
Brother's computer is infected again; MBAM doesn't work and the browser gets redirected


Havenw

This is probably a continuation of my last issue: http://www.malwarebytes.org/forums/index.php?showtopic=9690

I got that straightened out but had to go off for a week and didn't get a chance to do any of the protection stuff for my brother's computer.

I come back and he's got stuff on it again.

He can't go to websites like Malwarebytes or anything like that (it gets redirected).

Malwarebytes itself hangs when you start it (no indication that it's doing anything beyond the process being in the list). Spybot does the same thing.

So...he's got the nasty stuff on there.

HijackThis still works.

Something called ViewMgr.exe (which he believes is used to make his dual monitors work) crashes when you start windows.

Anyway, here's the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:08:07 PM, on 1/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\SysMonitor.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Razer\Lycosa\razerhid.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\drivers\svchost.exe

C:\Program Files\AIM6\aim6.exe

C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe

C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\Program Files\Razer\Lycosa\razertra.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acer Empowering Technology.lnk = ?

O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8007 bytes

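
Added example for the log above (written for this thread; it is not part of HijackThis or of the original posts): the Running processes list contains C:\WINDOWS\system32\drivers\svchost.exe, and the same file is launched by the HKCU\..\Run entry [sVCHOST.EXE]. The genuine svchost.exe lives in C:\WINDOWS\system32 and nowhere else, so a copy under the drivers directory is a name-impersonation giveaway that can be caught mechanically rather than by eyeballing 40 process lines. The script below scans a HijackThis log for a handful of core Windows binaries appearing outside their home directory, both in the process list and in O4 Run entries. The canonical-directory table (which assumes %SystemRoot% is C:\WINDOWS, as the paths in the log show), the function names, and the sample excerpt (lines copied from the first log above) are this example's own assumptions; ntpath is used so the script also runs on a non-Windows analysis box.

```python
"""Triage a HijackThis log: flag core Windows binaries that run, or are launched
from a Run key, outside the directory Windows installs them in.
Illustration written for this thread; not part of HijackThis or the thread."""
import ntpath
import re
from collections import namedtuple

# Binaries malware likes to impersonate by name, with the one directory each
# legitimately lives in on a default Windows XP install (assumed
# %SystemRoot% = C:\WINDOWS, as the process paths in the log show).
CANONICAL_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

Finding = namedtuple("Finding", "source path reason")
PROCESS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def first_exe(cmd):
    """Executable launched by a raw Run-key command line (quoted, with
    arguments, or a bare file name), or None if none can be found."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else None


def classify(path):
    """Reason string if `path` is an impersonation target in the wrong place, else None."""
    name = ntpath.basename(path).lower()
    canonical = CANONICAL_DIRS.get(name)
    if canonical is None:
        return None
    directory = ntpath.dirname(path).lower()
    if not directory:
        # A bare name is resolved through the search path at launch, so the log
        # alone cannot say which copy runs.
        return "unqualified %s, resolved via PATH at launch; confirm which copy runs" % name
    if directory == canonical:
        return None
    return "%s running from %s, expected %s" % (name, directory, canonical)


def triage(log_text):
    """Return Finding tuples for the Running processes list and O4 Run entries."""
    findings, in_process_list = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_process_list = True
            continue
        if in_process_list and PROCESS_PATH_RE.match(line):
            reason = classify(line)
            if reason:
                findings.append(Finding("process", line, reason))
            continue
        in_process_list = False  # first non-path line ends the process list
        m = O4_RE.match(line)
        if m:
            exe = first_exe(m.group("cmd"))
            reason = classify(exe) if exe else None
            if reason:
                source = "%s\\%s [%s]" % (m.group("hive"), m.group("key"), m.group("name"))
                findings.append(Finding(source, exe, reason))
    return findings


# Excerpt of the first HijackThis log posted in this thread, lines as posted.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\AIM6\aim6.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s -> %s" % (f.source, f.path, f.reason))
```

On the excerpt this reports the drivers\svchost.exe copy twice (once as a running process, once as the HKCU Run entry that restarts it at logon) and flags the bare RUNDLL32.EXE in the NVIDIA entry as something to confirm by hand, while the legitimate ctfmon.exe and Explorer.EXE entries stay quiet. The table is deliberately short; add the binaries you care about rather than trying to enumerate all of Windows.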

Hi there

Please note - During this fix we will be entering into safe mode. Please print out these instructions as your internet connection will not be available to you during this period. You may also copy and paste the fix into a text file and save it in an easily accessible location for reference.

Download SDFix by AndyManchesta and save it to your desktop.

alternate download.

Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix)

Reboot your computer in SAFE MODE.

To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.

Finally, copy and paste the contents of the results file in your next reply.

Now let's try scanning with MBAM once again...

Please update and generate a fresh MBAM log for me

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post the MBAM log back along with a fresh HJT log, and the log from SDFix


Ok. I ran SDFix in safe mode. It found and fixed some stuff. It rebooted the computer and ran again on reboot, then it made a report. It also made it possible to run MBAM again.

Here's the SDFix report:

SDFix: Version 1.240

Run by bwaters on Sun 01/18/2009 at 02:41 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\svchost.exe - Deleted

C:\WINDOWS\system32\TDSSlxwp.dll - Deleted

C:\WINDOWS\system32\TDSSosvd.dat - Deleted

C:\WINDOWS\system32\TDSStkdv.log - Deleted

Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll

Could Not Remove C:\WINDOWS\system32\TDSSnrsr.dll

Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll

Could Not Remove C:\WINDOWS\system32\TDSScfum.dll

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-18 15:27:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0

disk error: C:\Documents and Settings\bwaters\ntuser.dat, 0

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Steam\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\Steam\\steamapps\\14meggedyou\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\14meggedyou\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"

"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"

"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"C:\\WINDOWS\\ehome\\ehshell.exe"="C:\\WINDOWS\\ehome\\ehshell.exe:LocalSubNet:Enabled:Media Center"

"D:\\Steam.exe"="D:\\Steam.exe:*:Enabled:Steam Client"

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

"D:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"="D:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"

"D:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"="D:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe:*:Enabled:hl2"

"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

"D:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"="D:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe:*:Enabled:left4dead"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

Remaining Files :

C:\WINDOWS\system32\TDSSofxh.dll Found

C:\WINDOWS\system32\TDSSnrsr.dll Found

C:\WINDOWS\system32\TDSSriqp.dll Found

C:\WINDOWS\system32\TDSScfum.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 20 Nov 2004 26,112 A..H. --- "C:\WINDOWS\AcerDRV\InsD1211.exe"

Wed 16 Nov 2005 26,112 A..H. --- "C:\WINDOWS\AcerDRV\InsD1215.exe"

Mon 30 Aug 2004 44,032 A..H. --- "C:\WINDOWS\AcerDRV\rescan.exe"

Sat 20 Nov 2004 26,112 A..H. --- "C:\WINDOWS\system32\InsD1211.exe"

Wed 16 Nov 2005 26,112 A..H. --- "C:\WINDOWS\system32\InsD1215.exe"

Wed 6 Aug 2003 24,576 A..H. --- "C:\WINDOWS\system32\KCMDNIns.exe"

Thu 17 Nov 2005 24,576 A..HR --- "C:\WINDOWS\system32\Kill1211.exe"

Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIBUN4.dll"

Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK7.dll"

Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIFCD3.dll"

Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMP3.dll"

Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"

Thu 7 Aug 2003 24,576 A..H. --- "C:\WINDOWS\system32\reboot.exe"

Sat 20 Nov 2004 26,112 A..H. --- "C:\WINDOWS\system32\RemD1211.exe"

Wed 16 Nov 2005 26,112 A..H. --- "C:\WINDOWS\system32\RemD1215.exe"

Mon 30 Aug 2004 44,032 A..H. --- "C:\WINDOWS\system32\rescan.exe"

Mon 24 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 21 Aug 2007 1,977 ...HR --- "C:\Documents and Settings\bwaters\Application Data\SecuROM\UserData\securom_v7_01.bak"

Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\bwaters\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

I updated and ran MBAM. It found more things, deleted what it could and forced me to restart so it could delete 4 more things on reboot.

Here's the first MBAM report:

Malwarebytes' Anti-Malware 1.33

Database version: 1666

Windows 5.1.2600 Service Pack 3

1/18/2009 3:37:43 PM

mbam-log-2009-01-18 (15-37-43).txt

Scan type: Quick Scan

Objects scanned: 62915

Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\drivers\TDSSpqxt.sys (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\temp\TDSSfe26.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\temp\TDSSffbc.tmp (Trojan.TDSS) -> Delete on reboot.

C:\Documents and Settings\bwaters\Local Settings\Temp\TDSSa013.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

I did that and then ran MBAM again. It found and got rid of one more thing.

Here's the second MBAM report:

Malwarebytes' Anti-Malware 1.33

Database version: 1666

Windows 5.1.2600 Service Pack 3

1/18/2009 3:45:34 PM

mbam-log-2009-01-18 (15-45-34).txt

Scan type: Quick Scan

Objects scanned: 63015

Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\bwaters\Local Settings\Temp\TDSS9f0a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I restarted one more time.

Here's the current HijackThis log after the last restart:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:49:23 PM, on 1/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\SysMonitor.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Razer\Lycosa\razerhid.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM6\aim6.exe

C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe

C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Razer\Lycosa\razertra.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acer Empowering Technology.lnk = ?

O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8046 bytes

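
Added example for the SDFix report above (written for this thread; not part of SDFix or Windows): the "Authorized Application Key Export" is the Windows XP firewall exception list, and even after SDFix deleted C:\WINDOWS\system32\drivers\svchost.exe the list still carries %windir%\system32\drivers\svchost.exe with scope * (reachable from any remote address) in both the standard and the domain profile. Deleting the file does not touch the exception, and an exception that points into the drivers directory is a strong sign that something added itself rather than a user clicking "Unblock". The script below parses that .reg-style export (each value is path:scope:Enabled|Disabled:display name, with the path repeated as the value name, so it cannot simply be split on ":" because the path contains "C:") and flags exceptions whose program sits in a directory that never holds legitimate programs. The suspect-directory list, the %windir% expansion to C:\WINDOWS, the function names, and the sample excerpt (lines copied from the export above) are this example's own assumptions.

```python
"""Audit the Windows XP firewall exception list as exported from
HKLM\...\FirewallPolicy\<profile>\AuthorizedApplications\List (SDFix dumps it).
Illustration written for this thread; not part of SDFix or Windows."""
import re
from collections import namedtuple

FwEntry = namedtuple("FwEntry", "profile path scope enabled name")

WINDIR = r"C:\WINDOWS"  # assumed expansion of %windir% on this machine (the logs show C:\WINDOWS)

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
# .reg syntax: "name"="data"; backslashes inside the quotes are doubled
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Directories in which no legitimate program should ever be whitelisted
# (assumption): kernel driver store, temp folders, recycle bin.
SUSPECT_DIR_RE = re.compile(r"\\(drivers|temp|recycler)\\", re.I)


def unescape(s):
    """Undo the backslash doubling of .reg files."""
    return s.replace("\\\\", "\\")


def expand(path):
    """Expand %windir% (case-insensitively) to the assumed Windows directory."""
    return re.sub(r"%windir%", lambda _: WINDIR, path, flags=re.I)


def parse_export(text):
    """Parse the exported list(s) into FwEntry tuples, in file order."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            profile = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m or profile is None:
            continue
        key, data = unescape(m.group(1)), unescape(m.group(2))
        # data = <path>:<scope>:<Enabled|Disabled>:<display name>. The path is
        # the value name again and itself contains "C:", so strip it by length
        # instead of splitting the whole string on ":".
        if not data.lower().startswith(key.lower() + ":"):
            raise ValueError("unexpected value layout: " + line)
        scope, state, name = data[len(key) + 1:].split(":", 2)
        entries.append(FwEntry(profile, expand(key), scope, state.lower() == "enabled", name))
    return entries


def open_to_any_address(entries):
    """Enabled exceptions whose scope is '*' (any remote address, not just the local subnet)."""
    return [e for e in entries if e.enabled and e.scope == "*"]


def audit(entries):
    """Return (entry, reason) pairs for exceptions that deserve a second look."""
    findings = []
    for e in entries:
        if SUSPECT_DIR_RE.search(e.path):
            findings.append((e, "program whitelisted from a directory that holds no legitimate programs"))
    return findings


# Excerpt copied from the SDFix "Authorized Application Key Export" posted above.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\ehome\\ehshell.exe"="C:\\WINDOWS\\ehome\\ehshell.exe:LocalSubNet:Enabled:Media Center"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
'''

if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    print("%d exceptions, %d open to any address" % (len(entries), len(open_to_any_address(entries))))
    for e, why in audit(entries):
        print("[%s] %s (scope %s, '%s'): %s" % (e.profile, e.path, e.scope, e.name, why))
```

On the excerpt the only hits are the two drivers\svchost.exe exceptions, one per profile; the stale entries for games and IM clients are noise from the firewall's point of view but worth pruning, since every * entry accepts inbound connections from anywhere once that program (or something with its path) is running. The exception keys themselves are plain registry values and can be deleted once the file they point to is gone.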

Hi Havenw

Good work with the scans. In this next part I'm going to ask for a couple more deep scans, which will again produce reports for you to post.

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

** Ensure you install the recovery console

Also ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

----------------------------

Once done....

----------------------------

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it back in your next reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Post back with both logs in your next reply


Alright. Just ran ComboFix and GMER.

I ran ComboFix twice because the first time I apparently didn't have the recovery console installed (and whatever bad things that meant didn't happen, because the computer is still working).

ComboFix never said I didn't have the recovery console installed until I saw it wasn't installed in the logfile. Either I missed it saying that or whatever.

Anyway, here are the two ComboFix logs and the GMER log, which was run after both ComboFix runs.

ComboFix log 1

ComboFix 09-01-18.01 - bwaters 2009-01-18 16:09:59.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1632 [GMT -5:00]

Running from: c:\documents and settings\bwaters\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Mozilla Firefox\plugins\npclntax.dll

c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\_004961_.tmp.dll

c:\windows\system32\_004962_.tmp.dll

c:\windows\system32\_004963_.tmp.dll

c:\windows\system32\_004964_.tmp.dll

c:\windows\system32\_004971_.tmp.dll

c:\windows\system32\_004972_.tmp.dll

c:\windows\system32\_004973_.tmp.dll

c:\windows\system32\_004974_.tmp.dll

c:\windows\system32\_004976_.tmp.dll

c:\windows\system32\_004977_.tmp.dll

c:\windows\system32\_004980_.tmp.dll

c:\windows\system32\_004981_.tmp.dll

c:\windows\system32\_004983_.tmp.dll

c:\windows\system32\_004984_.tmp.dll

c:\windows\system32\_004985_.tmp.dll

c:\windows\system32\_004987_.tmp.dll

c:\windows\system32\_004989_.tmp.dll

c:\windows\system32\_004990_.tmp.dll

c:\windows\system32\_004991_.tmp.dll

c:\windows\system32\_004995_.tmp.dll

c:\windows\system32\_004996_.tmp.dll

c:\windows\system32\_004998_.tmp.dll

c:\windows\system32\_005001_.tmp.dll

c:\windows\system32\_005003_.tmp.dll

c:\windows\system32\_005004_.tmp.dll

c:\windows\system32\_005005_.tmp.dll

c:\windows\system32\_005006_.tmp.dll

c:\windows\system32\_005007_.tmp.dll

c:\windows\system32\_005010_.tmp.dll

c:\windows\system32\_005011_.tmp.dll

c:\windows\system32\_005012_.tmp.dll

c:\windows\system32\_005013_.tmp.dll

c:\windows\system32\_005014_.tmp.dll

c:\windows\system32\_005019_.tmp.dll

c:\windows\system32\_005021_.tmp.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))

.

2009-01-18 15:55 . 2009-01-18 15:55 <DIR> d-------- c:\program files\Norton Security Scan

2009-01-18 14:40 . 2009-01-18 14:40 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll

2009-01-18 14:33 . 2009-01-18 14:34 <DIR> d-------- c:\windows\ERUNT

2009-01-18 14:33 . 2009-01-18 15:27 <DIR> d-------- C:\SDFix

2009-01-18 03:41 . 2009-01-18 03:43 <DIR> d-------- c:\windows\system32\Adobe

2009-01-17 22:07 . 2009-01-17 22:07 202,040 --a------ c:\windows\system32\PnkBstrB.exe

2009-01-17 22:07 . 2009-01-17 22:07 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2009-01-17 22:07 . 2009-01-17 22:07 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2009-01-17 22:00 . 2009-01-17 22:01 <DIR> d-------- C:\PB

2009-01-16 23:53 . 2009-01-16 23:53 <DIR> d-------- c:\program files\compLexity Demo Player

2009-01-16 12:18 . 2009-01-18 09:31 51,369 --a------ c:\windows\Sysvxd.exe

2009-01-14 20:01 . 2009-01-14 20:01 <DIR> d-------- c:\program files\CEVO

2009-01-14 20:01 . 2007-03-13 20:19 1,017,545 --a------ c:\windows\system32\cpuz.exe

2009-01-14 20:01 . 2006-03-31 17:48 119,056 --a------ c:\windows\system32\reg_c3.exe

2009-01-14 20:01 . 2007-03-13 19:26 73,728 --a------ c:\windows\system32\pv_c3.exe

2009-01-12 14:13 . 2009-01-12 14:13 <DIR> d-------- c:\program files\MSECache

2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\windows\system32\AGEIA

2009-01-11 18:23 . 2009-01-11 18:25 <DIR> d-------- c:\windows\NV26082724.TMP

2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\program files\AGEIA Technologies

2009-01-11 18:23 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb

2009-01-11 16:41 . 2009-01-11 16:41 <DIR> d-------- c:\program files\Trend Micro

2009-01-11 15:05 . 2009-01-18 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\bwaters\Application Data\Malwarebytes

2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-11 15:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-11 15:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-26 00:08 . 2008-12-26 00:08 1,560,576 --a------ c:\windows\system32\nvcuda.dll

2008-12-26 00:08 . 2008-12-26 00:08 1,253,376 --a------ c:\windows\system32\NvPVEnc.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-18 20:55 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-18 17:42 --------- d-s---w c:\program files\Xfire

2009-01-18 17:40 --------- d-----w c:\program files\mIRC

2009-01-18 03:04 --------- d-----w c:\documents and settings\bwaters\Application Data\Xfire

2009-01-11 23:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-11 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-11 22:56 --------- d-----w c:\program files\Symantec

2009-01-11 22:56 --------- d-----w c:\program files\Norton 360

2009-01-11 20:02 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-11 20:02 --------- d-----w c:\program files\Google

2009-01-11 20:00 --------- d-----w c:\program files\Apple Software Update

2009-01-11 19:59 --------- d-----w c:\program files\Common Files\Apple

2009-01-02 20:29 --------- d-----w c:\documents and settings\bwaters\Application Data\LimeWire

2008-12-26 05:08 6,301,344 ----a-w c:\windows\system32\drivers\nv4_mini.sys

2008-12-21 22:49 --------- d-----w c:\program files\Diablo II

2008-12-17 16:06 --------- d-----w c:\program files\HLSW

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-28 00:18 --------- d-----w c:\program files\Nitto 1320 Legends

2008-04-18 02:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-02 18:37 1,388 ----a-w c:\documents and settings\bwaters\Application Data\ViewerApp.dat

2007-03-21 18:39 38,259 ----a-w c:\program files\uninstall.exe

2007-03-16 05:39 2,846,376 ----a-w c:\program files\fraps.exe

2007-03-16 05:37 110,592 ----a-w c:\program files\fraps.dll

2007-03-16 05:36 122,880 ----a-w c:\program files\frapslcd.dll

2006-12-22 04:55 56,832 ----a-w c:\program files\fraps64.dll

2006-12-22 04:55 293,376 ----a-w c:\program files\fraps64.dat

2006-12-21 12:43 11,366 ----a-w c:\program files\changes.txt

2006-12-19 12:59 1,860 ----a-w c:\program files\README.HTM

2008-09-21 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-18 49152]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2006-12-06 159744]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]

"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-29 45056]

Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk

backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk

backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk

backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk

backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk

backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]

Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-03-06 15:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2005-09-29 17:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

--a------ 2004-08-10 15:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-10 15:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

--a------ 2004-08-10 15:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]

--a------ 2005-05-11 19:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-04-03 15:48 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-09 12:00 1410296 D:\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-02 21:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2006-05-31 19:48 16208384 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-15 21:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

--a------ 2005-06-06 12:40 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LiveUpdate Notice Service"=2 (0x2)

"LiveUpdate Notice Ex"=2 (0x2)

"LiveUpdate"=3 (0x3)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"CLTNetCnService"=2 (0x2)

"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"d:\\Steam.exe"=

"d:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"d:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"d:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-07-22 21888]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-09-28 21920]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-31 24652]

S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-07-20 22144]

S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2006-12-30 19020]

S3 tcpip_patcher;tcpip_patcher;\??\c:\program files\Ares\tcpip_patcher.sys --> c:\program files\Ares\tcpip_patcher.sys [?]

S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [2006-12-30 162900]

S3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [2006-12-31 11596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dee647e-92fe-11dc-96cd-001921585e7b}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-01-18 c:\windows\Tasks\Norton Security Scan for bwaters.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

MSConfigStartUp-ares - c:\program files\Ares\Ares.exe

MSConfigStartUp-googletalk - c:\program files\Google\Google Talk\googletalk.exe

MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe

MSConfigStartUp-wclock - c:\documents and settings\bwaters\Application Data\Google\yfijv17721328.exe

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.us.acer.yahoo.com

uInternet Settings,ProxyOverride = *.local

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stub.ocx - O16 -: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C}

hxxp://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab

c:\windows\Downloaded Program Files\stub.inf

FF - ProfilePath - c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\

FF - component: c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-18 16:13:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1778062971-758770647-2713701779-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:38,f6,b7,95,0d,61,e5,69,3f,54,bd,ce,a2,57,ad,23,1e,07,95,c0,b0,b2,9d,

f8,b9,cd,4d,21,de,24,1d,1f,05,c8,5e,fe,bd,c8,f1,08,e8,85,b1,67,02,62,7a,03,\

"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\acer\Empowering Technology\ePerformance\MemCheck.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\ehome\RMSvc.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\dllhost.exe

c:\program files\Razer\Lycosa\razertra.exe

c:\windows\system32\wscntfy.exe

c:\program files\Razer\DeathAdder\razerofa.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2009-01-18 16:16:30 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-18 21:16:03

Pre-Run: 153,119,903,744 bytes free

Post-Run: 153,166,688,256 bytes free

355 --- E O F --- 2009-01-14 08:02:04

ComboFix log 2

ComboFix 09-01-18.01 - bwaters 2009-01-18 16:37:38.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1598 [GMT -5:00]

Running from: c:\documents and settings\bwaters\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))

.

2009-01-18 15:55 . 2009-01-18 15:55 <DIR> d-------- c:\program files\Norton Security Scan

2009-01-18 14:40 . 2009-01-18 14:40 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll

2009-01-18 14:33 . 2009-01-18 14:34 <DIR> d-------- c:\windows\ERUNT

2009-01-18 14:33 . 2009-01-18 15:27 <DIR> d-------- C:\SDFix

2009-01-18 03:41 . 2009-01-18 03:43 <DIR> d-------- c:\windows\system32\Adobe

2009-01-17 22:07 . 2009-01-17 22:07 202,040 --a------ c:\windows\system32\PnkBstrB.exe

2009-01-17 22:07 . 2009-01-17 22:07 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2009-01-17 22:07 . 2009-01-17 22:07 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2009-01-17 22:00 . 2009-01-17 22:01 <DIR> d-------- C:\PB

2009-01-16 23:53 . 2009-01-16 23:53 <DIR> d-------- c:\program files\compLexity Demo Player

2009-01-16 12:18 . 2009-01-18 09:31 51,369 --a------ c:\windows\Sysvxd.exe

2009-01-14 20:01 . 2009-01-14 20:01 <DIR> d-------- c:\program files\CEVO

2009-01-14 20:01 . 2007-03-13 20:19 1,017,545 --a------ c:\windows\system32\cpuz.exe

2009-01-14 20:01 . 2006-03-31 17:48 119,056 --a------ c:\windows\system32\reg_c3.exe

2009-01-14 20:01 . 2007-03-13 19:26 73,728 --a------ c:\windows\system32\pv_c3.exe

2009-01-12 14:13 . 2009-01-12 14:13 <DIR> d-------- c:\program files\MSECache

2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\windows\system32\AGEIA

2009-01-11 18:23 . 2009-01-11 18:25 <DIR> d-------- c:\windows\NV26082724.TMP

2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\program files\AGEIA Technologies

2009-01-11 18:23 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb

2009-01-11 16:41 . 2009-01-11 16:41 <DIR> d-------- c:\program files\Trend Micro

2009-01-11 15:05 . 2009-01-18 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\bwaters\Application Data\Malwarebytes

2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-11 15:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-11 15:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-26 00:08 . 2008-12-26 00:08 1,560,576 --a------ c:\windows\system32\nvcuda.dll

2008-12-26 00:08 . 2008-12-26 00:08 1,253,376 --a------ c:\windows\system32\NvPVEnc.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-18 20:55 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-18 17:42 --------- d-s---w c:\program files\Xfire

2009-01-18 17:40 --------- d-----w c:\program files\mIRC

2009-01-18 03:04 --------- d-----w c:\documents and settings\bwaters\Application Data\Xfire

2009-01-11 23:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-11 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-11 22:56 --------- d-----w c:\program files\Symantec

2009-01-11 22:56 --------- d-----w c:\program files\Norton 360

2009-01-11 20:02 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-11 20:02 --------- d-----w c:\program files\Google

2009-01-11 20:00 --------- d-----w c:\program files\Apple Software Update

2009-01-11 19:59 --------- d-----w c:\program files\Common Files\Apple

2009-01-02 20:29 --------- d-----w c:\documents and settings\bwaters\Application Data\LimeWire

2008-12-24 02:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

2008-12-21 22:49 --------- d-----w c:\program files\Diablo II

2008-12-17 16:06 --------- d-----w c:\program files\HLSW

2008-12-11 20:37 42,320 ----a-w c:\windows\system32\xfcodec.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-28 00:18 --------- d-----w c:\program files\Nitto 1320 Legends

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-04-18 02:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-02 18:37 1,388 ----a-w c:\documents and settings\bwaters\Application Data\ViewerApp.dat

2007-03-21 18:39 38,259 ----a-w c:\program files\uninstall.exe

2007-03-16 05:39 2,846,376 ----a-w c:\program files\fraps.exe

2007-03-16 05:37 110,592 ----a-w c:\program files\fraps.dll

2007-03-16 05:36 122,880 ----a-w c:\program files\frapslcd.dll

2006-12-22 04:55 56,832 ----a-w c:\program files\fraps64.dll

2006-12-22 04:55 293,376 ----a-w c:\program files\fraps64.dat

2006-12-21 12:43 11,366 ----a-w c:\program files\changes.txt

2006-12-19 12:59 1,860 ----a-w c:\program files\README.HTM

2008-09-21 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-18_16.15.15.79 )))))))))))))))))))))))))))))))))))))))))

.

+ 2001-07-14 22:32:24 69,632 ----a-w c:\windows\setupupd\temp\wsdueng.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-18 49152]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2006-12-06 159744]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]

"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-29 45056]

Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk

backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk

backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk

backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk

backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk

backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]

Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-03-06 15:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2005-09-29 17:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

--a------ 2004-08-10 15:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-10 15:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

--a------ 2004-08-10 15:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]

--a------ 2005-05-11 19:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-04-03 15:48 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-09 12:00 1410296 D:\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-02 21:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2006-05-31 19:48 16208384 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-15 21:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

--a------ 2005-06-06 12:40 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LiveUpdate Notice Service"=2 (0x2)

"LiveUpdate Notice Ex"=2 (0x2)

"LiveUpdate"=3 (0x3)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"CLTNetCnService"=2 (0x2)

"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"d:\\Steam.exe"=

"d:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"d:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"d:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-07-22 21888]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-09-28 21920]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-31 24652]

S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-07-20 22144]

S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2006-12-30 19020]

S3 tcpip_patcher;tcpip_patcher;\??\c:\program files\Ares\tcpip_patcher.sys --> c:\program files\Ares\tcpip_patcher.sys [?]

S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [2006-12-30 162900]

S3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [2006-12-31 11596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dee647e-92fe-11dc-96cd-001921585e7b}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-01-18 c:\windows\Tasks\Norton Security Scan for bwaters.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.us.acer.yahoo.com

uInternet Settings,ProxyOverride = *.local

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stub.ocx - O16 -: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C}

hxxp://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab

c:\windows\Downloaded Program Files\stub.inf

FF - ProfilePath - c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\

FF - component: c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-18 16:38:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1778062971-758770647-2713701779-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:38,f6,b7,95,0d,61,e5,69,3f,54,bd,ce,a2,57,ad,23,1e,07,95,c0,b0,b2,9d,

f8,b9,cd,4d,21,de,24,1d,1f,05,c8,5e,fe,bd,c8,f1,08,e8,85,b1,67,02,62,7a,03,\

"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74

.

Completion time: 2009-01-18 16:40:34

ComboFix-quarantined-files.txt 2009-01-18 21:39:59

ComboFix2.txt 2009-01-18 21:16:31

Pre-Run: 153,172,746,240 bytes free

Post-Run: 153,154,125,824 bytes free

288 --- E O F --- 2009-01-14 08:02:04

GMER

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-18 16:50:22

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]

SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]

SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]

SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]

SSDT sptd.sys ZwQueryKey [0xB9EC4418]

SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]

SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A7C51E8

AttachedDevice \FileSystem\Ntfs \Ntfs psdfilter.sys (PSD Filter Driver/HiTRUST)

Device \FileSystem\Fastfat \FatCdrom 8A42C2B8

Device \Driver\usbohci \Device\USBPDO-0 8A5BE790

Device \Driver\NetBT \Device\NetBT_Tcpip_{740880D2-C2C2-43C3-8A59-84596189BADD} 88F4B1E8

Device \Driver\usbehci \Device\USBPDO-1 8A5CC1E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7C71E8

Device \Driver\dmio \Device\DmControl\DmConfig 8A7C71E8

Device \Driver\dmio \Device\DmControl\DmPnP 8A7C71E8

Device \Driver\dmio \Device\DmControl\DmInfo 8A7C71E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7561E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7561E8

Device \Driver\Cdrom \Device\CdRom0 8A5141E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 8A7561E8

Device \Driver\NetBT \Device\NetBt_Wins_Export 88F4B1E8

Device \Driver\NetBT \Device\NetbiosSmb 88F4B1E8

Device \Driver\USBSTOR \Device\00000094 89CBB790

Device \Driver\USBSTOR \Device\00000095 89CBB790

Device \Driver\USBSTOR \Device\00000088 89CBB790

Device \Driver\USBSTOR \Device\00000096 89CBB790

Device \Driver\USBSTOR \Device\00000097 89CBB790

Device \Driver\usbohci \Device\USBFDO-0 8A5BE790

Device \Driver\usbehci \Device\USBFDO-1 8A5CC1E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88ECC1E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 88ECC1E8

Device \Driver\Ftdisk \Device\FtControl 8A7561E8

Device \FileSystem\Fastfat \Fat 8A42C2B8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat psdfilter.sys (PSD Filter Driver/HiTRUST)

Device \FileSystem\Cdfs \Cdfs 8A403790

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

---- EOF - GMER 1.0.14 ----

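An added example, not part of the thread and not GMER's own code. The SSDT lines in the GMER log above all name sptd.sys and all hook registry calls (ZwCreateKey, ZwOpenKey, ZwQueryValueKey and so on), and the Registry section of the same log ties the sptd service to C:\Program Files\Alcohol Soft\Alcohol 120\. sptd is the SCSI pass-through driver that Alcohol 120% and Daemon Tools install, and its registry hooks are a routine GMER finding on machines with either product. The script below performs that join automatically: it groups SSDT hooks by driver, records whether every hooked call is a registry API, and looks up any drive-letter path GMER reported under the matching Services key. SAMPLE_GMER is constructed from lines quoted in the log; the assumption that the service name equals the driver file name without .sys holds for sptd but not for every driver.

```python
"""Added example: attribute SSDT hooks in a GMER log to the service and product
that own them. Not GMER's code. SAMPLE_GMER is constructed from lines quoted in
the thread. Assumption: service name == driver file name minus '.sys'."""
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]$")
# Registry lines under Services\<svc>\... whose value is a drive-letter path
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\@]+)\S*\s+(.+)$")

SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs psdfilter.sys (PSD Filter Driver/HiTRUST)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
---- EOF - GMER 1.0.14 ----
"""


def attribute_hooks(log_text):
    """Return {driver: {service, functions, registry_only, paths}} per hooking driver."""
    hooks, paths = defaultdict(list), defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks[m.group(1).lower()].append((m.group(2), m.group(3)))
            continue
        m = REG_RE.match(line)
        if m and re.match(r"^[a-z]:\\", m.group(2), re.IGNORECASE):
            paths[m.group(1).lower()].append(m.group(2))
    report = {}
    for driver, hooked in hooks.items():
        service = driver[:-4] if driver.endswith(".sys") else driver
        report[driver] = {
            "service": service,
            "functions": [fn for fn, _ in hooked],
            # True when every hooked call is a registry API: the driver is
            # guarding its own config keys, not hiding processes or files
            "registry_only": all(fn.endswith("Key") for fn, _ in hooked),
            "paths": paths.get(service, []),
        }
    return report


if __name__ == "__main__":
    for driver, info in attribute_hooks(SAMPLE_GMER).items():
        print(driver, "->", info["service"], "hooks", ", ".join(info["functions"]))
        print("  registry-only:", info["registry_only"], " install path:", info["paths"])
```

A driver whose hooks include ZwQueryDirectoryFile or ZwQuerySystemInformation, or whose Services key resolves to no product you recognise, is the one to chase; a registry-only hook set that resolves to a known virtual-drive product is the one to note and move past.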

Hi there

Go to the Start menu, select Run, and in the command box type notepad.

Next - copy/paste the text in the code box below into it:

File::
c:\windows\system32\prunnet.exe

FileLook::
c:\windows\setupupd\temp\wsdueng.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"=-

- Save this to your desktop as CFScript.txt

- Drag the CFScript.txt over onto Combofix.exe and release.


Combofix will then execute the script and produce a fresh log.

Next......

Download and scan with CCleaner Slim

1. Double-click the file and install CCleaner.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:

  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.

5. A pop up box will appear advising this process will permanently delete files from your system.

6. Click "OK" and it will scan and clean your system.

7. Click "exit" when done.

Next......

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real-time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post back in your next reply with the log from ComboFix and the Kaspersky results.

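An added example that serves two passages above; it is not the helper's code and not part of ComboFix. The ComboFix log in the first post carries three things a triager wants pulled out automatically: the Security Center Monitoring keys with DisableMonitoring set to 1 (Windows told to stop reporting the state of the AV and firewall), a firewall AuthorizedApplications entry for %windir%\system32\drivers\svchost.exe (the genuine svchost.exe lives in %windir%\system32, so a copy under drivers is worth verifying), and the prunnet value parked under the Run- keys that the helper's CFScript removes. The script below walks the "[key]" / "name"=value layout of that section, reports those findings, and then drafts a CFScript in the File:: / Registry:: layout the helper used, scripting only the Run- entries exactly as the helper did for prunnet. SAMPLE_LOG is constructed from lines quoted in the thread, and CANONICAL_DIR is a deliberately short allow-list of XP system binaries (an assumption, not a complete table).

```python
"""Added example: triage a ComboFix 'Reg Loading Points' excerpt, draft a CFScript.
Not the helper's code and not part of ComboFix. SAMPLE_LOG is constructed from
lines quoted in the thread; CANONICAL_DIR is a short allow-list (assumption)."""
import re
from collections import namedtuple

# Directory under %windir% where the genuine XP binary lives.
CANONICAL_DIR = {"svchost.exe": "system32", "lsass.exe": "system32",
                 "services.exe": "system32", "winlogon.exe": "system32"}

Finding = namedtuple("Finding", "kind section name path note")

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"""

def normalize(path):
    """Strip quotes, collapse doubled backslashes, expand %windir%, lower-case."""
    p = path.strip().strip('"').replace("\\\\", "\\").lower()
    return p.replace("%windir%", r"c:\windows")

def check_location(section, name, path):
    """Flag a well-known system binary registered from the wrong directory."""
    m = re.match(r"c:\\windows\\(.*)$", normalize(path))
    if not m:
        return None
    parts = m.group(1).split("\\")
    base, parent = parts[-1], "\\".join(parts[:-1])
    expected = CANONICAL_DIR.get(base)
    if expected is None or parent == expected:
        return None
    return Finding("masquerade", section, name, path,
                   f"{base} belongs in %windir%\\{expected}, found in %windir%\\{parent}")

def triage(log_text):
    """Walk '[key]' and '"name"=value' lines; return findings in log order."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            section = key.group(1)
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if not val:
            continue
        name, rest = val.group(1), val.group(2).strip()
        sec = section.lower()
        if ("security center\\monitoring" in sec and name.lower() == "disablemonitoring"
                and rest.lower() == "dword:00000001"):
            findings.append(Finding("secctr_off", section, name, None,
                                    "Security Center told not to watch AV/firewall state"))
            continue
        quoted = re.match(r'^"([^"]*)"', rest)
        if quoted:
            path = quoted.group(1)      # Run-style line: "name"="path" [date size]
        elif rest == "":
            path = name                 # firewall list: the value name is the path
        else:
            continue
        hit = check_location(section, name, path)
        if hit:
            findings.append(hit)
        if sec.endswith("\\run-"):
            findings.append(Finding("run_minus", section, name, path,
                                    "autorun value parked under a Run- key"))
    return findings

def build_cfscript(files=(), registry_deletions=()):
    """File:: and Registry:: sections laid out as in the helper's script;
    Registry:: is REGEDIT4 syntax, so "value"=- deletes that value."""
    out = ["File::", *files, ""] if files else []
    if registry_deletions:
        out.append("Registry::")
        for key, value in registry_deletions:
            out += [f"[{key}]", f'"{value}"=-']
    return "\n".join(out).rstrip("\n") + "\n"

def cfscript_from(findings):
    """Script only Run- entries (delete file and value), as the helper did for
    prunnet. Location mismatches are reported for a person to verify, not scripted."""
    run_minus = [f for f in findings if f.kind == "run_minus"]
    return build_cfscript([f.path for f in run_minus],
                          [(f.section, f.name) for f in run_minus])

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<11} {f.path or f.section}: {f.note}")
    print(cfscript_from(found))
```

The masquerade check is deliberately kept out of the generated script: a system-named binary in the wrong directory should be hashed and looked up before anything deletes it, and the DisableMonitoring values are best reset after the AV product is confirmed working, not scripted blind.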

Alright. Kaspersky took over 2 hours but it's finally done.

I did all three things. Here's the combofix log.

ComboFix 09-01-19.01 - bwaters 2009-01-19 12:43:03.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1591 [GMT -5:00]

Running from: c:\documents and settings\bwaters\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\bwaters\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\system32\prunnet.exe

.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))

.

2009-01-18 16:41 . 2009-01-18 16:41 250 --a------ c:\windows\gmer.ini

2009-01-18 15:55 . 2009-01-18 18:00 <DIR> d-------- c:\program files\Norton Security Scan

2009-01-18 14:40 . 2009-01-18 14:40 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll

2009-01-18 14:33 . 2009-01-18 14:34 <DIR> d-------- c:\windows\ERUNT

2009-01-18 14:33 . 2009-01-18 15:27 <DIR> d-------- C:\SDFix

2009-01-18 03:41 . 2009-01-18 03:43 <DIR> d-------- c:\windows\system32\Adobe

2009-01-17 22:07 . 2009-01-17 22:07 202,040 --a------ c:\windows\system32\PnkBstrB.exe

2009-01-17 22:07 . 2009-01-17 22:07 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2009-01-17 22:07 . 2009-01-17 22:07 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2009-01-17 22:00 . 2009-01-17 22:01 <DIR> d-------- C:\PB

2009-01-16 23:53 . 2009-01-16 23:53 <DIR> d-------- c:\program files\compLexity Demo Player

2009-01-16 12:18 . 2009-01-18 09:31 51,369 --a------ c:\windows\Sysvxd.exe

2009-01-14 20:01 . 2009-01-14 20:01 <DIR> d-------- c:\program files\CEVO

2009-01-14 20:01 . 2007-03-13 20:19 1,017,545 --a------ c:\windows\system32\cpuz.exe

2009-01-14 20:01 . 2006-03-31 17:48 119,056 --a------ c:\windows\system32\reg_c3.exe

2009-01-14 20:01 . 2007-03-13 19:26 73,728 --a------ c:\windows\system32\pv_c3.exe

2009-01-12 14:13 . 2009-01-12 14:13 <DIR> d-------- c:\program files\MSECache

2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\windows\system32\AGEIA

2009-01-11 18:23 . 2009-01-11 18:25 <DIR> d-------- c:\windows\NV26082724.TMP

2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\program files\AGEIA Technologies

2009-01-11 18:23 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb

2009-01-11 16:41 . 2009-01-11 16:41 <DIR> d-------- c:\program files\Trend Micro

2009-01-11 15:05 . 2009-01-18 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\bwaters\Application Data\Malwarebytes

2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-11 15:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-11 15:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-26 00:08 . 2008-12-26 00:08 1,560,576 --a------ c:\windows\system32\nvcuda.dll

2008-12-26 00:08 . 2008-12-26 00:08 1,253,376 --a------ c:\windows\system32\NvPVEnc.ax

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-19 08:19 --------- d-----w c:\program files\mIRC

2009-01-18 23:03 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-18 17:42 --------- d-s---w c:\program files\Xfire

2009-01-18 03:04 --------- d-----w c:\documents and settings\bwaters\Application Data\Xfire

2009-01-11 23:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-11 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-11 22:56 --------- d-----w c:\program files\Symantec

2009-01-11 22:56 --------- d-----w c:\program files\Norton 360

2009-01-11 20:02 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-11 20:02 --------- d-----w c:\program files\Google

2009-01-11 20:00 --------- d-----w c:\program files\Apple Software Update

2009-01-11 19:59 --------- d-----w c:\program files\Common Files\Apple

2009-01-02 20:29 --------- d-----w c:\documents and settings\bwaters\Application Data\LimeWire

2008-12-24 02:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

2008-12-21 22:49 --------- d-----w c:\program files\Diablo II

2008-12-17 16:06 --------- d-----w c:\program files\HLSW

2008-12-11 20:37 42,320 ----a-w c:\windows\system32\xfcodec.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-28 00:18 --------- d-----w c:\program files\Nitto 1320 Legends

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-04-18 02:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-03-02 18:37 1,388 ----a-w c:\documents and settings\bwaters\Application Data\ViewerApp.dat

2007-03-21 18:39 38,259 ----a-w c:\program files\uninstall.exe

2007-03-16 05:39 2,846,376 ----a-w c:\program files\fraps.exe

2007-03-16 05:37 110,592 ----a-w c:\program files\fraps.dll

2007-03-16 05:36 122,880 ----a-w c:\program files\frapslcd.dll

2006-12-22 04:55 56,832 ----a-w c:\program files\fraps64.dll

2006-12-22 04:55 293,376 ----a-w c:\program files\fraps64.dat

2006-12-21 12:43 11,366 ----a-w c:\program files\changes.txt

2006-12-19 12:59 1,860 ----a-w c:\program files\README.HTM

2008-09-21 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- c:\windows\setupupd\temp\wsdueng.dll ----

Company: Microsoft Corporation

File Description: Windows Update Dynamic Update Engine

File Version: 5.4.2517.0 (main.010713-1717)

Product Name: Microsoft® Windows® Operating System

Copyright: © Microsoft Corporation. All rights reserved.

Original file name: wsdueng.dll

MD5: 3eb0f65bc9220b25f9234afe0e43df87

((((((((((((((((((((((((((((( snapshot@2009-01-18_16.15.15.79 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-01-18 21:41:43 884,736 ----a-w c:\windows\gmer.dll

+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe

+ 2001-07-14 22:32:24 69,632 ----a-w c:\windows\setupupd\temp\wsdueng.dll

+ 2009-01-18 21:41:43 85,969 ----a-w c:\windows\system32\drivers\gmer.sys

+ 2009-01-19 17:23:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_c30.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-18 49152]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2006-12-06 159744]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]

"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-29 45056]

Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk

backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk

backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk

backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk

backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk

backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]

Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-03-06 15:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2005-09-29 17:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

--a------ 2004-08-10 15:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-10 15:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

--a------ 2004-08-10 15:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]

--a------ 2005-05-11 19:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-04-03 15:48 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-09 12:00 1410296 D:\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-02 21:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2006-05-31 19:48 16208384 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-15 21:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

--a------ 2005-06-06 12:40 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LiveUpdate Notice Service"=2 (0x2)

"LiveUpdate Notice Ex"=2 (0x2)

"LiveUpdate"=3 (0x3)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"CLTNetCnService"=2 (0x2)

"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"d:\\Steam.exe"=

"d:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"d:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"d:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-07-22 21888]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-09-28 21920]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-31 24652]

S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-07-20 22144]

S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2006-12-30 19020]

S3 tcpip_patcher;tcpip_patcher;\??\c:\program files\Ares\tcpip_patcher.sys --> c:\program files\Ares\tcpip_patcher.sys [?]

S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [2006-12-30 162900]

S3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [2006-12-31 11596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dee647e-92fe-11dc-96cd-001921585e7b}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-01-19 c:\windows\Tasks\Norton Security Scan for bwaters.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.us.acer.yahoo.com

uInternet Settings,ProxyOverride = *.local

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab

FF - ProfilePath - c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\

FF - component: c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-19 12:45:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1778062971-758770647-2713701779-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:38,f6,b7,95,0d,61,e5,69,3f,54,bd,ce,a2,57,ad,23,1e,07,95,c0,b0,b2,9d,

f8,b9,cd,4d,21,de,24,1d,1f,05,c8,5e,fe,bd,c8,f1,08,e8,85,b1,67,02,62,7a,03,\

"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74

.

Completion time: 2009-01-19 12:46:46

ComboFix-quarantined-files.txt 2009-01-19 17:46:11

ComboFix2.txt 2009-01-18 21:16:31

Pre-Run: 152,861,212,672 bytes free

Post-Run: 152,889,839,616 bytes free

303 --- E O F --- 2009-01-14 08:02:04

Here's the Kaspersky report.

*KASPERSKY ONLINE SCANNER 7 REPORT*

Monday, January 19, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3

(build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Monday, January 19, 2009 17:10:23

Records in database: 1648886

*Scan settings*

Scan using the following database extended

Scan archives yes

Scan mail databases yes

*Scan area* My Computer

C:\

D:\

E:\

G:\

H:\

I:\

J:\

*Scan statistics*

Files scanned 121838

Threat name 8

Infected objects 12

Suspicious objects 0

Duration of the scan 02:06:37

*File name* *Threat name* *Threats count*

C:\Documents and Settings\bwaters\Desktop\trucks\DiabloHackPack.zip Infected: not-a-virus:AdWare.Win32.Maxifiles.ad 3

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

C:\Program Files\Xfire\downloads\goodgame_eswc_2005_us.rar Infected: IM-Flooder.Win32.VB.dn 2

C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Agent.bdfu 1

C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.blh 1

C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.asz 1

C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.atb 1

C:\SDFix\backups\catchme.zip Infected: Rootkit.Win32.TDSS.dbg 1

D:\downloads\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

* The selected area was scanned.*

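When reading the firewall "AuthorizedApplications\List" block in the ComboFix log above, the first thing a defender checks is where each allowed executable actually lives: Windows system binaries have well-known homes, and a familiar name in an unfamiliar directory is worth a closer look before it is trusted through the firewall. The script below is an added example, not code from the thread, from ComboFix or from Malwarebytes; it parses a constructed block in the same format as the log (doubled backslashes, %windir% placeholders) and flags system binary names that sit outside their expected directory. The expected-directory table, the %windir% value and the sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the ComboFix firewall block above
# (not copied from a real machine; values use doubled backslashes and
# %windir% exactly as the log format does).
SAMPLE_FIREWALL_BLOCK = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"d:\\Steam.exe"=
'''

# Where these Windows binaries are expected on a default XP install with
# %windir% = c:\windows (assumption for the example). Any other location
# does not prove malice, but it is the entry to inspect first.
EXPECTED_SYSTEM_DIRS: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# One authorized-application entry: a quoted path followed by '='.
ENTRY_RE = re.compile(r'^"(?P<path>[^"]+)"=')


def normalize(path: str, windir: str = r"c:\windows") -> str:
    """Collapse doubled backslashes, expand %windir%, lower-case for comparison."""
    path = path.replace("\\\\", "\\")
    path = path.replace("%windir%", windir)
    return path.lower()


def parse_authorized_apps(block: str) -> List[str]:
    """Return the normalized executable paths listed in the firewall block."""
    apps: List[str] = []
    for line in block.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            apps.append(normalize(m.group("path")))
    return apps


def check_locations(paths: List[str]) -> List[Tuple[str, str]]:
    """Flag system binary names found outside their expected directory.

    Returns (actual_path, expected_directory) pairs; unknown names are ignored.
    """
    findings: List[Tuple[str, str]] = []
    for p in paths:
        directory, _, name = p.rpartition("\\")
        expected = EXPECTED_SYSTEM_DIRS.get(name)
        if expected and directory not in expected:
            findings.append((p, sorted(expected)[0]))
    return findings


if __name__ == "__main__":
    apps = parse_authorized_apps(SAMPLE_FIREWALL_BLOCK)
    print(f"{len(apps)} authorized applications parsed")
    for actual, expected in check_locations(apps):
        print(f"INSPECT: {actual} (expected under {expected})")
```

The check is deliberately a location heuristic only: it does not decide that an entry is malicious, it tells the analyst which firewall exception to verify first (file hash, signature, and what process is actually using it).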

Hi there

Please download OTMoveIt3 by OldTimer.

Save it to your desktop.

Double-click on OTMoveIt3.exe

Using Notepad, copy the lines in the codebox below:

:Processes

explorer.exe

:Services

:Reg

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

:Files

c:\windows\system32\prunnet.exe

C:\Documents and Settings\bwaters\Desktop\trucks\DiabloHackPack.zip

C:\Program Files\Xfire\downloads\goodgame_eswc_2005_us.rar

C:\SDFix\backups\backups.zip

:Commands

[purity]

[emptytemp]

[start explorer]

[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar), and paste it in your next reply.

Close OTMoveIt3.

Post back the results and let me know how things are running now.


It seems to be running fine since a little bit ago (around the time we did ComboFix and stuff, I think).

How do you stop Windows from asking you to run the recovery console (say, unless you want to)? It keeps asking to choose between Windows XP and the recovery console on start up.

Here's the OTMoveIt log.

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\ deleted successfully.

========== FILES ==========

File/Folder c:\windows\system32\prunnet.exe not found.

C:\Documents and Settings\bwaters\Desktop\trucks\DiabloHackPack.zip moved successfully.

C:\Program Files\Xfire\downloads\goodgame_eswc_2005_us.rar moved successfully.

C:\SDFix\backups\backups.zip moved successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\bwaters\LOCALS~1\Temp\etilqs_QlaWe6TH6MON025OMrIT scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\bwaters\LOCALS~1\Temp\~DF6A82.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6ec.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01202009_083339

Files moved on Reboot...

File C:\DOCUME~1\bwaters\LOCALS~1\Temp\etilqs_QlaWe6TH6MON025OMrIT not found!

C:\DOCUME~1\bwaters\LOCALS~1\Temp\~DF6A82.tmp moved successfully.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

File C:\WINDOWS\temp\Perflib_Perfdata_6ec.dat not found!

C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\urlclassifier3.sqlite moved successfully.

C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\XUL.mfl moved successfully.


Hi there

Things are looking better.

How do you stop Windows from asking you to run the recovery console (say, unless you want to)?

The recovery console option should only show for 2 seconds. If you wish to delete the recovery console option, then we can run through the necessary steps to do so. Reply and let me know whether you wish to keep it or not.


Hi

Let's tidy up after ourselves.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - if you do not have automatic updates enabled, then

Visit Microsoft's Update Page and update your computer from there

Update your virus checker on a regular basis - it is no use having a virus checker with out-of-date definitions.

Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls, read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing

Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.

Use Spywareblaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).

Use an alternative browser

Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance

Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean. Free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - please note that this product can also be run for free without a licence, but the background protection will not be active.

Secure your router

Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing the bandwidth which you have rightly paid for.

I have included some security related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein

-> How to prevent Malware - By miekiemoes

-> I'm not pulling your leg, honest - By Sandi Hardmeier

Kindly respond one more time and let me know if we may consider this thread resolved.

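The Internet Explorer hardening steps in the post above are a GUI walk-through, and the only way to confirm later that the settings have stayed put (or were applied on a second machine) is to look at the Internet zone's registry values. The script below is an added example, not from the thread or from Malwarebytes; it audits a constructed `reg export` of the Internet zone (zone 3) against the post's recommendations. It assumes the standard Microsoft value-name mapping for these six settings (1001, 1004, 1201, 1800, 1804, 1607) and the action encoding 0 = Enable, 1 = Prompt, 3 = Disable; the sample export has three settings loosened on purpose so the audit reports them.

```python
import re
from typing import Dict, List, Tuple

# The six settings the post above asks you to change, keyed by the IE zone
# registry value name (assumption: standard Microsoft mapping), with the
# action the post recommends. 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample of a `reg export` of the Internet zone key (not taken
# from a real machine). 1001, 1201 and 1607 are set to Enable here so the
# audit has something to report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000001
"1607"=dword:00000000
'''

# One REG_DWORD line in .reg syntax: "name"=dword:XXXXXXXX
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone_dwords(reg_text: str, zone_suffix: str = r"\Zones\3]") -> Dict[str, int]:
    """Collect the DWORD values under the key whose path ends with zone_suffix."""
    values: Dict[str, int] = {}
    in_zone = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):           # a new key header; are we in zone 3?
            in_zone = line.endswith(zone_suffix)
            continue
        if not in_zone:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit(values: Dict[str, int]) -> List[Tuple[str, str, str, str]]:
    """Return (value_name, setting, current_action, recommended_action) for each deviation.

    A setting missing from the export is reported too, since the zone then
    falls back to whatever the template default is rather than the chosen value.
    """
    findings: List[Tuple[str, str, str, str]] = []
    for name, (label, want) in RECOMMENDED.items():
        have = values.get(name)
        if have != want:
            current = ACTION.get(have, f"unknown({have})")
            findings.append((name, label, current, ACTION[want]))
    return findings


if __name__ == "__main__":
    for name, label, current, wanted in audit(parse_zone_dwords(SAMPLE_REG)):
        print(f"{name} {label}: is {current}, recommended {wanted}")
```

On the machine itself the export would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`; the script only reads the resulting text, so it can be run from any workstation without touching the registry.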
