
skynet


  • This topic is locked
8 replies to this topic

#1 billy6708

billy6708

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 23 June 2009 - 11:19 AM

Referred here from: http://www.bleepingcomputer.com/forums/t/235704/warning-boxes/ ~ OB

Hi,
I was advised to post here as I've got a skynet virus (SKYNETxtbmfvji.dll VIRUS IDENTIFIED PACKED. ROLEX).
I'm running AVG 8.5; when I start up my PC and click on anything, AVG tells me it's found multiple threats from the said virus.
Also, System Restore, defrag and error check don't work anymore.



DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 16:55:28.34 on 23/06/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.3326.2216 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://uk.yahoo.com
mDefault_Page_URL = hxxp://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: BigMAQ Toolbar: {7f312b9a-208b-49fa-8218-b9aa22ec1463} - c:\program files\bigmaq\tbBigM.dll
mURLSearchHooks: BigMAQ Toolbar: {7f312b9a-208b-49fa-8218-b9aa22ec1463} - c:\program files\bigmaq\tbBigM.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: BigMAQ Toolbar: {7f312b9a-208b-49fa-8218-b9aa22ec1463} - c:\program files\bigmaq\tbBigM.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: BigMAQ Toolbar: {7f312b9a-208b-49fa-8218-b9aa22ec1463} - c:\program files\bigmaq\tbBigM.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [userinit] c:\users\user\appdata\roaming\sdra64.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardock objectdock.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-6-16 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-16 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-16 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-20 298776]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-12-12 451072]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2007-7-5 873472]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 WG111T;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\drivers\WG111Tv.sys [2009-5-4 870400]

=============== Created Last 30 ================

2009-06-23 13:58 --dsh--- c:\users\user\appdata\roaming\lowsec
2009-06-23 12:32 --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-23 12:32 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-23 12:32 --d----- c:\users\user\appdata\roaming\SUPERAntiSpyware.com
2009-06-23 12:32 --d----- c:\program files\SUPERAntiSpyware
2009-06-23 12:31 --dsh--- c:\windows\system32\lowsec
2009-06-22 16:55 69 a------- c:\windows\NeroDigital.ini
2009-06-22 09:48 --d----- c:\users\user\appdata\roaming\Malwarebytes
2009-06-22 09:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 09:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 09:48 --d----- c:\programdata\Malwarebytes
2009-06-22 09:48 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 09:48 --d----- c:\progra~2\Malwarebytes
2009-06-22 00:37 --d----- c:\program files\Microsoft IntelliType Pro
2009-06-21 22:25 190,156,119 a------- c:\windows\MEMORY.DMP
2009-06-21 20:43 --d----- c:\program files\MSXML 4.0
2009-06-21 13:47 1,887 a------- c:\windows\diagwrn.xml
2009-06-21 13:47 1,887 a------- c:\windows\diagerr.xml
2009-06-21 13:38 --d----- c:\programdata\Nero
2009-06-21 13:38 --d----- c:\program files\Nero
2009-06-21 13:38 --d----- c:\progra~2\Nero
2009-06-16 12:10 --d-h--- C:\$AVG8.VAULT$
2009-06-16 11:56 10,045 a------- c:\windows\msvrc20.dll
2009-06-16 11:56 --d----- c:\program files\IObit
2009-06-16 10:02 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:02 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-06-16 10:02 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 10:02 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 10:02 --d----- c:\windows\system32\drivers\Avg
2009-06-15 18:57 --d----- c:\programdata\Sports Interactive
2009-06-15 18:57 --d----- c:\progra~2\Sports Interactive
2009-06-15 18:38 --d----- c:\programdata\Tages
2009-06-15 18:38 --d----- c:\progra~2\Tages
2009-06-15 18:37 281,504 a------- c:\windows\system32\drivers\atksgt.sys
2009-06-15 18:37 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-06-15 10:23 8,212 a------- c:\windows\mfebcdata
2009-06-14 17:55 --d----- c:\program files\City Interactive
2009-06-14 16:45 --d----- c:\users\user\appdata\roaming\Sports Interactive
2009-06-14 16:45 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-06-14 16:45 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-06-14 16:45 440,080 a------- c:\windows\system32\d3dx10.dll
2009-06-14 16:40 --d-h--- c:\program files\Zero G Registry
2009-06-14 16:40 --d----- c:\program files\Sports Interactive
2009-06-14 16:40 --d-h--- c:\users\user\InstallAnywhere
2009-06-14 15:24 --d----- c:\windows\system32\appmgmt
2009-06-14 15:13 --d----- c:\programdata\Trymedia
2009-06-14 15:13 --d----- c:\progra~2\Trymedia
2009-06-14 15:00 635,904 a------- c:\windows\system32\msvcrtnew.dll
2009-06-14 14:59 728,858 a------- c:\program files\common files\unins000.exe
2009-06-14 14:59 2,585 a------- c:\program files\common files\unins000.dat
2009-06-13 00:46 --d----- c:\program files\Scratches Director's Cut
2009-06-13 00:25 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-06-13 00:25 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-06-13 00:25 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-06-13 00:25 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-06-13 00:25 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-06-13 00:25 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-06-13 00:25 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-06-13 00:14 --d----- C:\Microsoft Games
2009-06-12 21:02 --d----- c:\programdata\SiteAdvisor
2009-06-12 21:02 --d----- c:\program files\SiteAdvisor
2009-06-12 20:45 --d----- c:\programdata\McAfee
2009-06-12 18:57 --d----- c:\windows\Full Speed
2009-06-12 15:50 327,168 a------- c:\windows\IsUninst.exe
2009-06-11 21:52 --d----- c:\program files\THQ
2009-06-11 20:36 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-06-11 16:03 --d----- c:\program files\uTorrent
2009-06-11 16:02 --d----- c:\users\user\appdata\roaming\uTorrent
2009-06-11 15:57 --d----- c:\program files\Conduit
2009-06-11 15:57 --d----- c:\program files\BigMAQ
2009-06-11 15:53 --d----- c:\programdata\Yahoo! Companion
2009-06-11 15:52 --d----- c:\programdata\Yahoo!
2009-06-11 15:38 --d----- c:\programdata\avg8
2009-06-11 15:38 --d----- c:\program files\AVG
2009-06-11 15:38 --d----- c:\progra~2\avg8
2009-06-11 14:31 25 a------- c:\windows\VSWizard.ini
2009-06-09 22:55 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-09 22:55 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-09 22:55 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-09 22:55 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-09 22:55 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-09 22:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 22:54 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 22:54 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-09 22:51 48,032 a------- c:\programdata\nvModes.dat
2009-06-09 22:51 48,032 a------- c:\progra~2\nvModes.dat
2009-06-09 22:41 --d----- c:\windows\1C4551A64743409391E41477CD655043.TMP

==================== Find3M ====================

2009-06-22 00:37 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-22 00:37 86,016 a------- c:\windows\inf\infstor.dat
2009-06-22 00:37 51,200 a------- c:\windows\inf\infpub.dat
2009-06-21 22:18 153,225,644 a------- c:\windows\DUMP4baf.tmp
2009-06-12 15:53 4,608 a------- c:\windows\system32\w95inf32.dll
2009-06-12 15:53 2,272 a------- c:\windows\system32\w95inf16.dll
2009-05-23 10:19 1,882,904 a------- c:\windows\system32\AutoPartNt.exe
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-01 00:08 1,505,824 a------- c:\windows\system32\nvcpluir.dll
2009-05-01 00:08 1,194,528 a------- c:\windows\system32\nvcplui.exe
2009-05-01 00:08 1,358,368 a------- c:\windows\system32\nvsvsr.dll
2009-05-01 00:08 1,292,832 a------- c:\windows\system32\nvsvs.dll
2009-04-30 22:02 10,366,976 a------- c:\windows\system32\nvoglv32.dll
2009-04-30 22:02 9,850,016 a------- c:\windows\system32\drivers\nvlddmkm.sys
2009-04-30 22:02 7,593,472 a------- c:\windows\system32\nvd3dum.dll
2009-04-30 22:02 3,128,320 a------- c:\windows\system32\nvwgf2um.dll
2009-04-30 22:02 1,704,960 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod146.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-30 22:02 4,224 a------- c:\windows\system32\drivers\nvBridge.kmd
2009-04-27 00:42 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-04-22 00:20 14,311,680 a------- c:\windows\system32\xlive.dll
2009-04-22 00:20 13,642,496 a------- c:\windows\system32\xlivefnt.dll
2009-03-27 10:03 236,064 a------- c:\windows\system32\nvmccs.dll
2009-03-27 10:03 139,264 a------- c:\windows\system32\nvcod141.dll
2009-03-27 10:03 45,056 a------- c:\windows\system32\nvmccsrs.dll
2008-12-12 19:23 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 03:41 174 a--sh--- c:\program files\desktop.ini
2008-01-21 03:23 773,120 a----r-- c:\users\user\appdata\roaming\sdra64.exe
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:57:45.19 ===============



Edited by Orange Blossom, 23 June 2009 - 08:57 PM.




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:18 AM

Posted 27 June 2009 - 12:24 PM

Hello billy6708,


Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 billy6708

billy6708
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 27 June 2009 - 01:31 PM

Hi,
Thanks for getting in touch.
Since my post my PC went through a scheduled scan with AVG, and since then I haven't been getting the warnings, so I'm not sure if it's been cured.
Here's the log just in case.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27:44, on 27/06/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbBigM.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.121.97.18 thepiratebay.org
O1 - Hosts: 91.121.97.18 www.thepiratebay.org
O1 - Hosts: 91.121.97.18 thepiratebay.org
O1 - Hosts: 91.121.97.18 www.thepiratebay.org
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbBigM.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbBigM.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7026 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:18 AM

Posted 27 June 2009 - 01:38 PM

Hello,

You're welcome. :thumbup2:

For this rootkit I can't let HijackThis be the judge. It doesn't show there. I'm going to get on to you a little bit here..... Going to places like Pirate Bay is not helping your cause here, and sooner or later the odds will even up, if they haven't already. Did you set those O1s yourself?

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 billy6708

billy6708
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 27 June 2009 - 04:17 PM

Hi,
Thanks for the help and advice.
I've only had this computer for 3 weeks; it was bought with a whole lot of stuff already on it. And those O1s, I wouldn't know how to set them, whatever they are :thumbup2:
Here are the logs.

ComboFix 09-06-26.02 - User 27/06/2009 21:57.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.3326.2341 [GMT 1:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msvrc20.dll
c:\windows\system32\SKYNETbpskuqcn.dat
c:\windows\system32\SKYNETfjbnwpjx.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNEToetbmtyn
-------\Service_SKYNETpujexmii


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 21:02 . 2009-06-27 21:04 -------- d-----w- c:\users\User\AppData\Local\temp
2009-06-27 18:27 . 2009-06-27 18:27 -------- d-----w- c:\program files\Trend Micro
2009-06-26 19:35 . 2009-06-26 19:35 -------- d-----w- c:\users\User\AppData\Local\Adobe
2009-06-26 10:45 . 2009-06-26 10:45 -------- d-----w- c:\users\User\AppData\Local\GHOSTBUSTERS ™
2009-06-26 09:51 . 2009-06-26 09:51 -------- d-----w- c:\program files\Atari
2009-06-24 14:53 . 2009-06-24 14:55 -------- d-----w- c:\windows\system32\ca-ES
2009-06-24 14:53 . 2009-06-24 14:55 -------- d-----w- c:\windows\system32\eu-ES
2009-06-24 14:53 . 2009-06-24 14:55 -------- d-----w- c:\windows\system32\vi-VN
2009-06-24 14:38 . 2009-06-24 14:38 -------- d-----w- c:\windows\system32\EventProviders
2009-06-23 12:58 . 2009-06-25 18:51 -------- d-sh--w- c:\users\User\AppData\Roaming\lowsec
2009-06-23 11:34 . 2009-06-26 08:12 117760 ----a-w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 11:32 . 2009-06-23 11:32 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-06-23 11:32 . 2009-06-23 11:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 11:32 . 2009-06-23 11:32 -------- d-----w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com
2009-06-22 08:48 . 2009-06-22 08:48 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2009-06-22 08:48 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 08:48 . 2009-06-22 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 08:48 . 2009-06-22 08:48 -------- d-----w- c:\programdata\Malwarebytes
2009-06-22 08:48 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 00:53 . 2009-06-22 00:53 -------- d-----w- c:\users\User\AppData\Local\Nero
2009-06-21 23:37 . 2009-06-21 23:37 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2009-06-21 23:35 . 2009-06-21 23:35 16013384 ----a-w- c:\users\User\AppData\Roaming\Uniblue\DriverScanner\Download\hid_vid_045e_pid_00dd_mi_006_30_183_0.exe
2009-06-21 21:04 . 2009-04-11 06:28 324608 ----a-w- c:\windows\system32\sdohlp.dll
2009-06-21 21:03 . 2009-04-11 06:32 19944 ----a-w- c:\windows\system32\kdusb.dll
2009-06-21 21:02 . 2009-04-11 06:28 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2009-06-21 21:02 . 2009-04-11 06:28 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2009-06-21 21:02 . 2009-04-11 06:28 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2009-06-21 21:02 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2009-06-21 21:02 . 2009-04-11 06:28 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
2009-06-21 21:02 . 2009-04-11 06:28 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-06-21 21:02 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
2009-06-21 21:02 . 2009-04-11 06:28 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2009-06-21 21:02 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-06-21 21:02 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-06-21 21:02 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2009-06-21 19:43 . 2009-06-21 19:43 -------- d-----w- c:\program files\MSXML 4.0
2009-06-21 12:38 . 2009-06-21 12:39 -------- d-----w- c:\program files\Common Files\Nero
2009-06-21 12:38 . 2009-06-21 12:38 -------- d-----w- c:\programdata\Nero
2009-06-21 12:38 . 2009-06-21 12:38 -------- d-----w- c:\program files\Nero
2009-06-20 21:54 . 2009-06-20 21:54 782664 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-20 20:40 . 2009-06-16 09:02 12552 ----a-w- c:\programdata\avg8\update\backup\avgrkx86.sys
2009-06-20 20:40 . 2009-06-16 09:02 108552 ----a-w- c:\programdata\avg8\update\backup\avgtdix.sys
2009-06-20 20:40 . 2009-06-16 09:02 325640 ----a-w- c:\programdata\avg8\update\backup\avgldx86.sys
2009-06-20 20:40 . 2009-06-16 09:02 10520 ----a-w- c:\programdata\avg8\update\backup\avgrsstx.dll
2009-06-20 20:40 . 2009-06-16 09:02 27656 ----a-w- c:\programdata\avg8\update\backup\avgmfx86.sys
2009-06-20 20:40 . 2009-06-16 09:02 485144 ----a-w- c:\programdata\avg8\update\backup\avgrsx.exe
2009-06-20 20:37 . 2009-06-16 09:02 746264 ----a-w- c:\programdata\avg8\update\backup\avginet.dll
2009-06-20 20:37 . 2009-06-16 09:02 582936 ----a-w- c:\programdata\avg8\update\backup\avgiproxy.exe
2009-06-20 20:37 . 2009-06-16 09:02 1423640 ----a-w- c:\programdata\avg8\update\backup\avgupd.dll
2009-06-20 20:37 . 2009-06-16 09:02 1057048 ----a-w- c:\programdata\avg8\update\backup\avgupd.exe
2009-06-16 11:10 . 2009-06-24 12:05 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-16 10:56 . 2009-06-16 10:56 -------- d-----w- c:\program files\IObit
2009-06-16 09:02 . 2009-06-20 20:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-16 09:02 . 2009-06-20 20:39 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-16 09:02 . 2009-06-20 20:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 09:02 . 2009-06-20 20:39 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 09:02 . 2009-06-20 20:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 09:02 . 2009-06-27 11:00 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-15 17:57 . 2009-06-15 17:57 -------- d-----w- c:\programdata\Sports Interactive
2009-06-15 17:38 . 2009-06-15 17:38 -------- d-----w- c:\programdata\Tages
2009-06-15 17:37 . 2009-06-15 17:37 281504 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-06-15 17:37 . 2009-06-15 17:37 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-06-14 19:28 . 2009-06-14 19:29 -------- d-----w- c:\users\User\AppData\Local\Microsoft Games
2009-06-14 16:55 . 2009-06-14 16:55 -------- d-----w- c:\program files\City Interactive
2009-06-14 16:39 . 2009-06-14 16:39 -------- d-----w- c:\users\User\AppData\Roaming\InstallShield
2009-06-14 15:45 . 2009-06-15 17:49 -------- d-----w- c:\users\User\AppData\Roaming\Sports Interactive
2009-06-14 15:45 . 2008-05-30 13:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-06-14 15:45 . 2008-05-30 13:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-06-14 15:45 . 2006-11-29 12:06 440080 ----a-w- c:\windows\system32\d3dx10.dll
2009-06-14 15:40 . 2009-06-15 08:26 -------- d-----w- c:\program files\Sports Interactive
2009-06-14 15:40 . 2009-06-14 15:43 -------- d--h--w- c:\program files\Zero G Registry
2009-06-14 15:40 . 2009-06-14 15:40 -------- d--h--w- c:\users\User\InstallAnywhere
2009-06-14 14:13 . 2009-06-14 14:13 -------- d-----w- c:\programdata\Trymedia
2009-06-14 14:00 . 2007-10-23 23:47 635904 ----a-w- c:\windows\system32\msvcrtnew.dll
2009-06-12 23:46 . 2009-06-12 23:47 -------- d-----w- c:\program files\Scratches Director's Cut
2009-06-12 23:26 . 2009-06-12 23:26 -------- d-----w- c:\users\User\AppData\Local\Fallout3
2009-06-12 23:25 . 2009-03-16 13:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-06-12 23:25 . 2009-03-16 13:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-06-12 23:25 . 2009-03-09 14:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-06-12 23:25 . 2009-03-09 14:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-06-12 23:25 . 2009-03-09 14:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-06-12 23:25 . 2009-03-16 13:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-06-12 23:25 . 2009-03-16 13:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-06-12 23:14 . 2009-06-12 23:14 -------- d-----w- C:\Microsoft Games
2009-06-12 21:36 . 2009-06-12 21:36 -------- d--h--r- c:\users\User\AppData\Roaming\SecuROM
2009-06-12 20:02 . 2009-06-12 20:02 -------- d-----w- c:\programdata\SiteAdvisor
2009-06-12 20:02 . 2009-06-12 20:02 -------- d-----w- c:\program files\SiteAdvisor
2009-06-12 19:45 . 2009-06-15 09:31 -------- d-----w- c:\programdata\McAfee
2009-06-12 17:57 . 2009-06-12 17:57 -------- d-----w- c:\windows\Full Speed
2009-06-12 14:53 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2009-06-12 14:53 . 1998-09-02 08:28 155408 ----a-w- c:\windows\system32\LMRT.dll
2009-06-12 14:53 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2009-06-12 14:53 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2009-06-12 14:53 . 1998-08-20 10:38 217984 ----a-w- c:\windows\system32\strmdll.dll
2009-06-12 14:53 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2009-06-12 14:53 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll
2009-06-12 14:53 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2009-06-12 14:53 . 2009-06-12 14:53 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-06-12 14:53 . 2009-06-12 14:53 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-06-12 14:50 . 1998-10-02 18:00 327168 ----a-w- c:\windows\IsUninst.exe
2009-06-11 20:52 . 2009-06-11 20:52 -------- d-----w- c:\program files\THQ
2009-06-11 20:02 . 2009-06-11 20:02 -------- d-----w- c:\users\User\AppData\Roaming\vlc
2009-06-11 20:01 . 2009-06-11 20:02 -------- d-----w- c:\users\User\AppData\Roaming\dvdcss
2009-06-11 15:03 . 2009-06-11 15:03 -------- d-----w- c:\program files\uTorrent
2009-06-11 15:02 . 2009-06-26 13:28 -------- d-----w- c:\users\User\AppData\Roaming\uTorrent
2009-06-11 14:57 . 2009-06-11 14:57 -------- d-----w- c:\program files\BigMAQ
2009-06-11 14:57 . 2009-06-11 14:57 -------- d-----w- c:\program files\Conduit
2009-06-11 14:54 . 2009-06-11 14:54 -------- d-----w- c:\users\User\AppData\Local\Yahoo
2009-06-11 14:53 . 2009-06-11 14:53 -------- d-----w- c:\users\User\AppData\Roaming\Yahoo!
2009-06-11 14:53 . 2009-06-11 14:53 -------- d-----w- c:\programdata\Yahoo! Companion
2009-06-11 14:52 . 2009-06-11 14:54 -------- d-----w- c:\programdata\Yahoo!
2009-06-11 14:52 . 2009-05-26 20:50 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2009-06-11 14:38 . 2009-06-24 08:23 -------- d-----w- c:\programdata\avg8
2009-06-11 14:38 . 2009-06-11 14:38 -------- d-----w- c:\program files\AVG
2009-06-11 14:12 . 2009-06-21 12:40 -------- d-----w- c:\users\User\AppData\Roaming\Nero
2009-06-11 13:58 . 2009-06-20 21:58 -------- d-----w- c:\users\User\AppData\Local\Zattoo
2009-06-11 13:55 . 2009-06-11 13:57 -------- d-----w- c:\users\User\AppData\Local\ZattooPlayer
2009-06-09 22:05 . 2009-05-09 05:50 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-09 22:05 . 2009-05-09 05:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-06-09 21:55 . 2009-04-21 11:39 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-06-09 21:54 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2009-06-09 21:54 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-09 21:41 . 2009-06-09 21:41 -------- d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 10:42 . 2008-12-12 15:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 15:39 . 2008-12-12 17:16 -------- d-----w- c:\programdata\NVIDIA
2009-06-24 14:56 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-06-24 14:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-24 14:56 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-06-24 14:56 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Journal
2009-06-24 14:56 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-06-24 14:56 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-24 14:56 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-06-24 14:53 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-23 11:31 . 2008-12-12 16:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-22 15:55 . 2008-12-12 16:01 3384 ----a-w- c:\users\User\AppData\Local\d3d9caps.dat
2009-06-22 00:53 . 2008-12-12 16:01 100256 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-21 23:25 . 2008-12-12 15:15 -------- d-----w- c:\programdata\DriverScanner
2009-06-21 21:18 . 2008-12-12 15:43 153225644 ----a-w- c:\windows\DUMP4baf.tmp
2009-06-14 14:00 . 2009-06-14 13:59 2585 ----a-w- c:\program files\Common Files\unins000.dat
2009-06-14 13:59 . 2009-06-14 13:59 728858 ----a-w- c:\program files\Common Files\unins000.exe
2009-06-14 13:40 . 2009-06-09 21:51 48032 ----a-w- c:\programdata\nvModes.dat
2009-06-12 21:26 . 2009-03-02 22:03 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-06-11 19:36 . 2009-06-11 19:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-06-11 17:01 . 2008-12-12 15:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-11 14:52 . 2008-12-12 15:14 -------- d-----w- c:\program files\Yahoo!
2009-06-11 14:05 . 2008-12-12 15:49 -------- d-----w- c:\programdata\Microsoft Help
2009-06-11 13:40 . 2008-12-12 15:36 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-09 22:08 . 2008-12-12 16:08 -------- d-----w- c:\program files\Microsoft Works
2009-05-23 09:19 . 2009-02-04 19:55 1882904 ----a-w- c:\windows\system32\AutoPartNt.exe
2009-04-30 23:08 . 2009-04-30 23:08 1505824 ----a-w- c:\windows\system32\nvcpluir.dll
2009-04-30 23:08 . 2009-04-30 23:08 1194528 ----a-w- c:\windows\system32\nvcplui.exe
2009-04-30 23:08 . 2009-04-30 23:08 1358368 ----a-w- c:\windows\system32\nvsvsr.dll
2009-04-30 23:08 . 2009-04-30 23:08 1292832 ----a-w- c:\windows\system32\nvsvs.dll
2009-04-30 21:02 . 2009-04-30 21:02 9850016 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2009-04-30 21:02 . 2009-04-30 21:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-04-30 21:02 . 2009-04-30 21:02 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-04-30 21:02 . 2009-04-30 21:02 4224 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2009-04-30 21:02 . 2009-04-30 21:02 3128320 ----a-w- c:\windows\system32\nvwgf2um.dll
2009-04-30 21:02 . 2009-04-30 21:02 1704960 ----a-w- c:\windows\system32\nvcuda.dll
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w- c:\windows\system32\nvcod146.dll
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-04-30 21:02 . 2009-04-30 21:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-04-30 21:02 . 2009-04-30 21:02 10366976 ----a-w- c:\windows\system32\nvoglv32.dll
2009-04-30 21:02 . 2009-01-15 08:19 7593472 ----a-w- c:\windows\system32\nvd3dum.dll
2009-04-26 23:42 . 2008-12-12 15:35 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-11 06:33 . 2009-06-21 21:04 986600 ----a-w- c:\windows\system32\winload.exe
2009-04-11 06:33 . 2009-06-21 21:04 926184 ----a-w- c:\windows\system32\winresume.exe
2009-04-11 06:33 . 2009-06-21 21:04 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2009-04-11 06:33 . 2009-06-21 21:04 897000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-04-11 06:33 . 2009-06-21 21:04 614376 ----a-w- c:\windows\system32\ci.dll
2009-04-11 06:28 . 2009-06-21 21:04 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2009-04-11 06:27 . 2009-06-21 21:05 441344 ----a-w- c:\windows\system32\SearchIndexer.exe
2009-04-11 06:22 . 2009-06-21 21:03 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-04-11 06:21 . 2009-06-21 21:03 37376 ----a-w- c:\windows\system32\cdd.dll
2009-04-11 05:42 . 2009-06-21 21:03 93696 ----a-w- c:\windows\system32\drivers\bridge.sys
2009-04-11 05:03 . 2009-06-21 21:05 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 05:03 . 2009-06-21 21:05 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 04:57 . 2009-06-21 21:03 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-11 04:54 . 2009-06-21 21:03 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-11 04:52 . 2009-06-21 21:03 248320 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2009-04-11 04:51 . 2009-06-21 21:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-04-11 04:47 . 2009-06-21 21:03 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2009-04-11 04:46 . 2009-06-21 21:03 69120 ----a-w- c:\windows\system32\drivers\rassstp.sys
2009-04-11 04:46 . 2009-06-21 21:03 121344 ----a-w- c:\windows\system32\drivers\ndiswan.sys
2009-04-11 04:46 . 2009-06-21 21:03 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-04-11 04:46 . 2009-06-21 21:03 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2009-04-11 04:46 . 2009-06-21 21:03 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2009-04-11 04:46 . 2009-06-21 21:03 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-04-11 04:45 . 2009-06-21 21:03 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-11 04:45 . 2009-06-21 21:03 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-04-11 04:45 . 2009-06-21 21:03 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2009-04-11 04:45 . 2009-06-21 21:03 401408 ----a-w- c:\windows\system32\drivers\http.sys
2009-04-11 04:45 . 2009-06-21 21:03 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-11 04:45 . 2009-06-21 21:03 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2009-04-11 04:43 . 2009-06-21 21:03 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-04-11 04:43 . 2009-06-21 21:04 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-04-11 04:43 . 2009-06-21 21:03 62208 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2009-04-11 04:43 . 2009-06-21 21:03 236544 ----a-w- c:\windows\system32\drivers\HdAudio.sys
2009-04-11 04:42 . 2009-06-21 21:04 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-04-11 04:42 . 2009-06-21 21:03 25856 ----a-w- c:\windows\system32\drivers\USBCAMD2.sys
2009-04-11 04:42 . 2009-06-21 21:03 25856 ----a-w- c:\windows\system32\drivers\USBCAMD.sys
2009-04-11 04:42 . 2009-06-21 21:03 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-04-11 04:42 . 2009-06-21 21:03 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-04-11 04:42 . 2009-06-21 21:03 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-04-11 04:42 . 2009-06-21 21:03 12800 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-04-11 04:42 . 2009-06-21 21:03 39424 ----a-w- c:\windows\system32\drivers\hidclass.sys
2009-04-11 04:42 . 2009-06-21 21:03 52992 ----a-w- c:\windows\system32\drivers\stream.sys
2009-04-11 04:42 . 2009-06-21 21:05 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-04-11 04:39 . 2009-06-21 21:03 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-04-11 04:39 . 2009-06-21 21:03 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-04-11 04:39 . 2009-06-21 21:03 19456 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2009-04-11 04:38 . 2009-06-21 21:03 149504 ----a-w- c:\windows\system32\drivers\ks.sys
2009-04-11 04:38 . 2009-06-21 21:03 17408 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-04-11 04:27 . 2009-06-21 21:03 2560 ----a-w- c:\windows\system32\msimsg.dll
2009-04-11 04:23 . 2009-06-21 21:04 626176 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-04-11 04:23 . 2009-06-21 21:03 76288 ----a-w- c:\windows\system32\drivers\dxg.sys
2009-04-11 04:23 . 2009-06-21 21:03 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-04-11 04:22 . 2009-06-21 21:03 33280 ----a-w- c:\windows\system32\drivers\watchdog.sys
2009-04-11 04:15 . 2009-06-21 21:04 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-11 04:15 . 2009-06-21 21:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-04-11 04:15 . 2009-06-21 21:03 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f312b9a-208b-49fa-8218-b9aa22ec1463}]
2009-06-08 08:55 2124824 ----a-w- c:\program files\BigMAQ\tbBigM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnhancedStorageShell]
@="{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
[HKEY_CLASSES_ROOT\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}]
2009-04-11 06:28 114176 ----a-w- c:\windows\System32\EhStorShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 81920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13781536]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-2-4 3581680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"BindDirectlyToPropertySetStorage"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:):90,52,48,b5,e1,f4,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9505DF03-3EDF-4FE7-8BF8-750E039EDEE7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6F1E2E31-1CBC-4C9F-A45C-3AE9E4737C11}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{672C305F-3ECA-44D5-85CF-DCFD3B4AC7FC}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{64F261E6-7294-4DDA-8600-1EBFB9EF6887}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5431BD55-50B5-422E-A2F9-85ABC383EF69}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{738D8F42-96B0-4CA7-849E-27140BF3377A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{643D3F05-AF09-461E-A476-79176D6F027F}d:\\games\\codwaw-kaos\\codwaw.exe"= UDP:d:\games\codwaw-kaos\codwaw.exe:Call of Duty®: World at War Campaign/Coop
"UDP Query User{30D065FF-2F3B-46A5-B6BC-5286BFC985AE}d:\\games\\codwaw-kaos\\codwaw.exe"= TCP:d:\games\codwaw-kaos\codwaw.exe:Call of Duty®: World at War Campaign/Coop
"{B5C3A5A3-BBA9-425D-9D78-3E8806DD339C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8C94E31D-08C3-4E30-A596-91399A70584B}"= UDP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"{43A78AB0-7867-4814-9D63-75E1E7CF674C}"= TCP:c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"{D07351C2-610C-4ABB-8841-E445BDA66547}"= UDP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
"{18DCD7D8-7C0C-4B4D-A039-6826CEC1C123}"= TCP:c:\program files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:Grand Theft Auto IV
"TCP Query User{AEF31D76-9943-4FB2-9DEB-3206B08397B0}d:\\games\\left 4 dead\\left4dead.exe"= UDP:d:\games\left 4 dead\left4dead.exe:left4dead
"UDP Query User{CF60D3EC-4893-467E-8866-363CC8C3C44F}d:\\games\\left 4 dead\\left4dead.exe"= TCP:d:\games\left 4 dead\left4dead.exe:left4dead
"TCP Query User{644825BC-7650-4F2D-AB3D-611747C21141}c:\\program files\\zattoo\\zattood.exe"= UDP:c:\program files\zattoo\zattood.exe:zattood
"UDP Query User{15D53A94-4518-4AF1-9C18-C12653CE869C}c:\\program files\\zattoo\\zattood.exe"= TCP:c:\program files\zattoo\zattood.exe:zattood
"TCP Query User{7148A15F-CF0D-43D9-8981-28469188A137}c:\\program files\\zattoo\\zattoo.exe"= UDP:c:\program files\zattoo\zattoo.exe:
"UDP Query User{F13F09D0-3763-4B54-BCAB-6E055D35A413}c:\\program files\\zattoo\\zattoo.exe"= TCP:c:\program files\zattoo\zattoo.exe:
"{C4C73D4C-0C0E-4C43-BB36-E4B38845EA60}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5BB647B6-97D8-4B74-9E3D-3E0E454F887A}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FB17DED3-C229-4A1D-A413-94E7E77A9814}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{83537734-5D86-4912-BF47-CFCB1A1515FF}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{889A625F-1A34-4BC7-8FE3-31868E57642F}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{BFF5E6A1-547F-4E33-9C46-2CDFFF2C99F9}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{BF4EE6FF-33A6-463A-9347-5287379A765F}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{0436DCF1-5174-4B37-AA56-4E1EB8B26C15}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{1CFAE73C-C977-4A6F-B4CE-F3D1DD411038}"= UDP:d:\games\battlefield 2\BF2.exe:Battlefield 2
"{75583530-1AA7-4B09-B208-9CD5F23E4AF3}"= TCP:d:\games\battlefield 2\BF2.exe:Battlefield 2
"{DF3D4A19-7BBC-41F5-A6D8-10DCF91BF91E}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{4315932D-DD6A-4480-9160-662B9A303C75}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{C58EE8D5-40C3-433F-B572-EDE9D60FBC3A}"= c:\program files\AVG\AVG8\avgam.exe:avgam.exe
"{D22EBC07-AA14-43AC-89CA-F99A4452969B}"= c:\program files\AVG\AVG8\avgdiag.exe:avgdiag.exe
"{31872E6F-8996-4E2C-A45C-BAE1343181CD}"= c:\program files\AVG\AVG8\avgdiagex.exe:avgdiagex.exe
"{D5130E61-4F95-445D-8DA3-745BF4163C97}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{DF66D520-36E3-41BE-978F-285952F83C1D}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{E4900F34-E135-4574-8846-970BA2C2D025}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"UDP Query User{F493FEAF-608A-4BB2-9A72-83F9F16231BE}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"TCP Query User{3B67A232-4A8A-47EF-9D24-F774DF4B1FC3}c:\\windows\\explorer.exe"= UDP:c:\windows\explorer.exe:Windows Explorer
"UDP Query User{A5498D2F-B023-4CA1-AB3C-64A08AB929CA}c:\\windows\\explorer.exe"= TCP:c:\windows\explorer.exe:Windows Explorer
"TCP Query User{F4530B19-72E8-4016-8D2F-B2572948226F}d:\\games\\battlefield 2\\bf2.exe"= UDP:d:\games\battlefield 2\bf2.exe:BF2
"UDP Query User{2A0BAB57-AFF3-41D0-A01E-0BFB90A80BAC}d:\\games\\battlefield 2\\bf2.exe"= TCP:d:\games\battlefield 2\bf2.exe:BF2
"TCP Query User{A5C3D2CC-BE00-4D86-8130-F68A47AA500A}d:\\games\\call of duty 4 - modern warfare\\iw3mp.exe"= UDP:d:\games\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"UDP Query User{299C9E79-A183-43B6-92F8-A68AE1563AD8}d:\\games\\call of duty 4 - modern warfare\\iw3mp.exe"= TCP:d:\games\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"TCP Query User{6F287B07-4C56-406B-9CAE-45CCDCF47CCE}d:\\games\\far cry 2\\bin\\farcry2.exe"= UDP:d:\games\far cry 2\bin\farcry2.exe:Far Cry® 2
"UDP Query User{4EA6B74B-08F6-4D55-AF52-BDB8DCBEA60B}d:\\games\\far cry 2\\bin\\farcry2.exe"= TCP:d:\games\far cry 2\bin\farcry2.exe:Far Cry® 2
"TCP Query User{248257EC-3027-4DF0-B3B1-99758CE7695E}d:\\games\\crysis\\bin32\\crysis.exe"= UDP:d:\games\crysis\bin32\crysis.exe:Crysis
"UDP Query User{47316B13-F5D6-4A43-AA5B-D8D03570679C}d:\\games\\crysis\\bin32\\crysis.exe"= TCP:d:\games\crysis\bin32\crysis.exe:Crysis
"TCP Query User{7ABA9BD9-69BC-4AB7-80B5-C9A53AE701FE}d:\\games\\fear\\fearserver.exe"= UDP:d:\games\fear\fearserver.exe:F.E.A.R. - Stand-Alone Server
"UDP Query User{45D0A595-6417-46C2-8C21-57812F36EF84}d:\\games\\fear\\fearserver.exe"= TCP:d:\games\fear\fearserver.exe:F.E.A.R. - Stand-Alone Server

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [16/06/2009 10:02 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [16/06/2009 10:02 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [16/06/2009 10:02 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 21:39 298776]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [12/12/2008 16:08 451072]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\System32\drivers\athru6.sys [05/07/2007 03:57 873472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
S3 WG111T;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\System32\drivers\WG111Tv.sys [04/05/2009 20:43 870400]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Advanced WindowsCare V2 Pro.job
- c:\program files\IObit\Advanced WindowsCare V2 Pro\AutoCare.exe [2009-06-16 16:49]

2009-06-25 c:\windows\Tasks\AwcProUpdate.job
- c:\program files\IObit\Advanced WindowsCare V2 Pro\AutoUpdate.exe [2009-06-16 10:28]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS


.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 22:04
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2662525665-2411992783-903557154-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:25,49,b9,5b,1f,24,83,91,aa,3b,ef,46,60,ec,fe,8c,86,64,42,94,1f,
1b,d7,67,98,15,07,6c,1e,bb,b8,b2,7f,6f,08,4f,24,66,e0,c9,ff,9f,f6,3b,a8,b4,\
"rkeysecu"=hex:e9,55,93,86,16,da,25,b4,21,3a,c3,db,ed,5b,11,1f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(640)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\deskscape.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\nvvsvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\System32\IoctlSvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\System32\WUDFHost.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-06-27 22:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 21:07

Pre-Run: 58,083,880,960 bytes free
Post-Run: 58,122,207,232 bytes free

420 --- E O F --- 2009-06-26 07:28




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:11:56, on 27/06/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbBigM.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbBigM.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BigMAQ Toolbar - {7f312b9a-208b-49fa-8218-b9aa22ec1463} - C:\Program Files\BigMAQ\tbBigM.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6063 bytes
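The log above is read by hand in this thread; as an added example (not code from the original post, from HijackThis, or from BleepingComputer), the Python below parses the same line shapes (R0/R1 registry values, R3/O2/O3 CLSID entries, O4 autoruns, O20 AppInit_DLLs, O23 services) and flags the entries a malware-response volunteer looks at first: BHOs with no backing file, AppInit_DLLs load points, services with an unknown owner, and binaries loaded from outside the usual program directories. The "trusted directory" list is an assumed heuristic, and the sample log, the `Example` names and the all-zero CLSID in it are constructed placeholders, not entries from the poster's machine.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; not code from the original post or from the
HijackThis project. The sample log and the "Example" names in it are
constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One HijackThis entry: a section code, " - ", then the body.
LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# A COM class id in braces: 8-4-4-4-12 hex groups, 36 characters inside.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First drive-letter path ending in .dll or .exe (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.IGNORECASE)

# Assumed heuristic: a binary outside these directories is not automatically
# malicious, it is simply the first thing to check against a known list.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\ehome",
    r"c:\program files",
    r"c:\progra~1",
)


@dataclass
class Entry:
    kind: str                      # section code, e.g. "O2", "O20", "O23"
    raw: str                       # the original line, kept for reporting
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not HJT entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    entry = Entry(kind=kind, raw=line.strip())
    clsid = CLSID_RE.search(body)
    if clsid:
        entry.clsid = clsid.group(0)
    path = PATH_RE.search(body)
    if path:
        entry.path = path.group(0)

    # Review heuristics, in the order a volunteer would apply them.
    if kind == "O2" and "(no file)" in body:
        entry.flags.append("BHO entry has no backing file")
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        entry.flags.append("AppInit_DLLs injection point")
    if kind == "O23" and "Unknown owner" in body:
        entry.flags.append("service with unknown owner")
    if entry.path and not entry.path.lower().startswith(TRUSTED_DIRS):
        entry.flags.append("path outside standard program directories")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every entry line in a log, skipping headers, process lists and blanks."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in triage(log_text) if e.flags]


# Constructed sample in the HijackThis line format; the "Example" names and
# the all-zero CLSID are placeholders and do not refer to real software.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Users\User\AppData\Local\Temp\tray.exe
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Program Files\Example\svc.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind:>4}  {', '.join(e.flags)}\n      {e.raw}")
```

Run against the sample, four of the six entries are flagged: the nameless BHO with no file, the autorun in a Temp folder, the AppInit_DLLs entry (flagged because the load point itself deserves a look, even though here it is AVG's own file) and the service with no recorded owner. The flags are a reading order, not a verdict; each path still has to be checked against the vendor.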

#6 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 05:18 AM

Posted 27 June 2009 - 04:37 PM

Hello,

You're welcome. :thumbup2:

How is it running now that ComboFix finished that rootkit off? :)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 billy6708 (Topic Starter)

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 10:18 AM

Posted 27 June 2009 - 04:58 PM

Hi,
It's running fine, so thanks for your help and advice.
You lot do a good job here. Being as there's a good few thousand miles between us that's stopping me from buying you a drink to say thank you, I'll make a donation instead.
Once again, thanks for everything :thumbup2:

billy

#8 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 05:18 AM

Posted 27 June 2009 - 05:47 PM

Hello Billy,

Great to know it's running, and you're most welcome. :) Yep....about 5,000 is closer to it, if you're in the UK. Traveled that myself a few times. :thumbup2: I'll certainly appreciate the donation, and thanks. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea

#9 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 05:18 AM

Posted 30 June 2009 - 05:40 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.