
SKYNET trojan problem - hjt log only MBAM freezes



Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:50:29, on 16/08/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18294)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?&.s...ntl=uk&rl=1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O1 - Hosts: ::1 localhost

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [bTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O13 - Gopher Prefix:

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 7233 bytes

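As an added, defender-side example (not part of this thread and not code from HijackThis or Malwarebytes): a small Python triage script that parses lines in the HJT entry format shown in the log above and lists the kinds of entries a helper reads first: repeated O10 Winsock LSP entries, O23 services with no recognised owner, O20 injection hooks, and O4 autoruns launching from user-writable folders. The sample lines, including the hypothetical `updater` autorun, are constructed for the example in the posted format, not copied from a live machine.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example, not part of the forum thread and not HijackThis code. It
parses the "Rn - ..." / "Onn - ..." entry format of the posted log and
applies a few defender-side heuristics. The heuristics only list items
for review; they do not decide that anything is malicious.
"""
import re
from collections import Counter, defaultdict

# HJT entries: an item code (R0..R3 or O1..O24), " - ", then the detail.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<detail>.+)$")

# Directories an unprivileged user can write to; an autorun pointing there
# deserves a second look (heuristic only, not proof of anything).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "%temp%", "\\programdata\\")

# Constructed sample in the posted format; the [updater] entry is hypothetical.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\Users\Example\AppData\Roaming\updater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\CLSched.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""


def parse_hjt(text):
    """Return a dict mapping item code (e.g. 'O23') to the list of its details."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("code")].append(m.group("detail"))
    return entries


def triage(entries):
    """Apply the heuristics and return a list of (severity, message) findings."""
    findings = []

    # O10: the same LSP DLL listed many times is normal for a layered
    # provider chain (one line per protocol), so report the count, not an alarm.
    lsp = Counter(d.split(":", 1)[-1].strip().lower() for d in entries.get("O10", []))
    for dll, n in lsp.items():
        findings.append(("info", f"Winsock LSP {dll} appears {n} time(s)"))

    # O23: services whose binary carries no recognised company name.
    for d in entries.get("O23", []):
        if "Unknown owner" in d:
            findings.append(("review", f"Unknown-owner service: {d}"))

    # O20: AppInit_DLLs and Winlogon Notify load into many processes;
    # legitimate AV uses them too, so list them rather than judge them.
    for d in entries.get("O20", []):
        findings.append(("review", f"Process-wide load hook registered: {d}"))

    # O4: autoruns whose image lives in a user-writable directory.
    for d in entries.get("O4", []):
        path = d.split("]", 1)[-1].strip().lower()
        if any(marker in path for marker in USER_WRITABLE):
            findings.append(("review", f"Autorun from user-writable path: {d}"))

    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run against a real HJT log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`; the "review" items are the ones to look up before deciding anything, and the O10 count is informational because a provider chain legitimately repeats the same DLL.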

Hello snodes and welcome to MalwareBytes forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member snodes only. If you are a casual viewer, do NOT try this on your system!

If you are not snodes and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

=

Go here and download RootRepeal to your Desktop.

Double-click to extract the compressed file to its own folder, and then right-click on RootRepeal.exe and choose "Run as Administrator".

Click on the Report tab and then click on Scan.

A window will open asking what to include in the scan. Check all of the below and then click Ok.

  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

When you have done this, please copy and paste it in this thread.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of Rootrepeal.txt;
  • the contents of OTL.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of the reply.


OTL logfile created on: 16/08/2009 20:05:01 - Run 1

OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\The Snowdons\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 31.66% Memory free

4.00 Gb Paging File | 2.70 Gb Available in Paging File | 67.40% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 465.76 Gb Total Space | 410.19 Gb Free Space | 88.07% Space Free | Partition Type: NTFS

Drive D: | 83.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: THESNOWDONS-PC

Current User Name: The Snowdons

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/09/18 00:55:00 | 00,196,608 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe

PRC - [2009/03/06 01:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2009/07/28 16:59:04 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

PRC - [2007/02/09 17:35:10 | 00,278,608 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

PRC - [2008/08/29 00:53:18 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe

PRC - [2007/02/09 09:35:54 | 00,262,247 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe

PRC - [2007/05/28 17:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

PRC - [2009/07/28 16:59:09 | 00,832,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgam.exe

PRC - [2009/07/28 16:59:10 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe

PRC - [2009/07/28 16:59:15 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

PRC - [2009/07/28 16:59:11 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe

PRC - [2009/07/28 16:59:14 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe

PRC - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

PRC - [2008/01/19 08:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe

PRC - [2007/02/09 17:35:12 | 00,110,677 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

PRC - [2008/10/29 07:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE

PRC - [2009/08/14 01:07:30 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe

PRC - [2007/06/18 09:39:10 | 00,061,440 | ---- | M] () -- C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

PRC - [2009/08/13 11:14:17 | 00,472,064 | ---- | M] ( ) -- C:\Users\The Snowdons\Desktop\RootRepeal.exe

PRC - [2009/07/28 16:59:14 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe

PRC - [2006/11/02 13:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe

PRC - [2008/01/19 08:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe

PRC - [2009/08/16 19:51:41 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\The Snowdons\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/06 01:04:30 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])

SRV - [2009/07/28 16:59:10 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])

SRV - [2009/07/28 16:59:04 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])

SRV - [2007/02/09 17:35:10 | 00,278,608 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])

SRV - [2008/07/27 19:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2007/02/09 17:35:12 | 00,110,677 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])

SRV - [2008/01/19 08:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Running])

SRV - [2006/11/02 13:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Running])

SRV - [2006/11/02 13:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])

SRV - [2008/01/19 08:36:53 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])

SRV - [2008/06/20 02:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

SRV - [2009/03/24 10:43:16 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])

SRV - [2008/06/20 02:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])

SRV - [2008/08/29 00:53:18 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService [Auto | Running])

SRV - [2008/06/20 02:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

SRV - [2008/09/18 00:55:00 | 00,196,608 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Running])

SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

SRV - [2007/02/09 09:35:54 | 00,262,247 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe -- (RichVideo [Auto | Running])

SRV - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService [Auto | Running])

SRV - [2007/05/28 17:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE [Auto | Running])

SRV - [2008/01/19 08:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])

SRV - [2008/01/19 08:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2007/01/25 19:42:50 | 02,831,232 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Windows\System32\DRIVERS\3xHybrid.sys -- (3xHybrid [On_Demand | Running])

DRV - [2006/11/02 10:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])

DRV - [2006/11/02 10:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])

DRV - [2006/11/02 10:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])

DRV - [2006/11/02 10:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])

DRV - [2006/11/02 10:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])

DRV - [2006/11/02 10:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide [Disabled | Stopped])

DRV - [2006/11/02 10:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc [Disabled | Stopped])

DRV - [2006/11/02 10:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])

DRV - [2009/07/28 16:59:15 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86 [system | Running])

DRV - [2009/07/28 16:59:15 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [system | Running])

DRV - [2009/04/24 09:24:55 | 00,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgrkx86.sys -- (AvgRkx86 [boot | Running])

DRV - [2009/04/24 09:24:47 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX [system | Running])

DRV - [2006/11/02 09:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo [On_Demand | Stopped])

DRV - [2006/11/02 09:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp [On_Demand | Stopped])

DRV - [2006/11/02 09:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid [Disabled | Stopped])

DRV - [2006/11/02 09:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm [Disabled | Stopped])

DRV - [2006/11/02 09:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm [Disabled | Stopped])

DRV - [2006/11/02 09:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer [On_Demand | Stopped])

DRV - [2006/11/02 10:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])

DRV - [2006/11/02 08:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])

DRV - [2006/11/02 10:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])

DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

DRV - [2006/11/02 10:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs [Disabled | Stopped])

DRV - [2006/11/02 10:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV [Disabled | Stopped])

DRV - [2006/11/02 10:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])

DRV - [2006/11/02 10:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])

DRV - [2006/11/02 10:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])

DRV - [2006/11/02 10:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])

DRV - [2006/11/02 10:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])

DRV - [2006/11/02 10:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])

DRV - [2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])

DRV - [2006/11/02 10:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas [Disabled | Stopped])

DRV - [2006/11/02 10:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x [Disabled | Stopped])

DRV - [2007/11/17 02:34:22 | 00,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50 [On_Demand | Stopped])

DRV - [2007/11/17 02:34:22 | 00,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50 [On_Demand | Stopped])

DRV - [2006/11/02 10:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])

DRV - [2006/11/02 08:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])

DRV - [2009/05/09 01:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\DRIVERS\NuidFltr.sys -- (NuidFltr [On_Demand | Running])

DRV - [2008/09/18 00:55:00 | 07,379,872 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\DRIVERS\nvlddmkm.sys -- (nvlddmkm [On_Demand | Running])

DRV - [2006/11/02 10:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])

DRV - [2006/11/02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor [Disabled | Stopped])

DRV - [2007/04/03 11:43:28 | 01,131,136 | ---- | M] (Philips Semiconductors GmbH) -- C:\Windows\System32\DRIVERS\Ph3xIB32.sys -- (Ph3xIB32 [On_Demand | Stopped])

DRV - [2004/04/27 00:31:04 | 00,474,304 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\DRIVERS\LVCD.sys -- (QCDonner [On_Demand | Stopped])

DRV - [2006/11/02 10:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])

DRV - [2006/11/02 10:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])

DRV - [2006/11/02 08:30:56 | 00,044,544 | ---- | M] (Realtek Corporation) -- C:\Windows\System32\DRIVERS\Rtlh86.sys -- (RTL8169 [On_Demand | Running])

DRV - [2009/08/05 16:06:28 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [system | Running])

DRV - [2009/08/05 16:06:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])

DRV - [2009/08/05 16:06:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [system | Running])

DRV - [2006/11/02 07:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])

DRV - [2006/11/02 10:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2 [Disabled | Stopped])

DRV - [2006/11/02 10:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])

DRV - [2009/04/14 15:41:49 | 00,717,296 | ---- | M] () -- C:\Windows\System32\Drivers\sptd.sys -- (sptd [boot | Running])

DRV - [2007/06/21 10:45:08 | 00,029,696 | ---- | M] (Service & Quality Technology.) -- C:\Windows\System32\Drivers\Capt913D.sys -- (SQTECH913D [On_Demand | Stopped])

DRV - [2006/11/02 10:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])

DRV - [2006/11/02 10:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])

DRV - [2006/11/02 10:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])

DRV - [2006/11/02 10:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])

DRV - [2006/11/02 10:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])

DRV - [2006/11/02 10:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])

DRV - [2009/03/06 00:59:00 | 00,036,864 | ---- | M] (Apple, Inc.) -- C:\Windows\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

DRV - [2006/11/02 10:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide [Disabled | Stopped])

DRV - [2006/11/02 10:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?&.s...ntl=uk&rl=1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/14 09:05:24 | 00,000,000 | ---D | M]

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKCU..\Run: [AlcoholAutomount] C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe (Alcohol Soft Development Team)

O4 - HKCU..\Run: [bTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/16 20:03:40 | 00,177,664 | ---- | C] () -- C:\Users\The Snowdons\Documents\snodes root repeal scan.doc

[2009/08/16 19:52:01 | 00,838,010 | ---- | C] () -- C:\Users\The Snowdons\Desktop\SecurityCheck.exe

[2009/08/16 19:51:31 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\The Snowdons\Desktop\OTL.exe

[2009/08/16 19:36:46 | 00,465,298 | ---- | C] () -- C:\Users\The Snowdons\Desktop\RootRepeal.rar

[2009/08/16 19:34:41 | 00,000,000 | ---- | C] () -- C:\Users\The Snowdons\Desktop\settings.dat

[2009/08/16 19:34:35 | 00,472,064 | ---- | C] ( ) -- C:\Users\The Snowdons\Desktop\RootRepeal.exe

[2009/08/16 18:50:07 | 00,001,874 | ---- | C] () -- C:\Users\The Snowdons\Desktop\HijackThis.lnk

[2009/08/16 18:50:06 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/08/16 18:42:35 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\The Snowdons\Desktop\mbam-setup.exe

[2009/08/16 17:15:41 | 01,718,504 | ---- | C] () -- C:\Users\The Snowdons\Documents\Resident Shield File.csv

[2009/08/14 09:06:32 | 01,256,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll

[2009/08/14 09:06:32 | 00,499,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\kerberos.dll

[2009/08/14 09:06:32 | 00,439,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecdd.sys

[2009/08/14 09:06:32 | 00,270,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel.dll

[2009/08/14 09:06:32 | 00,213,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msv1_0.dll

[2009/08/14 09:06:32 | 00,175,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wdigest.dll

[2009/08/14 09:06:32 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secur32.dll

[2009/08/14 09:06:32 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsass.exe

[2009/08/13 00:07:58 | 00,001,267 | ---- | C] () -- C:\Windows\wininit.ini

[2009/08/12 22:31:40 | 00,123,416 | ---- | C] () -- C:\MGlogs.zip

[2009/08/12 22:31:38 | 00,000,000 | ---D | C] -- C:\MGtools

[2009/08/12 22:29:25 | 00,000,000 | ---D | C] -- C:\Users\The Snowdons\AppData\Roaming\Malwarebytes

[2009/08/12 22:29:22 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/08/12 22:29:20 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/08/12 22:29:19 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/08/12 22:29:19 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2009/08/12 22:29:18 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/08/12 22:28:26 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com

[2009/08/12 22:28:16 | 00,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

[2009/08/12 22:28:15 | 00,000,000 | ---D | C] -- C:\Users\The Snowdons\AppData\Roaming\SUPERAntiSpyware.com

[2009/08/12 22:28:15 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2009/08/12 22:27:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2009/08/12 18:56:35 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\atl.dll

[2009/08/12 18:56:33 | 00,160,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wkssvc.dll

[2009/08/12 18:56:32 | 02,066,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstscax.dll

[2009/08/12 18:56:30 | 00,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll

[2009/08/12 18:56:26 | 10,626,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll

[2009/08/12 18:56:25 | 00,313,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpdxm.dll

[2009/08/12 18:56:25 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll

[2009/08/12 18:56:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx

[2009/08/12 18:56:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll

[2009/08/12 18:56:17 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL

[2009/08/12 18:56:17 | 00,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.tlb

[2009/08/12 18:56:17 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\amcompat.tlb

[2009/08/07 17:47:35 | 00,622,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardagt.exe

[2009/08/07 17:47:35 | 00,105,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll

[2009/08/07 17:47:35 | 00,097,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardapi.dll

[2009/08/07 17:47:35 | 00,043,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll

[2009/08/07 17:47:35 | 00,037,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardcpl.cpl

[2009/08/07 17:47:35 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardres.dll

[2009/08/07 17:47:34 | 00,781,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationNative_v0300.dll

[2009/08/07 17:47:33 | 00,326,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe

[2009/08/07 17:41:07 | 00,096,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dfshim.dll

[2009/08/07 17:41:06 | 00,282,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscoree.dll

[2009/08/07 17:41:05 | 00,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll

[2009/08/07 17:40:54 | 00,158,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscorier.dll

[2009/08/07 17:40:51 | 00,083,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscories.dll

[2009/07/29 16:52:59 | 03,583,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll

[2009/07/29 16:52:58 | 06,069,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll

[2009/07/29 16:52:58 | 00,146,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll

[2009/07/29 16:52:57 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll

[2009/07/29 16:52:57 | 00,827,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll

[2009/07/29 16:52:57 | 00,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll

[2009/07/29 16:52:57 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll

[2009/07/29 16:52:57 | 00,270,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll

[2009/07/29 16:52:56 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll

[2009/07/29 16:52:56 | 00,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec

[2009/07/29 16:52:56 | 00,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll

[2009/07/29 16:52:56 | 00,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll

[2009/07/29 16:52:56 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2009/07/29 16:52:56 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2009/07/29 16:52:55 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2009/06/24 15:39:39 | 00,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini

[2009/06/24 15:35:11 | 00,000,025 | ---- | C] () -- C:\Windows\CDE SX200DEFGIPS.ini

[2009/04/14 15:41:49 | 00,717,296 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys

[2009/02/12 17:35:29 | 00,003,072 | ---- | C] () -- C:\Windows\System32\34CoInstaller.dll

[2008/12/05 21:29:19 | 00,000,000 | ---- | C] () -- C:\Windows\PTWebCam.INI

[2008/03/04 18:17:58 | 00,001,265 | ---- | C] () -- C:\Windows\disney.ini

[2008/01/17 00:17:23 | 00,164,352 | ---- | C] () -- C:\Windows\System32\unrar.dll

[2008/01/17 00:17:20 | 01,559,040 | ---- | C] () -- C:\Windows\System32\xvidcore.dll

[2008/01/17 00:17:20 | 00,282,624 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll

[2008/01/17 00:17:19 | 03,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll

[2008/01/17 00:17:18 | 00,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2008/01/17 00:17:18 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest

[2008/01/16 21:09:55 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI

[2006/11/02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 11:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini

[2006/11/02 11:23:31 | 00,000,168 | ---- | C] () -- C:\Windows\win.ini

[2006/11/02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2004/03/26 10:56:40 | 00,017,191 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini

========== Files - Modified Within 30 Days ==========

[1 C:\Windows\*.tmp files]

[2009/08/16 20:03:41 | 00,177,664 | ---- | M] () -- C:\Users\The Snowdons\Documents\snodes root repeal scan.doc

[2009/08/16 19:52:13 | 00,838,010 | ---- | M] () -- C:\Users\The Snowdons\Desktop\SecurityCheck.exe

[2009/08/16 19:51:41 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\The Snowdons\Desktop\OTL.exe

[2009/08/16 19:48:21 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009/08/16 19:48:21 | 00,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009/08/16 19:48:21 | 00,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009/08/16 19:43:43 | 00,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job

[2009/08/16 19:41:19 | 00,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009/08/16 19:41:19 | 00,004,176 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009/08/16 19:41:17 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009/08/16 19:41:15 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009/08/16 19:38:04 | 03,934,607 | -H-- | M] () -- C:\Users\The Snowdons\AppData\Local\IconCache.db

[2009/08/16 19:36:55 | 00,465,298 | ---- | M] () -- C:\Users\The Snowdons\Desktop\RootRepeal.rar

[2009/08/16 19:34:41 | 00,000,000 | ---- | M] () -- C:\Users\The Snowdons\Desktop\settings.dat

[2009/08/16 18:50:07 | 00,001,874 | ---- | M] () -- C:\Users\The Snowdons\Desktop\HijackThis.lnk

[2009/08/16 18:43:36 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/08/16 18:42:53 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\The Snowdons\Desktop\mbam-setup.exe

[2009/08/16 17:38:46 | 39,893,964 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm

[2009/08/16 17:17:27 | 00,000,432 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{503AD6C4-E33D-4F0D-9A98-6601BC6AF1EF}.job

[2009/08/16 17:15:42 | 01,718,504 | ---- | M] () -- C:\Users\The Snowdons\Documents\Resident Shield File.csv

[2009/08/15 17:36:35 | 00,065,360 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg

[2009/08/14 23:28:42 | 00,001,267 | ---- | M] () -- C:\Windows\wininit.ini

[2009/08/13 20:36:41 | 00,001,085 | ---- | M] () -- C:\Users\The Snowdons\Desktop\Spybot - Search & Destroy.lnk

[2009/08/13 11:14:17 | 00,472,064 | ---- | M] ( ) -- C:\Users\The Snowdons\Desktop\RootRepeal.exe

[2009/08/12 22:35:43 | 00,123,416 | ---- | M] () -- C:\MGlogs.zip

[2009/08/12 22:28:16 | 00,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

[2009/08/11 22:35:59 | 00,007,592 | ---- | M] () -- C:\Users\The Snowdons\AppData\Local\d3d9caps.dat

[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/07/30 01:49:14 | 24,281,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe

[2009/07/28 16:59:15 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys

[2009/07/28 16:59:15 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys

[2009/07/28 16:59:15 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll

[2009/07/18 17:06:20 | 00,827,904 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll

[2009/07/18 17:06:05 | 01,166,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll

[2009/07/18 17:04:41 | 00,146,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\occache.dll

[2009/07/18 17:03:16 | 00,671,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll

[2009/07/18 17:02:53 | 03,583,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll

[2009/07/18 17:02:50 | 00,458,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll

[2009/07/18 17:02:05 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2009/07/18 17:01:49 | 06,069,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll

[2009/07/18 17:01:49 | 00,270,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll

[2009/07/18 17:01:48 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll

[2009/07/18 17:01:48 | 00,230,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll

[2009/07/18 17:01:48 | 00,078,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll

[2009/07/18 11:16:01 | 00,389,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec

[2009/07/18 10:46:14 | 00,026,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2009/07/18 10:45:19 | 01,383,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

========== LOP Check ==========

[2009/08/12 22:29:25 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming

[2008/04/30 18:07:00 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\BT

[2009/02/12 18:05:28 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\CyberLink

[2009/06/25 19:38:16 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\EPSON

[2009/03/02 14:23:42 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\GetRightToGo

[2009/08/14 01:12:53 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\LimeWire

[2006/11/02 13:37:34 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Media Center Programs

[2008/12/10 21:03:58 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Motive

[2008/12/23 11:13:38 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\OpenOffice.org

[2008/12/22 20:18:52 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\OpenOffice.org2

[2009/06/08 10:52:23 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Snapfish

[2009/07/03 20:31:46 | 00,000,000 | ---D | M] -- C:\Users\The Snowdons\AppData\Roaming\Spotify

[2009/08/16 19:43:43 | 00,000,868 | ---- | M] () -- C:\Windows\Tasks\Google Software Updater.job

[2009/08/16 19:41:17 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT

[2009/08/16 19:40:05 | 00,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2009/08/16 17:17:27 | 00,000,432 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{503AD6C4-E33D-4F0D-9A98-6601BC6AF1EF}.job

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: 16/08/2009 20:05:01 - Run 1

OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\The Snowdons\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 31.66% Memory free

4.00 Gb Paging File | 2.70 Gb Available in Paging File | 67.40% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 465.76 Gb Total Space | 410.19 Gb Free Space | 88.07% Space Free | Partition Type: NTFS

Drive D: | 83.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: THESNOWDONS-PC

Current User Name: The Snowdons

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"UacDisableNotify" = 0

"InternetSettingsDisableNotify" = 0

"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3188036164-2254565855-3087354152-1000]

"EnableNotifications" = 1

"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{1CEAF944-7E3A-47BD-8E1E-4D439FEBE76D}" = protocol=17 | dir=in | app=c:\program files\ea games\battlefield 2\bf2.exe |

"{219DB089-D827-4C65-9A15-1C86053AEDE5}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{21AC4FE9-076F-4558-8374-ED4C7A8A158E}" = protocol=17 | dir=in | app=c:\program files\spotify\spotify.exe |

"{25A547BA-99D5-4963-8937-D8D1A3A5AB75}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |

"{56CEA54E-4BA2-42AE-80C3-0CCB5D0F8AB0}" = protocol=17 | dir=in | app=c:\program files\electronic arts\battlefield 2142\bf2142.exe |

"{5EA0D9DA-E4F4-4A01-8A7C-2A430CAA1DBB}" = protocol=6 | dir=in | app=c:\program files\electronic arts\battlefield 2142\bf2142.exe |

"{6365E6D3-4AAC-4776-BE1B-ECD6BB8A6DB8}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |

"{68EDB13D-55FA-4FAD-BC20-11BDC8C44849}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{6F2D15E3-5642-42B2-9BD7-A1A0914E5F8D}" = protocol=6 | dir=in | app=c:\program files\ea games\battlefield 2\bf2.exe |

"{716C83A0-25CC-425C-BA04-2A2D737D448C}" = dir=in | app=c:\program files\cyberlink\powercinema\powercinema.exe |

"{71C7E107-E1CF-4265-B619-2DE95CD57826}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{721B0B3F-7746-4452-9A9E-CCB6F66AC7CC}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{8B5A8E22-05AB-4DC0-AABF-DE647AF9C6A8}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |

"{9798BBC5-E88C-465C-A38E-08B186510FC9}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{9813F34A-5025-447B-B7EE-3CDFD0974FE5}" = dir=in | app=c:\program files\cyberlink\powercinema\pcmservice.exe |

"{9BBE6F3C-38AB-443B-9D6B-D662D12B456E}" = dir=in | app=c:\program files\cyberlink\powercinema\kernel\dms\clmsservice.exe |

"{A9E9F58C-5E3E-4A1A-BFF4-A7347FEC42A2}" = dir=in | app=c:\program files\avg\avg8\avgnsx.exe |

"{AD407AA1-7ABB-4615-827A-0B38E4766EA2}" = dir=in | app=c:\program files\cyberlink\powercinema\kernel\dmp\clbrowserengine.exe |

"{B5A3D751-363D-4DBB-B401-EE420DAB0ECA}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |

"{E7EF44B8-3A81-4DF2-BBAF-D2097C2F01AE}" = protocol=6 | dir=in | app=c:\program files\spotify\spotify.exe |

"{F140A53D-01F0-4CC3-89C0-DED733A573E0}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{F49030BC-7E6A-4771-9328-DB2E2F9F8F6C}" = dir=in | app=c:\program files\avg\avg8\avgemc.exe |

"{FFF463A2-F558-40AE-A9AB-A59CE5B03199}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |

"TCP Query User{2F343A53-4F11-40C9-B34F-FA084B1D0B74}C:\program files\activision\call of duty 2\cod2mp_s.exe" = protocol=6 | dir=in | app=c:\program files\activision\call of duty 2\cod2mp_s.exe |

"TCP Query User{7CC2F55B-2B39-4C6F-997F-7EE3E9C145EC}C:\program files\real alternative\media player classic\mplayerc.exe" = protocol=6 | dir=in | app=c:\program files\real alternative\media player classic\mplayerc.exe |

"TCP Query User{DCE2FB4E-F9E6-4637-8D2E-B1127B2931FD}C:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe" = protocol=6 | dir=in | app=c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe |

"TCP Query User{DEB03E3A-EF24-4208-B8A1-25BDCA49867D}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

"TCP Query User{DEF038C6-43F8-4689-B85D-F1C3FB7C1836}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

"UDP Query User{2B0B04DC-3671-4EC4-BBDA-38C0EFDD3DE3}C:\program files\activision\call of duty 2\cod2mp_s.exe" = protocol=17 | dir=in | app=c:\program files\activision\call of duty 2\cod2mp_s.exe |

"UDP Query User{A56CE644-C614-4E8D-9BE9-C6F6BEDB10D4}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

"UDP Query User{AC179E22-99A3-4121-8BBA-1B1AF801D1A4}C:\program files\real alternative\media player classic\mplayerc.exe" = protocol=17 | dir=in | app=c:\program files\real alternative\media player classic\mplayerc.exe |

"UDP Query User{AD228BD7-82A8-4920-8D5E-4D1BBF4E747A}C:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe" = protocol=17 | dir=in | app=c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe |

"UDP Query User{E10CA6EE-A3E8-4150-B2B4-ACE5FBD870AC}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2

"{062BFFA1-0CCC-400B-B840-F162328D8C00}" = winLAME prerelease4

"{10631C28-62E5-477C-9B40-40C5EA8219BE}" = Black & White


Hi Maurice,

Only OTL would run - Rootrepeal froze when scanning and Security check wouldn't because an error message relating to the malware kept spooling. I took screen prints of where root repeal got to and the error message on Security check - root repeal one attached here and I'll see if I can get the size of the security check one down so that can be attached.

snodes_root_repeal_scan.doc


Howdy,

That was a handy screen capture you made. Let's see if we can quash just enough of the SKYNET rootkit so we can go forward.

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • RIGHT-click on avenger.exe and select Run As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\Windows\System32\drivers\SKYNETpfnobsxb.sys
    C:\Windows\System32\SKYNETitmhrfex.dat
    C:\Windows\System32\SKYNETriwdkeye.dll
    C:\Windows\System32\SKYNETvpjedeqn.dll
    C:\Windows\System32\SKYNETxpoiqjup.dat
    C:\Windows\Temp\ReadyBoot.etl

    Drivers to delete:
    SKYNETserv
    SKYNET
    SKYNETpfnobsxb.sys
    tdss
    tdssserv
    TDSSserv.SYS

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

RIGHT-click gmer.exe and select Run As Administrator. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

=

Reply with copy of C:\Avenger.txt

and the Gmer.txt


GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-08-17 22:29:36

Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

INT 0x52 ? 84C69F00

INT 0x62 ? 84C69F00

INT 0x72 ? 84C69F00

INT 0x82 ? 84C69F00

INT 0x82 ? 84C69F00

INT 0x82 ? 84C69F00

INT 0x82 ? 84C69F00

INT 0xA2 ? 83C5ABF8

INT 0xB2 ? 83C5ABF8

INT 0xB2 ? 83C5ABF8

INT 0xB2 ? 84C69F00

INT 0xB2 ? 83C5ABF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spls.sys The system cannot find the path specified. !

.text USBPORT.SYS!DllUnload 8813A46F 5 Bytes JMP 84C694E0

.text a9vh0ccg.SYS 881A3000 22 Bytes [26, E2, 1C, 82, 10, E1, 1C, ...]

.text a9vh0ccg.SYS 881A3017 78 Bytes [00, 32, 67, B9, 87, 3D, 65, ...]

.text a9vh0ccg.SYS 881A3066 66 Bytes [E1, 81, C8, 4B, E6, 81, 30, ...]

.text a9vh0ccg.SYS 881A30A9 35 Bytes [10, E6, 81, A0, 07, E6, 81, ...]

.text a9vh0ccg.SYS 881A30CE 10 Bytes [00, 00, 00, 00, 00, 00, 6D, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; INSD ; POPF ; SCASB ; DEC EAX}

.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [87A8D6D2] \SystemRoot\System32\Drivers\spls.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [87A8D040] \SystemRoot\System32\Drivers\spls.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [87A8D7FC] \SystemRoot\System32\Drivers\spls.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [87A8D0BE] \SystemRoot\System32\Drivers\spls.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [87A8D13C] \SystemRoot\System32\Drivers\spls.sys

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortNotification] 009E840F

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortWritePortUchar] 8B660000

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortWritePortUlong] 89662448

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 4D8BE84D

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 02C183E8

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetScatterGatherList] EA4D8966

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReadPortUchar] 0320488B

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortStallExecution] 08458DC8

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetParentBusType] 8D575750

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortRequestCallback] 6850F045

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortWritePortBufferUshort] B0020000

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 50E8458D

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortCompleteRequest] 8FBC35FF

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortMoveMemory] 4D89881C

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 45C757EC

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 000001F0

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] E5FEE800

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReadPortUshort] C73B0001

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C8A14675

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortInitialize] 6A881C8F

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortGetDeviceBase] 9A888D52

IAT \SystemRoot\System32\Drivers\a9vh0ccg.SYS[ataport.SYS!AtaPortDeviceStateChange] 83000000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A1E1F8

Device \Driver\volmgr \Device\VolMgrControl 83C5C1F8

Device \Driver\usbuhci \Device\USBPDO-0 84E3D1F8

Device \Driver\usbuhci \Device\USBPDO-1 84E3D1F8

Device \Driver\usbuhci \Device\USBPDO-2 84E3D1F8

Device \Driver\PCI_PNP1904 \Device\00000046 spls.sys

Device \Driver\usbuhci \Device\USBPDO-3 84E3D1F8

Device \Driver\USBSTOR \Device\00000061 84D1D1F8

Device \Driver\usbehci \Device\USBPDO-4 84D293A0

Device \Driver\USBSTOR \Device\00000062 84D1D1F8

Device \Driver\usbuhci \Device\USBPDO-5 84E3D1F8

Device \Driver\USBSTOR \Device\00000063 84D1D1F8

Device \Driver\usbuhci \Device\USBPDO-6 84E3D1F8

Device \Driver\volmgr \Device\HarddiskVolume1 83C5C1F8

Device \Driver\USBSTOR \Device\00000064 84D1D1F8

Device \Driver\usbehci \Device\USBPDO-7 84D293A0

Device \Driver\cdrom \Device\CdRom0 84DAC1F8

Device \Driver\volmgr \Device\HarddiskVolume2 83C5C1F8

Device \Driver\USBSTOR \Device\00000065 84D1D1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A1D1F8

Device \Driver\atapi \Device\Ide\IdePort0 84A1D1F8

Device \Driver\atapi \Device\Ide\IdePort1 84A1D1F8

Device \Driver\atapi \Device\Ide\IdePort2 84A1D1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 84A1D1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-1 84A1D1F8

Device \Driver\cdrom \Device\CdRom1 84DAC1F8

Device \Driver\volmgr \Device\HarddiskVolume3 83C5C1F8

Device \Driver\cdrom \Device\CdRom2 84DAC1F8

Device \Driver\volmgr \Device\HarddiskVolume4 83C5C1F8

Device \Driver\volmgr \Device\HarddiskVolume5 83C5C1F8

Device \Driver\volmgr \Device\HarddiskVolume6 83C5C1F8

Device \Driver\iScsiPrt \Device\RaidPort0 84DB21F8

Device \Driver\USBSTOR \Device\0000006a 84D1D1F8

Device \Driver\usbuhci \Device\USBFDO-0 84E3D1F8

Device \Driver\USBSTOR \Device\0000006c 84D1D1F8

Device \Driver\usbuhci \Device\USBFDO-1 84E3D1F8

Device \Driver\usbuhci \Device\USBFDO-2 84E3D1F8

Device \Driver\usbuhci \Device\USBFDO-3 84E3D1F8

Device \Driver\usbehci \Device\USBFDO-4 84D293A0

Device \Driver\sptd \Device\2960055654 spls.sys

Device \Driver\usbuhci \Device\USBFDO-5 84E3D1F8

Device \Driver\usbuhci \Device\USBFDO-6 84E3D1F8

Device \Driver\usbehci \Device\USBFDO-7 84D293A0

Device \Driver\a9vh0ccg \Device\Scsi\a9vh0ccg1 84DAD1F8

Device \Driver\a9vh0ccg \Device\Scsi\a9vh0ccg1Port4Path0Target0Lun0 84DAD1F8

Device \FileSystem\cdfs \Cdfs 8509B500

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\SKYNETpfnobsxb.sys (*** hidden *** ) [sYSTEM] SKYNETstglbkdq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@imagepath \systemroot\system32\drivers\SKYNETpfnobsxb.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main@aid 10002

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main@sid 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main@cmddelay 14400

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpfnobsxb.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETriwdkeye.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETlog.dat \systemroot\system32\SKYNETitmhrfex.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETvpjedeqn.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNET.dat \systemroot\system32\SKYNETxpoiqjup.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@start 1

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@type 1

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@group file system

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq@imagepath \systemroot\system32\drivers\SKYNETpfnobsxb.sys

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main@aid 10002

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main@sid 1

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\injector@* SKYNETwsp.dll

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpfnobsxb.sys

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETriwdkeye.dll

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETlog.dat \systemroot\system32\SKYNETitmhrfex.dat

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETvpjedeqn.dll

Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNET.dat \systemroot\system32\SKYNETxpoiqjup.dat

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...

---- EOF - GMER 1.0.15 ----


Thanks for your ongoing help Maurice.

As some supplementary info, the first time I rebooted after running Avenger I still had the same messages about Skynet coming up from Windows and my AVG resident shield. I then ran GMER, which had a blue screen error and crashed; my PC restarted and I chose safe mode, ran it again to get the above txt, and the SKYNET messages seem to have gone now I've rebooted normally.


You've done well. That is good information from the Gmer log and you recovered well.

I want to follow up with a bit more cleaning for this rootkit.

  • RIGHT-click on avenger.exe and select Run As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\Windows\system32\drivers\SKYNETpfnobsxb.sys
    C:\Windows\system32\SKYNETriwdkeye.dll
    C:\Windows\system32\SKYNETitmhrfex.dat
    C:\Windows\system32\SKYNETvpjedeqn.dll
    C:\Windows\system32\SKYNETxpoiqjup.dat
    C:\Windows\system32\SKYNETwsp.dll
    C:\Windows\System32\drivers\a285ucso.sys

    Drivers to delete:
    SKYNETstglbkdq
    a285ucso


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Next, a new run of Gmer

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

RIGHT-click gmer.exe and select Run As Administrator. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

=

Reply with copy of C:\Avenger.txt

and the Gmer.txt

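The second Avenger script above is what you get by reading the SKYNETstglbkdq service out of the GMER log instead of guessing names such as SKYNETserv or tdss, as the first script had to: GMER prints the hidden service, its image path and the modules@ table that maps each alias to the real file on disk. As an added example (not a tool from this thread, and not part of GMER or Avenger), the Python below parses those lines and emits the Files to delete / Drivers to delete sections. It assumes the line layouts shown in the GMER log above and that systemroot is C:\Windows; the sample log is constructed from the lines posted above. It deliberately follows only the hidden service's own keys, so the sptd entries (whose Cfg@p0 points at Alcohol 120%) are left alone, and it shows why the injector value SKYNETwsp.dll is an alias for SKYNETvpjedeqn.dll rather than a file of its own.

```python
r"""Derive an Avenger removal script from a GMER log.

Added example for this thread, not part of Avenger or GMER. Assumes the
"Service ... <-- ROOTKIT" and "Reg HKLM\SYSTEM\CurrentControlSet\..." line
layouts seen in the GMER log above, and that \systemroot is C:\Windows.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the lines of the GMER log posted above that matter here.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\SKYNETpfnobsxb.sys (*** hidden *** ) [sYSTEM] SKYNETstglbkdq <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq@imagepath \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpfnobsxb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETriwdkeye.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETlog.dat \systemroot\system32\SKYNETitmhrfex.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETvpjedeqn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETstglbkdq\modules@SKYNET.dat \systemroot\system32\SKYNETxpoiqjup.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETstglbkdq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpfnobsxb.sys
"""

# "Service <image> (*** hidden *** ) [<account>] <name> <-- ROOTKIT !!!"
HIDDEN_SERVICE = re.compile(
    r'^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+'
    r'(?P<name>\S+)\s+<-- ROOTKIT')
# "Reg HKLM\SYSTEM\CurrentControlSet\Services\<svc>[\<sub>...]@<value> <data>"
# Only the active ControlSet is matched; ControlSet008 lines are ignored.
REG_VALUE = re.compile(
    r'^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\@\s]+)'
    r'(?P<sub>(?:\\[^\\@\s]+)*)@(?P<value>\S+)\s+(?P<data>.*)$')

SYSTEMROOT = r'C:\Windows'  # assumption: matches the paths in the logs above


def parse_gmer(text: str) -> Dict[str, Any]:
    """Collect hidden services plus each service's module table and injector alias."""
    hidden: List[Tuple[str, str]] = []        # (service name, image path)
    modules: Dict[str, Dict[str, str]] = {}   # service -> {alias: path}
    injector: Dict[str, str] = {}             # service -> module alias
    for line in text.splitlines():
        m = HIDDEN_SERVICE.match(line)
        if m:
            hidden.append((m['name'], m['image']))
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        svc, sub, value, data = m['svc'], m['sub'].lower(), m['value'], m['data'].strip()
        if sub == r'\modules':
            modules.setdefault(svc, {})[value] = data
        elif sub == r'\main\injector':
            injector[svc] = data
    return {'hidden_services': hidden, 'modules': modules, 'injector': injector}


def expand_systemroot(path: str, systemroot: str = SYSTEMROOT) -> str:
    """Map the kernel-style systemroot prefix to the Win32 path Avenger expects."""
    prefix = '\\systemroot\\'
    if path.lower().startswith(prefix):
        return systemroot + '\\' + path[len(prefix):]
    return path


def resolve_injector(gmer: Dict[str, Any], service: str) -> str:
    """The injector value is a module alias (SKYNETwsp.dll), not a file name;
    look it up in the modules table to find the DLL actually on disk."""
    alias = gmer['injector'][service]
    return expand_systemroot(gmer['modules'][service][alias])


def build_avenger_script(gmer: Dict[str, Any]) -> str:
    """Files = the hidden driver plus every module path; drivers = the service name."""
    files: List[str] = []
    seen = set()

    def add(path: str) -> None:  # case-insensitive de-duplication, order kept
        if path.lower() not in seen:
            seen.add(path.lower())
            files.append(path)

    drivers: List[str] = []
    for name, image in gmer['hidden_services']:
        drivers.append(name)
        add(expand_systemroot(image))
        for path in gmer['modules'].get(name, {}).values():
            add(expand_systemroot(path))
    lines = ['Files to delete:', *files, '', 'Drivers to delete:', *drivers]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(build_avenger_script(parse_gmer(SAMPLE_GMER_LOG)))
```

Diff the generated script against the one you were given before pasting anything into Avenger: on this log the two agree except for entries that did not come from GMER at all.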

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\Windows\system32\drivers\SKYNETpfnobsxb.sys" deleted successfully.

File "C:\Windows\system32\SKYNETriwdkeye.dll" deleted successfully.

File "C:\Windows\system32\SKYNETitmhrfex.dat" deleted successfully.

File "C:\Windows\system32\SKYNETvpjedeqn.dll" deleted successfully.

File "C:\Windows\system32\SKYNETxpoiqjup.dat" deleted successfully.

Error: file "C:\Windows\system32\SKYNETwsp.dll" not found!

Deletion of file "C:\Windows\system32\SKYNETwsp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Windows\System32\drivers\a285ucso.sys" not found!

Deletion of file "C:\Windows\System32\drivers\a285ucso.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "SKYNETstglbkdq" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\a285ucso" not found!

Deletion of driver "a285ucso" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-08-18 19:16:05

Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

INT 0x52 ? 86025BF8

INT 0x62 ? 86025BF8

INT 0x62 ? 86025BF8

INT 0x62 ? 86025BF8

INT 0x62 ? 86025BF8

INT 0x82 ? 86025BF8

INT 0xA2 ? 8428DBF8

INT 0xA3 ? 86025BF8

INT 0xB2 ? 8428DBF8

INT 0xB2 ? 8428DBF8

INT 0xB2 ? 86025BF8

INT 0xB2 ? 8428DBF8

INT 0xB3 ? 86025BF8

---- Kernel code sections - GMER 1.0.15 ----

? system32\drivers\qtlt.sys The system cannot find the path specified. !

? System32\Drivers\spxq.sys The system cannot find the path specified. !

.text USBPORT.SYS!DllUnload 8814446F 5 Bytes JMP 860251D8

.text akvuxe3p.SYS 8CD75000 22 Bytes [26, E2, E0, 81, 10, E1, E0, ...]

.text akvuxe3p.SYS 8CD75017 67 Bytes [00, 32, 17, 7A, 80, 3D, 15, ...]

.text akvuxe3p.SYS 8CD7505B 77 Bytes [82, A9, E4, 02, 82, F0, C2, ...]

.text akvuxe3p.SYS 8CD750A9 35 Bytes CALL 759EF12F

.text akvuxe3p.SYS 8CD750CE 10 Bytes [00, 00, 00, 00, 00, 00, 6D, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; INSD ; POPF ; SCASB ; DEC EAX}

.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxIndirectParamW 76DCBD25 5 Bytes JMP 6D290696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxParamW 76DE1FD5 5 Bytes JMP 6D290620 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxParamA 76E080B2 5 Bytes JMP 6D29065B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!DialogBoxIndirectParamA 76E083DD 5 Bytes JMP 6D2906D1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxIndirectA 76E1D471 5 Bytes JMP 6D2905DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxIndirectW 76E1D56B 5 Bytes JMP 6D290598 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxExA 76E1D5D1 5 Bytes JMP 6D29055E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] USER32.dll!MessageBoxExW 76E1D5F5 5 Bytes JMP 6D290524 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3660] ole32.dll!OleLoadFromStream 760A9726 5 Bytes JMP 6D290893 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806986D2] \SystemRoot\System32\Drivers\spxq.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80698040] \SystemRoot\System32\Drivers\spxq.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806987FC] \SystemRoot\System32\Drivers\spxq.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806980BE] \SystemRoot\System32\Drivers\spxq.sys

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069813C] \SystemRoot\System32\Drivers\spxq.sys

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortNotification] 009E840F

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortWritePortUchar] 8B660000

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortWritePortUlong] 89662448

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 4D8BE84D

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 02C183E8

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetScatterGatherList] EA4D8966

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReadPortUchar] 0320488B

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortStallExecution] 08458DC8

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetParentBusType] [8D575750] \SystemRoot\system32\drivers\luafv.sys (LUA File Virtualization Filter Driver/Microsoft Corporation)

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortRequestCallback] 6850F045

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortWritePortBufferUshort] B0020000

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 50E8458D

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortCompleteRequest] AFBC35FF

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortMoveMemory] 4D898CD9

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 45C757EC

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 000001F0

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] E5FEE800

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReadPortUshort] C73B0001

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C8A14675

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortInitialize] 6A8CD9AF

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortGetDeviceBase] 9A888D52

IAT \SystemRoot\System32\Drivers\akvuxe3p.SYS[ataport.SYS!AtaPortDeviceStateChange] 83000000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84C1B1F8

Device \Driver\volmgr \Device\VolMgrControl 8428F1F8

Device \Driver\usbuhci \Device\USBPDO-0 85EDF1F8

Device \Driver\usbuhci \Device\USBPDO-1 85EDF1F8

Device \Driver\usbuhci \Device\USBPDO-2 85EDF1F8

Device \Driver\usbuhci \Device\USBPDO-3 85EDF1F8

Device \Driver\PCI_PNP9696 \Device\00000047 spxq.sys

Device \Driver\usbehci \Device\USBPDO-4 85EE01F8

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 85EDF1F8

Device \Driver\usbuhci \Device\USBPDO-6 85EDF1F8

Device \Driver\USBSTOR \Device\00000063 8647F1F8

Device \Driver\volmgr \Device\HarddiskVolume1 8428F1F8

Device \Driver\netbt \Device\NetBT_Tcpip_{7E145A8F-A9BB-460D-BBBF-60406E8A32F3} 864241F8

Device \Driver\USBSTOR \Device\00000064 8647F1F8

Device \Driver\usbehci \Device\USBPDO-7 85EE01F8

Device \Driver\volmgr \Device\HarddiskVolume2 8428F1F8

Device \Driver\cdrom \Device\CdRom0 8614C1F8

Device \Driver\USBSTOR \Device\00000065 8647F1F8

Device \Driver\volmgr \Device\HarddiskVolume3 8428F1F8

Device \Driver\cdrom \Device\CdRom1 8614C1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84C1A1F8

Device \Driver\atapi \Device\Ide\IdePort0 84C1A1F8

Device \Driver\atapi \Device\Ide\IdePort1 84C1A1F8

Device \Driver\atapi \Device\Ide\IdePort2 84C1A1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84C1A1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 84C1A1F8

Device \Driver\USBSTOR \Device\00000066 8647F1F8

Device \Driver\volmgr \Device\HarddiskVolume4 8428F1F8

Device \Driver\cdrom \Device\CdRom2 8614C1F8

Device \Driver\USBSTOR \Device\00000067 8647F1F8

Device \Driver\USBSTOR \Device\00000074 8647F1F8

Device \Driver\volmgr \Device\HarddiskVolume5 8428F1F8

Device \Driver\volmgr \Device\HarddiskVolume6 8428F1F8

Device \Driver\USBSTOR \Device\00000076 8647F1F8

Device \Driver\netbt \Device\NetBt_Wins_Export 864241F8

Device \Driver\Smb \Device\NetbiosSmb 864011F8

Device \Driver\iScsiPrt \Device\RaidPort0 85ECF1F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\sptd \Device\3328369696 spxq.sys

Device \Driver\usbuhci \Device\USBFDO-0 85EDF1F8

Device \Driver\usbuhci \Device\USBFDO-1 85EDF1F8

Device \Driver\usbuhci \Device\USBFDO-2 85EDF1F8

Device \Driver\usbuhci \Device\USBFDO-3 85EDF1F8

Device \Driver\usbehci \Device\USBFDO-4 85EE01F8

Device \Driver\usbuhci \Device\USBFDO-5 85EDF1F8

Device \Driver\usbuhci \Device\USBFDO-6 85EDF1F8

Device \Driver\usbehci \Device\USBFDO-7 85EE01F8

Device \Driver\akvuxe3p \Device\Scsi\akvuxe3p1Port4Path0Target0Lun0 85ECD1F8

Device \Driver\akvuxe3p \Device\Scsi\akvuxe3p1 85ECD1F8

Device \FileSystem\cdfs \Cdfs 847B41F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x03 0x7A 0x2A 0x1D ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x31 0xE8 0xE5 ...

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x10 0x4C 0xF9 0x01 ...

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x77 0xF6 0x4D 0x43 ...

---- EOF - GMER 1.0.15 ----

Hello, please go forward & run the following:

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not snodes and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

At the command-prompt window, type in the following to begin Combofix

C:\Users\The Snowdons\Desktop\Combo-Fix.exe

and press Enter key

  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once without asking me first.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

=

RE-Enable your AntiVirus and AntiSpyware applications.

I highly suggest you de-install LimeWire and any other filesharing peer-to-peer program.

Downloading from such apps very very often leads to malware infections.

The result from Combofix is very encouraging. The rootkit is past history.

We need to check your system thru MBAM and then a virus check.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Please download and SAVE Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
    Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator
    At the command-prompt window, type in the following to start Sysclean
    C:\DCE\sysclean.com
    and press ENTER
    and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Next, start HijackThis. Do a Scan and save log.

Reply with copy of the latest MBAM scan log

the Sysclean log

and the new HJT log

and tell me, How is your system now?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:18:43, on 29/08/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18294)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?&.s...ntl=uk&rl=1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O1 - Hosts: ::1 localhost

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [bTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 6324 bytes

Malwarebytes' Anti-Malware 1.40

Database version: 2712

Windows 6.0.6001 Service Pack 1

29/08/2009 13:17:52

mbam-log-2009-08-29 (13-17-52).txt

Scan type: Quick Scan

Objects scanned: 90770

Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-08-28, 19:48:33, Auto-clean mode specified.

2009-08-28, 19:48:33, Running scanner "C:\DCE\TSC.BIN"...

2009-08-28, 19:48:44, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-08-28, 19:48:44, TSC Log:

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=41698

Unless you have purchased Malwarebytes' Anti-Malware {MBAM}, you should un-install it.

De-install your Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.

The "/u" in the command line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

Enter (or Copy & Paste) the following in the command prompt window

c:\users\The Snowdons\Desktop\Combo-Fix.exe /u

and press ENTER key

Close /exit command prompt.

  • Please RIGHT-click OTL.exe and select Run as Administrator to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.

You are welcome. Stay safe.

I am closing this thread. If you run into a hitch, or need this re-opened, send me a PM.

For all casual viewers with similar issues, start your own New topic. The procedures used here are only for this system. Do NOT use them on any other.
