Here is the ComboFix scan. There were viruses detected when it was scanning. Here is the log:
ComboFix 08-11-20.02 - Nighty 2008-11-21 12:36:18.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1860 [GMT 3:00]
Running from: c:\users\Nighty\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\KBL.LOG
.
((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.
2008-11-21 01:43 . 2008-11-21 01:43 <DIR> d-------- c:\program files\Trend Micro
2008-11-20 23:51 . 2008-11-21 00:34 <DIR> d-------- c:\program files\Google
2008-11-17 21:27 . 2008-11-17 21:26 410,976 --a------ c:\windows\System32\deploytk.dll
2008-11-15 11:43 . 2008-11-15 11:50 <DIR> d-------- C:\GC
2008-11-15 11:03 . 2008-11-15 11:03 <DIR> d-------- c:\program files\Turbo Tube
2008-11-15 11:00 . 2008-11-15 11:08 <DIR> d-------- c:\program files\RegCleaner
2008-11-14 17:48 . 2008-11-14 17:48 <DIR> d-------- c:\users\Nighty\AppData\Roaming\Screaming Bee
2008-11-13 10:14 . 2008-09-10 06:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-13 10:14 . 2008-09-05 08:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-13 10:14 . 2008-08-27 04:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-09 22:08 . 2008-11-14 11:26 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2008-11-09 19:01 . 2008-11-09 19:01 <DIR> d-------- c:\users\All Users\WLInstaller
2008-11-09 19:01 . 2008-11-09 19:01 <DIR> d-------- c:\programdata\WLInstaller
2008-11-09 19:01 . 2008-11-09 19:01 <DIR> d-------- c:\program files\Windows Live
2008-11-09 19:01 . 2008-11-09 19:01 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-09 17:24 . 2008-11-09 17:24 <DIR> d-------- c:\users\Nighty\AppData\Roaming\URSoft
2008-11-09 17:23 . 2008-11-09 19:02 <DIR> d-------- c:\program files\Your Uninstaller 2008
2008-11-09 16:25 . 2008-11-21 02:26 1,752 --a------ c:\windows\System32\%LocalXml%
2008-11-07 13:23 . 2008-11-07 13:24 <DIR> d-------- c:\users\CQsi213oerp\AppData\Roaming\7Wonders
2008-11-07 12:51 . 2008-11-07 12:51 <DIR> d-------- c:\users\CQsi213oerp\AppData\Roaming\iWin
2008-11-07 12:49 . 2008-11-07 12:49 <DIR> d-------- c:\users\CQsi213oerp\AppData\Roaming\WildTangent
2008-11-05 22:43 . 2008-11-05 22:43 <DIR> d-------- c:\program files\Serials 2000 7.1 Plus
2008-11-05 22:08 . 2008-08-30 01:53 151,552 --a------ c:\windows\System32\securenet.dll
2008-11-03 16:40 . 2008-11-03 17:15 96,976 --a------ c:\windows\System32\drivers\klin.dat
2008-11-03 16:40 . 2008-11-03 16:40 87,855 --a------ c:\windows\System32\drivers\klick.dat
2008-11-03 16:39 . 2008-11-21 12:42 5,587,488 --ahs---- c:\windows\System32\drivers\fidbox.dat
2008-11-03 16:39 . 2008-11-21 12:44 688,160 --ahs---- c:\windows\System32\drivers\fidbox2.dat
2008-11-03 16:39 . 2008-11-21 12:42 46,828 --ahs---- c:\windows\System32\drivers\fidbox.idx
2008-11-03 16:39 . 2008-11-21 12:44 4,480 --ahs---- c:\windows\System32\drivers\fidbox2.idx
2008-11-03 16:37 . 2008-11-03 16:37 <DIR> d-------- c:\users\All Users\Kaspersky Lab Setup Files
2008-11-03 16:37 . 2008-11-03 16:37 <DIR> d-------- c:\programdata\Kaspersky Lab Setup Files
2008-11-03 16:08 . 2008-08-05 12:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-11-03 16:08 . 2008-08-05 12:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-11-03 16:08 . 2008-08-05 12:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-11-03 16:08 . 2008-08-05 12:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-11-03 16:08 . 2008-08-05 12:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-29 22:09 . 2008-10-29 22:09 <DIR> d-------- c:\program files\portalgraphics
2008-10-29 15:09 . 2008-08-12 06:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-29 15:09 . 2008-09-18 07:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-29 15:09 . 2008-09-18 07:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-28 14:16 . 2008-10-28 14:16 <DIR> d-------- c:\users\All Users\HeidiSQL
