
Ispynow, Assorted Problems, and DNS Spam Bombing


20 replies to this topic

#1 Inane Cathode


  • Members
  • 22 posts

Posted 05 December 2008 - 10:26 PM

I was asked to post the HJT logs here; I'll also describe what problems I'm having. One day suddenly my computer shut itself off as if I had done Start > Shutdown on the machine. Ever since, I've been unable to connect to certain websites, either because of a 'failed connection' or Firefox will just close itself. Microsoft Live Messenger also shuts itself off if I try to use it. Malware, spyware, and antivirus programs are unable to update, but it seems like the internet connection is otherwise functional. Upon opening a browser window, a page pops up warning me that continuing without protection is dangerous and I should click a link leading to System Defender or something similar to that name. Additionally, even if my computer isn't connected to the network cable, a window from Windows pops up notifying me that a program called Spyware.Ispynow is trying to connect out of my computer; all of the buttons are grayed out, however, so I think Windows Firewall is disabled as well. I've also tried to use Windows Restore, but it's also disabled somehow: the "Next" button in one of the screens is not functional, and it appears all my backup dates have been deleted even though it's set to record restore points periodically. I've done all the malware scans that were asked of me by boopme, and he's asked that I post some logs here:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Ben Presley at 2008-12-05 20:12:19
Microsoft Windows XP Home Edition Service Pack 3
System drive F: has 76 GB (32%) free of 238 GB
Total RAM: 3327 MB (69% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"=F:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-16 590848]
"SunJavaUpdateSched"=F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Adobe Photo Downloader"=F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"NeroFilterCheck"=F:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"StartCCC"=F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"Ink Monitor"=F:\Program Files\EPSON\Ink Monitor\InkMonitor.exe [2002-05-29 258118]
"DigidesignMMERefresh"=F:\Program Files\Digidesign\Drivers\MMERefresh.exe [2005-10-25 61440]
"CTRegRun"=F:\WINDOWS\CTRegRun.EXE [1999-10-10 41984]
"Creative Launcher"=F:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe [2000-02-16 257536]
"Disc Detector"=F:\Program Files\Creative\ShareDLL\CtNotify.exe [1999-08-30 189952]
"AudioHQ"=F:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE [2000-05-11 205312]
"NvCplDaemon"=F:\WINDOWS\system32\NvCpl.dll [2008-04-11 13524992]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=F:\WINDOWS\system32\NvMcTray.dll [2008-04-11 86016]
"HitmanPro3"=F:\Program Files\Hitman Pro 3\hitmanpro3.exe [2008-11-30 4590200]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"googletalk"=F:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"Aim6"= []
"MsnMsgr"=F:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
"Steam"=f:\progra~1\valve\steam\steam.exe [2008-10-07 1410296]
"ctfmon.exe"=F:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"DAEMON Tools Lite"=F:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
EPSON Status Monitor 3 Environment Check 2.lnk - F:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

F:\Documents and Settings\Ben Presley\Start Menu\Programs\Startup
MagicDisc.lnk - F:\Program Files\MagicDisc\MagicDisc.exe
PowerReg SchedulerV2.exe
Trillian.lnk - F:\Program Files\Trillian\trillian.exe
Ubisoft register.lnk - F:\Program Files\Ubisoft\Register\schedule.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
F:\WINDOWS\system32\Ati2evxx.dll [2008-09-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
F:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=5F000000
""=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\Program Files\Messenger\msmsgs.exe"="F:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\Program Files\mIRC\mirc.exe"="F:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"F:\Program Files\EA GAMES\MOHAA\MOHAA.exe"="F:\Program Files\EA GAMES\MOHAA\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"F:\StubInstaller.exe"="F:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"F:\Program Files\LimeWire\LimeWire.exe"="F:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"F:\Program Files\Google\Google Talk\googletalk.exe"="F:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"F:\Program Files\Common Files\AOL\Loader\aolload.exe"="F:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"F:\Program Files\Common Files\AOL\1139795904\ee\aolsoftware.exe"="F:\Program Files\Common Files\AOL\1139795904\ee\aolsoftware.exe:*:Enabled:AOL Services"
"F:\Program Files\Common Files\AOL\1139795904\ee\aim6.exe"="F:\Program Files\Common Files\AOL\1139795904\ee\aim6.exe:*:Enabled:AIM"
"F:\Program Files\Yahoo!\Messenger\YPager.exe"="F:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"F:\Program Files\Yahoo!\Messenger\YServer.exe"="F:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"F:\Program Files\ABC\abc.exe"="F:\Program Files\ABC\abc.exe:*:Enabled:abc"
"F:\Documents and Settings\Ben Presley\Desktop\utorrent.exe"="F:\Documents and Settings\Ben Presley\Desktop\utorrent.exe:*:Enabled:µTorrent"
"F:\Program Files\Valve\Steam\SteamApps\inanecathode\counter-strike source\hl2.exe"="F:\Program Files\Valve\Steam\SteamApps\inanecathode\counter-strike source\hl2.exe:*:Enabled:hl2"
"F:\Program Files\Valve\Steam\SteamApps\inanecathode\half-life 2\hl2.exe"="F:\Program Files\Valve\Steam\SteamApps\inanecathode\half-life 2\hl2.exe:*:Enabled:hl2"
"F:\Program Files\Mozilla Firefox\firefox.exe"="F:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"F:\Program Files\Warcraft III\Warcraft III.exe"="F:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"F:\UnrealTournament\System\UnrealTournament.exe"="F:\UnrealTournament\System\UnrealTournament.exe:*:Enabled:UnrealTournament"
"F:\Program Files\Valve\Steam\SteamApps\inanecathode\garrysmod\hl2.exe"="F:\Program Files\Valve\Steam\SteamApps\inanecathode\garrysmod\hl2.exe:*:Enabled:hl2"
"F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\Program Files\Grisoft\AVG7\avginet.exe"="F:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"F:\Program Files\Grisoft\AVG7\avgcc.exe"="F:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"F:\Program Files\Grisoft\AVG7\avgemc.exe"="F:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"F:\Program Files\Grisoft\AVG7\avgamsvr.exe"="F:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"F:\Program Files\AIM6\aim6.exe"="F:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"F:\Program Files\Valve\Steam\steam.exe"="F:\Program Files\Valve\Steam\steam.exe:*:Enabled:Steam"
"F:\Program Files\CCP\EVE\bin\ExeFile.exe"="F:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile"
"F:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="F:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"F:\Documents and Settings\Ben Presley\Desktop\WWP\Worms World Party\WWP\wwp.exe"="F:\Documents and Settings\Ben Presley\Desktop\WWP\Worms World Party\WWP\wwp.exe:*:Enabled:Worms World Party"
"F:\Program Files\Ubisoft\XIII\system\XIII.exe"="F:\Program Files\Ubisoft\XIII\system\XIII.exe:*:Disabled:XIII"
"F:\WINDOWS\system32\dplaysvr.exe"="F:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\CAVEDOG\TOTALA\TotalA.exe"="C:\CAVEDOG\TOTALA\TotalA.exe:*:Enabled:Total Annihilation"
"F:\Program Files\Trillian\trillian.exe"="F:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\Ben Presley\Desktop\freespace2\FS2\FS2.exe"="C:\Documents and Settings\Ben Presley\Desktop\freespace2\FS2\FS2.exe:*:Enabled:FreeSpace"
"F:\Program Files\NCH Swift Sound\Talk\talk.exe"="F:\Program Files\NCH Swift Sound\Talk\talk.exe:*:Enabled:Express Talk"
"F:\WINDOWS\system32\dpvsetup.exe"="F:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"F:\WINDOWS\system32\rundll32.exe"="F:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"F:\Documents and Settings\Ben Presley\My Documents\Downloads\AOE II\empires2.EXE"="F:\Documents and Settings\Ben Presley\My Documents\Downloads\AOE II\empires2.EXE:*:Disabled:Age of Empires II"
"F:\Documents and Settings\Ben Presley\My Documents\Downloads\AOE II\age2_x1.exe"="F:\Documents and Settings\Ben Presley\My Documents\Downloads\AOE II\age2_x1.exe:*:Disabled:Age of Empires II Expansion"
"F:\Program Files\MSN Messenger\msnmsgr.exe"="F:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\Program Files\MSN Messenger\livecall.exe"="F:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe"="F:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:*:Enabled:Crysis_32"
"F:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe"="F:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"F:\CAVEDOG\TOTALA\totala.exe"="F:\CAVEDOG\TOTALA\totala.exe:*:Enabled:Total Annihilation"
"F:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe"="F:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™"
"F:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe"="F:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™"
"F:\WINDOWS\system32\drivers\svchost.exe"="F:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"
"F:\WINDOWS\explorer.exe"="F:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Program Files\MSN Messenger\msnmsgr.exe"="F:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\Program Files\MSN Messenger\livecall.exe"="F:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-12-05 20:12:19 ----D---- F:\rsit
2008-12-05 20:12:19 ----D---- F:\Program Files\trend micro
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\WS2Fix.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\VCCLSID.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\VACFix.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\swxcacls.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\swsc.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\swreg.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\SrchSTS.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\Process.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\o4Patch.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\IEDFix.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\IEDFix.C.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\dumphive.exe
2008-12-05 18:38:10 ----A---- F:\WINDOWS\system32\404Fix.exe
2008-12-04 05:11:31 ----A---- F:\WINDOWS\system32\tmp.txt
2008-12-04 05:11:20 ----A---- F:\rapport.txt
2008-12-02 05:48:22 ----D---- F:\Documents and Settings\Ben Presley\Application Data\WinRAR
2008-12-02 05:23:01 ----D---- F:\WINDOWS\ERUNT
2008-12-02 05:18:03 ----D---- F:\SDFix
2008-11-30 21:15:44 ----D---- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-30 21:14:54 ----D---- F:\Program Files\SUPERAntiSpyware
2008-11-30 21:14:54 ----D---- F:\Documents and Settings\Ben Presley\Application Data\SUPERAntiSpyware.com
2008-11-30 19:40:46 ----D---- F:\Documents and Settings\Ben Presley\Application Data\Malwarebytes
2008-11-30 19:35:50 ----D---- F:\Avenger
2008-11-30 19:35:50 ----A---- F:\avenger.txt
2008-11-30 18:18:08 ----D---- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-30 18:07:50 ----D---- F:\Program Files\Malwarebytes' Anti-Malware
2008-11-30 18:04:10 ----A---- F:\xxxputes.exe
2008-11-30 17:13:04 ----D---- F:\Documents and Settings\All Users\Application Data\Hitman Pro
2008-11-30 17:12:53 ----D---- F:\Program Files\Hitman Pro 3
2008-11-30 15:46:09 ----D---- F:\Program Files\Lavasoft
2008-11-26 21:06:03 ----D---- F:\Documents and Settings\Ben Presley\Application Data\gtk-2.0
2008-11-15 17:40:56 ----D---- F:\CAVEDOG
2008-11-14 03:01:07 ----HDC---- F:\WINDOWS\$NtUninstallKB957097$
2008-11-14 03:01:02 ----HDC---- F:\WINDOWS\$NtUninstallKB954459$
2008-11-14 03:00:55 ----HDC---- F:\WINDOWS\$NtUninstallKB955069$
2008-11-09 10:29:00 ----RHD---- F:\Documents and Settings\Ben Presley\Application Data\SecuROM
2008-11-09 10:28:59 ----A---- F:\WINDOWS\system32\CmdLineExt.dll

======List of files/folders modified in the last 1 months======

2008-12-05 20:12:19 ----RD---- F:\Program Files
2008-12-05 20:11:20 ----D---- F:\Program Files\Mozilla Firefox
2008-12-05 18:45:27 ----D---- F:\WINDOWS\Prefetch
2008-12-05 18:38:10 ----D---- F:\WINDOWS\system32
2008-12-05 18:34:50 ----A---- F:\WINDOWS\NeroDigital.ini
2008-12-05 08:52:22 ----D---- F:\WINDOWS\Temp
2008-12-04 05:10:28 ----D---- F:\WINDOWS\system32\CatRoot2
2008-12-04 05:04:53 ----D---- F:\WINDOWS\system32\drivers
2008-12-04 05:04:11 ----A---- F:\WINDOWS\system32\PerfStringBackup.INI
2008-12-03 05:01:53 ----A---- F:\WINDOWS\SchedLgU.Txt
2008-12-02 08:52:29 ----RHD---- F:\$VAULT$.AVG
2008-12-02 05:28:32 ----RSHDC---- F:\WINDOWS\system32\dllcache
2008-12-02 05:28:32 ----A---- F:\WINDOWS\ntbtlog.txt
2008-12-02 05:23:01 ----D---- F:\WINDOWS
2008-11-30 21:14:56 ----SHD---- F:\WINDOWS\Installer
2008-11-30 21:14:42 ----D---- F:\Program Files\Common Files\Wise Installation Wizard
2008-11-30 20:56:29 ----D---- F:\Program Files\Trillian
2008-11-30 18:17:30 ----SHD---- F:\RECYCLER
2008-11-30 15:45:40 ----SD---- F:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-30 15:45:40 ----D---- F:\Documents and Settings\Ben Presley\Application Data\Lavasoft
2008-11-30 15:10:52 ----D---- F:\Documents and Settings\Ben Presley\Application Data\AVG7
2008-11-30 15:04:47 ----D---- F:\Documents and Settings\Ben Presley\Application Data\Google
2008-11-30 14:58:53 ----A---- F:\WINDOWS\system32\termsrv.dll
2008-11-30 14:58:52 ----A---- F:\WINDOWS\system32\winlogon.exe
2008-11-28 04:56:22 ----D---- F:\WINDOWS\system32\config
2008-11-27 22:26:45 ----D---- F:\WINDOWS\system
2008-11-26 21:04:43 ----D---- F:\Program Files\GIMP-2.0
2008-11-23 09:52:55 ----HD---- F:\WINDOWS\inf
2008-11-23 09:52:55 ----D---- F:\WINDOWS\Help
2008-11-22 16:34:43 ----HD---- F:\Program Files\InstallShield Installation Information
2008-11-22 16:04:08 ----D---- F:\Program Files\Activision
2008-11-16 09:52:03 ----D---- F:\Documents and Settings\Ben Presley\Application Data\uTorrent
2008-11-14 03:01:06 ----HD---- F:\WINDOWS\$hf_mig$
2008-11-14 03:01:05 ----A---- F:\WINDOWS\imsins.BAK
2008-11-14 03:00:20 ----D---- F:\WINDOWS\WinSxS
2008-11-09 10:27:28 ----D---- F:\WINDOWS\system32\DirectX
2008-11-09 10:15:47 ----D---- F:\Program Files\Electronic Arts
2008-11-07 16:44:17 ----D---- F:\WINDOWS\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7Core;AVG7 Kernel; F:\WINDOWS\System32\Drivers\avg7core.sys [2007-10-23 821856]
R1 Avg7RsW;AVG7 Wrap Driver; F:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-03-24 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; F:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-03-24 27776]
R1 AvgClean;AVG7 Clean Driver; F:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-21 10760]
R1 mbmiodrvr;mbmiodrvr; \??\F:\WINDOWS\system32\mbmiodrvr.sys []
R1 SASDIFSV;SASDIFSV; \??\F:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\F:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; F:\WINDOWS\system32\drivers\SCDEmu.sys [2006-03-17 26844]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; F:\WINDOWS\System32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 AvgTdi;AVG Network Redirector; F:\WINDOWS\System32\Drivers\avgtdi.sys [2007-03-24 4960]
R2 enodpl;enodpl; F:\WINDOWS\System32\drivers\enodpl.sys [2003-03-02 7552]
R2 Hardlock;Hardlock; \??\F:\WINDOWS\system32\drivers\hardlock.sys []
R2 PfModNT;PfModNT; \??\F:\WINDOWS\system32\PfModNT.sys []
R2 tandpl;tandpl; F:\WINDOWS\System32\drivers\tandpl.sys [2003-04-19 4736]
R3 catchme;catchme; \??\F:\DOCUME~1\BENPRE~1\LOCALS~1\Temp\catchme.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; F:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; F:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; F:\WINDOWS\system32\DRIVERS\mcdbus.sys [2008-02-11 92544]
R3 monfilt;monfilt; F:\WINDOWS\system32\drivers\monfilt.sys [2008-02-13 1389056]
R3 mouhid;Mouse HID Driver; F:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; F:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-04-11 6546368]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; F:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; F:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-01-03 105856]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; F:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; F:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; F:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service; F:\WINDOWS\system32\drivers\viahduaa.sys [2008-05-08 238080]
S1 intelppm;Intel Processor Driver; F:\WINDOWS\System32\DRIVERS\intelppm.sys []
S3 apnrioqp;apnrioqp; F:\WINDOWS\system32\drivers\apnrioqp.sys []
S3 ati2mtag;ati2mtag; F:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2008-09-23 3331072]
S3 ctljystk;Creative SBLive! Gameport; F:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); F:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); F:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 EPUSBSTOR;EPSON USB Storage Driver; F:\WINDOWS\system32\DRIVERS\epusbsto.sys [2001-09-10 17976]
S3 hitmanpro3;Hitman Pro 3 Support Driver; \??\F:\WINDOWS\system32\drivers\hitmanpro3.sys []
S3 Jukebox3;Jukebox3; F:\WINDOWS\system32\DRIVERS\ctpdusb.sys [2005-05-16 16000]
S3 kxwdmdrv;kX WDM Driver Service; F:\WINDOWS\system32\drivers\kx.sys []
S3 MBAMSwissArmy;MBAMSwissArmy; \??\F:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 PnkBstrK;PnkBstrK; \??\F:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 SASENUM;SASENUM; \??\F:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 sfman;Creative SoundFont Manager Driver (WDM); F:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 usbaudio;USB Audio Driver (WDM); F:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; F:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; F:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; F:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S4 IntelIde;IntelIde; F:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; F:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Ati HotKey Poller;Ati HotKey Poller; F:\WINDOWS\system32\Ati2evxx.exe [2008-09-23 581632]
R2 Avg7Alrt;AVG7 Alert Manager Server; F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-10-23 418816]
R2 Avg7UpdSvc;AVG7 Update Service; F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-03-24 49664]
R2 AVGEMS;AVG E-mail Scanner; F:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-21 406528]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; F:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032]
R2 DigiRefresh;Digidesign MME Refresh Service; F:\Program Files\Digidesign\Drivers\MMERefresh.exe [2005-10-25 61440]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [2001-10-25 90112]
R2 NVSvc;NVIDIA Display Driver Service; F:\WINDOWS\system32\nvsvc32.exe [2008-04-11 155716]
R2 PnkBstrA;PnkBstrA; F:\WINDOWS\system32\PnkBstrA.exe [2007-12-06 66872]
R2 PnkBstrB;PnkBstrB; F:\WINDOWS\system32\PnkBstrB.exe [2007-12-14 107832]
R2 UMWdf;Windows User Mode Driver Framework; F:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WMDM PMSP Service;WMDM PMSP Service; F:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
S2 ATI Smart;ATI Smart; F:\WINDOWS\system32\ati2sgag.exe [2008-09-23 593920]
S3 aspnet_state;ASP.NET State Service; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; f:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; F:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; F:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.04 2008-12-05 20:12:20

======Uninstall list======

-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\News\CTNews.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\AudioHQ.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\Creative Rhythmania\Rhythm.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\Diagnose.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\EaxDemo.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\Keytar\Keytar.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\Launcher\Launcher.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\Midi.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\PlayCenter2\Player2.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\Recorder\Recorder.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\Restore.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\SoundFont.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\SurMixer.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\SBLive\WaveStudio\Wstudio.isu"
-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Creative\Uninstall\Installer.isu"
-->F:\WINDOWS\uninst.exe -fF:\Maxis\Simtower\DeIsL1.isu
-->MsiExec /X{A5B5A16D-277A-476B-8F62-1029A2F23072}
-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{3C080B57-0D1E-4C73-B03B-68A9EF9F23F3}\Setup.exe" -l0x9
-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager 2.0 (Remove Only)-->"F:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX-->F:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin-->F:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AGEIA PhysX v8.01.18-->MsiExec.exe /X{A5B5A16D-277A-476B-8F62-1029A2F23072}
AIM 6-->F:\Program Files\AIM6\uninst.exe
ASIO4ALL-->F:\Program Files\ASIO4ALL v2\uninstall.exe
ATI - Software Uninstall Utility-->F:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x465c
ATI Display Driver-->rundll32 F:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5-->F:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVI Movie Player-->F:\Program Files\AVI Movie Player\uninstall.exe
AviSynth 2.5-->"F:\Program Files\AviSynth 2.5\Uninstall.exe"
Call of Duty® - World at War™-->F:\Program Files\InstallShield Installation Information\{D80A6A73-E58A-4673-AFF5-F12D7110661F}\setup.exe -runfromtemp -l0x0409
Call of Duty® 2-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374} /l1033
Command & Conquer The First Decade-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}\setup.exe" -l0x9 -removeonly
Connection Checker version 1.12-->"F:\Program Files\Connection Checker\unins000.exe"
Creative Jukebox Driver-->F:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Crysis®-->MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
DelinvFile - 3.03-->"F:\Program Files\PurgeIE\unins000.exe"
Digidesign Audio Drivers 7.0-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{9F1D8E17-2AE6-4608-901D-42146D7D9C68}\setup.exe" -l0x9 -removeonly
DOOM 3: Resurrection of Evil-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{04347DFD-87B6-4E30-B14D-5DF2888AD8F5} /l1033
Doom 3-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{584267B8-0BB0-4D18-9FFA-726576619E9A} /l1033 /x
DWGeditor-->MsiExec.exe /X{AC7190A0-EEA1-423C-A531-FCEB4E0EBBB1}
eDrawings 2006-->MsiExec.exe /I{8C47092F-B249-43CB-A780-40274329043D}
EPSON Online Reference Guide-->F:\Program Files\epson\guide\uninstall.exe
EPSON Printer Software-->F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
Fallout 3-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
FL Studio 5-->F:\Program Files\Image-Line\FLStudio5\uninstall.exe
FL Studio 7-->F:\Program Files\Image-Line\FL Studio 7\uninstall.exe
FLAC Installer 1.1.2a (remove only)-->F:\Program Files\FLAC\uninstall.exe
FMS-->F:\Program Files\FMS\Uninstall.exe
GIMP 2.6.3-->"F:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Talk (remove only)-->"F:\Program Files\Google\Google Talk\uninstall.exe"
GTK+ 2.8.9 runtime environment-->"F:\Program Files\Common Files\GTK\2.0\unins000.exe"
Half-Life 2: Episode Two-->"F:\progra~1\valve\steam\steam.exe" steam://uninstall/420
Half-Life® 2-->MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
Half-Life: Blue Shift Patch-->C:\Sierra\BLUE-S~1\bshift\UNWISE.EXE C:\Sierra\BLUE-S~1\bshift\install.log
Half-Life: Blue Shift-->C:\Sierra\BLUE-S~1\bshift\UNWISE.EXE C:\Sierra\BLUE-S~1\bshift\install.log
Half-Life: Opposing Force-->C:\Sierra\HALF-L~1\UNWISE.EXE C:\Sierra\HALF-L~1\OPFOR.LOG
Half-Life-->C:\Sierra\HALF-L~1\UNWISE.EXE C:\Sierra\HALF-L~1\INSTALL.LOG
Hitman Pro 3-->"F:\Program Files\Hitman Pro 3\hitmanpro3.exe" /uninstall
Homeworld-->C:\Sierra\HOMEWO~1\UNINST~1\UNWISE.EXE C:\Sierra\HOMEWO~1\UNINST~1\INSTALL.LOG
Hotfix for Windows Internet Explorer 7 (KB947864)-->"F:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"F:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IL Download Manager-->F:\Program Files\Image-Line\Downloader\uninstall.exe
Image Resizer Powertoy for Windows XP-->MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Indeo® Software-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Ligos\Indeo\Uninst.isu"
Ink Monitor-->F:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
InterLok Driver Kit-->MsiExec.exe /X{1A24F9E8-009D-40FC-ABED-2AAFFAB0F4F0}
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Magic ISO Maker v5.5 (build 0265)-->F:\PROGRA~1\MagicISO\UNWISE.EXE F:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.6.85-->F:\PROGRA~1\MAGICD~1\UNWISE.EXE F:\PROGRA~1\MAGICD~1\INSTALL.LOG
Malwarebytes' Anti-Malware-->"F:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Max Payne-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{39930321-4C58-4B8B-BCBF-342698C9801D}\setup.exe" uninstall uninstall
Medal of Honor Allied Assault-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
Megaman-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Capcom\Megaman\Uninst.isu"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0-->f:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Internationalized Domain Names Mitigation APIs-->"F:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"F:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MINERVA: Metastasis-->F:\PROGRA~1\Valve\Steam\STEAMA~1\SOURCE~1\METAST~1\UNWISE.EXE F:\PROGRA~1\Valve\Steam\STEAMA~1\SOURCE~1\METAST~1\metastasis.log
mIRC-->F:\Program Files\mIRC\uninstall.exe _?=F:\Program Files\mIRC
Motherboard Monitor 5-->"F:\Program Files\Motherboard Monitor 5\unins000.exe"
Mozilla Firefox (3.0.4)-->F:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 6 Ultra Edition-->F:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Network Play System (Patching)-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
NOMAD Explorer-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{3C080B57-0D1E-4C73-B03B-68A9EF9F23F3}\Setup.exe" -l0x9 /remove
NVIDIA Drivers-->F:\WINDOWS\system32\nvuninst.exe UninstallGUI
Painkiller - Battle Out Of Hell-->F:\WINDOWS\unvise32.exe f:\program files\dreamcatcher\painkiller\uninstal.log
Porrasturvat - Stair Dismount-->F:\Program Files\Porrasturvat - Stair Dismount\uninstall.exe
Portal-->"F:\progra~1\valve\steam\steam.exe" steam://uninstall/400
PowerISO-->"F:\Program Files\PowerISO\uninstall.exe"
Prince of Persia The Sands of Time-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{8C453F13-6877-4D34-8816-009ABDE306DB}\setup.exe" -l0x9
Prince of Persia Warrior Within-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{EE5BC0BB-9EDA-423C-8276-48857B735D68}\Setup.exe" -l0x9
Psychonauts-->"F:\progra~1\valve\steam\steam.exe" steam://uninstall/3830
Red Orchestra-->"F:\Program Files\Valve\Steam\steam.exe" steam://uninstall/1200
Security Update for Windows Internet Explorer 7 (KB938127)-->"F:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"F:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"F:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"F:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"F:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"F:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"F:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"F:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"F:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"F:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"F:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"F:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"F:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"F:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"F:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"F:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"F:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"F:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"F:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"F:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"F:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"F:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"F:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"F:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"F:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"F:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"F:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"F:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"F:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"F:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SimCopter-->F:\WINDOWS\uninst.exe -f"F:\Program Files\Maxis\SimCopter\DeIsL1.isu"
SolidWorks 2006 SP0-->MsiExec.exe /I{7745E24A-84A9-4754-9FFD-8FBE12CA0200}
Sound Blaster Live!-->F:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
SPORE™-->"F:\Program Files\InstallShield Installation Information\{9DF0196F-B6B8-4C3A-8790-DE42AA530101}\SPORESetup.exe" -runfromtemp -l0x0009 -removeonly
Steam™-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->F:\Program Files\SystemRequirementsLab\Uninstall.exe
System Shock2-->F:\WINDOWS\IsUninst.exe -fF:\Sshock2\SShocku.log
TeamSpeak 2 RC2-->"F:\Program Files\Teamspeak2_RC2\unins000.exe"
Terragen-->MsiExec.exe /I{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}
The Sims-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Maxis\The Sims\Uninst.isu"
Total Annihilation - Battle Tactics-->F:\CAVEDOG\TOTALA\tabtunst.exe F:\CAVEDOG\TOTALA
Total Annihilation - Core Contingency-->F:\CAVEDOG\TOTALA\CC\CCQUERY.EXE
Total Annihilation-->F:\CAVEDOG\TOTALA\setup.exe -u
Trillian-->F:\Program Files\Trillian\trillian.exe /uninstall
Truck Dismount (remove only)-->"F:\Program Files\Truck Dismount\uninst.exe"
Unreal Tournament G.O.T.Y. Edition-->F:\UnrealTournament\System\Setup.exe uninstall "UnrealTournament"
Unreal-->F:\Unreal\System\Setup.exe uninstall "Unreal"
Update for Windows XP (KB951072-v2)-->"F:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"F:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo-->F:\PROGRA~1\Ventrilo\UNWISE.EXE F:\PROGRA~1\Ventrilo\INSTALL.LOG
WavePad Uninstall-->F:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Winamp (remove only)-->"F:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format Runtime-->"F:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"F:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->F:\Program Files\WinRAR\uninstall.exe
Wolfenstein - Enemy Territory-->F:\PROGRA~1\WOLFEN~1\Uninstall\Unwise.exe /u F:\PROGRA~1\WOLFEN~1\Uninstall\Install.log
XIII-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{42BC0474-6E50-464A-8183-5E3D32E41B1B}\setup.exe" -l0x9

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: AVG 7.5.552

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"LANG"=C
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;F:\Program Files\Common Files\GTK\2.0\bin;F:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=4303
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------


Thanks for reading,
Inane

Edited by Yourhighness, 21 December 2008 - 12:36 PM.



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:46 PM

Posted 16 December 2008 - 12:04 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Inane Cathode

Inane Cathode
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 19 December 2008 - 03:59 PM

Hi there, I thought you guys forgot about me ;) glad to be on board now though!


Here's the DDS text file that I was asked to post, along with the attached zipped attach.txt file.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/31/2005 7:30:37 PM
System Uptime: 12/14/2008 1:26:27 PM (120 hours ago)

Motherboard: ASUSTeK Computer INC. | | M3A78
Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+ | AM2 | 2813/200mhz

==== Disk Partitions =========================

A: is Removable
C: is Removable
D: is CDROM ()
F: is FIXED (NTFS) - 233 GiB total, 74.337 GiB free.
G: is CDROM ()
H: is CDROM ()
I: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer: ATK
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.5
Adobe® Photoshop® Album Starter Edition 3.0
AGEIA PhysX v8.01.18
AIM 6
ASIO4ALL
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 7.5
AVI Movie Player
AviSynth 2.5
Call of Duty® - World at War™
Call of Duty® 2
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Command & Conquer The First Decade
Connection Checker version 1.12
Creative Jukebox Driver
Crysis®
DelinvFile - 3.03
Digidesign Audio Drivers 7.0
Doom 3
DOOM 3: Resurrection of Evil
DWGeditor
eDrawings 2006
EPSON Online Reference Guide
EPSON Printer Software
Fallout 3
FL Studio 5
FL Studio 7
FLAC Installer 1.1.2a (remove only)
FMS
GIMP 2.6.3
Google Earth
Google Talk (remove only)
GTK+ 2.8.9 runtime environment
Half-Life
Half-Life 2: Episode Two
Half-Life® 2
Half-Life: Blue Shift
Half-Life: Blue Shift Patch
Half-Life: Opposing Force
Hitman Pro 3
Homeworld
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
IL Download Manager
Image Resizer Powertoy for Windows XP
Indeo® Software
Ink Monitor
InterLok Driver Kit
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Magic ISO Maker v5.5 (build 0265)
MagicDisc 2.6.85
Malwarebytes' Anti-Malware
Max Payne
Medal of Honor Allied Assault
Megaman
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
MINERVA: Metastasis
mIRC
Motherboard Monitor 5
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB925673)
Nero 6 Ultra Edition
Network Play System (Patching)
NOMAD Explorer
NVIDIA Drivers
Painkiller - Battle Out Of Hell
Porrasturvat - Stair Dismount
Portal
PowerISO
Prince of Persia The Sands of Time
Prince of Persia Warrior Within
Psychonauts
Red Orchestra
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SimCopter
Skins
SolidWorks 2006 SP0
Sound Blaster Live!
SPORE™
Steam™
System Requirements Lab
System Shock2
TeamSpeak 2 RC2
Terragen
The Sims
Total Annihilation
Total Annihilation - Battle Tactics
Total Annihilation - Core Contingency
Trillian
Truck Dismount (remove only)
Unreal
Unreal Tournament G.O.T.Y. Edition
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Ventrilo
Ventrilo Client
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format Runtime
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
Wolfenstein - Enemy Territory
XIII
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/12/2008 3:58:45 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
12/12/2008 3:58:43 PM, error: SRService [104] - The System Restore initialization process failed.
12/14/2008 1:22:53 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
12/14/2008 1:22:53 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
12/14/2008 1:22:53 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
12/14/2008 1:24:57 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
12/14/2008 1:24:57 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.

==== End Of File ===========================

#4 Inane Cathode

Inane Cathode
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 19 December 2008 - 04:00 PM

Hmm, I guess the attach zip didn't attach correctly, here it is:

Attached Files



#5 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:08:46 PM

Posted 20 December 2008 - 02:28 AM

Hello Inane Cathode and welcome to BleepingComputer!

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Step #1

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Step #2

Start Malwarebytes Antimalware, let it check for updates and then run a scan. Please post back with the log. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image
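The check behind Step #1, as an added example that is not part of this thread or of any tool mentioned in it: a short Python script that reads an RSIT-style "Name-->uninstall command" listing like the one posted earlier in this topic, picks out the Java Runtime entries (both the "J2SE Runtime Environment 5.0 Update N" and the "Java™ 6 Update N" naming schemes) and reports every runtime older than the 6 Update 11 build the helper asks for. The sample list is constructed from six entries of the posted log. The product-code decoding (reading the 00B0D0160070 suffix as 1.6.0_07) is inferred from those entries, is an assumption, and is used only as a cross-check on the display name; the function names and CURRENT_JRE are mine.

```python
"""Flag outdated Java runtimes in an RSIT-style "Name-->uninstall command" list."""
import re
from typing import List, Optional, Tuple

# Constructed sample: five Java entries and one unrelated program copied from the
# uninstall list posted in this thread, in its "<DisplayName>--><UninstallString>" form.
SAMPLE_UNINSTALL_LIST = """\
Image Resizer Powertoy for Windows XP-->MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java\u2122 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java\u2122 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java\u2122 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
"""

# The build the helper asks for in Step #1: JRE 6 Update 11.
CURRENT_JRE = (6, 11)

# Display-name patterns seen in the list:
#   "J2SE Runtime Environment 5.0 Update 9" -> (5, 9)
#   "Java(TM) 6 Update 7"                   -> (6, 7)
JRE_NAME_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\S*)\s+(\d+)(?:\.\d+)?\s+Update\s+(\d+)",
    re.IGNORECASE,
)

# Assumption: the Sun JRE product codes in this log end in ...00B0D0<1><major><minor><update><0>,
# e.g. {3248F0A8-6813-11D6-A77B-00B0D0160070} for 1.6.0_07.  This is inferred from the
# entries above (not from vendor documentation) and only used to cross-check the display name.
JRE_GUID_RE = re.compile(
    r"\{3248F0A8-6813-11D6-A77B-00B0D0(\d)(\d)(\d)(\d{2})\d\}", re.IGNORECASE
)


def parse_uninstall_list(text: str) -> List[Tuple[str, str]]:
    """Split every line containing '-->' into (display name, uninstall command)."""
    entries = []
    for line in text.splitlines():
        if "-->" not in line:
            continue  # blank lines and section headers such as ======Hosts File======
        name, command = line.split("-->", 1)
        entries.append((name.strip(), command.strip()))
    return entries


def jre_version(name: str, command: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a JRE entry, None for anything else.

    The display name is authoritative; when the MSI product code also matches
    the pattern above it must agree with the name, otherwise the entry is
    reported as suspect rather than silently trusted."""
    m = JRE_NAME_RE.match(name)
    g = JRE_GUID_RE.search(command)
    from_name = (int(m.group(1)), int(m.group(2))) if m else None
    from_guid = (int(g.group(2)), int(g.group(4))) if g else None
    if from_name and from_guid and from_name != from_guid:
        raise ValueError(f"display name and product code disagree for {name!r}")
    return from_name or from_guid


def outdated_jres(text: str, current: Tuple[int, int] = CURRENT_JRE) -> List[str]:
    """Display names of every JRE older than `current`, in list order.

    These are the entries Step #1 says to remove via Add/Remove Programs
    before the new installer is run."""
    stale = []
    for name, command in parse_uninstall_list(text):
        version = jre_version(name, command)
        if version is not None and version < current:
            stale.append(name)
    return stale


if __name__ == "__main__":
    for entry in outdated_jres(SAMPLE_UNINSTALL_LIST):
        print("remove:", entry)
```

Run against the full uninstall listing from an RSIT log instead of the constructed sample and it prints the five stale runtimes seen in this thread (two 5.0 builds and three 6.x builds), which is the same set the helper's Step #1 has the poster remove by hand.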


#6 Inane Cathode

Inane Cathode
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 20 December 2008 - 05:08 PM

Java uninstalled fine, and installed fine.

Malwarebytes won't update, so I've downloaded the manual update.
Said manual update won't work with the version of the program I have, so I have to install the newer version of Malwarebytes. Again, the installer doesn't seem to be working, so I'll try how I installed it the first time (rename it, and install from safe mode).
Then I'll try the manual update.

I have to go to work now, so I'll complete your instructions this evening.

#7 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:08:46 PM

Posted 21 December 2008 - 12:42 PM

Hi,

OK. I found your previous thread with the logs (when you are asked to create logs in a new topic in this subforum, it's always best to link to previous discussions :thumbsup: ). That's not a nice infection to have, so we will do two things for now to be on the safe side:

* Clean your Cache and Cookies in InternetExplorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#8 Inane Cathode

Inane Cathode
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 21 December 2008 - 02:31 PM

Didn't know I had to link previous conversations, I thought you guys knew ;)

Tried running ComboFix and it wouldn't run, so I renamed it scones.exe and it seemed to have worked OK. It got to the recovery portion; I was actively connected to the internet, and it said I wasn't. I am able to go to certain websites but not others. So I continued without downloading the Recovery Console (I have it on the Windows XP CD). It then popped up another box saying download failed and it continued to scan. It then said it detected rootkit activity and needed to restart.

It's restarting right now, I'll update when I get new information.

Update: After restarting it tried to download the console again and stated "Failed to enumerate download path, continuing scan anyway" or something to that effect.

OK, it finished, here's the log it produced:

ComboFix 08-12-21.01 - Ben Presley 2008-12-21 12:32:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2937 [GMT -7:00]
Running from: f:\documents and settings\Ben Presley\Desktop\sconesmckensie.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\Ben Presley\Application Data\Google\mscscc.dll
f:\documents and settings\Ben Presley\Application Data\Google\runhh6110411.exe
f:\documents and settings\Ben Presley\Application Data\Google\T-Scan
f:\documents and settings\Ben Presley\Application Data\Google\T-Scan\n.gif
f:\documents and settings\Ben Presley\Application Data\Google\T-Scan\t.gif
f:\documents and settings\Ben Presley\Application Data\Google\T-Scan\y.gif
f:\documents and settings\Ben Presley\nah_kcsw.exe
f:\documents and settings\Ben Presley\nah_log.dat
f:\windows\system32\404Fix.exe
f:\windows\system32\drivers\TDSSxxou.sys
f:\windows\system32\dumphive.exe
f:\windows\system32\IEDFix.C.exe
f:\windows\system32\IEDFix.exe
f:\windows\system32\o4Patch.exe
f:\windows\system32\Process.exe
f:\windows\system32\SrchSTS.exe
f:\windows\system32\TDSSehys.log
f:\windows\system32\TDSSirxy.dll
f:\windows\system32\TDSSktpo.dll
f:\windows\system32\TDSSnmxh.log
f:\windows\system32\TDSSocun.dll
f:\windows\system32\TDSSqqon.dll
f:\windows\system32\TDSSravu.dll
f:\windows\system32\TDSSsahc.dll
f:\windows\system32\TDSSwghd.log
f:\windows\system32\TDSSwupe.dat
f:\windows\system32\tmp.reg
f:\windows\system32\VACFix.exe
f:\windows\system32\VCCLSID.exe
f:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 12:12 . 2008-12-03 19:52 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 12:12 . 2008-12-03 19:52 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2008-12-20 14:57 . 2008-12-20 14:58 <DIR> d-------- F:\Scones
2008-12-20 14:46 . 2008-12-20 14:46 <DIR> d-------- f:\program files\Java
2008-12-20 14:46 . 2008-12-20 14:46 410,984 --a------ f:\windows\system32\deploytk.dll
2008-12-20 14:46 . 2008-12-20 14:46 73,728 --a------ f:\windows\system32\javacpl.cpl
2008-12-20 14:46 . 2008-12-20 14:46 268 --ah----- F:\sqmdata03.sqm
2008-12-20 14:46 . 2008-12-20 14:46 244 --ah----- F:\sqmnoopt03.sqm
2008-12-20 14:40 . 2008-12-20 14:40 268 --ah----- F:\sqmdata02.sqm
2008-12-20 14:40 . 2008-12-20 14:40 244 --ah----- F:\sqmnoopt02.sqm
2008-12-05 20:12 . 2008-12-05 20:12 <DIR> d-------- F:\rsit
2008-12-05 20:12 . 2008-12-05 20:12 <DIR> d-------- f:\program files\trend micro
2008-12-02 05:28 . 2008-12-02 05:28 578,560 --a--c--- f:\windows\system32\dllcache\user32.dll
2008-12-02 05:23 . 2008-12-02 05:23 <DIR> d-------- f:\windows\ERUNT
2008-12-02 05:18 . 2008-12-02 06:17 <DIR> d-------- F:\SDFix
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-30 21:14 . 2008-11-30 21:15 <DIR> d-------- f:\program files\SUPERAntiSpyware
2008-11-30 21:14 . 2008-11-30 21:14 <DIR> d-------- f:\documents and settings\Ben Presley\Application Data\SUPERAntiSpyware.com
2008-11-30 19:40 . 2008-11-30 19:40 <DIR> d-------- f:\documents and settings\Ben Presley\Application Data\Malwarebytes
2008-11-30 18:38 . 2008-11-30 18:38 <DIR> d-------- f:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 18:18 . 2008-11-30 18:18 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 18:07 . 2008-12-21 12:12 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2008-11-30 18:04 . 2008-11-30 15:56 2,372,472 --a------ F:\xxxputes.exe
2008-11-30 17:13 . 2008-11-30 17:13 <DIR> d-------- f:\documents and settings\All Users\Application Data\Hitman Pro
2008-11-30 17:12 . 2008-11-30 17:12 <DIR> d-------- f:\program files\Hitman Pro 3
2008-11-30 15:46 . 2008-11-30 15:46 <DIR> d-------- f:\program files\Lavasoft
2008-11-26 21:06 . 2008-11-26 21:28 <DIR> d-------- f:\documents and settings\Ben Presley\Application Data\gtk-2.0
2008-11-26 21:05 . 2008-11-26 21:29 <DIR> d-------- f:\documents and settings\Ben Presley\.gimp-2.6
2008-11-26 21:05 . 2008-11-26 21:05 <DIR> d-------- f:\documents and settings\Ben Presley\.gegl-0.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 22:02 --------- d-----w f:\program files\Trillian
2008-12-20 15:00 --------- d-----w f:\documents and settings\LocalService\Application Data\AVG7
2008-12-01 04:14 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2008-11-30 22:45 --------- d-----w f:\documents and settings\Ben Presley\Application Data\Lavasoft
2008-11-30 22:10 --------- d-----w f:\documents and settings\Ben Presley\Application Data\AVG7
2008-11-30 21:58 507,904 ----a-w f:\windows\system32\winlogon.exe
2008-11-30 21:58 295,424 ----a-w f:\windows\system32\termsrv.dll
2008-11-27 04:04 --------- d-----w f:\program files\GIMP-2.0
2008-11-22 23:34 --------- d--h--w f:\program files\InstallShield Installation Information
2008-11-22 23:04 --------- d-----w f:\program files\Activision
2008-11-16 16:52 --------- d-----w f:\documents and settings\Ben Presley\Application Data\uTorrent
2008-11-09 17:29 --------- d--h--r f:\documents and settings\Ben Presley\Application Data\SecuROM
2008-11-09 17:28 107,888 ----a-w f:\windows\system32\CmdLineExt.dll
2008-11-09 17:15 --------- d-----w f:\program files\Electronic Arts
2008-10-30 00:33 --------- d-----w f:\program files\SystemRequirementsLab
2008-10-30 00:33 --------- d-----w f:\documents and settings\Ben Presley\Application Data\SystemRequirementsLab
2008-10-30 00:15 --------- d-----w f:\program files\PurgeIE
2008-10-30 00:15 --------- d-----w f:\documents and settings\Ben Presley\Application Data\DelinvFile
2008-10-30 00:02 --------- d-----w f:\documents and settings\All Users\Application Data\Fallout3
2008-10-29 23:11 --------- d-----w f:\program files\Bethesda Softworks
2008-10-29 23:10 --------- d-----w f:\program files\MSBuild
2008-10-29 23:07 --------- d-----w f:\program files\Reference Assemblies
2008-10-25 00:20 --------- d-----w f:\program files\MSN Messenger
2008-10-24 11:21 455,296 ----a-w f:\windows\system32\drivers\mrxsmb.sys
2008-10-24 02:07 --------- d-----w f:\program files\Connection Checker
2008-10-22 21:01 --------- d-----w f:\program files\Max Payne
2008-10-16 21:13 202,776 ----a-w f:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w f:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w f:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w f:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w f:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w f:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w f:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w f:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w f:\windows\system32\wininet.dll
2008-10-08 09:01 4,608 ----a-w f:\windows\system32\w95inf32.dll
2008-10-08 09:01 2,272 ----a-w f:\windows\system32\w95inf16.dll
2008-10-03 10:02 247,326 ----a-w f:\windows\system32\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w f:\windows\system32\msxml4.dll
2008-09-24 03:05 593,920 ------w f:\windows\system32\ati2sgag.exe
2008-09-24 02:18 425,984 ----a-w f:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w f:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w f:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w f:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w f:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w f:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w f:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w f:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w f:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w f:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w f:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w f:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w f:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w f:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w f:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w f:\windows\system32\atiadlxx.dll
2008-09-24 01:18 253,952 ----a-w f:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w f:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w f:\windows\system32\ati2cqag.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="f:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MsnMsgr"="f:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Steam"="f:\progra~1\valve\steam\steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="f:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Adobe Photo Downloader"="f:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Ink Monitor"="f:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2002-05-29 258118]
"DigidesignMMERefresh"="f:\program files\Digidesign\Drivers\MMERefresh.exe" [2005-10-25 61440]
"CTRegRun"="f:\windows\CTRegRun.EXE" [1999-10-10 41984]
"Creative Launcher"="f:\program files\Creative\SBLive\Launcher\CTLauncher.exe" [2000-02-16 257536]
"Disc Detector"="f:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"AudioHQ"="f:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2000-05-11 205312]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2008-04-11 13524992]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2008-04-11 86016]
"HitmanPro3"="f:\program files\Hitman Pro 3\hitmanpro3.exe" [2008-11-30 4590200]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"nwiz"="nwiz.exe" [2008-04-11 f:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="f:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]

f:\documents and settings\Ben Presley\Start Menu\Programs\Startup\
MagicDisc.lnk - f:\program files\MagicDisc\MagicDisc.exe [2008-02-12 546816]
PowerReg SchedulerV2.exe [2008-09-29 256000]
Trillian.lnk - f:\program files\Trillian\trillian.exe [2008-11-26 1873280]
Ubisoft register.lnk - f:\program files\Ubisoft\Register\schedule.exe [2008-10-13 28672]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
EPSON Status Monitor 3 Environment Check 2.lnk - f:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-09-29 131584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.avrn"= AvidAVICodec.dll
"vidc.ffds"= -
"MIDI1"= diomidi.dll
"wave1"= Digi32.dll
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\mIRC\\mirc.exe"=
"f:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"f:\\StubInstaller.exe"=
"f:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"f:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aolsoftware.exe"=
"f:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aim6.exe"=
"f:\\Documents and Settings\\Ben Presley\\Desktop\\utorrent.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\counter-strike source\\hl2.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\half-life 2\\hl2.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\UnrealTournament\\System\\UnrealTournament.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\garrysmod\\hl2.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"f:\\Program Files\\AIM6\\aim6.exe"=
"f:\\Program Files\\Valve\\Steam\\steam.exe"=
"f:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"f:\\Documents and Settings\\Ben Presley\\Desktop\\WWP\\Worms World Party\\WWP\\wwp.exe"=
"f:\\Program Files\\Ubisoft\\XIII\\system\\XIII.exe"=
"f:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
"f:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\empires2.EXE"=
"f:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\age2_x1.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"f:\\CAVEDOG\\TOTALA\\totala.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5060:UDP"= 5060:UDP:Express Talk Sip Incoming Calls (UDP)

R1 SASDIFSV;SASDIFSV;\??\f:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\f:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;f:\windows\system32\drivers\viahduaa.sys [2008-10-31 238080]
S3 EPUSBSTOR;EPSON USB Storage Driver;f:\windows\system32\DRIVERS\epusbsto.sys [2001-09-10 17976]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\f:\windows\system32\drivers\hitmanpro3.sys []
S3 kxwdmdrv;kX WDM Driver Service;f:\windows\system32\drivers\kx.sys []
S3 SASENUM;SASENUM;\??\f:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ytmnd.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Ben Presley\Application Data\Mozilla\Firefox\Profiles\8d31umkc.default\
FF - plugin: f:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 12:36:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = f:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?p ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?` ??????~?B~??????????@???????????????????B?????? ???????????????????@????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSxxou.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
f:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-21 12:38:54
ComboFix-quarantined-files.txt 2008-12-21 19:38:04

Pre-Run: 79,951,298,560 bytes free
Post-Run: 81,318,268,928 bytes free

276 --- E O F --- 2008-12-21 19:23:02

Edited by Inane Cathode, 21 December 2008 - 02:40 PM.


#9 Yourhighness


    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 23 December 2008 - 07:52 AM

Hi Inane Cathode,

Please note that you are infected with a trojan or a Backdoor / Backdoor Server.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately:
  • Disconnect the infected computer from the internet until the computer can be cleaned.
  • From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... (Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information).
Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

However, since the infection looks relatively small from first sight, I am happy to try and clean your PC (I am just providing you with the above information to underline the impact that can occur with files like these on your pc).

Should you have any questions, please feel free to ask.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Now, on to the fix.

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    http://www.bleepingcomputer.com/forums/t/184404/ispynow-assorted-problems-and-dns-spam-bombing/?p=1055410
    
    Suspect::[42]
    F:\xxxputes.exe
    
    DirLook::
    F:\Scones
    
    File::
    F:\sqmdata03.sqm
    F:\sqmnoopt03.sqm
    F:\sqmdata02.sqm
    F:\sqmnoopt02.sqm
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall
  • Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #2

* Clean your Cache and Cookies in Internet Explorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #3

Please try to update Malwarebytes Antimalware again and have it run. If that does not work, try to update Super Antispyware and run that instead.

Please post the log created by SDFix in your next reply: F:\SDFix\Report.txt, the ComboFix log, and the Malwarebytes Antimalware or Super Antispyware log. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
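The entries the helper singled out for the CFScript (items created directly in the drive root, the hidden .sqm files, and a driver whose service line ends in an empty []) can be picked out of a ComboFix log mechanically as a first pass. This is an added triage example, not ComboFix's or BleepingComputer's own code; the log excerpt is a constructed copy of a few lines from the log posted above, and the flags are heuristics that still need a human reviewer.

```python
"""Added example: first-pass triage of ComboFix 'Files Created' and service lines."""
import re
from pathlib import PureWindowsPath

# Constructed excerpt that mirrors the record formats seen in the log above:
#   Files Created:  created . modified size|<DIR> attrs path
#   Services:       Rn|Sn name;display;image-path [date size]   (empty [] = no file found)
SAMPLE_LOG = r"""
2008-12-21 12:12 . 2008-12-03 19:52 38,496 --a------ f:\windows\system32\drivers\mbam.sys
2008-12-20 14:57 . 2008-12-20 14:58 <DIR> d-------- F:\Scones
2008-12-20 14:46 . 2008-12-20 14:46 268 --ah----- F:\sqmdata03.sqm
2008-11-30 18:04 . 2008-11-30 15:56 2,372,472 --a------ F:\xxxputes.exe
2008-11-30 17:12 . 2008-11-30 17:12 <DIR> d-------- f:\program files\Hitman Pro 3
R1 SASDIFSV;SASDIFSV;\??\f:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\f:\windows\system32\drivers\hitmanpro3.sys []
"""

# One "Files Created" record: created-stamp . modified-stamp size-or-<DIR> 9-char-attrs path
_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.+?)\s*$"
)
# One service record; the bracket holds "date size" or is empty when the image file was not found
_SERVICE_RE = re.compile(
    r"^(?P<type>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<stamp>[^\]]*)\]$"
)

EXEC_EXT = {".exe", ".sys", ".dll", ".cpl", ".scr"}
# Top-level folders where freshly created executables are expected (installers, Windows Update)
TRUSTED_TOP_DIRS = {"program files", "windows", "documents and settings"}


def parse_created(log_text):
    """Return the 'Files Created' records as dicts, skipping lines in any other format."""
    records = []
    for line in log_text.splitlines():
        m = _CREATED_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["is_dir"] = rec["size"] == "<DIR>"
            records.append(rec)
    return records


def triage(log_text):
    """Map each entry worth a second look to the list of reasons it was flagged."""
    findings = {}
    for rec in parse_created(log_text):
        p = PureWindowsPath(rec["path"])
        parts = [s.lower() for s in p.parts]          # parts[0] is the drive root, e.g. 'f:\\'
        reasons = []
        if len(parts) == 2:
            reasons.append("created directly in the drive root")
        if "h" in rec["attrs"]:
            reasons.append("hidden attribute set")
        if (not rec["is_dir"] and p.suffix.lower() in EXEC_EXT
                and len(parts) > 1 and parts[1] not in TRUSTED_TOP_DIRS):
            reasons.append("executable outside Program Files / Windows")
        if reasons:
            findings[rec["path"]] = reasons
    # A service whose image path carries an empty [] is registered but its file was not found
    for line in log_text.splitlines():
        m = _SERVICE_RE.match(line.strip())
        if m and not m.group("stamp"):
            findings[m.group("image")] = ["service points to a file ComboFix could not stat"]
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against a full log it lists the same candidates a helper would ask about first; whether a flagged item is malware (the root-level SDFix rename here turned out to be benign) is still a judgement call.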


#10 Inane Cathode

  • Topic Starter

  • Members
  • 22 posts

Posted 23 December 2008 - 05:56 PM

I'm no expert, obviously, but when my computer just started to act screwy I yanked the network cable and it's been disconnected ever since (only connected for a few seconds to check if I was able to update), and I never accessed any password-protected site, so I think I might be safe, maybe :thumbsup:

ComboFix ran just dandy, as did Malwarebytes. It was even able to update all by itself :) I'm not sure why you want me to post the SDFix log; the only time I (attempted) to run it was when I first got on these forums, so the scan information will be at least that old. You're the expert though :) I apologize I wasn't up front with this right away, but to get some of the antimalware programs to function I had to rename the files and folders to funny names. It seemed to have worked at the time, but that explains why there's the file called xxxputes.exe; I think that's actually SDFix, and the SDFix folder got renamed to Scones, I believe. Moot point now, but sorry I didn't explain that more clearly.

Here's the logs you've requested:

ComboFix 08-12-21.01 - Ben Presley 2008-12-23 15:33:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2694 [GMT -7:00]
Running from: f:\documents and settings\Ben Presley\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\Ben Presley\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
F:\sqmdata02.sqm
F:\sqmdata03.sqm
F:\sqmnoopt02.sqm
F:\sqmnoopt03.sqm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\sqmdata02.sqm
F:\sqmdata03.sqm
F:\sqmnoopt02.sqm
F:\sqmnoopt03.sqm

.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-21 12:27 . 2008-12-21 12:38 <DIR> d-------- F:\sconesmckensie
2008-12-21 12:12 . 2008-12-03 19:52 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 12:12 . 2008-12-03 19:52 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2008-12-20 14:57 . 2008-12-20 14:58 <DIR> d-------- F:\Scones
2008-12-20 14:46 . 2008-12-20 14:46 <DIR> d-------- f:\program files\Java
2008-12-20 14:46 . 2008-12-20 14:46 410,984 --a------ f:\windows\system32\deploytk.dll
2008-12-20 14:46 . 2008-12-20 14:46 73,728 --a------ f:\windows\system32\javacpl.cpl
2008-12-05 20:12 . 2008-12-05 20:12 <DIR> d-------- F:\rsit
2008-12-05 20:12 . 2008-12-05 20:12 <DIR> d-------- f:\program files\trend micro
2008-12-02 05:28 . 2008-12-02 05:28 578,560 --a--c--- f:\windows\system32\dllcache\user32.dll
2008-12-02 05:23 . 2008-12-02 05:23 <DIR> d-------- f:\windows\ERUNT
2008-12-02 05:18 . 2008-12-02 06:17 <DIR> d-------- F:\SDFix
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-30 21:14 . 2008-11-30 21:15 <DIR> d-------- f:\program files\SUPERAntiSpyware
2008-11-30 21:14 . 2008-11-30 21:14 <DIR> d-------- f:\documents and settings\Ben Presley\Application Data\SUPERAntiSpyware.com
2008-11-30 19:40 . 2008-11-30 19:40 <DIR> d-------- f:\documents and settings\Ben Presley\Application Data\Malwarebytes
2008-11-30 18:38 . 2008-11-30 18:38 <DIR> d-------- f:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 18:18 . 2008-11-30 18:18 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 18:07 . 2008-12-21 12:12 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2008-11-30 18:04 . 2008-11-30 15:56 2,372,472 --a------ F:\xxxputes.exe
2008-11-30 17:13 . 2008-12-22 08:51 <DIR> d-------- f:\documents and settings\All Users\Application Data\Hitman Pro
2008-11-30 17:12 . 2008-11-30 17:12 <DIR> d-------- f:\program files\Hitman Pro 3
2008-11-30 15:46 . 2008-11-30 15:46 <DIR> d-------- f:\program files\Lavasoft
2008-11-26 21:06 . 2008-11-26 21:28 <DIR> d-------- f:\documents and settings\Ben Presley\Application Data\gtk-2.0
2008-11-26 21:05 . 2008-11-26 21:29 <DIR> d-------- f:\documents and settings\Ben Presley\.gimp-2.6
2008-11-26 21:05 . 2008-11-26 21:05 <DIR> d-------- f:\documents and settings\Ben Presley\.gegl-0.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 15:00 --------- d-----w f:\documents and settings\LocalService\Application Data\AVG7
2008-12-20 22:02 --------- d-----w f:\program files\Trillian
2008-12-01 04:14 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2008-11-30 22:45 --------- d-----w f:\documents and settings\Ben Presley\Application Data\Lavasoft
2008-11-30 22:10 --------- d-----w f:\documents and settings\Ben Presley\Application Data\AVG7
2008-11-30 21:58 507,904 ----a-w f:\windows\system32\winlogon.exe
2008-11-30 21:58 295,424 ----a-w f:\windows\system32\termsrv.dll
2008-11-27 04:04 --------- d-----w f:\program files\GIMP-2.0
2008-11-22 23:34 --------- d--h--w f:\program files\InstallShield Installation Information
2008-11-22 23:04 --------- d-----w f:\program files\Activision
2008-11-16 16:52 --------- d-----w f:\documents and settings\Ben Presley\Application Data\uTorrent
2008-11-09 17:29 --------- d--h--r f:\documents and settings\Ben Presley\Application Data\SecuROM
2008-11-09 17:28 107,888 ----a-w f:\windows\system32\CmdLineExt.dll
2008-11-09 17:15 --------- d-----w f:\program files\Electronic Arts
2008-10-30 00:33 --------- d-----w f:\program files\SystemRequirementsLab
2008-10-30 00:33 --------- d-----w f:\documents and settings\Ben Presley\Application Data\SystemRequirementsLab
2008-10-30 00:15 --------- d-----w f:\program files\PurgeIE
2008-10-30 00:15 --------- d-----w f:\documents and settings\Ben Presley\Application Data\DelinvFile
2008-10-30 00:02 --------- d-----w f:\documents and settings\All Users\Application Data\Fallout3
2008-10-29 23:11 --------- d-----w f:\program files\Bethesda Softworks
2008-10-29 23:10 --------- d-----w f:\program files\MSBuild
2008-10-29 23:07 --------- d-----w f:\program files\Reference Assemblies
2008-10-25 00:20 --------- d-----w f:\program files\MSN Messenger
2008-10-24 11:21 455,296 ----a-w f:\windows\system32\drivers\mrxsmb.sys
2008-10-24 02:07 --------- d-----w f:\program files\Connection Checker
2008-10-23 12:36 286,720 ----a-w f:\windows\system32\gdi32.dll
2008-10-16 21:13 202,776 ----a-w f:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w f:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w f:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w f:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w f:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w f:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w f:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w f:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w f:\windows\system32\wininet.dll
2008-10-08 09:01 4,608 ----a-w f:\windows\system32\w95inf32.dll
2008-10-08 09:01 2,272 ----a-w f:\windows\system32\w95inf16.dll
2008-10-03 10:02 247,326 ----a-w f:\windows\system32\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w f:\windows\system32\msxml4.dll
2008-09-24 03:05 593,920 ------w f:\windows\system32\ati2sgag.exe
2008-09-24 02:18 425,984 ----a-w f:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w f:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w f:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w f:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w f:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w f:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w f:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w f:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w f:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w f:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w f:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w f:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w f:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w f:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w f:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w f:\windows\system32\atiadlxx.dll
2008-09-24 01:18 253,952 ----a-w f:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w f:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w f:\windows\system32\ati2cqag.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of F:\Scones ----

2008-12-20 14:57 2539400 --a------ f:\scones\scones.exe
2008-12-20 14:55 1811824 --a------ f:\scones\mbam-rules.exe


((((((((((((((((((((((((((((( snapshot@2008-12-21_12.37.08.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-23 12:43:42 286,720 ----a-w f:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w f:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w f:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w f:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w f:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w f:\windows\$hf_mig$\KB956802\update\updspapi.dll
+ 2008-06-22 17:14:53 3,584 ----a-w f:\windows\system32\bootdelete.exe
+ 2008-10-23 12:36:14 286,720 -c----w f:\windows\system32\dllcache\gdi32.dll
- 2005-01-28 21:44:28 96,768 -c--a-w f:\windows\system32\dllcache\logagent.exe
+ 2008-06-10 12:52:04 96,768 -c--a-w f:\windows\system32\dllcache\logagent.exe
- 2005-01-28 21:44:28 1,027,072 -c--a-w f:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-10 13:28:36 1,028,096 -c--a-w f:\windows\system32\dllcache\WMNetmgr.dll
- 2006-12-07 05:29:34 2,374,472 -c--a-w f:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-10 14:07:24 2,376,760 -c--a-w f:\windows\system32\dllcache\WMVCore.dll
- 2005-01-28 21:44:28 96,768 ----a-w f:\windows\system32\logagent.exe
+ 2008-06-10 12:52:04 96,768 ----a-w f:\windows\system32\logagent.exe
- 2008-12-21 19:35:45 67,560 ----a-w f:\windows\system32\perfc009.dat
+ 2008-12-22 15:15:26 67,560 ----a-w f:\windows\system32\perfc009.dat
- 2008-12-21 19:35:46 432,856 ----a-w f:\windows\system32\perfh009.dat
+ 2008-12-22 15:15:27 432,856 ----a-w f:\windows\system32\perfh009.dat
- 2007-11-30 12:39:22 17,272 ------w f:\windows\system32\spmsg.dll
+ 2007-07-27 16:41:40 16,760 ------w f:\windows\system32\spmsg.dll
- 2005-01-28 21:44:28 1,027,072 ----a-w f:\windows\system32\wmnetmgr.dll
+ 2008-06-10 13:28:36 1,028,096 ----a-w f:\windows\system32\WMNetmgr.dll
- 2006-12-07 05:29:34 2,374,472 ----a-w f:\windows\system32\wmvcore.dll
+ 2008-06-10 14:07:24 2,376,760 ----a-w f:\windows\system32\WMVCore.dll
+ 2008-12-22 15:11:10 16,384 ------w f:\windows\Temp\Perflib_Perfdata_25c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="f:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MsnMsgr"="f:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Steam"="f:\progra~1\valve\steam\steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="f:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Adobe Photo Downloader"="f:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Ink Monitor"="f:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2002-05-29 258118]
"DigidesignMMERefresh"="f:\program files\Digidesign\Drivers\MMERefresh.exe" [2005-10-25 61440]
"CTRegRun"="f:\windows\CTRegRun.EXE" [1999-10-10 41984]
"Creative Launcher"="f:\program files\Creative\SBLive\Launcher\CTLauncher.exe" [2000-02-16 257536]
"Disc Detector"="f:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"AudioHQ"="f:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2000-05-11 205312]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2008-04-11 13524992]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2008-04-11 86016]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"nwiz"="nwiz.exe" [2008-04-11 f:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="f:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]

f:\documents and settings\Ben Presley\Start Menu\Programs\Startup\
MagicDisc.lnk - f:\program files\MagicDisc\MagicDisc.exe [2008-02-12 546816]
PowerReg SchedulerV2.exe [2008-09-29 256000]
Trillian.lnk - f:\program files\Trillian\trillian.exe [2008-11-26 1873280]
Ubisoft register.lnk - f:\program files\Ubisoft\Register\schedule.exe [2008-10-13 28672]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
EPSON Status Monitor 3 Environment Check 2.lnk - f:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-09-29 131584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.avrn"= AvidAVICodec.dll
"vidc.ffds"= -
"MIDI1"= diomidi.dll
"wave1"= Digi32.dll
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\mIRC\\mirc.exe"=
"f:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"f:\\StubInstaller.exe"=
"f:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"f:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aolsoftware.exe"=
"f:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aim6.exe"=
"f:\\Documents and Settings\\Ben Presley\\Desktop\\utorrent.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\counter-strike source\\hl2.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\half-life 2\\hl2.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\UnrealTournament\\System\\UnrealTournament.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\garrysmod\\hl2.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"f:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"f:\\Program Files\\AIM6\\aim6.exe"=
"f:\\Program Files\\Valve\\Steam\\steam.exe"=
"f:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"f:\\Documents and Settings\\Ben Presley\\Desktop\\WWP\\Worms World Party\\WWP\\wwp.exe"=
"f:\\Program Files\\Ubisoft\\XIII\\system\\XIII.exe"=
"f:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
"f:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\empires2.EXE"=
"f:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\age2_x1.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"f:\\CAVEDOG\\TOTALA\\totala.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5060:UDP"= 5060:UDP:Express Talk Sip Incoming Calls (UDP)

R1 SASDIFSV;SASDIFSV;\??\f:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\f:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;f:\windows\system32\drivers\viahduaa.sys [2008-10-31 238080]
S3 EPUSBSTOR;EPSON USB Storage Driver;f:\windows\system32\DRIVERS\epusbsto.sys [2001-09-10 17976]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\f:\windows\system32\drivers\hitmanpro3.sys []
S3 HitmanProCrusader;HitmanProCrusader;f:\documents and settings\Ben Presley\Local Settings\temp\hitmanpro3\hitmanpro3_jsp.exe []
S3 kxwdmdrv;kX WDM Driver Service;f:\windows\system32\drivers\kx.sys []
S3 SASENUM;SASENUM;\??\f:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

*Newly Created Service* - HITMANPROCRUSADER
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ytmnd.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Ben Presley\Application Data\Mozilla\Firefox\Profiles\8d31umkc.default\
FF - plugin: f:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 15:35:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = f:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?p ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?` ??????~?B~??????????@???????????????????B?????? ???????????????????`????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
f:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-23 15:38:22
ComboFix-quarantined-files.txt 2008-12-23 22:37:10
ComboFix2.txt 2008-12-21 19:38:54

Pre-Run: 81,208,066,048 bytes free
Post-Run: 81,191,501,824 bytes free

282 --- E O F --- 2008-12-22 10:00:46




SDFix: Version 1.240
Run by Administrator on Tue 12/02/2008 at 05:30 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: F:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

F:\WINDOWS\system32\rtc.dat - Deleted
F:\WINDOWS\system32\TDSSirxy.dll - Deleted
F:\WINDOWS\system32\TDSSravu.dll - Deleted
F:\WINDOWS\system32\TDSSocun.dll - Deleted
F:\WINDOWS\system32\TDSSqqon.dll - Deleted
F:\WINDOWS\system32\TDSSwupe.dat - Deleted
F:\WINDOWS\system32\TDSSwghd.log - Deleted


Could Not Remove F:\WINDOWS\system32\TDSSktpo.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 06:16:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

F:\Documents and Settings\Ben Presley\Application Data\Google\runhh6110411.exe [308] 0x8A46DDA0

scanning hidden services & system hive ...

disk error: F:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: F:\WINDOWS\system32\config\software, 0
disk error: F:\Documents and Settings\Ben Presley\ntuser.dat, 0
scanning hidden files ...

disk error: F:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Messenger\\msmsgs.exe"="F:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Program Files\\mIRC\\mirc.exe"="F:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"F:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"="F:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"F:\\StubInstaller.exe"="F:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"F:\\Program Files\\LimeWire\\LimeWire.exe"="F:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\Program Files\\Google\\Google Talk\\googletalk.exe"="F:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"F:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aolsoftware.exe"="F:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"F:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aim6.exe"="F:\\Program Files\\Common Files\\AOL\\1139795904\\ee\\aim6.exe:*:Enabled:AIM"
"F:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"F:\\Program Files\\ABC\\abc.exe"="F:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"F:\\Documents and Settings\\Ben Presley\\Desktop\\utorrent.exe"="F:\\Documents and Settings\\Ben Presley\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"F:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\counter-strike source\\hl2.exe"="F:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"F:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\half-life 2\\hl2.exe"="F:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\half-life 2\\hl2.exe:*:Enabled:hl2"
"F:\\Program Files\\Mozilla Firefox\\firefox.exe"="F:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"F:\\Program Files\\Warcraft III\\Warcraft III.exe"="F:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"F:\\UnrealTournament\\System\\UnrealTournament.exe"="F:\\UnrealTournament\\System\\UnrealTournament.exe:*:Enabled:UnrealTournament"
"F:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\garrysmod\\hl2.exe"="F:\\Program Files\\Valve\\Steam\\SteamApps\\inanecathode\\garrysmod\\hl2.exe:*:Enabled:hl2"
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="F:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"F:\\Program Files\\AIM6\\aim6.exe"="F:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"F:\\Program Files\\Valve\\Steam\\steam.exe"="F:\\Program Files\\Valve\\Steam\\steam.exe:*:Enabled:Steam"
"F:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"="F:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe:*:Enabled:CCP ExeFile"
"F:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"="F:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"F:\\Documents and Settings\\Ben Presley\\Desktop\\WWP\\Worms World Party\\WWP\\wwp.exe"="F:\\Documents and Settings\\Ben Presley\\Desktop\\WWP\\Worms World Party\\WWP\\wwp.exe:*:Enabled:Worms World Party"
"F:\\Program Files\\Ubisoft\\XIII\\system\\XIII.exe"="F:\\Program Files\\Ubisoft\\XIII\\system\\XIII.exe:*:Disabled:XIII"
"F:\\WINDOWS\\system32\\dplaysvr.exe"="F:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\CAVEDOG\\TOTALA\\TotalA.exe"="C:\\CAVEDOG\\TOTALA\\TotalA.exe:*:Enabled:Total Annihilation"
"F:\\Program Files\\Trillian\\trillian.exe"="F:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Ben Presley\\Desktop\\freespace2\\FS2\\FS2.exe"="C:\\Documents and Settings\\Ben Presley\\Desktop\\freespace2\\FS2\\FS2.exe:*:Enabled:FreeSpace"
"F:\\Program Files\\NCH Swift Sound\\Talk\\talk.exe"="F:\\Program Files\\NCH Swift Sound\\Talk\\talk.exe:*:Enabled:Express Talk"
"F:\\WINDOWS\\system32\\dpvsetup.exe"="F:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"F:\\WINDOWS\\system32\\rundll32.exe"="F:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"F:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\empires2.EXE"="F:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\empires2.EXE:*:Disabled:Age of Empires II"
"F:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\age2_x1.exe"="F:\\Documents and Settings\\Ben Presley\\My Documents\\Downloads\\AOE II\\age2_x1.exe:*:Disabled:Age of Empires II Expansion"
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"="F:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\\Program Files\\MSN Messenger\\livecall.exe"="F:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"F:\\CAVEDOG\\TOTALA\\totala.exe"="F:\\CAVEDOG\\TOTALA\\totala.exe:*:Enabled:Total Annihilation"
"F:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="F:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™"
"F:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="F:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™"
"F:\\WINDOWS\\system32\\drivers\\svchost.exe"="F:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"F:\\WINDOWS\\explorer.exe"="F:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"="F:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"F:\\Program Files\\MSN Messenger\\livecall.exe"="F:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

F:\WINDOWS\system32\TDSSktpo.dll Found

File Backups: - F:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 31 Dec 2005 4,348 ..SH. --- F:\DOCUME~1\ALLUSE~1\DRM\DRMV1.BAK
Fri 27 Feb 2004 233,472 A..H. --- F:\PROGRA~1\IMAGE-~1\FLSTUD~2\REXSHA~1.DLL
Fri 15 Dec 2006 106,496 A..H. --- F:\DOCUME~1\BENPRE~1\LOCALS~1\TEMP\~1FF.TMP
Fri 12 Nov 2004 37,376 ...H. --- F:\PROGRA~1\COMMON~1\ADOBE\ESD\DLMCLE~1.EXE
Thu 13 Nov 2008 4,811 ...HR --- F:\DOCUME~1\BENPRE~1\APPLIC~1\SECUROM\USERDATA\SECURO~1.BAK
Sat 31 Dec 2005 4,348 ...H. --- F:\DOCUME~1\BENPRE~1\MYDOCU~1\MYMUSI~1\LICENS~1\DRMV1KEY.BAK
Tue 30 Jan 2007 20 A..H. --- F:\DOCUME~1\BENPRE~1\MYDOCU~1\MYMUSI~1\LICENS~1\DRMV1LIC.BAK
Sat 31 Dec 2005 312 A.SH. --- F:\DOCUME~1\BENPRE~1\MYDOCU~1\MYMUSI~1\LICENS~1\DRMV2KEY.BAK

Finished!




Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

12/23/2008 3:44:09 PM
mbam-log-2008-12-23 (15-44-09).txt

Scan type: Quick Scan
Objects scanned: 53295
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


As far as file sharing goes, I do admit I have done it before, but very lightly and only with media I have actually already bought but just lost the legitimate copy of in meatspace. I've been extremely careful with the file-sharing program I've been using; I don't think anything I've downloaded from it has been a problem. I'll tell you how I think I got infected though: one of my friends linked me some funny video or what have you, I clicked it and ended up on a video site that was a little bit seedy, I could tell from the banner ads. Nothing was awry at that point, but what happened is I accidentally clicked on one of those stupid "your computer is infected" banners by mistake and ended up on a REALLY seedy site that popped up a query box faking to me that I had to hit OK to do something or other. What's more moronic on my part is that instead of just Alt-F4ing the whole thing I was being careless and just OK'd or cancelled out of the query box, and after that things just got strange. Popups everywhere like crazy, almost impossible to leave the site, etc. The next morning after booting up is when the computer started acting like it has been.
I suppose that's all kinda irrelevant at this point, I just thought you'd like to know :)

And also, if you can give me any ideas for backup of my machine as far as really important data goes, that would be awesome. It's just that I have my music producing programs, and saved music, and so many files that mean a lot to me. I wish I had some way to take a snapshot of the machine and store it somewhere, so next time something like this happens I can do what I normally do, and just format and reinstall Windows.

Thanks
Ben

#11 Yourhighness
The BSG Malware Fighter
  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg

Posted 24 December 2008 - 03:17 AM

Hi Ben,

Let's see if that helps:
  • Download IEFix and run it.
  • Click the Apply button.
  • You'll be prompted for the Operating System CD or the Service Pack Files location:
  • If you're using Windows XP, insert the Operating System CD. For OEM systems, point to the Operating System source path when prompted. If you've applied a Service Pack separately, you need to insert the Slipstreamed Operating System CD (if you have one) or point the installer to the ServicePack source path when prompted. Mention the path as "C:\Windows\ServicePackFiles\i386" or "C:\Windows\ServicePackFiles"
  • If you don't have the Windows installation CD, and if the installation source files are not present in the hard disk, you may click Cancel when you see a dialog similar to Fig 2 below. IEFix will continue with DLL registration part.
  • Restart windows
The old log is for seeing what other files were removed and what the log shows. It says, for example:
disk error: F:\WINDOWS\system32\config\system, 0
Which is not necessarily a good indicator.

Regarding a backup solution, I use this myself on a weekly basis: http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/ I also have an older version of Acronis True Image, as I got it for free in a promotion.

Let's see if the above got you a bit further, until I can double-check something as well.
Merry Xmas,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#12 Inane Cathode
  • Topic Starter
  • Members
  • 22 posts

Posted 24 December 2008 - 01:30 PM

When I try to use it, it says "IE 7 not supported" or something to that effect.

I also have a duplicate installation of Windows on the boot drive I want to get rid of too. I know boot.ini has something to do with it, but I wouldn't trust myself messing with system files :thumbsup:

#13 Yourhighness
The BSG Malware Fighter
  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg

Posted 25 December 2008 - 08:49 AM

Hi there,

Having two Windows installations is not a good thing to do. The fact that Windows was on partition F did suggest something like that though.
Please navigate to this topic and follow the instructions. See if that helps. Alternatively, you can try that afterwards.

Let's try to get this sorted first and make sure you are clean, and then we can go into a bit more detail about backup plans :thumbsup:.

Please do a scan with Kaspersky Online Scanner (you need to use Internet Explorer or enable IEView in Firefox).
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Thanks!



#14 Inane Cathode
  • Topic Starter
  • Members
  • 22 posts

Posted 28 December 2008 - 11:14 AM

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 03:49:30
Records in database: 1523061
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
A:\
D:\
F:\
G:\
H:\
I:\
Scan statistics
Files scanned: 136585
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:43:59

File name Threat name Threats count
F:\Documents and Settings\Ben Presley\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-1dff5bb5 Infected: Exploit.Java.Gimsh.b 1
F:\Documents and Settings\Ben Presley\Application Data\Sun\Java\Deployment\cache\6.0\48\61bc2830-58c2bddc Infected: Exploit.Java.Gimsh.b 1
F:\Documents and Settings\Ben Presley\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-626ecf41 Infected: Exploit.Java.Gimsh.b 1
F:\Documents and Settings\Ben Presley\Desktop\Zips Und Rars\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
The selected area was scanned.


There's the Kaspersky log you requested :thumbsup:

#15 Yourhighness
The BSG Malware Fighter
  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg

Posted 29 December 2008 - 05:02 PM

Hi Inane Cathode,

Please do this:

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

How is your pc doing now? Would like to be sure, before we go towards wrapping this up :thumbsup: .
