to pay once, for your whole malware-free life.
  • Install MVPS HOSTS - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    For information on how to download and install, please read this tutorial here:
    WinHelp2002
    Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
  • Use an alternative Internet Browser - Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox << Most used, I use this one myself.
    Opera
  • Bookmark general cleanup link - It could be that your computer is becoming slower and slower. This is not always caused by malware. Most of the time it's malware when your computer suddenly gets slow or behaves strangely. When the slowdown increases gradually, check (so bookmark now) this link for tips & tricks:
    What to do if your Computer's running slowly
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints called Malware Complaints. You must register to post your complaint. You had the following infection:
Vundo

>> Here << you can see how you can help us.

May your God go with you..

John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
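Two of the procedures in this thread are plain Folder Options and Internet Options clicks: showing hidden files, extensions and protected system files (John's October 12th post) and tightening the Internet zone's ActiveX, IFRAME and sub-frame actions (the "Make your Internet Explorer more secure" item above). Both end up as DWORD values under the current user's registry hive, so the result can be audited from a `regedit` export rather than by reopening each dialog. What follows is an added example, my own Python and not part of this thread or of any of the tools it mentions. The registry locations and value ids (Explorer\Advanced: Hidden, HideFileExt, ShowSuperHidden; Zones\3 action ids 1001, 1004, 1201, 1800, 1804, 1607 with 0 = Enable, 1 = Prompt, 3 = Disable) are the standard Windows ones as I know them, not taken from the thread, and SAMPLE_EXPORT is a constructed export in which three settings deliberately disagree with the recommendations.

```python
import re
from typing import Dict, List, Tuple

# Registry keys behind the two GUI procedures (standard Windows locations, assumed here, not
# quoted from the thread). Zone action values: 0 = Enable, 1 = Prompt, 3 = Disable.
EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
INTERNET_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# value name -> (expected DWORD, human label matching the thread's wording)
EXPECTED: Dict[str, Dict[str, Tuple[int, str]]] = {
    EXPLORER_ADVANCED: {
        "Hidden": (1, "Show hidden files and folders"),
        "HideFileExt": (0, "Hide file extensions for known file types: off"),
        "ShowSuperHidden": (1, "Hide protected operating system files: off"),
    },
    INTERNET_ZONE: {
        "1001": (1, "Download signed ActiveX controls: Prompt"),
        "1004": (3, "Download unsigned ActiveX controls: Disable"),
        "1201": (3, "Initialise and script ActiveX controls not marked as safe: Disable"),
        "1800": (1, "Installation of desktop items: Prompt"),
        "1804": (1, "Launching programs and files in an IFRAME: Prompt"),
        "1607": (1, "Navigate sub-frames across different domains: Prompt"),
    },
}

# Constructed regedit export: Hidden, HideFileExt and 1804 are set to the weaker value on purpose
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000001
"""

_KEY_RE = re.compile(r'^\[([^\]]+)\]$')
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Minimal reader for the regedit export format: {key: {value: dword}} for DWORD values only.
    Keys and value names are lower-cased because the registry compares them case-insensitively."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result


def audit(reg_text: str) -> List[str]:
    """One finding per setting that is absent or differs from the recommended value."""
    found = parse_reg_export(reg_text)
    findings: List[str] = []
    for key, wanted in EXPECTED.items():
        present = found.get(key.lower(), {})
        for name, (expected, label) in wanted.items():
            actual = present.get(name.lower())
            if actual != expected:
                shown = "not set (template default applies)" if actual is None else str(actual)
                findings.append(f"{label}: expected {expected}, got {shown}")
    return findings


def render_fix() -> str:
    """Emit a .reg fragment that sets every recommended value, importable with regedit."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, wanted in EXPECTED.items():
        lines.append(f"[{key}]")
        for name, (expected, _label) in wanted.items():
            lines.append(f'"{name}"=dword:{expected:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("WEAK:", finding)
    print(render_fix())
```

To use it on a real machine, export the two keys with `regedit /e` and feed the file's text to `audit`; `render_fix` prints the corrective fragment, which the audit accepts as clean when fed back to it. The zone values live under HKEY_CURRENT_USER, so a per-user check is needed for each account, and an absent value simply means the zone template default is in effect rather than an explicit choice.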