Computer Juice > Computer Software > Virus, Spyware & Security


Urgent Help! Ss Included Please Read




  #1  
Old 28th Feb 2009, 17:39
Member Group
 
Urgent Help! Ss Included Please Read

Well, here's the problem. I have a dual booting laptop (XP and Ubuntu) and something very wrong happened. I think I ended up downloading some malware, which made my comp restart. When the GRUB loader came up, I selected XP. It carried on to load as normal, and on the login screen (XP Pro) it "turned off". By that I mean the laptop was still on but nothing would happen. It was as if the monitor had been turned off, and the caps lock/num lock keys weren't working. I haven't been able to boot from a CD but I have managed to access Ubuntu. I took a screenshot of "C:\".

Anything wrong there? I'll send/upload extra screenies on request. Thanks a lot
~Kog
  #2  
Old 28th Feb 2009, 19:21
Moderator Group
 
Urgent Help! Ss Included Please Read

When was the last time you ran ComboFix? Post that log please.

  #3  
Old 1st Mar 2009, 04:09
Member Group
 
Urgent Help! Ss Included Please Read

It was before that thing happened. I can try running it through Wine but I doubt that will work. I'll do it if told to.

ComboFix 09-02-21.01 - Administrator 2009-02-22 17:04:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.697 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\recycler\S-9-1-80-100024568-100017358-100020965-2223.com
c:\windows\qmdispatch.dll
c:\windows\system32\drivers\gaopdxltimpqjp.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Drivers\UACyswonyum.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxiewilasw.dll
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\UACijsauuqg.dll
c:\windows\system32\URLCACHE.DLL
c:\windows\system32\WINCNMDB.DLL
c:\windows\system32\winio.vxd
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-22 15:59 . 2009-02-22 15:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DivX
2009-02-22 15:50 . 2009-02-22 15:53 <DIR> d-------- c:\program files\Total Video Converter
2009-02-22 15:48 . 2009-02-22 15:48 322 --a------ c:\windows\system32\temp_0000_30046.aok
2009-02-22 15:47 . 2009-02-22 15:47 <DIR> d-------- c:\program files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2009-02-22 15:47 . 2009-02-22 15:47 161 --a------ c:\windows\system32\test.aok
2009-02-22 00:46 . 2009-02-22 00:56 <DIR> d-------- c:\program files\DivX
2009-02-22 00:31 . 2009-02-22 00:31 <DIR> d-------- c:\program files\Veoh Networks
2009-02-22 00:19 . 2009-02-22 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\gtk-2.0
2009-02-22 00:16 . 2009-02-22 00:16 <DIR> d-------- c:\program files\Participatory Culture Foundation
2009-02-22 00:16 . 2009-02-22 00:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Participatory Culture Foundation
2009-02-21 20:02 . 2009-02-21 20:04 <DIR> d-------- c:\program files\Maxthon2
2009-02-21 20:02 . 2009-02-22 16:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MxBoost
2009-02-21 19:04 . 2009-02-21 19:04 <DIR> d-------- c:\program files\UseNeXT
2009-02-21 19:04 . 2009-02-22 00:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\UseNeXT
2009-02-21 12:10 . 2009-02-21 12:10 <DIR> d-------- c:\program files\ColorPic 4.1
2009-02-21 12:10 . 2009-01-15 18:52 134,130 --a------ c:\windows\ColorPic Uninstaller.exe.bak
2009-02-21 11:29 . 2009-02-21 11:30 <DIR> d-------- c:\program files\CCleaner
2009-02-20 20:14 . 2008-02-15 12:45 172,032 --a------ c:\windows\system32\igfxres.dll
2009-02-18 23:13 . 2009-02-18 23:13 <DIR> d-------- C:\Intel
2009-02-18 23:13 . 2008-02-15 13:12 5,854,752 --a------ c:\windows\system32\drivers\igxpmp32.sys
2009-02-18 23:13 . 2008-02-15 13:12 2,643,968 --a------ c:\windows\system32\igxpdx32.dll
