
Lingering Infection


This topic is locked
5 replies to this topic

#1 nwkegan

  • Members
  • 6 posts

Posted 01 June 2009 - 05:07 PM

Hello. I've been having some malware problems. I thought I had gotten rid of it all but that is apparently not the case. Here is my HJT log; Process Explorer shows the two instances of rundll32.exe have registered the dll file 'juabzoe.dll', located in my system32 file. This was part of the malware I had, but I've deleted it from my system. I can't find it anywhere in the folder. I've searched, enabled hidden files, scanned with malwarebytes, everything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:59 PM, on 6/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
F:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
D:\My Documents\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ImpulseNow.lnk = F:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Ben\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Ben\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - F:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

--
End of file - 3698 bytes


Thanks for the help!

Edited by nwkegan, 01 June 2009 - 05:08 PM.
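Added example (not part of the thread and not a BleepingComputer or HijackThis tool): a small Python triage script for a HijackThis-format log. It pulls out every Windows file path the log references, flags lines that HijackThis itself marks "(file missing)" or "Unknown owner", flags DLLs launched through rundll32 and hosts entries other than localhost, and then checks each referenced path against a directory view. The log it runs on is a constructed sample in the same format as the one above; only rundll32.exe and the juabzoe.dll name come from the poster's description, every other entry is made up, and a temporary directory stands in for the C: drive. A path that shows up in the log but not in the directory view is the same discrepancy the first post describes: either the file is genuinely gone, or the current directory view cannot see it, which is the rootkit case and the reason a dedicated rootkit scan is the sensible next step rather than another file search.

```python
"""Triage a HijackThis-format log: extract referenced paths, flag entries
worth a second look, and cross-check referenced files against a directory
view so a file that is referenced but not visible on disk stands out.
Example code added for illustration; not from the thread or its tools."""
import os
import re
import tempfile

# Constructed sample in HijackThis 2.0 format. Only rundll32.exe and the
# juabzoe.dll name come from the poster's description; the rest is made up.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.0.0.5 update.example.test
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xyz] rundll32.exe C:\WINDOWS\system32\juabzoe.dll,Start
O23 - Service: Example Svc (exsvc) - Unknown owner - C:\WINDOWS\system32\exsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Drive letter, backslash-separated directories, then a PE or driver file.
# Commas and parentheses end a path, so "NvCpl.dll,NvStartup" and
# "exsvc.exe (file missing)" yield just the file path.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\n,()]+\\)*[^\\\n,()]*\.(?:exe|dll|sys)\b",
                     re.IGNORECASE)


def extract_paths(log):
    """Return the distinct Windows paths referenced in the log, case-folded."""
    return sorted({m.group(0).lower() for m in PATH_RE.finditer(log)})


def flag_entries(log):
    """Map each log line worth a second look to the reasons it was flagged.
    These are triage heuristics, not verdicts: the legitimate NvCpl entry
    is flagged too, simply because it is a DLL run through rundll32."""
    flags = {}
    for line in log.splitlines():
        reasons = []
        if "(file missing)" in line:
            reasons.append("target missing")
        if "Unknown owner" in line:
            reasons.append("unsigned/unknown publisher")
        if re.search(r"rundll32(\.exe)?\s+\S+\.dll", line, re.IGNORECASE):
            reasons.append("DLL launched via rundll32")
        if line.startswith("O1 - Hosts:") and "localhost" not in line:
            reasons.append("non-default hosts entry")
        if reasons:
            flags[line] = reasons
    return flags


def to_local(win_path, root):
    """Map c:\\a\\b.dll onto <root>/a/b.dll (drive letter dropped)."""
    parts = win_path.split("\\")[1:]
    return os.path.join(root, *parts)


def check_on_disk(paths, root):
    """Return referenced paths that are not visible in the directory view."""
    return [p for p in paths if not os.path.exists(to_local(p, root))]


def demo():
    """Build a fake system32 view in a temp dir, run the checks, return findings."""
    paths = extract_paths(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "windows", "system32")
        os.makedirs(sys32)
        # juabzoe.dll and exsvc.exe are deliberately NOT created.
        for name in ("rundll32.exe", "svchost.exe", "nvcpl.dll", "nvsvc32.exe"):
            open(os.path.join(sys32, name), "w").close()
        missing = check_on_disk(paths, root)
    return {"paths": paths, "missing": missing, "flags": flag_entries(SAMPLE_LOG)}


if __name__ == "__main__":
    result = demo()
    for p in result["missing"]:
        print("referenced but not on disk:", p)
    for line, why in result["flags"].items():
        print("; ".join(why), "<-", line)
```

Against the constructed sample this reports juabzoe.dll and exsvc.exe as referenced but absent from the directory view, and flags the two rundll32 entries, the unknown-owner service and the extra hosts line. On a real machine the directory view would be a listing of the actual system32 folder; if a file the process list says is loaded is absent from that listing, the listing itself is suspect.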



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 02 June 2009 - 01:03 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 nwkegan

  • Topic Starter
  • Members
  • 6 posts

Posted 02 June 2009 - 05:11 PM

Thanks for the help! My logs are attached to my post since they are too long to paste.

OTListIt logfile created on: 6/2/2009 3:29:14 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Ben\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.88 Gb Available Physical Memory | 43.88% Memory free
3.85 Gb Paging File | 3.00 Gb Available in Paging File | 77.86% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.65 Gb Total Space | 4.67 Gb Free Space | 31.88% Space Free | Partition Type: NTFS
Drive D: | 24.41 Gb Total Space | 16.44 Gb Free Space | 67.34% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 48.83 Gb Total Space | 5.71 Gb Free Space | 11.70% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 50.00 Gb Total Space | 20.73 Gb Free Space | 41.45% Space Free | Partition Type: NTFS

Computer Name: GAMEWIZ-1
Current User Name: Ben
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2007/06/13 03:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/11/10 10:23:50 | 01,539,072 | ---- | M] () -- C:\Program Files\Ventrilo\Ventrilo.exe
PRC - [2007/10/12 08:34:56 | 00,071,096 | ---- | M] () -- F:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/03/27 10:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/10/29 14:19:10 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2008/02/29 08:19:00 | 00,044,658 | ---- | M] (The Pidgin developer community) -- F:\Program Files\Pidgin\pidgin.exe
PRC - [2009/03/19 17:11:24 | 01,138,688 | ---- | M] (Last.fm) -- F:\Program Files\Last.fm\LastFM.exe
PRC - [2008/05/29 13:08:56 | 00,307,712 | ---- | M] (Mozilla Corporation) -- F:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/06/02 13:32:37 | 17,009,808 | ---- | M] (Blizzard Entertainment) -- F:\Program Files\World of Warcraft\WoW.exe
PRC - [2009/06/02 13:46:25 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2004/10/08 05:01:47 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2004/08/03 17:56:44 | 00,027,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\irmon.dll -- (Irmon [Auto | Running])
SRV - [2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found -- -- (NMIndexingService [On_Demand | Stopped])
SRV - [2007/10/12 08:34:56 | 00,071,096 | ---- | M] () -- F:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU [Auto | Running])
SRV - [2009/03/16 15:48:00 | 02,849,757 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\system32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - [2009/03/27 10:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/10/29 14:19:10 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
SRV - [2007/06/28 17:01:48 | 00,092,792 | ---- | M] (CACE Technologies) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd [On_Demand | Stopped])
SRV - [2009/04/12 11:19:32 | 00,120,168 | ---- | M] (stumbleupon.com) -- C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe -- (StumbleUponUpdateService [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/09/24 11:40:22 | 04,122,368 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2005/03/09 15:53:00 | 00,036,352 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\DRIVERS\AmdK8.sys -- (AmdK8 [System | Running])
DRV - [2003/07/23 12:16:48 | 00,022,821 | ---- | M] (Belkin Corporation) -- C:\WINDOWS\system32\drivers\bcgame.sys -- (bcgame [On_Demand | Running])
DRV - [2008/09/17 16:14:00 | 00,027,672 | R--- | M] (EnTech Taiwan) -- C:\WINDOWS\system32\DRIVERS\ENTECH.sys -- (ENTECH [On_Demand | Stopped])
DRV - [2008/11/25 18:18:26 | 00,008,704 | ---- | M] () -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv [On_Demand | Stopped])
DRV - [2008/11/25 18:18:22 | 00,003,072 | ---- | M] () -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv [On_Demand | Stopped])
DRV - [1996/04/03 12:33:26 | 00,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys -- (giveio [Boot | Running])
DRV - [2007/10/12 22:12:33 | 00,026,056 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\DRIVERS\hamachi.sys -- (hamachi [On_Demand | Running])
DRV - [2001/08/17 06:51:32 | 00,018,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\irsir.sys -- (irsir [On_Demand | Running])
DRV - [2004/10/08 05:01:47 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\NMnt.sys -- (nm [On_Demand | Running])
DRV - [2007/06/28 17:01:48 | 00,042,512 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF [On_Demand | Running])
DRV - [2009/03/27 10:03:00 | 06,280,416 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2005/05/17 02:45:08 | 00,092,800 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata [Boot | Running])
DRV - [2006/01/10 19:43:04 | 00,093,568 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvatabus.sys -- (nvatabus [Boot | Running])
DRV - [2006/04/14 20:09:04 | 00,034,176 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
DRV - [2006/04/14 20:09:06 | 00,013,056 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
DRV - [2004/10/08 05:01:47 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/07 16:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/06/05 11:56:40 | 00,044,928 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\DRIVERS\SDTHOOK.sys -- (SDTHOOK [On_Demand | Stopped])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/09/24 06:28:47 | 00,005,248 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys -- (speedfan [Boot | Running])
DRV - [2008/01/05 00:04:18 | 00,716,272 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2004/08/03 23:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 79 7B 76 0B 64 B9 5E 47 88 C2 58 5E 68 FC F9 82 [binary data]
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 79 7B 76 0B 64 B9 5E 47 88 C2 58 5E 68 FC F9 82 [binary data]
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 79 7B 76 0B 64 B9 5E 47 88 C2 58 5E 68 FC F9 82 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 79 7B 76 0B 64 B9 5E 47 88 C2 58 5E 68 FC F9 82 [binary data]
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-1958367476-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 79 7B 76 0B 64 B9 5E 47 88 C2 58 5E 68 FC F9 82 [binary data]
IE - HKU\S-1-5-21-507921405-1958367476-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-507921405-1958367476-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-507921405-1958367476-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKU\S-1-5-21-507921405-1958367476-725345543-1004\S-1-5-21-507921405-1958367476-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "homepagestartup.com"
FF - prefs.js..extensions.enabledItems: 420chanextension@kirtaner:1.0.6
FF - prefs.js..extensions.enabledItems: {9AA46F4F-4DC7-4c06-97AF-5035170633FE}:0.4.5.12
FF - prefs.js..extensions.enabledItems: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}:0.9.7
FF - prefs.js..extensions.enabledItems: bandwidthmeter@gotomyhelp.com:1.2.5
FF - prefs.js..extensions.enabledItems: {e1170235-2845-420c-acc3-42261a29dd46}:3.5.1
FF - prefs.js..extensions.enabledItems: diggfirefox@mozilla.org:0.7
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.2
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20090123.1
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090207
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {82BC70E0-FE85-11DA-A899-3A655C103D30}:1.0.1.2
FF - prefs.js..extensions.enabledItems: {75CEEE46-9B64-46f8-94BF-54012DE155F0}:0.3.8
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.2.4
FF - prefs.js..extensions.enabledItems: {F645A8C9-E969-42D9-B3F3-F325537222FD}:1.1.4
FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:0.9941
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.1
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.4.6
FF - prefs.js..extensions.enabledItems: {20291fcc-1471-46c8-8213-5911f5ce6d67}:1.3.5
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.29
FF - prefs.js..extensions.enabledItems: undoclosedtabsbutton@supernova00.biz:3.0.3
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.6.11
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0
FF - prefs.js..extensions.enabledItems: {36C13C8F-54F1-412e-8177-2E411719162D}:3.3.9

FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Components: F:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/22 18:33:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Plugins: F:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/29 15:52:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: F:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/04/22 18:34:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: F:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS [2009/04/29 15:52:28 | 00,000,000 | ---D | M]

[2008/06/18 20:32:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Extensions
[2008/06/18 20:32:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/01 21:33:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions
[2009/03/09 13:20:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2009/03/11 18:45:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2009/04/02 02:21:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2009/03/31 16:36:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{20291fcc-1471-46c8-8213-5911f5ce6d67}
[2009/03/27 17:29:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{36C13C8F-54F1-412e-8177-2E411719162D}
[2009/05/01 14:29:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2008/06/13 17:53:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{75CEEE46-9B64-46f8-94BF-54012DE155F0}
[2009/02/08 15:53:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/04/17 15:05:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{82BC70E0-FE85-11DA-A899-3A655C103D30}
[2008/07/18 14:55:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
[2009/04/23 20:54:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2009/05/01 14:29:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/03/27 17:29:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2008/12/09 04:10:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{e1170235-2845-420c-acc3-42261a29dd46}
[2009/02/20 00:29:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2008/06/05 16:37:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2008/08/06 14:25:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
[2009/03/12 19:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\420chanextension@kirtaner
[2008/11/13 13:38:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\bandwidthmeter@gotomyhelp.com
[2009/04/04 09:30:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\diggfirefox@mozilla.org
[2009/04/17 15:05:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\isreaditlater@ideashower.com
[2008/06/21 15:48:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\undoclosedtabsbutton@supernova00.biz
[2009/03/12 19:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\420chanextension@kirtaner
[2009/03/12 19:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\420chanextension@kirtaner\__MACOSX
[2009/03/12 19:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\420chanextension@kirtaner\chrome
[2009/03/12 19:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ben\Application Data\mozilla\Firefox\Profiles\0u046ea1.default\extensions\420chanextension@kirtaner\content
[2007/11/17 15:20:07 | 00,001,370 | ---- | M] () -- C:\Documents and Settings\Ben\Application Data\Mozilla\FireFox\Profiles\0u046ea1.default\searchplugins\wowhead.xml
[2007/08/06 00:00:38 | 00,002,105 | ---- | M] () -- C:\Documents and Settings\Ben\Application Data\Mozilla\FireFox\Profiles\0u046ea1.default\searchplugins\youtube-video-search.xml

O1 HOSTS File: (36 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (StumbleUpon Launcher) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (StumbleUpon Toolbar) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Ben\Start Menu\Programs\Startup\ImpulseNow.lnk = F:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe (Stardock Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1958367476-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1958367476-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 00 08 04 00 [binary data]
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/01 19:52:26 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{ca902144-40a3-11dc-9cfa-dca3c1f5472d}\Shell - "" = AutoRun
O33 - MountPoints2\{ca902144-40a3-11dc-9cfa-dca3c1f5472d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ca902144-40a3-11dc-9cfa-dca3c1f5472d}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\setup.exe -- [2004/10/08 05:01:47 | 00,023,040 | ---- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/02 13:49:22 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[2009/06/02 13:47:36 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\gmer.exe
[2009/06/02 13:46:24 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ben\Desktop\OTListIt2.exe
[2009/05/31 15:41:34 | 00,000,756 | ---- | C] () -- C:\Documents and Settings\Ben\Start Menu\Programs\Startup\ImpulseNow.lnk
[2009/05/31 14:13:56 | 00,000,000 | ---D | C] -- D:\My Documents\HiJackThis
[2009/05/25 14:34:14 | 00,000,000 | ---D | C] -- D:\My Documents\Rawr v2.2.5
[2009/05/16 22:25:17 | 00,000,000 | ---D | C] -- D:\My Documents\My Games
[2009/05/16 22:21:58 | 00,000,711 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Impulse.lnk
[2009/05/16 22:21:53 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{5CB3B214-2971-41B4-93F5-3344A403F942}
[2009/05/16 21:51:17 | 02,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2009/05/16 21:51:17 | 00,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2009/05/16 21:51:16 | 04,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2009/05/16 21:51:15 | 00,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2009/05/16 21:51:15 | 00,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2009/05/16 21:51:14 | 00,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2009/05/16 21:51:13 | 00,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2009/05/16 21:51:12 | 00,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2009/05/16 21:51:12 | 00,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2009/05/16 21:51:11 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2009/05/16 21:51:09 | 03,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2009/05/16 21:51:09 | 01,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2009/05/16 21:51:09 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2009/05/16 21:45:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ben\Application Data\Stardock
[2009/05/16 21:44:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Stardock
[2009/05/11 13:48:36 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/11 13:48:36 | 00,000,570 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/11 13:48:34 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/10 20:48:41 | 00,000,618 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\PokerStars.lnk
[2009/05/06 18:15:54 | 00,000,000 | ---D | C] -- D:\My Documents\My Received Files
[2009/05/06 18:11:42 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/05/06 18:11:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/05/06 18:11:28 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/05/06 18:11:07 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2009/05/06 18:09:05 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/05/05 22:21:21 | 00,000,752 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\PFPortChecker.lnk
[2009/05/05 22:21:21 | 00,000,000 | ---D | C] -- C:\Program Files\PFPortChecker
[2009/05/04 21:48:40 | 00,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2009/03/27 10:03:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/27 10:03:00 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/27 10:03:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/27 10:03:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/03/14 10:48:32 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/03/02 07:12:39 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2009/03/02 07:12:39 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2009/02/20 03:13:59 | 00,472,064 | ---- | C] () -- C:\WINDOWS\System32\NTFSFormat.dll
[2009/02/20 03:13:59 | 00,180,736 | ---- | C] () -- C:\WINDOWS\System32\DeviceManager.dll
[2009/02/20 03:13:59 | 00,139,776 | ---- | C] () -- C:\WINDOWS\System32\NTFSCopy.dll
[2009/02/20 03:13:59 | 00,093,184 | ---- | C] () -- C:\WINDOWS\System32\Partition.dll
[2009/02/20 03:13:59 | 00,086,528 | ---- | C] () -- C:\WINDOWS\System32\NTFSLib.dll
[2009/02/20 03:13:59 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ResizeNTFS.dll
[2009/02/20 03:13:59 | 00,068,096 | ---- | C] () -- C:\WINDOWS\System32\Device.dll
[2009/02/20 03:13:59 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\FatCopy.dll
[2009/02/20 03:13:59 | 00,061,952 | ---- | C] () -- C:\WINDOWS\System32\FatResizeMove.dll
[2009/02/20 03:13:59 | 00,045,568 | ---- | C] () -- C:\WINDOWS\System32\FileSystemCheck.dll
[2009/02/20 03:13:59 | 00,031,744 | ---- | C] () -- C:\WINDOWS\System32\FatLib.dll
[2009/02/20 03:13:59 | 00,025,088 | ---- | C] () -- C:\WINDOWS\System32\FATFileSystemAnalyser.dll
[2009/02/20 03:13:59 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\NTFSFileSystemAnalyser.dll
[2009/02/20 03:13:59 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\FatFormat.dll
[2009/02/20 03:13:59 | 00,021,504 | ---- | C] () -- C:\WINDOWS\System32\Fixup.dll
[2009/02/20 03:13:59 | 00,017,920 | ---- | C] () -- C:\WINDOWS\System32\SectorCopy.dll
[2009/02/20 03:13:59 | 00,014,848 | ---- | C] () -- C:\WINDOWS\System32\FileSystemAnalyser.dll
[2009/02/20 03:13:59 | 00,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2009/02/20 03:13:59 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\DeviceAdapter.dll
[2009/02/20 03:13:59 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2009/02/20 03:13:59 | 00,006,656 | ---- | C] () -- C:\WINDOWS\System32\CallbackOperator.dll
[2009/02/20 03:13:59 | 00,003,072 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2008/11/17 15:38:31 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/10/07 09:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/08/14 01:27:34 | 00,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/08/14 01:27:34 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2008/08/14 01:27:33 | 00,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/08/14 01:27:33 | 00,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/08/14 01:27:32 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/08/14 01:27:32 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/07/20 21:51:15 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/07/20 21:51:15 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/07/20 21:51:15 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2008/01/05 00:04:18 | 00,716,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/11/05 20:33:54 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/10/29 18:01:29 | 00,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/10/28 17:34:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\galaxy.ini
[2007/10/23 02:13:39 | 00,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2007/08/04 18:19:24 | 00,002,554 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2007/08/01 20:34:51 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007/06/28 17:01:48 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/10/08 05:01:47 | 00,001,136 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/10/08 05:01:47 | 00,000,617 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/10/08 05:01:47 | 00,000,261 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/10/08 04:57:38 | 01,580,544 | ---- | C] () -- C:\WINDOWS\System32\sfcfiles.dll
[2002/06/06 03:01:58 | 00,029,696 | ---- | C] () -- C:\WINDOWS\System32\asutl8.dll
[1996/04/03 12:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/06/02 13:46:25 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben\Desktop\OTListIt2.exe
[2009/06/02 13:04:00 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2009/06/02 10:27:00 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2009/06/01 23:56:47 | 00,441,954 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/06/01 23:56:47 | 00,071,512 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/06/01 23:56:46 | 00,522,706 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/06/01 23:56:13 | 00,001,474 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\Clear Memory.lnk
[2009/06/01 00:47:08 | 00,215,715 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/06/01 00:47:06 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Ben\Local Settings\desktop.ini
[2009/06/01 00:47:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/01 00:47:04 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/31 15:41:35 | 00,000,756 | ---- | M] () -- C:\Documents and Settings\Ben\Start Menu\Programs\Startup\ImpulseNow.lnk
[2009/05/31 15:07:12 | 00,000,036 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/30 21:56:34 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/26 17:04:18 | 00,001,383 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\cmd.lnk
[2009/05/26 16:04:21 | 00,000,617 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/26 16:04:21 | 00,000,261 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/26 16:04:21 | 00,000,223 | -HS- | M] () -- C:\boot.ini
[2009/05/16 22:21:58 | 00,000,711 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Impulse.lnk
[2009/05/16 00:21:52 | 00,001,323 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\i j j i.lnk
[2009/05/11 13:48:36 | 00,000,570 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/10 20:48:41 | 00,000,618 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\PokerStars.lnk
[2009/05/08 17:52:38 | 00,000,023 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2009/05/08 03:07:00 | 00,116,560 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/05 22:21:21 | 00,000,752 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\PFPortChecker.lnk
< End of report >

Edited by Buckeye_Sam, 03 June 2009 - 02:58 PM.


#4 nwkegan

nwkegan
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:45 AM

Posted 02 June 2009 - 05:27 PM

Sorry for the double post; it was an accident. However, my logs seem to have been clipped at the bottom of my first post anyway, so I'll edit this with the rest in just a minute.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-02 16:41:55
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT spdk.sys ZwCreateKey [0xB9EAB0E0]
SSDT spdk.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spdk.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT spdk.sys ZwOpenKey [0xB9EAB0C0]
SSDT spdk.sys ZwQueryKey [0xB9EC9108]
SSDT spdk.sys ZwQueryValueKey [0xB9EC8F88]
SSDT spdk.sys ZwSetValueKey [0xB9EC919A]

INT 0x62 ? 89DE3BF8
INT 0x63 ? 89DE3BF8
INT 0x73 ? 89DE3BF8
INT 0x82 ? 89DE3BF8
INT 0xA4 ? 89C45E30
INT 0xB4 ? 89C45E30

---- Kernel code sections - GMER 1.0.15 ----

? spdk.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B81A262C 5 Bytes JMP 89C45410
.text a0mytu8e.SYS B2541384 1 Byte [20]
.text a0mytu8e.SYS B2541384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text a0mytu8e.SYS B25413AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text a0mytu8e.SYS B25413C4 3 Bytes [00, 00, 00]
.text a0mytu8e.SYS B25413C9 1 Byte [00]
.text ...
? System32\Drivers\sfc.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 01ACA68D F:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!GetScrollInfo 7E420DA2 7 Bytes JMP 01ACA615 F:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!ShowScrollBar 7E42F2B3 5 Bytes JMP 01ACA711 F:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!GetScrollPos 7E42F6C4 5 Bytes JMP 01ACA63D F:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!SetScrollPos 7E42F710 5 Bytes JMP 01ACA6B8 F:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!GetScrollRange 7E42F747 5 Bytes JMP 01ACA662 F:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!SetScrollRange 7E42F95B 5 Bytes JMP 01ACA6E3 F:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text F:\Program Files\Winamp\winamp.exe[1888] USER32.dll!EnableScrollBar 7E467DDD 7 Bytes JMP 01ACA5ED F:\Program Files\Winamp\Plugins\gen_jumpex.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spdk.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spdk.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spdk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spdk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spdk.sys
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\a0mytu8e.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EBBD92] spdk.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT F:\Program Files\Last.fm\LastFM.exe[300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00BC3F78
IAT F:\Program Files\World of Warcraft\WoW.exe[4848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 027626A0
IAT F:\Program Files\Mozilla Firefox\firefox.exe[4956] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00A03F78

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E521F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C19ED5D-0A62-405A-9CEC-C3557A40F828} 88FA31F8
Device \Driver\usbohci \Device\USBPDO-0 89B14500
Device \Driver\usbehci \Device\USBPDO-1 89B44500
Device \Driver\NetBT \Device\NetBT_Tcpip_{5173269E-3CC4-4531-8689-D061F6B4EB92} 88FA31F8
Device \Driver\nvata \Device\00000070 89DE31F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89DE41F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89DE41F8
Device \Driver\Cdrom \Device\CdRom0 89AA8500
Device \Driver\Ftdisk \Device\HarddiskVolume3 89DE41F8
Device \Driver\Cdrom \Device\CdRom1 89AA8500
Device \Driver\Ftdisk \Device\HarddiskVolume4 89DE41F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88FA31F8
Device \Driver\NetBT \Device\NetbiosSmb 88FA31F8
Device \Driver\PCI_PNP0346 \Device\0000004f spdk.sys
Device \Driver\sptd \Device\491839096 spdk.sys
Device \Driver\usbohci \Device\USBFDO-0 89B14500
Device \Driver\nvata \Device\NvAta0 89DE31F8
Device \Driver\usbehci \Device\USBFDO-1 89B44500
Device \Driver\nvata \Device\0000006e 89DE31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88FA11F8
Device \Driver\nvata \Device\NvAta1 89DE31F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88FA11F8
Device \Driver\nvata \Device\NvAta2 89DE31F8
Device \Driver\Ftdisk \Device\FtControl 89DE41F8
Device \Driver\a0mytu8e \Device\Scsi\a0mytu8e1 89B3B500
Device \Driver\a0mytu8e \Device\Scsi\a0mytu8e1Port3Path0Target0Lun0 89B3B500
Device \FileSystem\Cdfs \Cdfs 88F821F8

---- Services - GMER 1.0.15 ----

Service system32\drivers\ovfsthxetwukvst.sys (*** hidden *** ) [SYSTEM] ovfsthxuipdwvbw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxuipdwvbw@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxuipdwvbw@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxuipdwvbw@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxuipdwvbw@imagepath \systemroot\system32\drivers\ovfsthxetwukvst.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxuipdwvbw\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxuipdwvbw\modules@ovfsthx.sys \systemroot\system32\drivers\ovfsthxetwukvst.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x54 0x49 0xF0 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF5 0xCB 0x02 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x63 0x37 0x8C 0x9F ...
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxuipdwvbw@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxuipdwvbw@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxuipdwvbw@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxuipdwvbw@imagepath \systemroot\system32\drivers\ovfsthxetwukvst.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxuipdwvbw\modules
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxuipdwvbw\modules@ovfsthx.sys \systemroot\system32\drivers\ovfsthxetwukvst.sys
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x54 0x49 0xF0 0x71 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF5 0xCB 0x02 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x63 0x37 0x8C 0x9F ...

---- EOF - GMER 1.0.15 ----



Edited by Buckeye_Sam, 03 June 2009 - 02:58 PM.


#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:45 PM

Posted 03 June 2009 - 02:59 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:45 PM

Posted 25 June 2009 - 02:59 PM

Unfortunately there has been no response.
This thread will now be closed.