2008-10-28 14:16 . 2008-10-28 14:16 <DIR> d-------- c:\programdata\HeidiSQL
2008-10-28 14:16 . 2008-10-28 14:16 <DIR> d-------- c:\program files\HeidiSQL
2008-10-22 15:15 . 2008-10-22 15:15 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 09:50 --------- d-----w c:\programdata\Kaspersky Lab
2008-11-21 09:22 --------- d---a-w c:\programdata\TEMP
2008-11-21 09:14 --------- d-----w c:\users\Nighty\AppData\Roaming\tor
2008-11-21 09:05 --------- d-----w c:\users\Nighty\AppData\Roaming\Vidalia
2008-11-20 21:36 --------- d-----w c:\program files\'Full Speed' Internet Booster + Performance Tests
2008-11-20 20:09 --------- d-----w c:\program files\Sony Setup
2008-11-19 13:20 27,934 ----a-w c:\users\Nighty\AppData\Roaming\nvModes.dat
2008-11-17 18:26 --------- d-----w c:\program files\Java
2008-11-07 10:26 28,409 ----a-w c:\users\CQsi213oerp\AppData\Roaming\nvModes.dat
2008-11-07 10:22 --------- d-----w c:\programdata\WildTangent
2008-11-05 19:01 --------- d-----w c:\users\Nighty\AppData\Roaming\Auslogics
2008-11-03 13:39 --------- d-----w c:\program files\Kaspersky Lab
2008-11-01 08:39 652 ----a-w c:\users\Nighty\AppData\Roaming\wklnhst.dat
2008-10-21 16:08 --------- d-----w c:\program files\Electronic Arts
2008-10-21 14:51 --------- d-----w c:\program files\SIPY
2008-10-21 12:49 --------- d-----w c:\program files\World of Warcraft
2008-10-19 19:26 --------- d-----w c:\programdata\Blizzard
2008-10-18 21:28 --------- d-----w c:\users\Nighty\AppData\Roaming\MozillaControl
2008-10-18 20:14 --------- d-----w c:\program files\Auslogics
2008-10-18 19:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-18 19:27 --------- d-----w c:\program files\CCleaner
2008-10-18 19:26 --------- d-----w c:\program files\Yahoo!
2008-10-16 11:32 --------- d-----w c:\program files\Common Files\Adobe
2008-10-16 05:19 --------- d-----w c:\program files\Windows Mail
2008-10-13 21:52 3,348 ----a-w c:\windows\System32\ealregsnapshot1.reg
2008-10-13 21:52 --------- d-----w c:\programdata\Electronic Arts
2008-10-13 21:48 --------- d-----w c:\programdata\Media Center Programs
2008-10-09 11:44 --------- d-----w c:\program files\Sigmatel
2008-10-08 20:30 --------- d-----w c:\program files\NADAsoft Inc
2008-10-08 12:43 --------- d-----w c:\users\Nighty\AppData\Roaming\Hewlett-Packard
2008-10-08 12:42 --------- d-----w c:\program files\Hewlett-Packard
2008-10-07 15:32 --------- d-----w c:\program files\Vidalia Bundle
2008-10-06 22:58 --------- d-----w c:\users\Guest\AppData\Roaming\Macrovision
2008-10-06 22:57 --------- d-----w c:\users\Guest\AppData\Roaming\DigitalPersona
2008-10-06 22:57 --------- d-----w c:\programdata\NVIDIA
2008-10-04 19:27 --------- d-----w c:\users\Nighty\AppData\Roaming\timtux
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 13:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-30 00:45 --------- d-----w c:\program files\gg
2008-09-29 16:51 --------- d-----w c:\program files\mario kitty hard game trap
2008-09-29 01:28 --------- d-----w c:\program files\mupen64 0.5
2008-09-29 01:00 --------- d-----w c:\program files\Mupen64K 0.7.9
2008-09-29 00:19 --------- d-----w c:\program files\supersmash
2008-09-29 00:19 --------- d-----w c:\program files\New Folder
2008-09-28 21:14 --------- d-----w c:\program files\Project64 1.6
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-06 17:43 0 ----a-w c:\users\Nighty\jagex_runescape_preferences.dat
2008-08-03 19:28 174 --sha-w c:\program files\desktop.ini
2008-07-13 12:14 3,411,205 ----a-w c:\users\Nighty\trap game.exe
2008-05-30 21:05 32 ----a-r c:\users\All Users\hash.dat
2008-05-30 21:05 32 ----a-r c:\programdata\hash.dat