2009-02-18 23:13 . 2008-02-15 13:12 1,670,144 --a------ c:\windows\system32\igxpdv32.dll
2009-02-18 23:13 . 2008-03-07 12:56 920,088 --a------ c:\windows\system32\igxpun.exe
2009-02-18 23:13 . 2008-02-15 12:49 176,128 --a------ c:\windows\system32\igfxrsky.lrc
2009-02-18 23:13 . 2008-02-15 12:49 172,032 --a------ c:\windows\system32\igfxrslv.lrc
2009-02-18 23:13 . 2008-02-15 13:12 151,040 --a------ c:\windows\system32\igxpgd32.dll
2009-02-18 23:13 . 2008-02-15 13:21 147,456 --a------ c:\windows\system32\igfxCoIn_v4926.dll
2009-02-18 23:13 . 2008-02-15 13:12 57,344 --a------ c:\windows\system32\igxprd32.dll
2009-02-18 23:04 . 2009-02-18 23:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SPORE
2009-02-18 23:01 . 2009-02-18 23:01 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\SecuROM
2009-02-18 23:01 . 2009-02-18 23:01 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-02-18 22:33 . 2009-02-18 22:33 <DIR> d-------- c:\program files\Electronic Arts
2009-02-15 15:19 . 2009-02-15 15:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Acreon
2009-02-15 14:42 . 2009-02-22 11:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Thinstall
2009-02-14 17:43 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2009-02-12 21:07 . 2009-02-12 21:07 33,266,824 --a------ c:\program files\TechSmith.zip
2009-02-11 00:13 . 2009-02-11 00:13 42,320 --a------ c:\windows\system32\xfcodec.dll
2009-02-10 18:37 . 2009-02-10 18:37 <DIR> d-------- c:\program files\VB Decompiler Lite
2009-02-10 18:14 . 2009-02-10 18:16 <DIR> d-------- C:\ruby
2009-02-09 19:03 . 2002-12-12 00:14 46,592 --a------ c:\windows\system32\dxdllreg.exe
2009-02-09 19:03 . 2002-08-29 03:41 31,744 --a--c--- c:\windows\system32\dllcache\pid.dll
2009-02-08 15:51 . 2009-02-08 15:52 <DIR> d-------- c:\program files\Pokemon Mystery Universe
2009-02-07 18:37 . 2009-02-07 18:39 <DIR> d-------- C:\World of Padman
2009-02-07 16:34 . 2009-02-07 16:34 <DIR> d-------- c:\documents and settings\Palu Vedd\Application Data\MEGAUPLOADTOOLBAR
2009-02-07 16:34 . 2009-02-07 16:34 <DIR> d-------- c:\documents and settings\Palu Vedd\Application Data\EmailNotifier
2009-02-06 22:52 . 2009-02-06 22:52 <DIR> d-------- c:\windows\Downloaded Installations
2009-02-06 11:38 . 2009-02-06 11:38 <DIR> d-------- C:\stuff
2009-02-06 11:38 . 2009-02-06 11:38 <DIR> d-------- c:\program files\stuff
2009-02-06 01:24 . 2009-02-06 01:24 <DIR> d-------- c:\program files\GIF Movie Gear
2009-02-05 12:28 . 2007-04-22 16:04 36,864 --a------ c:\windows\system32\yacxeb.dll
2009-02-05 12:15 . 2009-02-05 12:15 <DIR> d-------- c:\program files\Game Gears
2009-02-05 12:14 . 2009-02-14 23:26 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-02-02 17:58 . 2009-02-02 18:03 <DIR> d-------- c:\documents and settings\Administrator\.idlerc
2009-02-02 17:57 . 2009-02-02 17:57 <DIR> d-------- C:\Python25
2009-02-02 17:57 . 2008-07-27 23:27 339,968 --a------ c:\windows\system32\pythoncom25.dll
2009-02-02 17:57 . 2008-07-27 23:23 114,688 --a------ c:\windows\system32\pywintypes25.dll
2009-02-02 17:05 . 2009-02-02 17:05 <DIR> d-------- c:\program files\bobyte
2009-02-02 13:06 . 2009-02-02 13:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-02 12:58 . 2009-02-02 12:58 <DIR> d-------- c:\program files\MegauploadToolbar
2009-02-02 12:58 . 2009-02-02 12:58 <DIR> d-------- c:\program files\Megaupload
2009-02-02 12:58 . 2009-02-02 12:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Megaupload
2009-02-02 12:58 . 2009-02-02 12:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2009-02-02 12:58 . 2009-02-18 21:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MegauploadToolbar
2009-02-02 12:58 . 2009-02-02 12:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Megaupload
