
Infected with Trojan Horse rootkit-Pakes.m


  • This topic is locked
20 replies to this topic

#1 badcomputer

badcomputer

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 13 August 2009 - 06:53 PM

At this point, I'm getting AVG popping up every 10 minutes warning me that the NTFS.sys is messing this up and infecting other things. It won't even boot normally anymore, not even in safe mode. Blue screen of death if I try that. Can anyone help?

Here are the logs that were required in the sticky'd thread

(Edit: I just got an error from Cobian, a program suggested by this site to back things up.
8/13/2009 7:22:54 PM Changing the backup type for "Backup 1" to Full (First backup)
8/13/2009 7:22:54 PM Creating or updating the archive "H:\Backup of Everything\C 2009-08-13 19;22;54.zip"
ERR 8/13/2009 7:41:55 PM Error while compressing the file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\parent.lock": Cannot open file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\parent.lock" - Native error: 00033
ERR 8/13/2009 7:41:55 PM Error while compressing the file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\places.sqlite-journal": Cannot open file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\places.sqlite-journal" - Native error: 00033
ERR 8/13/2009 7:47:29 PM Error while compressing the file "\\?\C:\Documents and Settings\Danny N\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Cannot open file "\\?\C:\Documents and Settings\Danny N\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat" - Native error: 00033
ERR 8/13/2009 7:47:29 PM Error while compressing the file "\\?\C:\Documents and Settings\Danny N\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Cannot open file "\\?\C:\Documents and Settings\Danny N\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG" - Native error: 00033
ERR 8/13/2009 7:48:50 PM Error while compressing the file "\\?\C:\Documents and Settings\Danny N\Local Settings\Temp\etilqs_zyh6SLt1XaM8do8ajDbe": Cannot open file "\\?\C:\Documents and Settings\Danny N\Local Settings\Temp\etilqs_zyh6SLt1XaM8do8ajDbe" - Native error: 00033)


DDS (Ver_09-07-30.01) - NTFSx86
Run by Danny N at 17:46:17.29 on Thu 08/13/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1411 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\UnHackMe\gwebupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Documents and Settings\Danny N\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: N/A: {06663b56-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6754a456-bad9-11d4-93d3-00b0d03a2f91} - IEHelperObj Class
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Regedit32] c:\windows\system32\regedit.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: >>> DIAL <<< - file://c:\windows\numb.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dannyn~1\applic~1\mozilla\firefox\profiles\zz7rek70.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 5\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-20 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-20 108552]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2008-2-26 6656]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-20 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-20 298776]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-9-27 21920]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-13 32290]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-8 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-13 38160]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-8-13 24416]
S4 FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe; [x]
S4 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2008-2-26 28672]

=============== Created Last 30 ================

2009-08-13 17:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-13 16:23 24,416 a------- c:\windows\system32\drivers\regguard.sys
2009-08-13 16:16 123 a------- c:\windows\rootkitno.ini
2009-08-13 16:16 <DIR> --d----- C:\RootkitNO
2009-08-13 16:16 2 a--shrot c:\windows\winstart.bat
2009-08-13 16:16 32,290 a------- c:\windows\system32\drivers\Partizan.sys
2009-08-13 16:16 25,600 a------- c:\windows\system32\Partizan.exe
2009-08-13 16:16 12,728 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-08-13 16:16 <DIR> --d----- c:\program files\UnHackMe
2009-08-13 15:59 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Malwarebytes
2009-08-13 15:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 15:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-13 15:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-12 15:36 <DIR> --d----- c:\program files\hAcx Internet Auto-Dialer
2009-08-12 15:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 14:58 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Auto Dialer Pro
2009-08-12 14:58 1,578 a------- c:\windows\numb.htm
2009-08-12 14:57 162,064 a------- c:\windows\system32\VText.dll
2009-08-12 14:57 9,709 a------- c:\windows\system32\msgphd.dll
2009-08-12 14:57 9,709 a------- c:\windows\system32\msgpd.dll
2009-08-12 14:57 29,696 a------- c:\windows\system32\VB5StKit.dll
2009-08-12 14:57 <DIR> --d----- c:\program files\Auto Dialer Pro
2009-08-12 01:32 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Petroglyph
2009-08-10 12:50 1,047 a------- C:\net_save.dna
2009-08-10 12:49 <DIR> --d----- c:\program files\support.com
2009-08-10 12:49 <DIR> --d----- c:\program files\common files\SupportSoft
2009-08-08 23:37 290,816 a------- c:\windows\vncutil.exe
2009-08-08 23:37 36,864 a------- c:\windows\system32\RtkCoInstXP.dll
2009-08-08 23:37 122,880 a------- c:\windows\RtkAudioService.exe
2009-08-08 23:37 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys
2009-08-08 23:37 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-27 11:47 <DIR> --d----- c:\program files\iPod
2009-07-27 11:47 <DIR> --d----- c:\program files\iTunes
2009-07-27 11:45 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-27 11:45 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-19 02:36 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-07-19 01:50 <DIR> --d----- c:\program files\PCPitstop
2009-07-19 01:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-07-17 15:01 58,880 -c------ c:\windows\system32\dllcache\atl.dll

==================== Find3M ====================

2009-08-13 15:02 619,584 a------- c:\windows\system32\drivers\ntfs.sys
2009-08-12 20:39 138,832 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-12 20:39 202,024 a------- c:\windows\system32\PnkBstrB.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 09:35 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-12 23:27 22,328 a------- c:\docume~1\dannyn~1\applic~1\PnkBstrK.sys
2009-07-12 23:27 2,250,024 a------- c:\windows\system32\pbsvc.exe
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 13:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-04 16:39 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-21 02:01 17,881,600 a------- c:\windows\RTHDCPL.EXE
2009-02-20 12:07 96 a------- c:\docume~1\alluse~1\applic~1\7c6d3ffd.dat

============= FINISH: 17:46:32.46 ===============

Edited by badcomputer, 13 August 2009 - 07:27 PM.



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:05 AM

Posted 24 August 2009 - 11:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 badcomputer

badcomputer
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 26 August 2009 - 10:28 AM

At this point I've been running on debugging mode ever since it stopped booting regularly. Every so often anti-virus software warns me about my NTFS.sys file being infected/infecting other files which I then remove.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Danny N at 11:24:08.10 on Wed 08/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1401 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Documents and Settings\Danny N\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: N/A: {06663b56-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6754a456-bad9-11d4-93d3-00b0d03a2f91} - IEHelperObj Class
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Regedit32] c:\windows\system32\regedit.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: >>> DIAL <<< - file://c:\windows\numb.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dannyn~1\applic~1\mozilla\firefox\profiles\zz7rek70.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 5\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-20 108552]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2008-2-26 6656]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-20 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-20 297752]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-9-27 21920]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-13 32290]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-8 1684736]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-8-13 24416]
S4 FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe; [x]
S4 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2008-2-26 28672]

=============== Created Last 30 ================

2009-08-23 19:25 626,336 ac------ c:\windows\system32\dllcache\ntfs.sys
2009-08-17 01:26 138,736 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-14 18:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-14 13:37 <DIR> --d----- c:\program files\Runtime Software
2009-08-13 17:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-13 16:23 24,416 a------- c:\windows\system32\drivers\regguard.sys
2009-08-13 16:16 123 -------- c:\windows\rootkitno.ini
2009-08-13 16:16 <DIR> --d----- C:\RootkitNO
2009-08-13 16:16 2 ---shrot c:\windows\winstart.bat
2009-08-13 16:16 25,600 a------- c:\windows\system32\Partizan.exe
2009-08-13 16:16 32,290 -------- c:\windows\system32\drivers\Partizan.sys
2009-08-13 16:16 12,728 -------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-08-13 16:16 <DIR> --d----- c:\program files\UnHackMe
2009-08-13 15:59 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Malwarebytes
2009-08-13 15:59 38,160 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 15:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-13 15:59 19,096 -------- c:\windows\system32\drivers\mbam.sys
2009-08-12 15:36 <DIR> --d----- c:\program files\hAcx Internet Auto-Dialer
2009-08-12 15:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 14:58 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Auto Dialer Pro
2009-08-12 14:58 1,578 -------- c:\windows\numb.htm
2009-08-12 14:57 162,064 -------- c:\windows\system32\VText.dll
2009-08-12 14:57 9,709 -------- c:\windows\system32\msgphd.dll
2009-08-12 14:57 9,709 -------- c:\windows\system32\msgpd.dll
2009-08-12 14:57 <DIR> --d----- c:\program files\Auto Dialer Pro
2009-08-12 14:57 29,696 -------- c:\windows\system32\VB5StKit.dll
2009-08-12 01:32 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Petroglyph
2009-08-10 12:50 1,047 -------- C:\net_save.dna
2009-08-10 12:49 <DIR> --d----- c:\program files\support.com
2009-08-10 12:49 <DIR> --d----- c:\program files\common files\SupportSoft
2009-08-08 23:37 290,816 -------- c:\windows\vncutil.exe
2009-08-08 23:37 36,864 -------- c:\windows\system32\RtkCoInstXP.dll
2009-08-08 23:37 122,880 -------- c:\windows\RtkAudioService.exe
2009-08-08 23:37 1,389,056 -------- c:\windows\system32\drivers\Monfilt.sys
2009-08-08 23:37 1,684,736 -------- c:\windows\system32\drivers\Ambfilt.sys
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-27 11:47 <DIR> --d----- c:\program files\iPod
2009-07-27 11:47 <DIR> --d----- c:\program files\iTunes
2009-07-27 11:45 2,060,288 -------- c:\windows\system32\usbaaplrc.dll
2009-07-27 11:45 39,424 -------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-08-25 13:21 188,968 a------- c:\windows\system32\PnkBstrB.exe
2009-08-23 21:57 626,336 a------- c:\windows\system32\drivers\ntfs.sys
2009-08-16 12:19 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 12:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-15 23:17 139,584 a------- c:\windows\system32\drivers\PNKBSTRK.SYS.del
2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-12 23:27 22,328 -------- c:\docume~1\dannyn~1\applic~1\PnkBstrK.sys
2009-07-12 23:27 2,250,024 -------- c:\windows\system32\pbsvc.exe
2009-06-26 12:50 666,624 -------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 -------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 -------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\mstscax.dll
2009-06-10 08:28 3,510,272 -------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 -------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 -------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 -------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 -------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 -------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 -------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 -------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 -------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 -------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 -------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 -------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 -------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 -------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 -------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 -------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 -------- c:\windows\system32\nvcod.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\wkssvc.dll
2009-06-04 16:39 457,248 -------- c:\windows\system32\NVUNINST.EXE
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\quartz.dll
2009-02-20 12:07 96 -------- c:\docume~1\alluse~1\applic~1\7c6d3ffd.dat

============= FINISH: 11:24:21.14 ===============

Edited by badcomputer, 26 August 2009 - 10:29 AM.


#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:05 PM

Posted 31 August 2009 - 06:04 PM

Hello again.

I apologize for the delay. Let's continue with two more scans please.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the [image] tab at the bottom.
  • Now press the [image] button.
  • A box will pop up, check the boxes beside All Seven options/scan area.
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Download and run Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms to update for me.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#5 badcomputer

  • Topic Starter

  • Members
  • 33 posts
  • Local time:07:05 PM

Posted 31 August 2009 - 07:56 PM

AVG keeps popping up every now and then with warnings about my NTFS being infected, and every so often a new trojan is detected, usually in the System Volume folder or in the Windows folder, usually .sys files. Just now AVG is showing a multiple threat detection: system32/drivers/agp440.sys is infected with Trojan horse Generic14.ADMQ and drivers/ntfs.sys is infected with Packed.Protector.C. Both objects are whitelisted as critical system files.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 20:37
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4129000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB8614000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8126
Image Path: \Driver\PCI_PNP8126
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xB36FD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spls.sys
Image Path: spls.sys
Address: 0xB7EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\danny n\local settings\temp\wer448f.dir00\appcompat.txt
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\Danny N\Local Settings\Apps\2.0\78ZYTGQ8.8BX\4758DBTH.4YE\manifests\Universe Sandbox.exe.manifest
Status: Locked to the Windows API!

Path: H:\My Music\Thumbs.db:KAVICHS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spls.sys" at address 0xb7ea70e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spls.sys" at address 0xb7ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spls.sys" at address 0xb7ec6032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spls.sys" at address 0xb7ea70c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spls.sys" at address 0xb7ec610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spls.sys" at address 0xb7ec5f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spls.sys" at address 0xb7ec619c

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1560) Address: 0x01000000 Size: 20480

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89e521f8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_CREATE]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_CLOSE]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_READ]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_WRITE]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_CLEANUP]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: DiskMD, IRP_MJ_PNP]
Process: System Address: 0x89a283c8 Size: 121

Object: Hidden Code [Driver: avjku028ȅ౤浍瑓톈覞U, IRP_MJ_CREATE]
Process: System Address: 0x89a6f348 Size: 121

Object: Hidden Code [Driver: avjku028ȅ౤浍瑓톈覞U, IRP_MJ_CLOSE]
Process: System Address: 0x89a6f348 Size: 121

Object: Hidden Code [Driver: avjku028ȅ౤浍瑓톈覞U, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89a6f348 Size: 121

Object: Hidden Code [Driver: avjku028ȅ౤浍瑓톈覞U, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89a6f348 Size: 121

Object: Hidden Code [Driver: avjku028ȅ౤浍瑓톈覞U, IRP_MJ_POWER]
Process: System Address: 0x89a6f348 Size: 121

Object: Hidden Code [Driver: avjku028ȅ౤浍瑓톈覞U, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89a6f348 Size: 121

Object: Hidden Code [Driver: avjku028ȅ౤浍瑓톈覞U, IRP_MJ_PNP]
Process: System Address: 0x89a6f348 Size: 121

Object: Hidden Code [Driver: aostmoipࠅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x89901500 Size: 121

Object: Hidden Code [Driver: aostmoipࠅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x89901500 Size: 121

Object: Hidden Code [Driver: aostmoipࠅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89901500 Size: 121

Object: Hidden Code [Driver: aostmoipࠅఉ瑎捦܉@考, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89901500 Size: 121

Object: Hidden Code [Driver: aostmoipࠅఉ瑎捦܉@考, IRP_MJ_POWER]
Process: System Address: 0x89901500 Size: 121

Object: Hidden Code [Driver: aostmoipࠅఉ瑎捦܉@考, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89901500 Size: 121

Object: Hidden Code [Driver: aostmoipࠅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x89901500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89b4f1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89baf500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89baf500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89baf500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89baf500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89baf500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89baf500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89baf500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x899a6500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x899a6500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x899a6500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x899a6500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x899a6500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x899a6500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89b621f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89b621f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b621f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b621f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89b621f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b621f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89b621f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x899f3500 Size: 121

==EOF==

Malwarebytes' Anti-Malware 1.40
Database version: 2616
Windows 5.1.2600 Service Pack 3

8/31/2009 8:51:50 PM
mbam-log-2009-08-31 (20-51-50).txt

Scan type: Quick Scan
Objects scanned: 100493
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Danny N at 20:54:32.06 on Mon 08/31/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1289 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Danny N\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: N/A: {06663b56-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6754a456-bad9-11d4-93d3-00b0d03a2f91} - IEHelperObj Class
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Regedit32] c:\windows\system32\regedit.exe
StartupFolder: c:\docume~1\dannyn~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: >>> DIAL <<< - file://c:\windows\numb.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dannyn~1\applic~1\mozilla\firefox\profiles\zz7rek70.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npViewpoint.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 5\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-20 108552]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2008-2-26 6656]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-20 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-20 297752]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-13 38160]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-9-27 21920]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-13 32290]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-8 1684736]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-8-13 24416]
S4 FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe; [x]
S4 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2008-2-26 28672]

=============== Created Last 30 ================

2009-08-31 20:26 94,016 ac------ c:\windows\system32\dllcache\agp440.sys
2009-08-29 22:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-08-29 22:39 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-08-29 22:39 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-08-29 15:41 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\DAEMON Tools Lite
2009-08-14 18:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-14 13:37 <DIR> --d----- c:\program files\Runtime Software
2009-08-13 17:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-13 16:23 24,416 a------- c:\windows\system32\drivers\regguard.sys
2009-08-13 16:16 123 -------- c:\windows\rootkitno.ini
2009-08-13 16:16 <DIR> --d----- C:\RootkitNO
2009-08-13 16:16 2 ---shrot c:\windows\winstart.bat
2009-08-13 16:16 25,600 a------- c:\windows\system32\Partizan.exe
2009-08-13 16:16 32,290 -------- c:\windows\system32\drivers\Partizan.sys
2009-08-13 16:16 12,728 -------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-08-13 16:16 <DIR> --d----- c:\program files\UnHackMe
2009-08-13 15:59 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Malwarebytes
2009-08-13 15:59 38,160 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 15:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-13 15:59 19,096 -------- c:\windows\system32\drivers\mbam.sys
2009-08-12 15:36 <DIR> --d----- c:\program files\hAcx Internet Auto-Dialer
2009-08-12 15:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 14:58 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Auto Dialer Pro
2009-08-12 14:58 1,578 -------- c:\windows\numb.htm
2009-08-12 14:57 162,064 -------- c:\windows\system32\VText.dll
2009-08-12 14:57 9,709 -------- c:\windows\system32\msgphd.dll
2009-08-12 14:57 9,709 -------- c:\windows\system32\msgpd.dll
2009-08-12 14:57 <DIR> --d----- c:\program files\Auto Dialer Pro
2009-08-12 14:57 29,696 -------- c:\windows\system32\VB5StKit.dll
2009-08-12 01:32 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Petroglyph
2009-08-10 12:50 1,047 -------- C:\net_save.dna
2009-08-10 12:49 <DIR> --d----- c:\program files\support.com
2009-08-10 12:49 <DIR> --d----- c:\program files\common files\SupportSoft
2009-08-08 23:37 290,816 -------- c:\windows\vncutil.exe
2009-08-08 23:37 36,864 -------- c:\windows\system32\RtkCoInstXP.dll
2009-08-08 23:37 122,880 -------- c:\windows\RtkAudioService.exe
2009-08-08 23:37 1,389,056 -------- c:\windows\system32\drivers\Monfilt.sys
2009-08-08 23:37 1,684,736 -------- c:\windows\system32\drivers\Ambfilt.sys
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-31 20:29 94,016 a------- c:\windows\system32\drivers\agp440.sys
2009-08-31 19:21 188,968 a------- c:\windows\system32\PnkBstrB.exe
2009-08-31 15:06 138,736 a------- c:\windows\system32\drivers\PNKBSTRK.SYS.del
2009-08-29 22:28 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-23 21:57 626,336 a------- c:\windows\system32\drivers\ntfs.sys
2009-08-16 12:19 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 12:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-12 23:27 22,328 -------- c:\docume~1\dannyn~1\applic~1\PnkBstrK.sys
2009-07-12 23:27 2,250,024 -------- c:\windows\system32\pbsvc.exe
2009-07-09 12:16 2,060,288 -------- c:\windows\system32\usbaaplrc.dll
2009-07-09 12:16 39,424 -------- c:\windows\system32\drivers\usbaapl.sys
2009-06-26 12:50 666,624 -------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 -------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 -------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\mstscax.dll
2009-06-10 08:28 3,510,272 -------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 -------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 -------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 -------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 -------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 -------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 -------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 -------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 -------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 -------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 -------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 -------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 -------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 -------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 -------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 -------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 -------- c:\windows\system32\nvcod.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\wkssvc.dll
2009-06-04 16:39 457,248 -------- c:\windows\system32\NVUNINST.EXE
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\quartz.dll
2009-02-20 12:07 96 -------- c:\docume~1\alluse~1\applic~1\7c6d3ffd.dat

============= FINISH: 20:54:47.37 ===============


Edit: I just ran a scan with Reanimator before Windows fully booted, I removed a few rootkits that were found and once it restarted to remove them, I got an unexpected system shut down initiated by NT Authority/System. Some file failed to launch and caused an unexpected shut down, I got a timer and I couldn't do anything about it since Windows hadn't booted fully.


Edited by badcomputer, 31 August 2009 - 08:21 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:05 PM

Posted 01 September 2009 - 11:11 AM

Hello.

We will start with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 badcomputer

badcomputer
  • Topic Starter

  • Members
  • 33 posts
  • Local time:07:05 PM

Posted 01 September 2009 - 01:28 PM

I read the ComboFix log and I read I was infected with the corporate virus SecuROM. Once we're done with this massive clusterf*ck of a rootkit infection, any chance you can help me get rid of that? Here's the ComboFix log.

ComboFix 09-08-31.04 - Danny N 09/01/2009 14:10.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1423 [GMT -4:00]
Running from: c:\documents and settings\Danny N\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PandoBar
c:\program files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
c:\windows\Installer\19f51059.msp
c:\windows\Installer\31c28b0.msp
c:\windows\Installer\31c28b7.msp
c:\windows\Installer\31c28d0.msp
c:\windows\Installer\3445147a.msp
c:\windows\Installer\34451490.msp
c:\windows\Installer\42e12f9.msp
c:\windows\Installer\44055cd.msp
c:\windows\Installer\44055d5.msp
c:\windows\Installer\440561d.msp
c:\windows\Installer\440562f.msp
c:\windows\Installer\4405639.msp
c:\windows\Installer\4e75368.msp
c:\windows\Installer\4e75369.msp
c:\windows\Installer\4e7536a.msp
c:\windows\Installer\4e7536b.msp
c:\windows\Installer\4e7536c.msp
c:\windows\Installer\4e7536d.msp
c:\windows\Installer\4e7536e.msp
c:\windows\Installer\4e7536f.msp
c:\windows\Installer\4e75370.msp
c:\windows\Installer\6b21850.msp
c:\windows\Installer\6b21867.msp
c:\windows\Installer\6b2187e.msp
c:\windows\Installer\6b218a7.msp
c:\windows\Installer\6b218c3.msp
c:\windows\Installer\6b218c5.msp
c:\windows\Installer\6b21988.msp
c:\windows\Installer\6b219b5.msp
c:\windows\Installer\6b219d0.msp
c:\windows\Installer\6b219ed.msp
c:\windows\Installer\6b219f5.msp
c:\windows\Installer\6b21a0d.msp
c:\windows\Installer\6b21a24.msp
c:\windows\Installer\6b21a3b.msp
c:\windows\Installer\6b21a53.msp
c:\windows\Installer\6b21a6a.msp
c:\windows\Installer\6b21a80.msp
c:\windows\Installer\be94c62.msi
c:\windows\Installer\d70cf.msp
c:\windows\OPTIONS\CABS\_desktop.ini
c:\windows\Palace.reg
c:\windows\system32\_000004_.tmp.dll

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{F2BAD9D9-B08D-4F6E-B4F0-D2BC6BC944CC}\RP610\A0321549.sys

.
((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 01:23 . 2009-09-01 01:23 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-30 02:40 . 2009-08-30 02:41 -------- d-----w- c:\program files\ERUNT
2009-08-30 02:39 . 2009-08-30 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-30 02:39 . 2009-08-30 02:39 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-30 02:39 . 2009-08-30 02:39 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-08-29 19:41 . 2009-08-30 04:00 -------- d-----w- c:\documents and settings\Danny N\Application Data\DAEMON Tools Lite
2009-08-14 22:13 . 2009-08-14 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-14 17:37 . 2009-08-14 17:37 -------- d-----w- c:\program files\Runtime Software
2009-08-13 21:40 . 2009-08-13 21:40 -------- d-----w- c:\program files\Cobian Backup 9
2009-08-13 20:23 . 2009-09-01 01:12 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-08-13 20:16 . 2009-08-29 04:16 -------- d-----w- C:\RootkitNO
2009-08-13 20:16 . 2009-08-13 20:16 2 --sh-tr- c:\windows\winstart.bat
2009-08-13 20:16 . 2009-09-01 01:13 32290 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-08-13 20:16 . 2009-09-01 01:13 25600 ----a-w- c:\windows\system32\Partizan.exe
2009-08-13 20:16 . 2009-07-27 23:51 12728 ------w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-08-13 20:16 . 2009-09-01 00:59 -------- d-----w- c:\program files\UnHackMe
2009-08-13 19:59 . 2009-08-13 19:59 -------- d-----w- c:\documents and settings\Danny N\Application Data\Malwarebytes
2009-08-13 19:59 . 2009-08-03 17:36 38160 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 19:59 . 2009-08-13 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 19:59 . 2009-08-13 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-13 19:59 . 2009-08-03 17:36 19096 ------w- c:\windows\system32\drivers\mbam.sys
2009-08-12 19:36 . 2009-08-12 19:37 -------- d-----w- c:\program files\hAcx Internet Auto-Dialer
2009-08-12 19:29 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 18:58 . 2009-08-12 18:58 -------- d-----w- c:\documents and settings\Danny N\Application Data\Auto Dialer Pro
2009-08-12 18:57 . 2008-07-20 15:11 9709 ------w- c:\windows\system32\msgphd.dll
2009-08-12 18:57 . 2008-07-20 15:11 9709 ------w- c:\windows\system32\msgpd.dll
2009-08-12 18:57 . 1999-12-07 12:00 162064 ------w- c:\windows\system32\VText.dll
2009-08-12 18:57 . 2009-08-13 20:23 -------- d-----w- c:\program files\Auto Dialer Pro
2009-08-12 18:57 . 1996-12-09 03:00 29696 ------w- c:\windows\system32\VB5StKit.dll
2009-08-12 05:32 . 2009-08-12 05:32 -------- d-----w- c:\documents and settings\Danny N\Application Data\Petroglyph
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\program files\support.com
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Danny N\Local Settings\Application Data\SupportSoft
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-08-09 03:37 . 2008-10-23 09:42 290816 ------w- c:\windows\vncutil.exe
2009-08-09 03:37 . 2009-05-14 07:21 36864 ------w- c:\windows\system32\RtkCoInstXP.dll
2009-08-09 03:37 . 2009-03-17 06:07 122880 ------w- c:\windows\RtkAudioService.exe
2009-08-09 03:37 . 2006-01-04 07:41 1389056 ------w- c:\windows\system32\drivers\Monfilt.sys
2009-08-09 03:37 . 2008-08-05 12:10 1684736 ------w- c:\windows\system32\drivers\Ambfilt.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 17:17 . 2008-05-08 19:09 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-09-01 01:23 . 2008-07-11 12:57 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-01 00:29 . 2008-08-27 00:53 94016 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-08-31 19:06 . 2008-07-11 12:57 138736 ----a-w- c:\windows\system32\drivers\PNKBSTRK.SYS.del
2009-08-30 02:47 . 2009-04-20 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-30 02:28 . 2008-07-23 00:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-29 14:51 . 2008-12-17 02:50 -------- d-----w- c:\program files\Steam
2009-08-16 16:19 . 2009-04-20 17:44 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 16:19 . 2009-04-20 17:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 16:19 . 2008-02-17 20:47 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-13 20:31 . 2009-06-01 21:29 -------- d-----w- c:\program files\Lexmark X1100 Series
2009-08-13 19:56 . 2008-04-02 00:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-13 07:24 . 2008-02-25 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 05:19 . 2008-05-03 16:39 -------- d-----w- c:\documents and settings\Danny N\Application Data\uTorrent
2009-08-06 22:10 . 2008-12-30 22:32 -------- d-----w- c:\program files\Logitech
2009-08-05 09:01 . 2006-02-28 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-01 22:57 . 2009-03-20 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 15:48 . 2009-07-27 15:47 -------- d-----w- c:\program files\iTunes
2009-07-27 15:47 . 2009-07-27 15:47 -------- d-----w- c:\program files\iPod
2009-07-27 15:47 . 2008-02-17 21:30 -------- d-----w- c:\program files\Common Files\Apple
2009-07-27 15:46 . 2009-07-27 15:46 -------- d-----w- c:\program files\QuickTime
2009-07-27 15:43 . 2009-07-27 15:43 75040 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-25 22:34 . 2008-04-16 00:39 -------- d-----w- c:\program files\Google
2009-07-19 06:37 . 2008-02-24 00:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 05:50 . 2009-07-19 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-07-19 05:33 . 2008-09-23 03:48 -------- d-----w- c:\documents and settings\Danny N\Application Data\IGN_DLM
2009-07-19 05:33 . 2008-03-04 06:50 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-17 19:01 . 2006-02-28 12:00 58880 ------w- c:\windows\system32\atl.dll
2009-07-16 05:27 . 2009-05-23 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-16 05:17 . 2009-06-28 18:52 -------- d-----w- c:\program files\Electronic Arts
2009-07-15 11:49 . 2008-05-07 02:04 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-14 03:43 . 2006-02-28 12:00 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 03:27 . 2008-02-24 23:32 22328 ------w- c:\documents and settings\Danny N\Application Data\PnkBstrK.sys
2009-07-13 03:27 . 2008-02-24 23:32 22328 ------w- c:\documents and settings\Danny N\Application Data\PnkBstrK.sys
2009-07-13 03:27 . 2008-02-24 23:32 2250024 ------w- c:\windows\system32\pbsvc.exe
2009-07-13 03:17 . 2009-07-13 03:17 -------- d-----w- c:\program files\Ubisoft
2009-07-12 15:25 . 2008-05-07 23:32 -------- d-----w- c:\program files\Starcraft
2009-07-09 16:16 . 2009-07-27 15:45 39424 ------w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-07-27 15:45 2060288 ------w- c:\windows\system32\usbaaplrc.dll
2009-07-02 02:39 . 2009-07-02 02:39 856472 ------w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-30 20:48 . 2008-02-24 00:44 1324 ------w- c:\windows\system32\d3d9caps.dat
2009-06-26 16:50 . 2006-02-28 12:00 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2006-02-28 12:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-14 20:07 . 2009-06-28 18:22 1004800 ------w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2006-02-28 12:00 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-02-28 12:00 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-02-24 00:14 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ------w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ------w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ------w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ------w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ------w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ------w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ------w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-05-01 02:02 671744 ------w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-05-01 02:02 1580550 ------w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-05-01 02:02 1310720 ------w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-02-24 01:08 457248 ------w- c:\windows\system32\nvudisp.exe
2009-06-10 10:03 . 2008-02-24 01:07 8087712 ------w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2008-02-24 01:07 5908608 ------w- c:\windows\system32\nv4_disp.dll
2009-06-10 10:03 . 2007-12-05 05:41 1720320 ------w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2006-12-21 16:29 9998336 ------w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2006-12-21 16:29 815104 ------w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2006-12-21 16:29 151552 ------w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2006-12-21 16:29 151552 ------w- c:\windows\system32\nvcod.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ------w- c:\windows\system32\wkssvc.dll
2009-06-04 20:39 . 2008-04-30 00:24 457248 ------w- c:\windows\system32\NVUNINST.EXE
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ------w- c:\windows\system32\quartz.dll
2008-04-07 06:59 . 2008-04-21 07:11 67696 ------w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-04-21 07:11 54376 ------w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-04-21 07:11 34952 ------w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-04-21 07:11 46720 ------w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-04-21 07:11 172144 ------w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ------w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ------w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2009-07-27 236744]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

c:\documents and settings\Danny N\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 16:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

[HKLM\~\startupfolder\C:^Documents and Settings^Danny N^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FreeProxy"=2 (0x2)
"NVSvc"=2 (0x2)
"nTuneService"=2 (0x2)
"LightScribeService"=2 (0x2)
"LexBceS"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"nhksrv"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"ekrn"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe"=2 (0x2)
"LVSrvLauncher"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"h:\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"h:\\Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"h:\\Games\\Grand Theft Auto IV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"h:\\Battlefied 2142\\BF2142.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"h:\\Games\\Crysis Wars\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"h:\\Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Steam\\steamapps\\trenton4\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"h:\\Battlefied 2142\\FirstStrike.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\trenton4\\insurgency\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\janelrulesall\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\bobnumerotres\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 1:44 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 1:44 PM 108552]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2/26/2008 1:26 AM 6656]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/20/2009 1:44 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 1:44 PM 297752]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [9/27/2006 12:21 AM 21920]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/13/2009 4:16 PM 32290]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/8/2009 11:37 PM 1684736]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [8/13/2009 4:23 PM 24416]
S4 FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe; [x]
S4 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2/26/2008 1:26 AM 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-30 c:\windows\Tasks\Crysis Wars® Updates.job
- c:\windows\Installer\Crysis Wars® Updates for All Users.lnk [2008-09-24 05:07]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{06663B56-0D73-4f9f-BCC5-4AA941470AFD} - (no file)
URLSearchHooks-{06663B56-0D73-4f9f-BCC5-4AA941470AFD} - c:\program files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: >>> DIAL <<< - file://c:\windows\numb.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 14:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1284227242-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,95,47,0e,be,72,0e,f9,e5,28,a3,a6,48,cc,0d,7c,30,bf,13,3d,8b,7a,5e,
9d,ad,94,f3,d6,f2,07,21,ab,0c,f5,43,52,1c,92,91,30,73,90,49,44,3c,e0,d8,ee,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1960408961-1284227242-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:22,b9,a3,65,60,db,7e,4f,7a,95,ac,bd,09,5d,b1,cb,f4,3d,a9,62,a6,
f6,58,e2,29,32,9c,69,7f,5b,72,32,c0,c5,6b,46,db,a5,b5,e7,63,e7,c2,2f,cb,92,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1472)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\UnHackMe\Unhackme.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-09-01 14:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 18:22

Pre-Run: 11,679,645,696 bytes free
Post-Run: 11,683,151,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

384 --- E O F --- 2009-08-26 17:00

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:05 PM

Posted 01 September 2009 - 02:56 PM

Hello.

Run a new Malwarebytes scan, then take a new DDS run for me and post back with the logs for my review.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 badcomputer

badcomputer
  • Topic Starter

  • Members
  • 33 posts
  • Local time:07:05 PM

Posted 01 September 2009 - 05:35 PM

I just got a popup from AVG warning me about an infection in Windows/System32/drivers/agp440.sys. The threat name is Trojan horse generic14.admq and the process name is C/program files/malwarebytes' Anti-Malware/mbam.exe Process ID: 1284. It doesn't let me do anything but ignore the threat. Is my malwarebytes infected? If so, should I uninstall ASAP and reinstall? It popped up as I was scanning, so might it be a false alarm? Here's the log by the way.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Danny N at 18:33:52.43 on Tue 09/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1450 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Danny N\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6754a456-bad9-11d4-93d3-00b0d03a2f91} - IEHelperObj Class
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\dannyn~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: >>> DIAL <<< - file://c:\windows\numb.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dannyn~1\applic~1\mozilla\firefox\profiles\zz7rek70.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 5\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3 beta 5\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3 beta 5\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3 beta 5\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-20 108552]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2008-2-26 6656]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-20 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-20 297752]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-13 38160]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-9-27 21920]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-13 32290]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-8 1684736]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-8-13 24416]
S4 FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe; [x]
S4 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2008-2-26 28672]

=============== Created Last 30 ================

2009-09-01 14:21 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-09-01 14:01 <DIR> a-dshr-- C:\cmdcons
2009-09-01 14:00 229,376 a------- c:\windows\PEV.exe
2009-09-01 14:00 161,792 a------- c:\windows\SWREG.exe
2009-09-01 14:00 98,816 a------- c:\windows\sed.exe
2009-08-31 21:23 138,736 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-29 22:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-08-29 22:39 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-08-29 22:39 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-08-29 15:41 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\DAEMON Tools Lite
2009-08-14 18:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-14 13:37 <DIR> --d----- c:\program files\Runtime Software
2009-08-13 17:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-08-13 16:23 24,416 a------- c:\windows\system32\drivers\regguard.sys
2009-08-13 16:16 123 -------- c:\windows\rootkitno.ini
2009-08-13 16:16 <DIR> --d----- C:\RootkitNO
2009-08-13 16:16 2 ---shrot c:\windows\winstart.bat
2009-08-13 16:16 32,290 a------- c:\windows\system32\drivers\Partizan.sys
2009-08-13 16:16 25,600 a------- c:\windows\system32\Partizan.exe
2009-08-13 16:16 12,728 -------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-08-13 16:16 <DIR> --d----- c:\program files\UnHackMe
2009-08-13 15:59 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Malwarebytes
2009-08-13 15:59 38,160 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 15:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-13 15:59 19,096 -------- c:\windows\system32\drivers\mbam.sys
2009-08-12 15:36 <DIR> --d----- c:\program files\hAcx Internet Auto-Dialer
2009-08-12 15:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 14:58 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Auto Dialer Pro
2009-08-12 14:58 1,578 -------- c:\windows\numb.htm
2009-08-12 14:57 162,064 -------- c:\windows\system32\VText.dll
2009-08-12 14:57 9,709 -------- c:\windows\system32\msgphd.dll
2009-08-12 14:57 9,709 -------- c:\windows\system32\msgpd.dll
2009-08-12 14:57 <DIR> --d----- c:\program files\Auto Dialer Pro
2009-08-12 14:57 29,696 -------- c:\windows\system32\VB5StKit.dll
2009-08-12 01:32 <DIR> --d----- c:\docume~1\dannyn~1\applic~1\Petroglyph
2009-08-10 12:50 1,047 -------- C:\net_save.dna
2009-08-10 12:49 <DIR> --d----- c:\program files\support.com
2009-08-10 12:49 <DIR> --d----- c:\program files\common files\SupportSoft
2009-08-08 23:37 290,816 -------- c:\windows\vncutil.exe
2009-08-08 23:37 36,864 -------- c:\windows\system32\RtkCoInstXP.dll
2009-08-08 23:37 122,880 -------- c:\windows\RtkAudioService.exe
2009-08-08 23:37 1,389,056 -------- c:\windows\system32\drivers\Monfilt.sys
2009-08-08 23:37 1,684,736 -------- c:\windows\system32\drivers\Ambfilt.sys
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-09-01 16:27 188,968 a------- c:\windows\system32\PnkBstrB.exe
2009-08-31 20:29 94,016 a------- c:\windows\system32\drivers\agp440.sys
2009-08-31 15:06 138,736 a------- c:\windows\system32\drivers\PNKBSTRK.SYS.del
2009-08-29 22:28 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-16 12:19 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 12:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-12 23:27 22,328 -------- c:\docume~1\dannyn~1\applic~1\PnkBstrK.sys
2009-07-12 23:27 2,250,024 -------- c:\windows\system32\pbsvc.exe
2009-07-09 12:16 2,060,288 -------- c:\windows\system32\usbaaplrc.dll
2009-07-09 12:16 39,424 -------- c:\windows\system32\drivers\usbaapl.sys
2009-06-26 12:50 666,624 -------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 -------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 -------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\mstscax.dll
2009-06-10 08:28 3,510,272 -------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 -------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 -------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 -------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 -------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 -------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 -------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 -------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 -------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 -------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 -------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 -------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 -------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 -------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 -------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 -------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 -------- c:\windows\system32\nvcod.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\wkssvc.dll
2009-06-04 16:39 457,248 -------- c:\windows\system32\NVUNINST.EXE
2009-02-20 12:07 96 -------- c:\docume~1\alluse~1\applic~1\7c6d3ffd.dat

============= FINISH: 18:34:19.06 ===============

Edited by extremeboy, 02 September 2009 - 11:28 AM.
Remove repetition of Combofix log


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 PM

Posted 02 September 2009 - 11:31 AM

Hello.

"Windows/System32/drivers/agp440.sys" <- That is a legitimate file, but we'll confirm whether it's a false positive or not.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Browse to the following file:
  • C:\Windows\System32\drivers\agp440.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Uninstall your Malwarebytes, and let's re-download and install it.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 badcomputer

badcomputer
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 02 September 2009 - 07:06 PM

After the combofix yesterday, my PC was running like new, very good speed that it hadn't shown since I built it. Today it started slowing down again notably. Should I run combofix again? I uninstalled and reinstalled Malwarebytes. After I updated and started the scan, AVG again warned me of AGP and then for some reason at the bottom it mentioned the process name for malwarebytes. I don't know once again if mbam.exe is infected or not. I scanned mbam.exe on the online scanner you linked me and there were no positives on it. Malwarebytes shows no infections, but the online scan you told me to do on agp440.sys showed a few positives. Here are the logs.

File CEACF98140994AFF6F7201DEF1D6CB00BE0B0E0B.sys received on 2009.08.26 12:38:28 (UTC)
Current status: finished
Result: 5/41 (12.20%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.26 -
AhnLab-V3 5.0.0.2 2009.08.25 -
AntiVir 7.9.1.3 2009.08.26 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.26 -
Avast 4.8.1335.0 2009.08.25 Win32:Cutwail
AVG 8.5.0.406 2009.08.25 -
BitDefender 7.2 2009.08.26 Gen:Rootkit.Heur.fmW@f0!uRg
CAT-QuickHeal 10.00 2009.08.25 -
ClamAV 0.94.1 2009.08.26 -
Comodo 2100 2009.08.26 -
DrWeb 5.0.0.12182 2009.08.26 -
eSafe 7.0.17.0 2009.08.26 -
eTrust-Vet 31.6.6700 2009.08.25 -
F-Prot 4.5.1.85 2009.08.25 -
F-Secure 8.0.14470.0 2009.08.26 -
Fortinet 3.120.0.0 2009.08.26 -
GData 19 2009.08.26 Gen:Rootkit.Heur.fmW@f0!uRg
Ikarus T3.1.1.68.0 2009.08.26 -
Jiangmin 11.0.800 2009.08.26 -
K7AntiVirus 7.10.827 2009.08.25 -
Kaspersky 7.0.0.125 2009.08.26 -
McAfee 5720 2009.08.25 -
McAfee+Artemis 5720 2009.08.25 -
McAfee-GW-Edition 6.8.5 2009.08.26 -
Microsoft 1.4903 2009.08.26 Virus:Win32/Cutwail.G
NOD32 4368 2009.08.26 a variant of Win32/Kryptik.ABX
Norman 2009.08.26 -
nProtect 2009.1.8.0 2009.08.26 -
Panda 10.0.2.2 2009.08.26 -
PCTools 4.4.2.0 2009.08.26 -
Prevx 3.0 2009.08.26 -
Rising 21.44.11.00 2009.08.25 -
Sophos 4.44.0 2009.08.26 -
Sunbelt 3.2.1858.2 2009.08.25 -
Symantec 1.4.4.12 2009.08.26 -
TheHacker 6.3.4.3.388 2009.08.25 -
TrendMicro 8.950.0.1094 2009.08.26 -
VBA32 3.12.10.10 2009.08.26 -
ViRobot 2009.8.26.1903 2009.08.26 -
VirusBuster 4.6.5.0 2009.08.25 -
Additional information
File size: 94016 bytes
MD5 : 1fc43931ea67c22742d3139d02d699e3
SHA1 : 1d129c66d64a30d373be0db5eb57052bb0678305
SHA256: f41ae18503fecfe31efa6ef38280ffc9ed57a902859faf61b2b4a9824e6d4af5
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xED1
timedatestamp.....: 0x4A94914D (Wed Aug 26 03:35:09 2009)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x220 0xD4F 0xD60 5.99 7e9151baddc33093f935e692db7fe3c4
.data 0xF80 0x19 0x20 2.17 09023b0586a11b5dd790a88206791533
.reloc 0xFA0 0x15FA0 0x15FA0 6.04 e1061d71840548cbeee0cff4eb6e4f40

( 0 imports )


( 0 exports )
TrID : File type identification
['Generic Win/DOS Executable (49.5%)/nDOS Executable Generic (49.5%)/nVXD Driver (0.7%)/nAutodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)', None, None]
ssdeep: 1536:HM/X2wcVIE3lZli6AbALiNBryARGOB/BycYDx:HiGIglZlL6tjB/RYDx
PEiD : -
RDS : NSRL Reference Data Set
-

Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3

9/2/2009 8:02:31 PM
mbam-log-2009-09-02 (20-02-31).txt

Scan type: Quick Scan
Objects scanned: 105125
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
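
As an added example (not code from the thread or from any of the tools mentioned in it), the following Python parses a VirusTotal text report in the layout posted above, lists which engines flagged the sample and cross-checks the stated "Result: n/m" line against the per-engine rows. The embedded report is a constructed excerpt of the one above (a subset of rows, with the ratio adjusted to the rows kept; the hashes are the ones shown in the post).

```python
"""Parse a 2009-era VirusTotal text report as pasted into a forum post.

Added example, not from the original thread. Rows are flattened to
"Antivirus Version Last Update Result" with single spaces, the version
column may be missing and the result may contain spaces, so the parser
anchors each row on the YYYY.MM.DD last-update token.
"""
import re

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
RATIO_RE = re.compile(r"^Result:\s*(\d+)/(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA256|SHA1)\s*:\s*([0-9a-fA-F]+)")

# Constructed excerpt in the layout of the report posted in the thread.
# Only eight of the engine rows are kept, so the stated ratio is 5/8 here.
SAMPLE_REPORT = """\
File CEACF98140994AFF6F7201DEF1D6CB00BE0B0E0B.sys received on 2009.08.26 12:38:28 (UTC)
Current status: finished
Result: 5/8 (62.50%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.26 -
Avast 4.8.1335.0 2009.08.25 Win32:Cutwail
BitDefender 7.2 2009.08.26 Gen:Rootkit.Heur.fmW@f0!uRg
GData 19 2009.08.26 Gen:Rootkit.Heur.fmW@f0!uRg
Microsoft 1.4903 2009.08.26 Virus:Win32/Cutwail.G
NOD32 4368 2009.08.26 a variant of Win32/Kryptik.ABX
Norman 2009.08.26 -
VirusBuster 4.6.5.0 2009.08.25 -
Additional information
File size: 94016 bytes
MD5 : 1fc43931ea67c22742d3139d02d699e3
SHA1 : 1d129c66d64a30d373be0db5eb57052bb0678305
"""


def parse_row(line):
    """Split one engine row; return None if the line is not an engine row."""
    tokens = line.split()
    date_idx = next((i for i, t in enumerate(tokens) if DATE_RE.match(t)), None)
    if date_idx is None or date_idx == 0:
        return None
    result = " ".join(tokens[date_idx + 1:])
    return {
        "engine": tokens[0],
        # Everything between the engine name and the date is the version,
        # which some engines (Norman above) omit entirely.
        "version": " ".join(tokens[1:date_idx]) or None,
        "last_update": tokens[date_idx],
        # "-" is VirusTotal's marker for a clean verdict.
        "result": None if result in ("", "-") else result,
    }


def parse_virustotal_report(text):
    """Return the stated ratio, the engine rows and the file hashes."""
    report = {"stated_ratio": None, "rows": [], "hashes": {}}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RATIO_RE.match(line)
        if m:
            report["stated_ratio"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = HASH_RE.match(line)
        if m:
            report["hashes"][m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("Antivirus Version"):
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        if in_table:
            row = parse_row(line)
            if row:
                report["rows"].append(row)
    return report


def detections(report):
    """(engine, verdict) pairs for every engine that flagged the sample."""
    return [(r["engine"], r["result"]) for r in report["rows"] if r["result"]]


def ratio_consistent(report):
    """True when the stated n/m line matches the rows actually present."""
    stated = report["stated_ratio"]
    if stated is None:
        return False
    return stated == (len(detections(report)), len(report["rows"]))


def family_hints(report):
    """Group flagging engines by the verdict string they used, so agreeing
    engines (BitDefender and GData above) stand out from lone heuristics."""
    hints = {}
    for engine, verdict in detections(report):
        hints.setdefault(verdict, []).append(engine)
    return hints


if __name__ == "__main__":
    rep = parse_virustotal_report(SAMPLE_REPORT)
    print("stated ratio:", rep["stated_ratio"], "consistent:", ratio_consistent(rep))
    for verdict, engines in family_hints(rep).items():
        print(f"  {verdict}: {', '.join(engines)}")
```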

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 PM

Posted 02 September 2009 - 08:11 PM

Hello.

Submit file sample
  • Open the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/249380/infected-with-trojan-horse-rootkit-pakesm/
  • Click Browse and select the C:\Windows\System32\drivers\agp440.sys
  • Under the comments section, say that Extremeboy asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Delete the version of Combofix you currently have. Re-download it from one of those two links and do a new run with Combofix.

Post the log once it's done.

With Regards,
Extremeboy

#13 badcomputer

badcomputer
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 02 September 2009 - 10:34 PM

I submitted the file, it said the file uploaded successfully. Here's the combofix log.

ComboFix 09-09-02.02 - Danny N 09/02/2009 23:28.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1473 [GMT -4:00]
Running from: c:\documents and settings\Danny N\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-02 23:58 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 23:58 . 2009-09-02 23:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 23:58 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 01:23 . 2009-09-02 22:08 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-30 02:40 . 2009-08-30 02:41 -------- d-----w- c:\program files\ERUNT
2009-08-30 02:39 . 2009-08-30 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-30 02:39 . 2009-08-30 02:39 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-30 02:39 . 2009-08-30 02:39 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-08-29 19:41 . 2009-08-30 04:00 -------- d-----w- c:\documents and settings\Danny N\Application Data\DAEMON Tools Lite
2009-08-14 22:13 . 2009-08-14 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-14 17:37 . 2009-08-14 17:37 -------- d-----w- c:\program files\Runtime Software
2009-08-13 21:40 . 2009-08-13 21:40 -------- d-----w- c:\program files\Cobian Backup 9
2009-08-13 20:23 . 2009-09-01 01:12 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-08-13 20:16 . 2009-08-29 04:16 -------- d-----w- C:\RootkitNO
2009-08-13 20:16 . 2009-08-13 20:16 2 --sh-tr- c:\windows\winstart.bat
2009-08-13 20:16 . 2009-09-01 01:13 32290 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-08-13 20:16 . 2009-09-01 01:13 25600 ----a-w- c:\windows\system32\Partizan.exe
2009-08-13 20:16 . 2009-07-27 23:51 12728 ------w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-08-13 20:16 . 2009-09-01 00:59 -------- d-----w- c:\program files\UnHackMe
2009-08-13 19:59 . 2009-08-13 19:59 -------- d-----w- c:\documents and settings\Danny N\Application Data\Malwarebytes
2009-08-13 19:59 . 2009-08-13 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 19:36 . 2009-08-12 19:37 -------- d-----w- c:\program files\hAcx Internet Auto-Dialer
2009-08-12 19:29 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 18:58 . 2009-08-12 18:58 -------- d-----w- c:\documents and settings\Danny N\Application Data\Auto Dialer Pro
2009-08-12 18:57 . 2008-07-20 15:11 9709 ------w- c:\windows\system32\msgphd.dll
2009-08-12 18:57 . 2008-07-20 15:11 9709 ------w- c:\windows\system32\msgpd.dll
2009-08-12 18:57 . 1999-12-07 12:00 162064 ------w- c:\windows\system32\VText.dll
2009-08-12 18:57 . 2009-08-13 20:23 -------- d-----w- c:\program files\Auto Dialer Pro
2009-08-12 18:57 . 1996-12-09 03:00 29696 ------w- c:\windows\system32\VB5StKit.dll
2009-08-12 05:32 . 2009-08-12 05:32 -------- d-----w- c:\documents and settings\Danny N\Application Data\Petroglyph
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\program files\support.com
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Danny N\Local Settings\Application Data\SupportSoft
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-08-09 03:37 . 2008-10-23 09:42 290816 ------w- c:\windows\vncutil.exe
2009-08-09 03:37 . 2009-05-14 07:21 36864 ------w- c:\windows\system32\RtkCoInstXP.dll
2009-08-09 03:37 . 2009-03-17 06:07 122880 ------w- c:\windows\RtkAudioService.exe
2009-08-09 03:37 . 2006-01-04 07:41 1389056 ------w- c:\windows\system32\drivers\Monfilt.sys
2009-08-09 03:37 . 2008-08-05 12:10 1684736 ------w- c:\windows\system32\drivers\Ambfilt.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 00:43 . 2008-05-08 19:09 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-09-02 22:07 . 2008-07-11 12:57 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-01 00:29 . 2008-08-27 00:53 94016 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-08-31 19:06 . 2008-07-11 12:57 138736 ----a-w- c:\windows\system32\drivers\PNKBSTRK.SYS.del
2009-08-30 02:47 . 2009-04-20 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-30 02:28 . 2008-07-23 00:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-29 14:51 . 2008-12-17 02:50 -------- d-----w- c:\program files\Steam
2009-08-16 16:19 . 2009-04-20 17:44 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 16:19 . 2009-04-20 17:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 16:19 . 2008-02-17 20:47 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-13 20:31 . 2009-06-01 21:29 -------- d-----w- c:\program files\Lexmark X1100 Series
2009-08-13 19:56 . 2008-04-02 00:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-13 07:24 . 2008-02-25 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 05:19 . 2008-05-03 16:39 -------- d-----w- c:\documents and settings\Danny N\Application Data\uTorrent
2009-08-06 22:10 . 2008-12-30 22:32 -------- d-----w- c:\program files\Logitech
2009-08-05 09:01 . 2006-02-28 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-01 22:57 . 2009-03-20 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 15:48 . 2009-07-27 15:47 -------- d-----w- c:\program files\iTunes
2009-07-27 15:47 . 2009-07-27 15:47 -------- d-----w- c:\program files\iPod
2009-07-27 15:47 . 2008-02-17 21:30 -------- d-----w- c:\program files\Common Files\Apple
2009-07-27 15:46 . 2009-07-27 15:46 -------- d-----w- c:\program files\QuickTime
2009-07-25 22:34 . 2008-04-16 00:39 -------- d-----w- c:\program files\Google
2009-07-19 06:37 . 2008-02-24 00:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 05:50 . 2009-07-19 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-07-19 05:33 . 2008-09-23 03:48 -------- d-----w- c:\documents and settings\Danny N\Application Data\IGN_DLM
2009-07-19 05:33 . 2008-03-04 06:50 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-17 19:01 . 2006-02-28 12:00 58880 ------w- c:\windows\system32\atl.dll
2009-07-16 05:27 . 2009-05-23 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-16 05:17 . 2009-06-28 18:52 -------- d-----w- c:\program files\Electronic Arts
2009-07-15 11:49 . 2008-05-07 02:04 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-14 03:43 . 2006-02-28 12:00 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 03:27 . 2008-02-24 23:32 22328 ------w- c:\documents and settings\Danny N\Application Data\PnkBstrK.sys
2009-07-13 03:27 . 2008-02-24 23:32 2250024 ------w- c:\windows\system32\pbsvc.exe
2009-07-13 03:17 . 2009-07-13 03:17 -------- d-----w- c:\program files\Ubisoft
2009-07-12 15:25 . 2008-05-07 23:32 -------- d-----w- c:\program files\Starcraft
2009-07-09 16:16 . 2009-07-27 15:45 39424 ------w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-07-27 15:45 2060288 ------w- c:\windows\system32\usbaaplrc.dll
2009-07-02 02:39 . 2009-07-02 02:39 856472 ------w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-30 20:48 . 2008-02-24 00:44 1324 ------w- c:\windows\system32\d3d9caps.dat
2009-06-26 16:50 . 2006-02-28 12:00 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2006-02-28 12:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-02-28 12:00 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-02-24 00:14 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ------w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ------w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ------w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ------w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ------w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ------w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ------w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-05-01 02:02 671744 ------w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-05-01 02:02 1580550 ------w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-05-01 02:02 1310720 ------w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-02-24 01:08 457248 ------w- c:\windows\system32\nvudisp.exe
2009-06-10 10:03 . 2008-02-24 01:07 8087712 ------w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2008-02-24 01:07 5908608 ------w- c:\windows\system32\nv4_disp.dll
2009-06-10 10:03 . 2007-12-05 05:41 1720320 ------w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2006-12-21 16:29 9998336 ------w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2006-12-21 16:29 815104 ------w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2006-12-21 16:29 151552 ------w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2006-12-21 16:29 151552 ------w- c:\windows\system32\nvcod.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ------w- c:\windows\system32\wkssvc.dll
2008-04-07 06:59 . 2008-04-21 07:11 67696 ------w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-04-21 07:11 54376 ------w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-04-21 07:11 34952 ------w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-04-21 07:11 46720 ------w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-04-21 07:11 172144 ------w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ------w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ------w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-01_18.18.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-20 15:48 . 2009-03-20 15:48 183808 c:\windows\Installer\266c293.msp
+ 2009-09-02 14:50 . 2009-09-02 14:50 315392 c:\windows\ERDNT\AutoBackup\9-2-2009\Users\00000002\UsrClass.dat
+ 2009-09-02 14:50 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-2-2009\ERDNT.EXE
+ 2009-09-02 14:50 . 2009-09-02 14:50 10358784 c:\windows\ERDNT\AutoBackup\9-2-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2009-07-27 236744]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

c:\documents and settings\Danny N\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 16:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^Danny N^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FreeProxy"=2 (0x2)
"NVSvc"=2 (0x2)
"nTuneService"=2 (0x2)
"LightScribeService"=2 (0x2)
"LexBceS"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"nhksrv"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"ekrn"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe"=2 (0x2)
"LVSrvLauncher"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"h:\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"h:\\Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"h:\\Games\\Grand Theft Auto IV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"h:\\Battlefied 2142\\BF2142.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"h:\\Games\\Crysis Wars\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"h:\\Games\\Halo 2\\halo2.exe"=
"c:\\Program Files\\Steam\\steamapps\\trenton4\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"h:\\Battlefied 2142\\FirstStrike.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\trenton4\\insurgency\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\janelrulesall\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\bobnumerotres\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 1:44 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 1:44 PM 108552]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2/26/2008 1:26 AM 6656]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/20/2009 1:44 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 1:44 PM 297752]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [9/27/2006 12:21 AM 21920]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/13/2009 4:16 PM 32290]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/8/2009 11:37 PM 1684736]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [8/13/2009 4:23 PM 24416]
S4 FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe; [x]
S4 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2/26/2008 1:26 AM 28672]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PNKBSTRB
*NewlyCreated* - PNKBSTRK
*Deregistered* - UnHackMeDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-30 c:\windows\Tasks\Crysis Wars® Updates.job
- c:\windows\Installer\Crysis Wars® Updates for All Users.lnk [2008-09-24 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: >>> DIAL <<< - file://c:\windows\numb.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 23:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1284227242-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,95,47,0e,be,72,0e,f9,e5,28,a3,a6,48,cc,0d,7c,30,bf,13,3d,8b,7a,5e,
9d,ad,94,f3,d6,f2,07,21,ab,0c,f5,43,52,1c,92,91,30,73,90,49,44,3c,e0,d8,ee,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1960408961-1284227242-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:22,b9,a3,65,60,db,7e,4f,7a,95,ac,bd,09,5d,b1,cb,f4,3d,a9,62,a6,
f6,58,e2,29,32,9c,69,7f,5b,72,32,c0,c5,6b,46,db,a5,b5,e7,63,e7,c2,2f,cb,92,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-03 23:32
ComboFix-quarantined-files.txt 2009-09-03 03:32
ComboFix2.txt 2009-09-01 18:22

Pre-Run: 11,186,118,656 bytes free
Post-Run: 11,239,063,552 bytes free

315 --- E O F --- 2009-09-02 05:28

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:05 PM

Posted 03 September 2009 - 09:25 AM

Hello.

You have a nasty infection on here. One of them is a rootkit. One of your system files was also infected.

Regarding rootkits...

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system, bypassing security mechanisms and stealing sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

If you wish to continue follow the steps below...

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
    Posted Image
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
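As an added example, not code from this thread, from GMER or from BleepingComputer: a small Python triage script for the SSDT and Device sections of a GMER log, in the line format GMER 1.0.15 produces. It groups SSDT hooks by the hooking module and links each module to the \Driver\ object whose device entries name it, so a reviewer can see whether a single driver accounts for all of the hooks and whether those hooks touch only registry APIs. The sample log lines are constructed (modelled on GMER output) and `example_unknown.sys` is a made-up name.

```python
"""Triage the SSDT section of a GMER log: group hooks by hooking module and
link each module to the \\Driver\\ object that owns it, so a reviewer can
see at a glance whether one driver is responsible for all of the hooks."""
import re
from collections import defaultdict

# Constructed sample, modelled on the GMER 1.0.15 output format; the
# 'example_unknown.sys' line is made up to exercise the review branch.
SAMPLE_LOG = """\
---- System - GMER 1.0.15 ----

SSDT spjb.sys ZwCreateKey [0xB7EA70E0]
SSDT spjb.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT spjb.sys ZwOpenKey [0xB7EA70C0]
SSDT spjb.sys ZwQueryValueKey [0xB7EC5F8A]
SSDT \\??\\C:\\WINDOWS\\system32\\drivers\\example_unknown.sys ZwTerminateProcess [0xB7F00000]

---- Devices - GMER 1.0.15 ----

Device \\Driver\\sptd \\Device\\2474188814 spjb.sys
Device \\Driver\\Cdrom \\Device\\CdRom0 89C25500
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
DEVICE_RE = re.compile(r"^Device\s+\\Driver\\(\S+)\s+(\S+)\s+(\S+)\s*$")

# Hook sets limited to registry APIs are typical of copy-protection and
# disc-emulation drivers; hooks on process or file APIs deserve a closer look.
REGISTRY_FUNCS = {"ZwCreateKey", "ZwEnumerateKey", "ZwEnumerateValueKey",
                  "ZwOpenKey", "ZwQueryKey", "ZwQueryValueKey", "ZwSetValueKey"}


def module_name(path):
    """'\\??\\C:\\...\\foo.sys' -> 'foo.sys'; a bare name is returned unchanged."""
    return path.split("\\")[-1].lower()


def parse_gmer(text):
    """Return (hooks, devices) from a GMER log.

    hooks:   list of (module, function, address)
    devices: list of (driver_object, device_name, owning_module)
    """
    hooks, devices = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append((module_name(m.group(1)), m.group(2), m.group(3)))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append((m.group(1), m.group(2), module_name(m.group(3))))
    return hooks, devices


def summarize(text):
    """Group SSDT hooks by module and attach the \\Driver\\ objects whose device
    entries name that module.  Returns {module: {"functions": [...], "drivers": [...]}}."""
    hooks, devices = parse_gmer(text)
    funcs = defaultdict(set)
    for module, func, _addr in hooks:
        funcs[module].add(func)
    owners = defaultdict(set)
    for driver, _device, module in devices:
        owners[module].add(driver)
    return {
        module: {"functions": sorted(f), "drivers": sorted(owners.get(module, ()))}
        for module, f in funcs.items()
    }


def triage(text):
    """Return {module: verdict}.  A verdict is a pointer for the reviewer, not a
    removal decision: rootkit scans produce false positives, so every hooking
    module should be matched against software known to be installed first."""
    verdicts = {}
    for module, info in summarize(text).items():
        registry_only = set(info["functions"]) <= REGISTRY_FUNCS
        if registry_only and info["drivers"]:
            verdicts[module] = ("registry-only hooks, owned by driver object(s) "
                                + ", ".join(info["drivers"])
                                + "; check installed software before acting")
        elif registry_only:
            verdicts[module] = "registry-only hooks, no owning driver object seen; review"
        else:
            others = [f for f in info["functions"] if f not in REGISTRY_FUNCS]
            verdicts[module] = "hooks non-registry APIs: " + ", ".join(others) + "; review"
    return verdicts


if __name__ == "__main__":
    for module, verdict in triage(SAMPLE_LOG).items():
        print(f"{module}: {verdict}")
```

Run it against a saved GMER log by replacing `SAMPLE_LOG` with the file's contents; the "AttachedDevice" and bare "Device <address>" lines are deliberately ignored since they carry no owning module.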

#15 badcomputer

badcomputer
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 03 September 2009 - 12:31 PM

If you recommend I wipe this hard drive clean, then could you point me towards a way for a quick and easy reinstallation of my programs? Is there any way to back up programs without bringing the rootkit back? I'm looking for a simple way to back up my programs to make the reformatting process as quick and painless as possible. Here's the log, by the way, of the scan you asked me to run.

GMER 1.0.15.15077 [o2uh3qyh.exe] - http://www.gmer.net
Rootkit scan 2009-09-03 13:28:07
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spjb.sys ZwCreateKey [0xB7EA70E0]
SSDT spjb.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT spjb.sys ZwEnumerateValueKey [0xB7EC6032]
SSDT spjb.sys ZwOpenKey [0xB7EA70C0]
SSDT spjb.sys ZwQueryKey [0xB7EC610A]
SSDT spjb.sys ZwQueryValueKey [0xB7EC5F8A]
SSDT spjb.sys ZwSetValueKey [0xB7EC619C]

INT 0x62 ? 89E53BF8
INT 0x63 ? 89C26F00
INT 0x73 ? 89E53BF8
INT 0x73 ? 89E53BF8
INT 0x73 ? 89E53BF8
INT 0x73 ? 89E53BF8
INT 0x73 ? 89C26F00
INT 0x73 ? 89E53BF8
INT 0x82 ? 89E53BF8
INT 0x83 ? 89C26F00
INT 0x94 ? 89C26F00
INT 0xB1 ? 89E55BF8
INT 0xB1 ? 89E55BF8
INT 0xB4 ? 89C26F00
INT 0xB4 ? 89C26F00
INT 0xB4 ? 89C26F00
INT 0xB4 ? 89C26F00

---- Devices - GMER 1.0.15 ----

Device 89E521F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 89A49500
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 89C0E500
Device \Driver\usbuhci \Device\USBPDO-1 89C0E500
Device \Driver\usbuhci \Device\USBPDO-2 89C0E500
Device \Driver\usbehci \Device\USBPDO-3 89C301F8
Device \Driver\PCI_PNP8814 \Device\00000047 spjb.sys
Device \Driver\usbuhci \Device\USBPDO-4 89C0E500
Device \Driver\PCI_PNP8814 \Device\00000048 spjb.sys

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 89C0E500
Device \Driver\usbuhci \Device\USBPDO-6 89C0E500
Device \Driver\Ftdisk \Device\HarddiskVolume1 89DE51F8
Device \Driver\usbehci \Device\USBPDO-7 89C301F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89DE51F8
Device \Driver\Cdrom \Device\CdRom0 89C25500
Device \Driver\Cdrom \Device\CdRom1 89C25500
Device \Driver\Cdrom \Device\CdRom2 89C25500
Device \Driver\Cdrom \Device\CdRom3 89C25500
Device \Driver\NetBT \Device\NetBt_Wins_Export 899F6500
Device \Driver\sptd \Device\2474188814 spjb.sys
Device \Driver\NetBT \Device\NetbiosSmb 899F6500
Device \Driver\sptd \Device\2474345064 spjb.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 89C0E500
Device \Driver\usbuhci \Device\USBFDO-1 89C0E500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8993E500
Device \Driver\usbuhci \Device\USBFDO-2 89C0E500
Device \Driver\NetBT \Device\NetBT_Tcpip_{E4BE9502-4642-4188-A0DC-02A9EA127EE8} 899F6500
Device 8993E500
Device \Driver\usbehci \Device\USBFDO-3 89C301F8
Device \Driver\usbuhci \Device\USBFDO-4 89C0E500
Device \Driver\Ftdisk \Device\FtControl 89DE51F8
Device \Driver\usbuhci \Device\USBFDO-5 89C0E500
Device \Driver\usbuhci \Device\USBFDO-6 89C0E500
Device \Driver\usbehci \Device\USBFDO-7 89C301F8
Device \Driver\atgmdlmt \Device\Scsi\atgmdlmt1Port6Path0Target0Lun0 89A831F8
Device \Driver\atgmdlmt \Device\Scsi\atgmdlmt1 89A831F8
Device \Driver\a5zdn3n7 \Device\Scsi\a5zdn3n71Port7Path0Target0Lun0 89B591F8
Device \Driver\a5zdn3n7 \Device\Scsi\a5zdn3n71 89B591F8
Device 88AF9500
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Danny N\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\Cache\E01A8332d01 0 bytes
File C:\Documents and Settings\Danny N\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\Cache\E01B8332d01 0 bytes
File C:\Documents and Settings\Danny N\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\Cache\6A8D60AFd01 0 bytes
File C:\Documents and Settings\Danny N\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\Cache\8BC756F8d01 0 bytes
File H:\KOTOR 0 bytes
File H:\KOTOR\Override 0 bytes
File H:\KOTOR\Override\lr_pc_2_4.uti 5640 bytes
File H:\KOTOR\Override\atris.dlg 632923 bytes
File H:\KOTOR\Override\a_nihlius_01.uti 1649 bytes
File H:\KOTOR\Override\a_shroud_01.uti 1984 bytes
File H:\KOTOR\Override\a_sion_01.uti 2323 bytes
File H:\KOTOR\Override\fx_step_splash.MDL 3677 bytes
File H:\KOTOR\Override\gencrps004.utp 3826 bytes
File H:\KOTOR\Override\globalcat.2da 25623 bytes
File H:\KOTOR\Override\handend.dlg 69358 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis 0 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\gurron_friend.ncs 343 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\change_hand.ncs 84 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\deliver.uti 988 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\destroy_gurron.ncs 100 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\feat.2da 63055 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\give_gurron_item.ncs 70 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\goodbye_friend.ncs 362 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\goodbye_gurron2.ncs 356 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\gurron.dlg 12218 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\Gurron.utc 3451 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\gurron2.dlg 19352 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\Gurron2.utc 3453 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\gurron_friend.dlg 7509 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\gurron_friend.utc 3308 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\hand_fadein.ncs 58 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\hand_fadein2.ncs 58 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\hand_fadeout.ncs 58 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\hand_fadeout2.ncs 58 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\kreia_there.ncs 118 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\quello.dlg 105467 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\spawn_gurron.ncs 322 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\spawn_gurron2.ncs 325 bytes
File H:\KOTOR\Override\Kreia's Mechanical Hand by Master Zionosis\take_deliver.ncs 55 bytes
File H:\KOTOR\Override\lr_pc_0_1.uti 5515 bytes
File H:\KOTOR\Override\lr_pc_0_2.uti 5517 bytes
File H:\KOTOR\Override\lr_pc_0_3.uti 5516 bytes
File H:\KOTOR\Override\lr_pc_0_4.uti 5518 bytes
File H:\KOTOR\Override\lr_pc_0_5.uti 5518 bytes
File H:\KOTOR\Override\lr_pc_0_6.uti 5518 bytes
File H:\KOTOR\Override\lr_pc_0_7.uti 5518 bytes
File H:\KOTOR\Override\lr_pc_0_9.uti 5520 bytes
File H:\KOTOR\Override\lr_pc_2_1.uti 5637 bytes
File H:\KOTOR\Override\lr_pc_2_2.uti 5639 bytes
File H:\KOTOR\Override\lr_pc_2_3.uti 5638 bytes
File H:\KOTOR\Override\lr_pc_2_5.uti 5640 bytes
File H:\KOTOR\Override\lr_pc_2_6.uti 5640 bytes
File H:\KOTOR\Override\lr_pc_2_7.uti 5640 bytes
File H:\KOTOR\Override\lr_pc_2_9.uti 5642 bytes
File H:\KOTOR\Override\lr_pc_givesaber.ncs 354 bytes
File H:\KOTOR\Override\OP_CACHE.ATR 96 bytes
File H:\KOTOR\Override\OP_CACHE.IDX 48 bytes
File H:\KOTOR\Override\Source 0 bytes
File H:\KOTOR\Override\Source\change_hand.nss 115 bytes
File H:\KOTOR\Override\Source\destroy_gurron.nss 132 bytes
File H:\KOTOR\Override\Source\give_gurron_item.nss 84 bytes
File H:\KOTOR\Override\Source\goodbye_friend.nss 1065 bytes
File H:\KOTOR\Override\Source\goodbye_gurron2.nss 1059 bytes
File H:\KOTOR\Override\Source\gurron_friend.nss 437 bytes
File H:\KOTOR\Override\Source\hand_fadein.nss 64 bytes
File H:\KOTOR\Override\Source\hand_fadein2.nss 64 bytes
File H:\KOTOR\Override\Source\hand_fadeout.nss 65 bytes
File H:\KOTOR\Override\Source\hand_fadeout2.nss 65 bytes
File H:\KOTOR\Override\Source\kreia_there.nss 152 bytes
File H:\KOTOR\Override\Source\spawn_gurron.nss 412 bytes
File H:\KOTOR\Override\Source\spawn_gurron2.nss 415 bytes
File H:\KOTOR\Override\Source\take_deliver.nss 79 bytes
File H:\KOTOR\Override\upcrystals.2da 1427 bytes
File H:\KOTOR\Override\v_damagetat.MDL 3751 bytes
File H:\KOTOR\Override\w_rockpoisn.MDL 26999 bytes
File H:\KOTOR\Saves 0 bytes
File H:\KOTOR\Saves\000026 - Game25 0 bytes
File H:\KOTOR\Saves\000026 - Game25\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000026 - Game25\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000026 - Game25\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000026 - Game25\PARTYTABLE.res 41878 bytes
File H:\KOTOR\Saves\000026 - Game25\SAVEGAME.sav 21515918 bytes
File H:\KOTOR\Saves\000026 - Game25\savenfo.res 1124 bytes
File H:\KOTOR\Saves\000026 - Game25\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE 0 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE\GLOBALVARS.res 52383 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE\PARTYTABLE.res 34630 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE\pifo.ifo 40092 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE\SAVEGAME.sav 4037267 bytes
File H:\KOTOR\Saves\000001 - AUTOSAVE\savenfo.res 2275 bytes
File H:\KOTOR\Saves\000002 - Game1 0 bytes
File H:\KOTOR\Saves\000002 - Game1\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000002 - Game1\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000002 - Game1\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000002 - Game1\PARTYTABLE.res 36040 bytes
File H:\KOTOR\Saves\000002 - Game1\SAVEGAME.sav 13958000 bytes
File H:\KOTOR\Saves\000002 - Game1\savenfo.res 1117 bytes
File H:\KOTOR\Saves\000002 - Game1\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000003 - Game2 0 bytes
File H:\KOTOR\Saves\000003 - Game2\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000003 - Game2\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000003 - Game2\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000003 - Game2\PARTYTABLE.res 34918 bytes
File H:\KOTOR\Saves\000003 - Game2\SAVEGAME.sav 7326866 bytes
File H:\KOTOR\Saves\000003 - Game2\savenfo.res 1131 bytes
File H:\KOTOR\Saves\000003 - Game2\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000004 - Game3 0 bytes
File H:\KOTOR\Saves\000004 - Game3\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000004 - Game3\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000004 - Game3\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000004 - Game3\PARTYTABLE.res 35760 bytes
File H:\KOTOR\Saves\000004 - Game3\SAVEGAME.sav 6242946 bytes
File H:\KOTOR\Saves\000004 - Game3\savenfo.res 1122 bytes
File H:\KOTOR\Saves\000004 - Game3\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000005 - Game4 0 bytes
File H:\KOTOR\Saves\000005 - Game4\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000005 - Game4\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000005 - Game4\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000005 - Game4\PARTYTABLE.res 35464 bytes
File H:\KOTOR\Saves\000005 - Game4\SAVEGAME.sav 8785256 bytes
File H:\KOTOR\Saves\000005 - Game4\savenfo.res 1033 bytes
File H:\KOTOR\Saves\000005 - Game4\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000006 - Game5 0 bytes
File H:\KOTOR\Saves\000006 - Game5\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000006 - Game5\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000006 - Game5\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000006 - Game5\PARTYTABLE.res 37409 bytes
File H:\KOTOR\Saves\000006 - Game5\SAVEGAME.sav 11878981 bytes
File H:\KOTOR\Saves\000006 - Game5\savenfo.res 1132 bytes
File H:\KOTOR\Saves\000006 - Game5\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000007 - Game6 0 bytes
File H:\KOTOR\Saves\000007 - Game6\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000007 - Game6\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000007 - Game6\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000007 - Game6\PARTYTABLE.res 35723 bytes
File H:\KOTOR\Saves\000007 - Game6\SAVEGAME.sav 9837221 bytes
File H:\KOTOR\Saves\000007 - Game6\savenfo.res 1034 bytes
File H:\KOTOR\Saves\000007 - Game6\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000008 - Game7 0 bytes
File H:\KOTOR\Saves\000008 - Game7\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000008 - Game7\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000008 - Game7\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000008 - Game7\PARTYTABLE.res 38086 bytes
File H:\KOTOR\Saves\000008 - Game7\SAVEGAME.sav 13056313 bytes
File H:\KOTOR\Saves\000008 - Game7\savenfo.res 1140 bytes
File H:\KOTOR\Saves\000008 - Game7\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000009 - Game8 0 bytes
File H:\KOTOR\Saves\000009 - Game8\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000009 - Game8\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000009 - Game8\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000009 - Game8\PARTYTABLE.res 37289 bytes
File H:\KOTOR\Saves\000009 - Game8\SAVEGAME.sav 13673135 bytes
File H:\KOTOR\Saves\000009 - Game8\savenfo.res 1035 bytes
File H:\KOTOR\Saves\000009 - Game8\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000010 - Game9 0 bytes
File H:\KOTOR\Saves\000010 - Game9\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000010 - Game9\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000010 - Game9\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000010 - Game9\PARTYTABLE.res 38336 bytes
File H:\KOTOR\Saves\000010 - Game9\SAVEGAME.sav 14120234 bytes
File H:\KOTOR\Saves\000010 - Game9\savenfo.res 1135 bytes
File H:\KOTOR\Saves\000010 - Game9\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000011 - Game10 0 bytes
File H:\KOTOR\Saves\000011 - Game10\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000011 - Game10\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000011 - Game10\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000011 - Game10\PARTYTABLE.res 39278 bytes
File H:\KOTOR\Saves\000011 - Game10\SAVEGAME.sav 13727181 bytes
File H:\KOTOR\Saves\000011 - Game10\savenfo.res 1042 bytes
File H:\KOTOR\Saves\000011 - Game10\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000012 - Game11 0 bytes
File H:\KOTOR\Saves\000012 - Game11\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000012 - Game11\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000012 - Game11\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000012 - Game11\PARTYTABLE.res 38880 bytes
File H:\KOTOR\Saves\000012 - Game11\SAVEGAME.sav 13691358 bytes
File H:\KOTOR\Saves\000012 - Game11\savenfo.res 1056 bytes
File H:\KOTOR\Saves\000012 - Game11\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000013 - Game12 0 bytes
File H:\KOTOR\Saves\000013 - Game12\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000013 - Game12\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000013 - Game12\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000013 - Game12\PARTYTABLE.res 38641 bytes
File H:\KOTOR\Saves\000013 - Game12\SAVEGAME.sav 19224020 bytes
File H:\KOTOR\Saves\000013 - Game12\savenfo.res 1040 bytes
File H:\KOTOR\Saves\000013 - Game12\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000014 - Game13 0 bytes
File H:\KOTOR\Saves\000014 - Game13\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000014 - Game13\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000014 - Game13\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000014 - Game13\PARTYTABLE.res 38416 bytes
File H:\KOTOR\Saves\000014 - Game13\SAVEGAME.sav 13767173 bytes
File H:\KOTOR\Saves\000014 - Game13\savenfo.res 1145 bytes
File H:\KOTOR\Saves\000014 - Game13\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000015 - Game14 0 bytes
File H:\KOTOR\Saves\000015 - Game14\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000015 - Game14\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000015 - Game14\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000015 - Game14\PARTYTABLE.res 37251 bytes
File H:\KOTOR\Saves\000015 - Game14\SAVEGAME.sav 14297557 bytes
File H:\KOTOR\Saves\000015 - Game14\savenfo.res 1137 bytes
File H:\KOTOR\Saves\000015 - Game14\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000016 - Game15 0 bytes
File H:\KOTOR\Saves\000016 - Game15\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000016 - Game15\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000016 - Game15\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000016 - Game15\PARTYTABLE.res 37161 bytes
File H:\KOTOR\Saves\000016 - Game15\SAVEGAME.sav 14656155 bytes
File H:\KOTOR\Saves\000016 - Game15\savenfo.res 1133 bytes
File H:\KOTOR\Saves\000016 - Game15\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000036 - Game35 0 bytes
File H:\KOTOR\Saves\000036 - Game35\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000036 - Game35\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000036 - Game35\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000036 - Game35\PARTYTABLE.res 39369 bytes
File H:\KOTOR\Saves\000036 - Game35\SAVEGAME.sav 2442418 bytes
File H:\KOTOR\Saves\000036 - Game35\savenfo.res 1041 bytes
File H:\KOTOR\Saves\000036 - Game35\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000037 - Game36 0 bytes
File H:\KOTOR\Saves\000037 - Game36\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000037 - Game36\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000037 - Game36\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000037 - Game36\PARTYTABLE.res 39879 bytes
File H:\KOTOR\Saves\000037 - Game36\SAVEGAME.sav 3451843 bytes
File H:\KOTOR\Saves\000037 - Game36\savenfo.res 1053 bytes
File H:\KOTOR\Saves\000037 - Game36\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000038 - Game37 0 bytes
File H:\KOTOR\Saves\000038 - Game37\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000038 - Game37\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000038 - Game37\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000038 - Game37\PARTYTABLE.res 43800 bytes
File H:\KOTOR\Saves\000038 - Game37\SAVEGAME.sav 3429146 bytes
File H:\KOTOR\Saves\000038 - Game37\savenfo.res 1048 bytes
File H:\KOTOR\Saves\000038 - Game37\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000039 - Game38 0 bytes
File H:\KOTOR\Saves\000039 - Game38\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000039 - Game38\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000039 - Game38\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000039 - Game38\PARTYTABLE.res 43286 bytes
File H:\KOTOR\Saves\000039 - Game38\SAVEGAME.sav 3646957 bytes
File H:\KOTOR\Saves\000039 - Game38\savenfo.res 1052 bytes
File H:\KOTOR\Saves\000039 - Game38\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000040 - Game39 0 bytes
File H:\KOTOR\Saves\000040 - Game39\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000040 - Game39\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000040 - Game39\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000040 - Game39\PARTYTABLE.res 43883 bytes
File H:\KOTOR\Saves\000040 - Game39\SAVEGAME.sav 3666919 bytes
File H:\KOTOR\Saves\000040 - Game39\savenfo.res 1047 bytes
File H:\KOTOR\Saves\000040 - Game39\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000041 - Game40 0 bytes
File H:\KOTOR\Saves\000041 - Game40\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000041 - Game40\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000041 - Game40\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000041 - Game40\PARTYTABLE.res 42759 bytes
File H:\KOTOR\Saves\000041 - Game40\SAVEGAME.sav 3654472 bytes
File H:\KOTOR\Saves\000041 - Game40\savenfo.res 1047 bytes
File H:\KOTOR\Saves\000041 - Game40\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000042 - Game41 0 bytes
File H:\KOTOR\Saves\000042 - Game41\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000042 - Game41\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000042 - Game41\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000042 - Game41\PARTYTABLE.res 43669 bytes
File H:\KOTOR\Saves\000042 - Game41\SAVEGAME.sav 3830939 bytes
File H:\KOTOR\Saves\000042 - Game41\savenfo.res 1039 bytes
File H:\KOTOR\Saves\000042 - Game41\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000043 - Game42 0 bytes
File H:\KOTOR\Saves\000043 - Game42\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000043 - Game42\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000043 - Game42\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000043 - Game42\PARTYTABLE.res 41532 bytes
File H:\KOTOR\Saves\000043 - Game42\SAVEGAME.sav 3654908 bytes
File H:\KOTOR\Saves\000043 - Game42\savenfo.res 1047 bytes
File H:\KOTOR\Saves\000043 - Game42\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000044 - Game43 0 bytes
File H:\KOTOR\Saves\000044 - Game43\GLOBALVARS.res 52383 bytes
File H:\KOTOR\Saves\000044 - Game43\PARTYTABLE.res 33477 bytes
File H:\KOTOR\Saves\000044 - Game43\SAVEGAME.sav 5036597 bytes
File H:\KOTOR\Saves\000044 - Game43\savenfo.res 1135 bytes
File H:\KOTOR\Saves\000044 - Game43\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000027 - Game26 0 bytes
File H:\KOTOR\Saves\000027 - Game26\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000027 - Game26\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000027 - Game26\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000027 - Game26\PARTYTABLE.res 42099 bytes
File H:\KOTOR\Saves\000027 - Game26\SAVEGAME.sav 21352655 bytes
File H:\KOTOR\Saves\000027 - Game26\savenfo.res 1121 bytes
File H:\KOTOR\Saves\000027 - Game26\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000028 - Game27 0 bytes
File H:\KOTOR\Saves\000028 - Game27\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000028 - Game27\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000028 - Game27\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000028 - Game27\PARTYTABLE.res 42531 bytes
File H:\KOTOR\Saves\000028 - Game27\SAVEGAME.sav 24400654 bytes
File H:\KOTOR\Saves\000028 - Game27\savenfo.res 1041 bytes
File H:\KOTOR\Saves\000028 - Game27\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000029 - Game28 0 bytes
File H:\KOTOR\Saves\000029 - Game28\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000029 - Game28\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000029 - Game28\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000029 - Game28\PARTYTABLE.res 42099 bytes
File H:\KOTOR\Saves\000029 - Game28\SAVEGAME.sav 22614030 bytes
File H:\KOTOR\Saves\000029 - Game28\savenfo.res 1046 bytes
File H:\KOTOR\Saves\000029 - Game28\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000030 - Game29 0 bytes
File H:\KOTOR\Saves\000030 - Game29\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000030 - Game29\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000030 - Game29\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000030 - Game29\PARTYTABLE.res 42581 bytes
File H:\KOTOR\Saves\000030 - Game29\SAVEGAME.sav 4284048 bytes
File H:\KOTOR\Saves\000030 - Game29\savenfo.res 1087 bytes
File H:\KOTOR\Saves\000030 - Game29\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000031 - Game30 0 bytes
File H:\KOTOR\Saves\000031 - Game30\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000031 - Game30\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000031 - Game30\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000031 - Game30\PARTYTABLE.res 41279 bytes
File H:\KOTOR\Saves\000031 - Game30\SAVEGAME.sav 6262550 bytes
File H:\KOTOR\Saves\000031 - Game30\savenfo.res 1130 bytes
File H:\KOTOR\Saves\000031 - Game30\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000032 - Game31 0 bytes
File H:\KOTOR\Saves\000032 - Game31\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000032 - Game31\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000032 - Game31\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000032 - Game31\PARTYTABLE.res 41461 bytes
File H:\KOTOR\Saves\000032 - Game31\SAVEGAME.sav 6149691 bytes
File H:\KOTOR\Saves\000032 - Game31\savenfo.res 1132 bytes
File H:\KOTOR\Saves\000032 - Game31\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000033 - Game32 0 bytes
File H:\KOTOR\Saves\000033 - Game32\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000033 - Game32\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000033 - Game32\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000033 - Game32\PARTYTABLE.res 42404 bytes
File H:\KOTOR\Saves\000033 - Game32\SAVEGAME.sav 6123835 bytes
File H:\KOTOR\Saves\000033 - Game32\savenfo.res 1134 bytes
File H:\KOTOR\Saves\000033 - Game32\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000034 - Game33 0 bytes
File H:\KOTOR\Saves\000034 - Game33\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000034 - Game33\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000034 - Game33\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000034 - Game33\PARTYTABLE.res 41969 bytes
File H:\KOTOR\Saves\000034 - Game33\SAVEGAME.sav 2372177 bytes
File H:\KOTOR\Saves\000034 - Game33\savenfo.res 1044 bytes
File H:\KOTOR\Saves\000034 - Game33\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000035 - Game34 0 bytes
File H:\KOTOR\Saves\000035 - Game34\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000035 - Game34\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000035 - Game34\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000035 - Game34\PARTYTABLE.res 39048 bytes
File H:\KOTOR\Saves\000035 - Game34\SAVEGAME.sav 2584716 bytes
File H:\KOTOR\Saves\000035 - Game34\savenfo.res 1045 bytes
File H:\KOTOR\Saves\000035 - Game34\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000017 - Game16 0 bytes
File H:\KOTOR\Saves\000017 - Game16\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000017 - Game16\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000017 - Game16\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000017 - Game16\PARTYTABLE.res 37739 bytes
File H:\KOTOR\Saves\000017 - Game16\SAVEGAME.sav 15297997 bytes
File H:\KOTOR\Saves\000017 - Game16\savenfo.res 1043 bytes
File H:\KOTOR\Saves\000017 - Game16\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000018 - Game17 0 bytes
File H:\KOTOR\Saves\000018 - Game17\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000018 - Game17\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000018 - Game17\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000018 - Game17\PARTYTABLE.res 39576 bytes
File H:\KOTOR\Saves\000018 - Game17\SAVEGAME.sav 18251785 bytes
File H:\KOTOR\Saves\000018 - Game17\savenfo.res 1038 bytes
File H:\KOTOR\Saves\000018 - Game17\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000019 - Game18 0 bytes
File H:\KOTOR\Saves\000019 - Game18\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000019 - Game18\OP_CACHE.ATR 144 bytes
File H:\KOTOR\Saves\000019 - Game18\OP_CACHE.IDX 72 bytes
File H:\KOTOR\Saves\000019 - Game18\PARTYTABLE.res 39260 bytes
File H:\KOTOR\Saves\000019 - Game18\SAVEGAME.sav 18117493 bytes
File H:\KOTOR\Saves\000019 - Game18\savenfo.res 1042 bytes
File H:\KOTOR\Saves\000019 - Game18\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000020 - Game19 0 bytes
File H:\KOTOR\Saves\000020 - Game19\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000020 - Game19\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000020 - Game19\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000020 - Game19\PARTYTABLE.res 38634 bytes
File H:\KOTOR\Saves\000020 - Game19\SAVEGAME.sav 21976434 bytes
File H:\KOTOR\Saves\000020 - Game19\savenfo.res 1042 bytes
File H:\KOTOR\Saves\000020 - Game19\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000021 - Game20 0 bytes
File H:\KOTOR\Saves\000021 - Game20\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000021 - Game20\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000021 - Game20\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000021 - Game20\PARTYTABLE.res 38401 bytes
File H:\KOTOR\Saves\000021 - Game20\SAVEGAME.sav 21575376 bytes
File H:\KOTOR\Saves\000021 - Game20\savenfo.res 1046 bytes
File H:\KOTOR\Saves\000021 - Game20\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000022 - Game21 0 bytes
File H:\KOTOR\Saves\000022 - Game21\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000022 - Game21\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000022 - Game21\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000022 - Game21\PARTYTABLE.res 40630 bytes
File H:\KOTOR\Saves\000022 - Game21\SAVEGAME.sav 25125050 bytes
File H:\KOTOR\Saves\000022 - Game21\savenfo.res 1123 bytes
File H:\KOTOR\Saves\000022 - Game21\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000023 - Game22 0 bytes
File H:\KOTOR\Saves\000023 - Game22\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000023 - Game22\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000023 - Game22\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000023 - Game22\PARTYTABLE.res 42095 bytes
File H:\KOTOR\Saves\000023 - Game22\SAVEGAME.sav 24973206 bytes
File H:\KOTOR\Saves\000023 - Game22\savenfo.res 1044 bytes
File H:\KOTOR\Saves\000023 - Game22\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000024 - Game23 0 bytes
File H:\KOTOR\Saves\000024 - Game23\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000024 - Game23\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000024 - Game23\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000024 - Game23\PARTYTABLE.res 42036 bytes
File H:\KOTOR\Saves\000024 - Game23\SAVEGAME.sav 25635880 bytes
File H:\KOTOR\Saves\000024 - Game23\savenfo.res 1043 bytes
File H:\KOTOR\Saves\000024 - Game23\Screen.tga 196626 bytes
File H:\KOTOR\Saves\000025 - Game24 0 bytes
File H:\KOTOR\Saves\000025 - Game24\GLOBALVARS.res 52338 bytes
File H:\KOTOR\Saves\000025 - Game24\OP_CACHE.ATR 120 bytes
File H:\KOTOR\Saves\000025 - Game24\OP_CACHE.IDX 60 bytes
File H:\KOTOR\Saves\000025 - Game24\PARTYTABLE.res 42663 bytes
File H:\KOTOR\Saves\000025 - Game24\SAVEGAME.sav 21903885 bytes
File H:\KOTOR\Saves\000025 - Game24\savenfo.res 1131 bytes
File H:\KOTOR\Saves\000025 - Game24\Screen.tga 196626 bytes
File H:\Emulators 0 bytes
File H:\Emulators\MOTHER3_EarthBound2_English_v1.0.zip 1301225 bytes
File H:\Emulators\2377 - Mother 3 (J).gba 33554432 bytes
File H:\Emulators\2377 - Mother 3 (J).gba.original 33554432 bytes
File H:\Emulators\2377 - Mother 3 (J).sav 65536 bytes
File H:\Emulators\2377-mother-3-j-.zip 15419768 bytes
File H:\Emulators\COPYING 18349 bytes
File H:\Emulators\docs 0 bytes
File H:\Emulators\docs\readme.htm 0 bytes
File H:\Emulators\docs\readme.htm\about.htm 16175 bytes
File H:\Emulators\docs\readme.htm\advanced.htm 36904 bytes
File H:\Emulators\docs\readme.htm\faq.htm 52778 bytes
File H:\Emulators\docs\readme.htm\games.htm 33936 bytes
File H:\Emulators\docs\readme.htm\gui.htm 114662 bytes
File H:\Emulators\docs\readme.htm\history.htm 188169 bytes
File H:\Emulators\docs\readme.htm\images 0 bytes
File H:\Emulators\docs\readme.htm\images\cheat.png 1512 bytes
File H:\Emulators\docs\readme.htm\images\config.png 2272 bytes
File H:\Emulators\docs\readme.htm\images\f1_menu.png 2142 bytes
File H:\Emulators\docs\readme.htm\images\game.png 2220 bytes
File H:\Emulators\docs\readme.htm\images\gui.png 922 bytes
File H:\Emulators\docs\readme.htm\images\misc.png 2175 bytes
File H:\Emulators\docs\readme.htm\images\netplay.png 1195 bytes
File H:\Emulators\docs\readme.htm\images\quick.png 2087 bytes
File H:\Emulators\docs\readme.htm\images\saveslot.png 1749 bytes
File H:\Emulators\docs\readme.htm\images\zsneslogo.png 6921 bytes
File H:\Emulators\docs\readme.htm\index.htm 8819 bytes
File H:\Emulators\docs\readme.htm\license.htm 25633 bytes
File H:\Emulators\docs\readme.htm\netplay.htm 13108 bytes
File H:\Emulators\docs\readme.htm\readme.htm 65444 bytes
File H:\Emulators\docs\readme.htm\styles 0 bytes
File H:\Emulators\docs\readme.htm\styles\corner.png 300 bytes
File H:\Emulators\docs\readme.htm\styles\jipcy.css 2686 bytes
File H:\Emulators\docs\readme.htm\styles\plaintxt.css 399 bytes
File H:\Emulators\docs\readme.htm\styles\print.css 930 bytes
File H:\Emulators\docs\readme.htm\styles\radio.css 4867 bytes
File H:\Emulators\docs\readme.htm\styles\release.css 150 bytes
File H:\Emulators\docs\readme.htm\styles\shared.css 1519 bytes
File H:\Emulators\docs\readme.htm\support.htm 15484 bytes
File H:\Emulators\docs\readme.txt 0 bytes
File H:\Emulators\docs\readme.txt\about.txt 10896 bytes
File H:\Emulators\docs\readme.txt\advanced.txt 19407 bytes
File H:\Emulators\docs\readme.txt\faq.txt 36075 bytes
File H:\Emulators\docs\readme.txt\games.txt 23089 bytes
File H:\Emulators\docs\readme.txt\gui.txt 80057 bytes
File H:\Emulators\docs\readme.txt\history.txt 169384 bytes
File H:\Emulators\docs\readme.txt\index.txt 2821 bytes
File H:\Emulators\docs\readme.txt\license.txt 18332 bytes
File H:\Emulators\docs\readme.txt\netplay.txt 10550 bytes
File H:\Emulators\docs\readme.txt\readme.txt 39485 bytes
File H:\Emulators\docs\readme.txt\support.txt 10293 bytes
File H:\Emulators\jnes_0_6.exe 834153 bytes executable
File H:\Emulators\Marble Madness (E).nes 131088 bytes
File H:\Emulators\Marble Madness (E).zip 82570 bytes
File H:\Emulators\mother3.txt 63560 bytes
File H:\Emulators\mother3.ups 1254406 bytes
File H:\Emulators\mother3_linux 45604 bytes
File H:\Emulators\mother3_macosx.app 0 bytes
File H:\Emulators\mother3_macosx.app\Contents 0 bytes
File H:\Emulators\mother3_macosx.app\Contents\Info.plist 842 bytes
File H:\Emulators\mother3_macosx.app\Contents\MacOS 0 bytes
File H:\Emulators\mother3_macosx.app\Contents\MacOS\Mother3UPS 76256 bytes
File H:\Emulators\mother3_macosx.app\Contents\PkgInfo 8 bytes
File H:\Emulators\mother3_macosx.app\Contents\Resources 0 bytes
File H:\Emulators\mother3_macosx.app\Contents\Resources\English.lproj 0 bytes
File H:\Emulators\mother3_macosx.app\Contents\Resources\English.lproj\InfoPlist.strings 92 bytes
File H:\Emulators\mother3_macosx.app\Contents\Resources\English.lproj\MainMenu.nib 36185 bytes
File H:\Emulators\mother3_macosx.app\Contents\Resources\lucas.icns 88524 bytes
File H:\Emulators\mother3_macosx.app\Contents\Resources\patcher_logo.png 7745 bytes
File H:\Emulators\mother3_windows.exe 61440 bytes executable
File H:\Emulators\NEWS 25223 bytes
File H:\Emulators\README-win.txt 8178 bytes
File H:\Emulators\rominfo.txt 260 bytes
File H:\Emulators\Shortcut to Jnes.lnk 598 bytes
File H:\Emulators\super_mario_all_stars.srm 8192 bytes
File H:\Emulators\super_mario_all_stars.zip 982765 bytes
File H:\Emulators\super_mario_all_stars.zst 282459 bytes
File H:\Emulators\vba.ini 2122 bytes
File H:\Emulators\VisualBoyAdvance.exe 1757264 bytes executable
File H:\Emulators\zfont.txt 8952 bytes
File H:\Emulators\zinput.cfg 3820 bytes
File H:\Emulators\zmovie.cfg 2480 bytes
File H:\Emulators\zsnesw.cfg 20419 bytes
File H:\Emulators\zsnesw.exe 594432 bytes executable
File H:\Emulators\zsnesw151.zip 867785 bytes

---- EOF - GMER 1.0.15 ----