2008-05-02 05:39 8,457,091 ----a-w c:\program files\FullSpeed.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 c:\windows\System32\oobefldr.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-25 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-11-27 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 184320]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-09 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-17 136600]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-13 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-13 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-13 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll,c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll,c:\progra~1\KASPER~1\KASPER~1\adialhk.dll,c:\progra~1\KASPER~1\KASPER~1\kloehk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C4C0878E-1993-4A2B-B453-25DAEDD10BCE}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8108A118-F5A1-4B50-9ACF-5B27C2473380}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{61CC9F71-ABBA-4219-A465-0C7CAE9EEEE6}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{4C31A290-CB6D-4F62-A5F3-07E911A17178}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{2E554823-F3FD-482B-AA90-DF5B137D0147}c:\\kav\\kav7.0\\english\\setup.exe"= UDP:c:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{FDEBC310-1165-42D9-A713-DE3D7AA6B226}c:\\kav\\kav7.0\\english\\setup.exe"= TCP:c:\kav\kav7.0\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"{6F0FB3BE-68F1-4C38-8F93-78B6B7B51C99}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:Blizzard Downloader
"{CE5D0D64-3FE0-42C0-935A-A7F15570ADF0}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:Blizzard Downloader
"{E1C8A1F2-7BEA-49DF-8DC7-3C572779FB83}"= UDP:3724:Blizzard Downloader: 3724
"TCP Query User{FC891DE7-B73E-4633-AADE-C346360F649B}d:\\wowz\\gunzmos repack\\database\\database\\bin\\mysqld-nt.exe"= UDP:d:\wowz\gunzmos repack\database\database\bin\mysqld-nt.exe:mysqld-nt
"UDP Query User{34F3E017-FF27-4FB5-8B81-5FAA03221E70}d:\\wowz\\gunzmos repack\\database\\database\\bin\\mysqld-nt.exe"= TCP:d:\wowz\gunzmos repack\database\database\bin\mysqld-nt.exe:mysqld-nt
"TCP Query User{2D82ECA9-9310-46F3-833F-EBC2401EE34C}d:\\wowz\\gunzmos repack\\server\\mangosd.exe"= UDP:d:\wowz\gunzmos repack\server\mangosd.exe:mangosd
"UDP Query User{B0251DD5-F127-484F-B867-4983E82D8BF7}d:\\wowz\\gunzmos repack\\server\\mangosd.exe"= TCP:d:\wowz\gunzmos repack\server\mangosd.exe:mangosd
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2007-05-07 210736]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2008-07-09 20496]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};\??\c:\program files\HP\QuickPlay\000.fcl [2008-05-27 14:33:55 41456]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2008-05-27 271760]
R3 AVerHybrid;AVerMedia Hybrid Tuner (NTSC/PAL/SECAM/DVB-T/FM);c:\windows\system32\drivers\averhbtv.sys [2008-05-27 305152]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-05-27 49664]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S2 QPSched;QuickPlay Task Scheduler (QTS);"c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2008-05-27 112016]
S3 GameConsoleService;GameConsoleService;"c:\program files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-05-06 165416]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
2008-11-20 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Nighty\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 12:02]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\CQsi213oerp\AppData\Roaming\Mozilla\Firefox\Profiles\7rccik98.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-21 12:50:16
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-21 12:54:16 - machine was rebooted [CQsi213oerp]
ComboFix-quarantined-files.txt 2008-11-21 09:54:02
Pre-Run: 110,083,276,800 bytes free
Post-Run: 109,962,014,720 bytes free
206 --- E O F --- 2008-11-14 23:25:10