2009-02-02 12:58 . 2009-02-02 12:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\EmailNotifier
2009-02-02 12:57 . 2009-02-02 12:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-02-02 12:35 . 2009-02-02 12:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Talkback
2009-02-02 12:15 . 2009-02-02 12:15 <DIR> d-------- c:\program files\M2S
2009-02-02 11:50 . 2009-02-02 11:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Alien Skin
2009-02-02 11:40 . 2009-02-02 11:40 <DIR> d-------- c:\program files\Teorex
2009-02-02 11:15 . 2009-02-02 11:15 1,068 --a------ c:\windows\AZPR3.INI
2009-02-02 11:14 . 2009-02-02 11:16 1,216 --a------ c:\windows\ARPR.INI
2009-02-01 15:25 . 2009-02-08 13:00 <DIR> d-------- c:\program files\GameSpy Arcade
2009-02-01 15:17 . 2009-02-01 15:17 <DIR> d-------- c:\program files\The Creative Assembly
2009-02-01 14:01 . 2009-02-01 14:01 37 --a------ c:\windows\wininit.ini
2009-01-31 22:20 . 2009-01-31 22:20 <DIR> d--h----- c:\windows\PIF
2009-01-31 15:19 . 2009-01-31 15:19 361,600 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-01-27 20:14 . 2009-01-27 20:14 14,336 --a------ c:\program files\Common Files\InstallSupport.dll
2009-01-23 21:18 . 2009-02-07 23:50 <DIR> d-------- c:\program files\MessengerDiscovery
2009-01-23 21:18 . 2009-01-23 21:18 268 --ah----- C:\sqmdata02.sqm
2009-01-23 21:18 . 2009-01-23 21:18 244 --ah----- C:\sqmnoopt02.sqm
2009-01-23 19:08 . 2009-01-23 19:13 <DIR> d-------- c:\documents and settings\Palu Vedd\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 16:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 12:10 134,138 ----a-w c:\windows\ColorPic Uninstaller.exe
2009-02-20 20:12 --------- d-----w c:\program files\Xfire
2009-02-18 22:33 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-18 21:58 --------- d-----w c:\documents and settings\Administrator\Application Data\HPAppData
2009-02-14 21:23 --------- d-----w c:\documents and settings\Administrator\Application Data\Xfire
2009-02-08 15:51 2,012 ----a-w c:\program files\Common Files\InstallSupport.InstallState
2009-02-03 20:55 --------- d-----w c:\program files\SpeederXP
2009-02-01 23:04 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\HPAppData
2009-01-31 15:19 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2009-01-31 10:55 --------- d-----w c:\program files\Cheat Engine
2009-01-30 00:33 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\Thinstall
2009-01-28 21:14 --------- d-----w c:\program files\CrossLoop
2009-01-27 19:03 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 23:42 --------- d-----w c:\program files\Shoddy Battle Server
2009-01-16 19:37 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2009-01-16 19:37 --------- d-----w c:\program files\DAP
2009-01-16 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\Speedbit
2009-01-15 19:10 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\scriptocean
2009-01-15 18:48 --------- d-----w c:\documents and settings\Administrator\Application Data\scriptocean
2009-01-13 21:45 --------- d-----w c:\program files\Sol Edit
2009-01-12 12:28 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc
2009-01-12 10:34 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-01-12 10:33 --------- d-----w c:\program files\TechSmith
2009-01-12 10:33 --------- d-----w c:\program files\Common Files\TechSmith Shared
2009-01-11 19:14 --------- d-----w c:\program files\SpeedBit Video Accelerator
2009-01-11 19:11 --------- d-----w c:\program files\Speed Gear
2009-01-11 16:39 724,992 ----a-w c:\windows\iun6002.exe
2009-01-11 16:39 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\ezVAD
2009-01-11 16:39 --------- d-----w c:\documents and settings\Administrator\Application Data\ezVAD
2009-01-11 14:33 --------- d-----w c:\documents and settings\Dhara\Application Data\OpenOffice.org
2009-01-11 14:27 --------- d-----w c:\documents and settings\Dhara\Application Data\Intel
2009-01-11 01:54 --------- d-----w c:\program files\Virtools
2009-01-09 22:43 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\vlc
2009-01-09 22:38 --------- d-----w c:\program files\VideoLAN
2009-01-07 23:40 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\SecondLife
2009-01-05 21:25 --------- d-----w c:\program files\Cool Screen Capture
2009-01-05 20:09 --------- d-----w c:\documents and settings\NetworkService\Application Data\SecondLife
2009-01-05 19:22 --------- d-----w c:\documents and settings\NetworkService\Application Data\OpenOffice.org
2009-01-04 21:23 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-04 21:23 --------- d-----w c:\program files\Windows Live
2009-01-04 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-04 21:17 --------- d-----w c:\documents and settings\Administrator\Application Data\Yahoo!
2009-01-04 21:00 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-04 20:55 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-04 14:41 --------- d-----w c:\documents and settings\Administrator\Application Data\HP
2009-01-03 10:15 --------- d-----w c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-01-02 18:56 --------- d-----w c:\program files\SecondLife
2009-01-02 18:47 --------- d-----w c:\documents and settings\Administrator\Application Data\SecondLife
2008-12-31 18:49 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\OpenOffice.org
2008-12-30 01:51 --------- d-----w c:\program files\Download Direct
2008-12-30 01:20 --------- d-----w c:\program files\AutoIt3
2008-12-30 01:14 --------- d-----w c:\program files\ActMak
2008-12-30 00:55 --------- d-----w c:\program files\AutoHotkey
2008-12-30 00:51 --------- d-----w c:\program files\Net Tools
2008-12-30 00:21 --------- d-----w c:\program files\WinPcap
2008-12-29 20:15 --------- d-----w c:\program files\Google Hacks
2008-12-29 19:04 --------- d-----w c:\program files\Perfect Macro Recorder
2008-12-28 19:25 --------- d-----w c:\documents and settings\All Users\Application Data\Channel4
2008-12-28 12:21 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\Alien Skin
2008-12-27 21:12 --------- d-----w c:\documents and settings\NetworkService\Application Data\Alien Skin
2008-12-27 20:39 --------- d-----w c:\documents and settings\NetworkService\Application Data\HPAppData
2008-12-27 20:36 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-12-27 20:11 --------- d-----w c:\documents and settings\Administrator\Application Data\Nero
2008-12-27 20:11 --------- d-----w c:\documents and settings\Administrator\Application Data\Intel
2008-12-27 02:28 --------- d-----w c:\documents and settings\Palu Vedd\Application Data\Nero
2008-12-26 17:36 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-12-26 17:36 249,856 ------w c:\windows\Setup1.exe
2008-12-26 15:57 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-26 15:56 --------- d-----w c:\program files\DAEMON Tools Toolbar
2008-12-26 15:56 --------- d-----w c:\program files\DAEMON Tools Lite
2008-12-25 22:00 --------- d-----w c:\program files\Common Files\Nero
2008-12-25 21:59 --------- d-----w c:\program files\Nero
2008-12-25 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-12-25 20:26 --------- d-----w c:\documents and settings\NetworkService\Application Data\Xfire
2008-12-25 18:11 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-25 18:03 --------- d-----w c:\program files\Paragon Software
2008-12-23 15:10 2,117,632 ----a-w c:\windows\system32\python25.dll
2008-12-15 20:54 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-08-25 05:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082520080826\index.dat
.

------- Sigcheck -------

2009-01-31 15:19 361600 1f39c7bdba4c5f3f01c4eabf7edbf4b3 c:\windows\system32\dllcache\TCPIP.SYS
2009-01-31 15:19 361600 1f39c7bdba4c5f3f01c4eabf7edbf4b3 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]
2008-08-04 20:44 1947080 --a------ c:\progra~1\MEGAUP~2\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-12-10 929224]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~2\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
[HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~2\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
[HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WinBoss"="c:\program files\bobyte\WinBoss classic\WinBoss.exe" [2006-04-02 797696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-02-21 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-03-14 86016]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-11-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 569413]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\Dhara\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\Palu Vedd\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ntbpalhze.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ntbpalhze.lnk
backup=c:\windows\pss\ntbpalhze.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-10-23 14:18 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
--a------ 2007-09-06 10:54 1343488 c:\program files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M2SAtualiza]
--a------ 2008-04-24 20:49 90112 c:\program files\M2S\Instalação M2S\M2SAtualiza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 08:51 1836328 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMR]
--a------ 2007-09-20 08:51 1836328 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinBoss]
--a------ 2006-04-02 21:25 797696 c:\program files\bobyte\WinBoss classic\WinBoss.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Documents and Settings\\Palu Vedd\\Desktop\\pwo\\Pokemon Game.exe"=
"c:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\PWO\\Pokemon Game.exe"=
"c:\\World of Padman\\wop.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-12-25 39472]
R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2008-08-25 9867]
R2 shoddybattle;Shoddy Battle Server;c:\program files\Shoddy Battle Server\bin\wrapper.exe [2009-01-16 204800]
S1 mailKmd;mailKmd; [x]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9a6f080-f0fc-11dd-a66f-001b770816d4}]
\Shell\AutoRun\command - F:\StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9a6f081-f0fc-11dd-a66f-001b770816d4}]
\Shell\AutoRun\command - G:\LOCKV223.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ezVAD.exe - c:\program files\Easy Video Accelerator Downloader\ezVAD.exe


.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 17:09:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:43,f1,9a,e2,a4,08,b3,f5,ca,99,9a,df,96,58,fb,ba,d1,77,1b,29,4a,
35,52,ac,a1,02,17,74,5a,bd,27,63,7b,d1,b7,b6,d8,1c,66,18,a8,c4,bb,c4,55,a6,\
"rkeysecu"=hex:b4,90,22,e7,58,38,af,f9,3c,78,65,af ,d5,c4,7f,a8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\Intel\Wireless\Bin\SsoGnENU.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\java.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\MessengerDiscovery\MessengerDiscovery Live.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-02-22 17:13:11 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-02-22 17:12:16

Pre-Run: 39,512,174,592 bytes free
Post-Run: 39,813,795,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
redirect=/default
redirectbaudrate=
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

  #4  
Old 1st Mar 2009, 10:24
Moderator Group
 
Urgent Help! Ss Included Please Read

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start
  • An information notice will appear, click OK.
  • This starts a short scan that will scan the files currently running in memory.
  • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click Settings > Change Settings
  • Under the Scanning tab UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply

  #5  
Old 1st Mar 2009, 13:18
Member Group
 
Urgent Help! Ss Included Please Read

Scanning now, hope this works...
Running in linux so...
  #6  
Old 2nd Mar 2009, 13:50
New Member Group
 
Urgent Help! Ss Included Please Read

Did that help at all? There's a few other things that it could be. The assumption was that you were running linux.
  #7  
Old 2nd Mar 2009, 14:04
Administrator Group
 
Urgent Help! Ss Included Please Read

Quote:
Originally Posted by Marlier View Post
Did that help at all? There's a few other things that it could be. The assumption was that you were running linux.
Leave malware removal log threads to the malware team. Thanks.
  #8  
Old 2nd Mar 2009, 14:19
Moderator Group
 
Urgent Help! Ss Included Please Read

Agreed. If it turns out to be non-malware we will move it to the appropriate forum.

You still with us koglaa?

  #9  
Old 18th Mar 2009, 14:45
Member Group
 
Urgent Help! Ss Included Please Read

Sorry for the REALLY late reply, something turned up. Anyway, Dr.Web keeps crashing when it is about 3/4 of the way through the scan. Still, it doesn't seem to help. I really think this is malware as it happened after I downloaded something... got a BSOD and that's it. More help is greatly appreciated (Windows ftw!)
  #10  
Old 18th Mar 2009, 14:48
Moderator Group
 
Urgent Help! Ss Included Please Read

Delete your current version of ComboFix and download it again!

Download Combofix by sUBs from one of the below links.



  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log.
  • Please save that log to post in your next reply.
  • Re-enable all of your security programs that were disabled during the running of ComboFix.

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.

Remember to re-enable your antivirus and antispyware protection.

Copyright ©2006 - 2009 Computer Juice.
