
unknown virus removing virus scanners -win32kdiag log


  • This topic is locked
12 replies to this topic

#1 etSNEAK

etSNEAK

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:49 AM

Posted 25 September 2009 - 07:43 PM

I was told to post this here in this post:

http://www.bleepingcomputer.com/forums/t/260056/unknown-name-of-virus-deletes-virus-scanners/

Win32kDiag.txt

Running from: C:\Documents and Settings\Roman\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Roman\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point	   : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP32.tmp\ZAP32.tmp

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Caps\CapLettersDF\CapLettersDF

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Caps\CapLettersFF\CapLettersFF

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Caps\CapLettersIF\CapLettersIF

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Caps\CapLettersMU\CapLettersMU

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Caps\CapLettersRS\CapLettersRS

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Media\New Folder\New Folder

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\HelpCtr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2003-06-20 06:00:00 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()



Found mount point	   : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point	   : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!


log.txt

Volume in drive C has no label.
 Volume Serial Number is B080-1D9F

 Directory of C:\WINDOWS\$NtServicePackUninstall$

06/20/2003  06:00 AM		   174,592 scecli.dll

 Directory of C:\WINDOWS\$NtServicePackUninstall$

06/20/2003  06:00 AM		   399,360 netlogon.dll

 Directory of C:\WINDOWS\$NtServicePackUninstall$

06/20/2003  06:00 AM			49,152 eventlog.dll
			   3 File(s)		623,104 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008  05:42 AM		   181,248 scecli.dll

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008  05:42 AM		   407,040 netlogon.dll
			   2 File(s)		588,288 bytes

 Directory of C:\WINDOWS\system32

04/14/2008  05:42 AM		   181,248 scecli.dll

 Directory of C:\WINDOWS\system32

04/14/2008  05:42 AM		   407,040 netlogon.dll

 Directory of C:\WINDOWS\system32

04/14/2008  05:41 AM			61,952 eventlog.dll
			   3 File(s)		650,240 bytes

 Directory of C:\WINDOWS\system32\dllcache

04/14/2008  05:42 AM		   181,248 scecli.dll

 Directory of C:\WINDOWS\system32\dllcache

04/14/2008  05:42 AM		   407,040 netlogon.dll
			   2 File(s)		588,288 bytes

	 Total Files Listed:
			  10 File(s)	  2,449,920 bytes
			   0 Dir(s)  63,905,755,136 bytes free
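The Win32kDiag output above is the evidence a helper reads by hand: every mount point the tool found resolves to `\Device\__max++>\^`, and the one file it could not open, `C:\WINDOWS\system32\eventlog.dll`, is listed without the `(Microsoft Corporation)` string that the Service Pack backup copy of the same file carries. As an added example, not part of this thread and not code from Win32kDiag, here is a small Python script that parses that log format and raises both observations automatically. Assumptions of mine, not the page's: legitimate junctions and volume mount points store their target under the `\??\` prefix, so any other target is flagged; the nested `...\X\X` naming check is taken from the shape of every entry in this particular log; and the sample input is a constructed excerpt with a made-up `\??\Volume{...}` entry added as a benign control. (`__max++>` is the device name publicly documented for the Max++ rootkit family, which fits the thread title's complaint that the infection removes scanners.)

```python
import re
from collections import defaultdict

# Constructed excerpt in the record shapes of the Win32kDiag.txt posted above.
# The C:\MountPoints\backup entry and its Volume GUID are made up as a benign control.
SAMPLE_LOG = "\n".join([
    r"Running from: C:\Documents and Settings\Roman\Desktop\Win32kDiag.exe",
    "WARNING: Could not get backup privileges!",
    r"Searching 'C:\WINDOWS'...",
    r"Found mount point    : C:\WINDOWS\addins\addins",
    r"Mount point destination : \Device\__max++>\^",
    r"Found mount point    : C:\WINDOWS\Temp\Temp",
    r"Mount point destination : \Device\__max++>\^",
    r"Found mount point    : C:\MountPoints\backup",
    "Mount point destination : \\??\\Volume{6f3c2b1a-1234-5678-9abc-def012345678}\\",
    r"Cannot access: C:\WINDOWS\system32\eventlog.dll",
    r"[1] 2003-06-20 06:00:00 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)",
    r"[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()",
    "Finished!",
])

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(?P<path>.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(?P<dest>.+?)\s*$")
DENIED_RE = re.compile(r"^Cannot access:\s*(?P<path>.+?)\s*$")
FILE_RE = re.compile(
    r"^\[\d+\]\s+(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<company>.*)\)\s*$"
)


def parse_win32kdiag(text):
    """Walk the log once, pairing each 'Found mount point' line with the
    'Mount point destination' line that follows it."""
    report = {"mounts": [], "denied": [], "files": []}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m["path"]
        elif (m := DEST_RE.match(line)) and pending is not None:
            report["mounts"].append((pending, m["dest"]))
            pending = None
        elif m := DENIED_RE.match(line):
            report["denied"].append(m["path"])
        elif m := FILE_RE.match(line):
            report["files"].append({"path": m["path"], "size": int(m["size"]),
                                    "company": m["company"]})
    return report


def is_expected_destination(dest):
    """Assumption (mine, not the tool's): junctions and volume mount points that
    Windows or mklink create keep their target under the \\??\\ prefix
    (\\??\\C:\\..., \\??\\Volume{GUID}\\). Anything else deserves a look."""
    return dest.startswith("\\??\\")


def leaf_repeats_parent(path):
    """Every entry in the posted log has the shape ...\\X\\X: a junction planted
    inside a directory and given that directory's own name."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def analyze(report):
    """Return (kind, subject, detail) findings, one aggregated line per odd target."""
    findings = []
    by_dest = defaultdict(list)
    for path, dest in report["mounts"]:
        if not is_expected_destination(dest):
            by_dest[dest].append(path)
        if leaf_repeats_parent(path):
            findings.append(("same_name_junction", path, dest))
    for dest, paths in sorted(by_dest.items()):
        findings.append(("reparse_target", dest, len(paths)))
    for path in report["denied"]:
        findings.append(("access_denied", path, 1))
    # A system32 file with no company string while a backup copy of the same
    # name carries one is the pattern the 'Cannot access' line points at.
    by_name = defaultdict(list)
    for f in report["files"]:
        by_name[f["path"].rsplit("\\", 1)[-1].lower()].append(f)
    for copies in by_name.values():
        some_copy_has_company = any(c["company"].strip() for c in copies)
        for c in copies:
            if ("\\system32\\" in c["path"].lower() and not c["company"].strip()
                    and some_copy_has_company):
                findings.append(("no_version_info", c["path"], c["size"]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(parse_win32kdiag(SAMPLE_LOG)):
        print(f"{kind:18} {subject}  ({detail})")
```

To run it against the real Win32kDiag.txt, read the file and pass its text to `parse_win32kdiag`; the `reparse_target` finding is aggregated per destination rather than emitted per junction, which is what you want when a log carries dozens of entries all pointing at the same device, as this one does.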



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:49 AM

Posted 27 September 2009 - 12:40 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 etSNEAK

etSNEAK
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:49 AM

Posted 27 September 2009 - 02:27 PM

ComboFix 09-09-25.01 - Roman 09/27/2009 14:12.1.2 - NTFSx86

Running from: c:\documents and settings\Roman\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

 * Resident AV is active



.



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll

c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll

c:\windows\Installer\3728bda.msi

c:\windows\Installer\584f258.msi

c:\windows\system32\gasfkyayuiifuy.dll

c:\windows\system32\gasfkybxrsxuuf.dll

c:\windows\system32\gasfkycephsvtr.dat

c:\windows\system32\gasfkyowbxmigk.dat

c:\windows\system32\msconfig.exe

c:\windows\system32\ps2.bat

c:\windows\system32\tmp.reg



c:\windows\system32\eventlog.dll . . . is infected!!



.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}





(((((((((((((((((((((((((   Files Created from 2009-08-27 to 2009-09-27  )))))))))))))))))))))))))))))))

.



2009-09-27 20:08 . 2009-09-27 20:08	0	----a-r-	c:\windows\win32k.sys

2009-09-24 22:42 . 2009-09-24 22:42	--------	d-----w-	c:\program files\Trend Micro

2009-09-24 22:19 . 2009-09-25 10:47	--------	d-----w-	C:\!KillBox

2009-09-24 22:17 . 2009-09-24 22:17	--------	d-----w-	c:\program files\FileDeleter

2009-09-24 17:42 . 2009-09-24 17:42	--------	d-----w-	c:\documents and settings\All Users\Application Data\XoftSpySE

2009-09-24 17:33 . 2009-09-24 17:57	--------	d-----w-	c:\program files\UnHackMe

2009-09-24 09:53 . 2009-09-24 09:53	--------	d-----w-	c:\program files\InCode Solutions

2009-09-24 09:52 . 2009-09-24 09:52	22024	----a-w-	c:\windows\system32\drivers\pxscan.sys

2009-09-24 09:52 . 2009-09-24 17:39	--------	d-----w-	c:\program files\Prevx

2009-09-24 09:51 . 2009-09-24 09:51	--------	d-----w-	c:\documents and settings\All Users\Application Data\PrevxCSI

2009-09-24 09:51 . 2009-09-24 17:34	2	--shatr-	c:\windows\winstart.bat

2009-09-23 23:20 . 2009-09-23 23:20	--------	d-----w-	c:\program files\MapRotation

2009-09-23 23:20 . 2009-09-23 23:20	73216	----a-w-	c:\windows\ST6UNST.EXE

2009-09-23 23:20 . 2009-09-23 23:20	249856	------w-	c:\windows\Setup1.exe

2009-09-23 10:35 . 2009-09-23 10:35	--------	d-----w-	c:\program files\RemoveIt Pro

2009-09-21 11:49 . 2009-09-24 10:55	--------	d-----w-	c:\program files\Anti Trojan Elite

2009-09-17 19:49 . 2009-09-17 20:40	--------	d-----w-	c:\documents and settings\Roman\Application Data\GetRightToGo

2009-09-17 07:41 . 2009-09-17 07:41	--------	d-----w-	c:\program files\KLC

2009-09-16 01:25 . 2009-09-16 01:32	237568	----a-w-	c:\windows\system32\rmc_rtspdl.dll

2009-09-16 01:25 . 2009-09-16 01:32	156672	----a-w-	c:\windows\system32\rmc_fixasf.exe

2009-09-16 01:24 . 2009-09-21 11:47	--------	d-----w-	c:\program files\Replay Media Catcher

2009-09-16 01:24 . 2009-09-16 01:24	--------	d-----w-	c:\windows\Replay Media Catcher

2009-09-16 00:06 . 2009-09-21 11:48	--------	d-----w-	c:\program files\Common Files\Blizzard Entertainment

2009-09-15 20:24 . 2009-09-15 20:24	--------	d-----w-	c:\documents and settings\Roman\Application Data\GrabPro

2009-09-15 20:24 . 2009-09-20 01:58	--------	d-----w-	c:\documents and settings\Roman\Application Data\Orbit

2009-09-15 20:24 . 2009-09-16 01:15	--------	d-----w-	C:\downloads

2009-09-15 20:24 . 2009-09-15 20:24	--------	d-----w-	c:\documents and settings\Roman\Application Data\FMZilla

2009-09-15 20:23 . 2009-09-21 11:41	--------	d-----w-	c:\program files\Free Music Zilla

2009-09-15 16:43 . 2008-04-14 06:15	32128	-c--a-w-	c:\windows\system32\dllcache\usbccgp.sys

2009-09-15 16:42 . 2001-08-17 20:56	245632	-c--a-w-	c:\windows\system32\dllcache\s3savmx.dll

2009-09-15 16:41 . 2001-08-17 20:56	35392	-c--a-w-	c:\windows\system32\dllcache\n9i128.dll

2009-09-15 16:40 . 2001-08-18 04:36	90200	-c--a-w-	c:\windows\system32\dllcache\io8ports.dll

2009-09-15 16:39 . 2001-08-18 04:36	61952	-c--a-w-	c:\windows\system32\dllcache\eqnloop.exe

2009-09-15 16:38 . 2001-08-17 19:51	13824	-c--a-w-	c:\windows\system32\dllcache\bulltlp3.sys

2009-09-15 16:37 . 2008-04-14 06:16	48128	-c--a-w-	c:\windows\system32\dllcache\61883.sys

2009-09-15 16:37 . 2008-04-14 06:10	12288	-c--a-w-	c:\windows\system32\dllcache\4mmdat.sys

2009-09-15 16:37 . 2001-08-17 18:48	148352	-c--a-w-	c:\windows\system32\dllcache\3dfxvsm.sys

2009-09-15 16:37 . 2001-08-17 20:55	689216	-c--a-w-	c:\windows\system32\dllcache\3dfxvs.dll

2009-09-15 16:37 . 2001-08-17 20:06	11264	-c--a-w-	c:\windows\system32\dllcache\1394vdbg.sys

2009-09-15 16:37 . 2001-08-17 19:28	762780	-c--a-w-	c:\windows\system32\dllcache\3cwmcru.sys

2009-09-15 16:37 . 2008-04-14 06:16	53376	-c--a-w-	c:\windows\system32\dllcache\1394bus.sys

2009-09-15 16:37 . 2001-08-17 20:56	66048	-c--a-w-	c:\windows\system32\dllcache\s3legacy.dll

2009-09-15 16:37 . 2008-04-14 06:57	2188928	-c--a-w-	c:\windows\system32\dllcache\ntoskrnl.exe

2009-09-14 18:18 . 2009-09-14 18:19	--------	d-----w-	c:\documents and settings\Roman\Application Data\VMware

2009-09-14 18:15 . 2009-09-15 16:46	--------	d-----w-	c:\documents and settings\LocalService\Application Data\VMware

2009-09-14 18:13 . 2009-09-15 20:45	--------	d-----w-	c:\documents and settings\All Users\Application Data\VMware

2009-09-14 16:52 . 2009-09-14 16:53	--------	d-----w-	c:\program files\RAR Password Unlocker

2009-09-12 22:15 . 2009-09-12 22:15	153104	----a-w-	c:\windows\system32\drivers\tmcomm.sys

2009-09-11 19:54 . 2009-09-11 19:58	--------	d-----w-	c:\program files\RegCleaner

2009-09-11 19:43 . 2009-09-11 19:57	--------	d-----w-	c:\documents and settings\Roman\Application Data\VoipStunt

2009-09-11 18:11 . 2009-09-23 10:48	--------	d-----w-	c:\program files\SuperScan

2009-09-06 23:44 . 2009-09-24 11:16	--------	d-----w-	c:\program files\Top Password

2009-09-06 23:34 . 2009-09-06 23:34	--------	d-----w-	c:\program files\AIM Password Recovery

2009-09-03 18:07 . 2009-09-03 18:07	41872	----a-w-	c:\windows\system32\xfcodec.dll

2009-08-31 19:59 . 2009-08-31 19:59	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Xfire

2009-08-30 19:24 . 2009-08-30 19:24	--------	d-----w-	c:\documents and settings\Roman\Application Data\HandBrake

2009-08-30 12:40 . 2009-08-30 12:40	--------	d-----w-	c:\documents and settings\Roman\Application Data\Publish Providers

2009-08-30 12:40 . 2009-08-30 12:40	--------	d-----w-	c:\documents and settings\Roman\Local Settings\Application Data\Sony

2009-08-30 12:40 . 2009-08-30 12:40	--------	d-----w-	c:\documents and settings\Roman\Application Data\Sony

2009-08-30 12:29 . 2009-08-30 12:29	--------	d-----w-	c:\documents and settings\All Users\Application Data\Sony

2009-08-30 12:29 . 2009-08-30 12:29	--------	d-----w-	c:\program files\Sony

2009-08-30 11:29 . 2009-08-30 11:29	--------	d-----w-	C:\cygwin

2009-08-30 11:22 . 2009-08-30 11:28	--------	d-----w-	c:\documents and settings\Roman\Application Data\Dev-Cpp

2009-08-30 11:22 . 2009-08-30 11:22	--------	d-----w-	C:\Dev-Cpp

2009-08-30 11:15 . 2009-08-30 11:15	--------	d-----w-	C:\Borland

2009-08-30 10:45 . 2009-08-30 11:15	--------	d-----w-	c:\documents and settings\Roman\Application Data\mIRC

2009-08-30 10:45 . 2009-08-30 10:46	--------	d-----w-	c:\program files\mIRC

2009-08-30 09:27 . 2009-08-30 09:27	--------	d-----w-	c:\program files\Microsoft SQL Server

2009-08-30 09:27 . 2009-08-30 09:27	--------	d-----w-	c:\program files\Microsoft Silverlight

2009-08-30 09:26 . 2009-08-30 09:26	--------	d-----w-	c:\documents and settings\Roman\Local Settings\Application Data\Microsoft Help

2009-08-30 09:25 . 2009-08-30 09:25	--------	d-----w-	c:\program files\Microsoft.NET

2009-08-30 09:24 . 2009-08-30 09:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-30 09:24 . 2009-08-30 09:26	--------	d-----w-	c:\program files\Microsoft Visual Studio 9.0

2009-08-30 09:24 . 2009-08-30 09:25	--------	d-----w-	c:\program files\Common Files\Merge Modules

2009-08-30 09:23 . 2009-08-30 09:23	--------	d-----w-	c:\program files\Microsoft SDKs

2009-08-30 09:22 . 2009-08-30 09:22	125648	----a-w-	c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-08-30 09:22 . 2009-08-30 09:22	--------	d-----w-	c:\windows\system32\XPSViewer

2009-08-30 09:22 . 2009-08-30 09:22	--------	d-----w-	c:\program files\MSBuild

2009-08-30 09:22 . 2009-08-30 09:22	--------	d-----w-	c:\program files\Reference Assemblies

2009-08-30 09:22 . 2008-07-06 12:06	89088	-c----w-	c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-30 09:22 . 2008-07-06 12:06	575488	-c----w-	c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-30 09:22 . 2008-07-06 12:06	575488	------w-	c:\windows\system32\xpsshhdr.dll

2009-08-30 09:22 . 2008-07-06 12:06	117760	------w-	c:\windows\system32\prntvpt.dll

2009-08-30 09:22 . 2008-07-06 10:50	597504	-c----w-	c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-30 09:22 . 2008-07-06 12:06	1676288	-c----w-	c:\windows\system32\dllcache\xpssvcs.dll

2009-08-30 09:22 . 2008-07-06 12:06	1676288	------w-	c:\windows\system32\xpssvcs.dll

2009-08-30 08:58 . 2009-08-30 09:22	--------	d-----w-	c:\windows\system32\wbem\AutoRecover

2009-08-30 08:54 . 2008-04-14 11:42	1306624	-c--a-w-	c:\windows\system32\dllcache\msxml6.dll

2009-08-30 08:54 . 2008-04-14 11:42	1306624	------w-	c:\windows\system32\msxml6.dll

2009-08-30 08:54 . 2008-04-14 04:57	79872	-c--a-w-	c:\windows\system32\dllcache\msxml6r.dll

2009-08-30 08:54 . 2008-04-14 04:57	79872	------w-	c:\windows\system32\msxml6r.dll

2009-08-30 08:54 . 2007-06-26 17:30	22060	-c----w-	c:\windows\system32\dllcache\npds.zip

2009-08-30 08:54 . 2007-06-26 17:26	403	-c----w-	c:\windows\system32\dllcache\npdrmv2.zip

2009-08-30 08:52 . 2008-04-14 11:41	397312	-c--a-w-	c:\windows\system32\dllcache\fxstiff.dll

2009-08-30 08:48 . 2009-08-30 08:48	--------	d-----w-	c:\windows\EHome

2009-08-29 15:40 . 2009-08-29 15:40	--------	d-----w-	c:\documents and settings\Roman\Local Settings\Application Data\HandBrake

2009-08-29 15:35 . 2009-08-29 15:35	--------	d-----w-	c:\program files\HandBrake



.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-27 06:51 . 2009-05-01 09:05	--------	d-----w-	c:\documents and settings\Roman\Application Data\Xfire

2009-09-27 06:34 . 2009-05-01 09:45	139904	----a-w-	c:\windows\system32\drivers\PnkBstrK.sys

2009-09-27 06:34 . 2009-05-01 09:45	189744	----a-w-	c:\windows\system32\PnkBstrB.exe

2009-09-26 19:17 . 2009-07-18 12:07	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP

2009-09-26 19:08 . 2009-05-01 10:55	--------	d-----w-	c:\documents and settings\Roman\Application Data\FrostWire

2009-09-26 03:22 . 2009-05-01 09:05	--------	d-----w-	c:\program files\Xfire

2009-09-25 18:49 . 2009-05-01 09:30	--------	d-----w-	c:\documents and settings\Roman\Application Data\uTorrent

2009-09-24 17:57 . 2009-06-26 05:52	--------	d-----w-	c:\program files\Common Files\DVDVideoSoft

2009-09-24 11:02 . 2009-08-17 11:32	--------	d-----w-	c:\program files\Flash4D v5 - Pro Edition

2009-09-24 06:30 . 2009-07-24 01:42	--------	d-----w-	c:\documents and settings\Roman\Application Data\HLSW

2009-09-23 10:48 . 2009-08-17 12:40	--------	d-----w-	c:\program files\Exterminate It!

2009-09-23 10:48 . 2009-07-10 15:01	--------	d-----w-	c:\program files\SUPERAntiSpyware

2009-09-23 10:20 . 2009-08-10 09:18	--------	d-----w-	c:\documents and settings\All Users\Application Data\SecTaskMan

2009-09-23 06:35 . 2009-05-01 09:57	--------	d-----w-	c:\program files\GlobalSCAPE

2009-09-21 11:48 . 2009-07-23 18:36	--------	d-----w-	c:\program files\Xara

2009-09-21 11:48 . 2009-08-13 14:04	--------	d-----w-	c:\program files\Workspace Macro 4.6

2009-09-21 11:46 . 2009-05-01 09:11	--------	d-----w-	c:\program files\Pando Networks

2009-09-21 11:46 . 2009-08-17 12:33	--------	d-----w-	c:\program files\KoolMoves

2009-09-21 11:46 . 2009-08-22 13:28	--------	d-----w-	c:\program files\Image-Line

2009-09-21 11:44 . 2009-08-17 11:38	--------	d-----w-	c:\program files\Flash Effect Maker

2009-09-21 11:43 . 2009-08-12 13:05	--------	d-----w-	c:\program files\NCH Software

2009-09-21 11:43 . 2009-08-12 13:05	--------	d-----w-	c:\documents and settings\Roman\Application Data\NCH Software

2009-09-21 11:42 . 2009-08-11 22:48	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\~0

2009-09-21 11:42 . 2009-08-11 23:00	--------	d-----w-	c:\program files\Blaze Media Pro

2009-09-21 11:34 . 2009-09-21 11:34	--------	d-----w-	c:\program files\Trojan Remover

2009-09-21 11:34 . 2009-09-21 11:34	--------	d-----w-	c:\documents and settings\Roman\Application Data\Simply Super Software

2009-09-21 11:34 . 2009-09-21 11:34	--------	d-----w-	c:\documents and settings\All Users\Application Data\Simply Super Software

2009-09-21 11:30 . 2009-08-10 09:18	--------	d-----w-	c:\program files\Security Task Manager

2009-09-15 00:27 . 2009-08-14 12:22	--------	d-----w-	c:\program files\Cheat Engine

2009-09-15 00:27 . 2009-07-27 08:57	--------	d-----w-	c:\program files\Spyware Doctor

2009-09-14 08:10 . 2009-05-01 07:52	--------	d--h--w-	c:\program files\InstallShield Installation Information

2009-09-10 22:49 . 2009-05-13 18:55	--------	d-----w-	c:\documents and settings\Roman\Application Data\TeamViewer

2009-09-10 02:19 . 2009-08-16 08:47	--------	d-----w-	c:\program files\X-ray Anti-Cheat

2009-09-04 20:24 . 2009-05-14 23:48	--------	d-----w-	c:\documents and settings\Roman\Application Data\Hamachi

2009-08-31 18:40 . 2009-07-01 00:21	--------	d-----w-	c:\documents and settings\Roman\Application Data\VoipBuster

2009-08-30 12:29 . 2009-08-22 13:30	--------	d-----w-	c:\program files\VstPlugins

2009-08-30 10:33 . 2009-05-01 11:05	55176	----a-w-	c:\documents and settings\Roman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-30 01:06 . 2009-05-14 07:16	--------	d-----w-	c:\program files\Common Files\Adobe

2009-08-27 06:16 . 2009-08-27 06:16	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA

2009-08-26 04:39 . 2009-08-26 03:53	34	----a-w-	c:\documents and settings\Roman\jagex_runescape_preferences.dat

2009-08-25 06:32 . 2009-08-20 06:26	139152	----a-w-	c:\documents and settings\Roman\Application Data\PnkBstrK.sys

2009-08-25 06:32 . 2009-08-20 07:09	794408	----a-w-	c:\windows\system32\pbsvc.exe

2009-08-25 05:58 . 2009-08-25 05:58	--------	d-----w-	c:\program files\Alcohol Soft

2009-08-25 05:18 . 2009-08-25 05:18	721904	----a-w-	c:\windows\system32\drivers\sptd.sys

2009-08-25 02:07 . 2009-05-08 15:19	--------	d-----w-	c:\documents and settings\Roman\Application Data\Skype

2009-08-24 22:53 . 2009-05-07 12:56	--------	d-----w-	c:\documents and settings\Roman\Application Data\teamspeak2

2009-08-24 12:35 . 2009-08-24 12:35	--------	d-----w-	c:\documents and settings\Roman\Application Data\Sony Setup

2009-08-24 08:50 . 2009-08-24 08:50	--------	d-----w-	c:\documents and settings\Roman\Application Data\id Software

2009-08-24 08:50 . 2009-08-24 08:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\id Software

2009-08-22 13:29 . 2009-08-22 13:29	--------	d-----w-	c:\program files\Outsim

2009-08-22 07:06 . 2009-08-22 07:06	--------	d-----w-	c:\program files\AGEIA Technologies

2009-08-22 07:05 . 2009-05-01 09:33	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard

2009-08-22 07:05 . 2009-08-22 07:05	--------	d-----w-	c:\program files\NVIDIA Corporation

2009-08-22 07:05 . 2009-08-22 07:05	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-08-22 06:39 . 2009-08-22 06:39	--------	d-----w-	c:\program files\K-Lite Codec Pack

2009-08-22 06:09 . 2009-08-03 22:26	--------	d-----w-	c:\program files\SystemRequirementsLab

2009-08-22 06:09 . 2009-08-03 22:26	--------	d-----w-	c:\documents and settings\Roman\Application Data\SystemRequirementsLab

2009-08-21 06:00 . 2009-08-21 05:59	--------	d-----w-	c:\documents and settings\Roman\Application Data\PlaneShift

2009-08-21 05:59 . 2009-08-21 05:59	--------	d-----w-	c:\documents and settings\Roman\Application Data\CrystalSpace

2009-08-20 10:51 . 2009-08-20 10:51	--------	d-----w-	c:\documents and settings\Roman\Application Data\PE Explorer

2009-08-20 07:11 . 2009-05-01 09:44	75064	----a-w-	c:\windows\system32\PnkBstrA.exe

2009-08-18 12:47 . 2009-08-18 12:37	--------	d-----w-	c:\program files\Bus Simulator 2008 Demo

2009-08-18 07:21 . 2009-08-18 07:21	--------	d-----w-	c:\program files\CrossFire

2009-08-18 06:37 . 2009-08-18 06:07	--------	d-----w-	c:\program files\Install Creator Pro

2009-08-17 12:40 . 2009-08-17 12:40	--------	d-----w-	c:\program files\Eusing Free Registry Cleaner

2009-08-17 11:41 . 2009-08-16 16:26	--------	d-----w-	c:\program files\Common Files\SourceTec

2009-08-17 11:41 . 2009-08-16 16:26	--------	d-----w-	c:\program files\SourceTec

2009-08-17 11:32 . 2009-08-17 11:32	749568	----a-w-	c:\windows\system32\swfgen.dll

2009-08-17 11:32 . 2009-08-17 01:59	131584	----a-w-	c:\windows\system32\SpoonUninstall.exe

2009-08-17 09:04 . 2009-08-17 09:04	2173472	----a-w-	c:\windows\system32\nvcplui.exe

2009-08-17 09:04 . 2009-08-17 09:04	81920	----a-w-	c:\windows\system32\nvwddi.dll

2009-08-17 09:03 . 2009-08-17 09:03	3170304	----a-w-	c:\windows\system32\nvwss.dll

2009-08-17 09:03 . 2009-08-17 09:03	4026368	----a-w-	c:\windows\system32\nvvitvs.dll

2009-08-17 09:03 . 2009-08-17 09:03	188416	----a-w-	c:\windows\system32\nvmccss.dll

2009-08-17 09:03 . 2009-08-17 09:03	1286144	----a-w-	c:\windows\system32\nvmobls.dll

2009-08-17 09:03 . 2009-08-17 09:03	3547136	----a-w-	c:\windows\system32\nvgames.dll

2009-08-17 09:03 . 2009-08-17 09:03	4923392	----a-w-	c:\windows\system32\nvdisps.dll

2009-08-17 09:03 . 2009-08-17 09:03	86016	----a-w-	c:\windows\system32\nvmctray.dll

2009-08-17 09:03 . 2009-08-17 09:03	168004	----a-w-	c:\windows\system32\nvsvc32.exe

2009-08-17 09:03 . 2009-08-17 09:03	143360	----a-w-	c:\windows\system32\nvcolor.exe

2009-08-17 09:03 . 2009-08-17 09:03	13877248	----a-w-	c:\windows\system32\nvcpl.dll

2009-08-17 09:02 . 2009-08-17 09:02	229376	----a-w-	c:\windows\system32\nvmccs.dll

2009-08-17 06:57 . 2009-08-17 06:57	868352	----a-w-	c:\windows\system32\nvapi.dll

2009-08-17 06:57 . 2009-08-17 06:57	7729568	----a-w-	c:\windows\system32\drivers\nv4_mini.sys

2009-08-17 06:57 . 2009-08-17 06:57	5845760	----a-w-	c:\windows\system32\nv4_disp.dll

2009-08-17 06:57 . 2009-08-17 06:57	2189856	----a-w-	c:\windows\system32\nvcuvid.dll

2009-08-17 06:57 . 2009-08-17 06:57	2002944	----a-w-	c:\windows\system32\nvcuda.dll

2009-08-17 06:57 . 2009-08-17 06:57	1706528	----a-w-	c:\windows\system32\nvcuvenc.dll

2009-08-17 06:57 . 2009-08-17 06:57	1597690	----a-w-	c:\windows\system32\nvdata.bin

2009-08-17 06:57 . 2009-08-17 06:57	155648	----a-w-	c:\windows\system32\nvcodins.dll

2009-08-17 06:57 . 2009-08-17 06:57	155648	----a-w-	c:\windows\system32\nvcod.dll

2009-08-17 06:57 . 2009-08-17 06:57	10457088	----a-w-	c:\windows\system32\nvoglnt.dll

2009-08-17 06:57 . 2009-05-01 08:56	485920	----a-w-	c:\windows\system32\nvudisp.exe

2009-08-16 17:51 . 2009-08-16 17:51	--------	d-----w-	c:\program files\TrendyFlash Site  Builder
2009-08-16 17:29 . 2009-07-10 14:39	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2009-08-15 08:28 . 2009-08-15 08:28	--------	d-----w-	c:\program files\FLV Player
2009-08-15 05:51 . 2009-08-15 05:45	43520	----a-w-	c:\windows\system32\CmdLineExt03.dll
2009-08-14 19:36 . 2009-08-14 19:36	70936	----a-w-	c:\windows\system32\PhysXLoader.dll
2009-08-14 10:20 . 2009-08-14 09:57	--------	d-----w-	c:\program files\ProxyFirewall
2009-08-14 10:19 . 2009-08-12 12:34	--------	d-----w-	c:\program files\Sytexis Software
2008-12-17 21:59 . 2009-05-01 09:14	67688	----a-w-	c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-05-01 09:14	54368	----a-w-	c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-05-01 09:14	34944	----a-w-	c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-05-01 09:14	46712	----a-w-	c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-05-01 09:14	172136	----a-w-	c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02	1044480	----a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02	200704	----a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 09:06 . 2009-08-13 09:53	163328	--sh--r-	c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-13 09:53	31232	--sh--r-	c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2009-08-13 09:53	27648	--sh--w-	c:\windows\system32\Smab0.dll
2005-06-19 15:10 . 2005-06-19 15:10	581632	--sha-r-	c:\windows\system32\winlog.exe\plugin.dat
2005-11-09 14:15 . 2006-06-20 17:28	654061	--sha-r-	c:\windows\system32\winlog.exe\winlog.exe.exe.vir
2006-06-26 04:57 . 2006-06-26 04:57	581632	--sha-r-	c:\windows\system32\winlog.exe.vir\plugin.dat
2006-06-15 15:54 . 2006-06-15 15:54	654061	--sha-r-	c:\windows\system32\winlog.exe.vir\winlog.exe.exe
.

------- Sigcheck -------

[-] 2008-04-14 11:41 . 028C3E9C06BBEE764908254C0A9270D8 . 61952 . . [------] . . c:\windows\system32\eventlog.dll
[-] 2003-06-20 . BF3C8CF53C77B48206B39910B6D6CBCC . 49152 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Q3E Minimizer v1.40"="c:\documents and settings\Roman\Desktop\ROMAN\GAMES\Q3E Minimizer_v1.40.EXE" [2008-07-28 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2009-08-17 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-29 16859648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]

c:\documents and settings\Roman\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-14 113664]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-9-3 3111824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-7 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05	356352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 06:30	72208	----a-w-	c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"MSPY2002"=c:\windows\System32\IME\PINTLGNT\ImScInst.exe /SYNC
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"PHIME2002ASync"=c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe"
"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/27/2009 2:58 AM 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/20/2008 11:11 AM 33800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/20/2008 11:08 AM 472320]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [5/7/2009 2:59 AM 10384]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [7/31/2009 3:34 AM 42496]
S2 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [6/20/2003 6:00 AM 3584]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\Roman\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\Roman\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\DAC5.tmp --> c:\windows\system32\DAC5.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\System32\GameMon.des -service --> c:\windows\System32\GameMon.des -service [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/27/2009 2:57 AM 348752]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [6/6/2009 4:10 PM 23480]
.
Contents of the 'Scheduled Tasks' folder
.
.

------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Roman\Application Data\Mozilla\Firefox\Profiles\mek2hwce.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/|https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadPro6\EditPadPro.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Exterminate It! - c:\program files\Exterminate It!\ExterminateIt_Uninst.exe
AddRemove-PCSI - c:\program files\Prevx\prevx.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 14:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DAC5.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\System32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4080)
c:\program files\Xfire\xfire_toucan_39110.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-09-27 14:27 - machine was rebooted
ComboFix-quarantined-files.txt  2009-09-27 20:27

Pre-Run: 63,559,942,144 bytes free
Post-Run: 63,752,196,096 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
379


#4 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 September 2009 - 06:55 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Driver::
MEMSWEEP2

FCopy::
c:\windows\$NtServicePackUninstall$\eventlog.dll | c:\windows\system32\eventlog.dll

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



===================


Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 etSNEAK

  • Topic Starter

  • Members
  • 10 posts

Posted 28 September 2009 - 02:16 PM

While dragging the script onto the combofix exe I had this error:

Posted Image

Here's my CF log:

ComboFix 09-09-27.05 - Roman 09/28/2009 13:58.2.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1399 [GMT -6:00]
Running from: c:\documents and settings\Roman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roman\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\eventlog.dll --> c:\windows\system32\eventlog.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


(((((((((((((((((((((((((   Files Created from 2009-08-28 to 2009-09-28  )))))))))))))))))))))))))))))))
.

2009-09-28 04:55 . 2009-09-28 19:55	--------	d-----w-	c:\documents and settings\Roman\Application Data\BitTorrent
2009-09-28 04:55 . 2009-09-28 04:55	--------	d-----w-	c:\program files\BitTorrent
2009-09-27 20:08 . 2009-09-27 20:08	0	----a-r-	c:\windows\win32k.sys
2009-09-24 22:42 . 2009-09-24 22:42	--------	d-----w-	c:\program files\Trend Micro
2009-09-24 22:19 . 2009-09-25 10:47	--------	d-----w-	C:\!KillBox
2009-09-24 22:17 . 2009-09-24 22:17	--------	d-----w-	c:\program files\FileDeleter
2009-09-24 17:42 . 2009-09-24 17:42	--------	d-----w-	c:\documents and settings\All Users\Application Data\XoftSpySE
2009-09-24 17:33 . 2009-09-24 17:57	--------	d-----w-	c:\program files\UnHackMe
2009-09-24 09:53 . 2009-09-24 09:53	--------	d-----w-	c:\program files\InCode Solutions
2009-09-24 09:52 . 2009-09-24 09:52	22024	----a-w-	c:\windows\system32\drivers\pxscan.sys
2009-09-24 09:52 . 2009-09-24 17:39	--------	d-----w-	c:\program files\Prevx
2009-09-24 09:51 . 2009-09-24 09:51	--------	d-----w-	c:\documents and settings\All Users\Application Data\PrevxCSI
2009-09-24 09:51 . 2009-09-24 17:34	2	--shatr-	c:\windows\winstart.bat
2009-09-23 23:20 . 2009-09-23 23:20	--------	d-----w-	c:\program files\MapRotation
2009-09-23 23:20 . 2009-09-23 23:20	73216	----a-w-	c:\windows\ST6UNST.EXE
2009-09-23 23:20 . 2009-09-23 23:20	249856	------w-	c:\windows\Setup1.exe
2009-09-23 10:35 . 2009-09-23 10:35	--------	d-----w-	c:\program files\RemoveIt Pro
2009-09-21 11:49 . 2009-09-24 10:55	--------	d-----w-	c:\program files\Anti Trojan Elite
2009-09-17 19:49 . 2009-09-17 20:40	--------	d-----w-	c:\documents and settings\Roman\Application Data\GetRightToGo
2009-09-17 07:41 . 2009-09-17 07:41	--------	d-----w-	c:\program files\KLC
2009-09-16 01:25 . 2009-09-16 01:32	237568	----a-w-	c:\windows\system32\rmc_rtspdl.dll
2009-09-16 01:25 . 2009-09-16 01:32	156672	----a-w-	c:\windows\system32\rmc_fixasf.exe
2009-09-16 01:24 . 2009-09-21 11:47	--------	d-----w-	c:\program files\Replay Media Catcher
2009-09-16 01:24 . 2009-09-16 01:24	--------	d-----w-	c:\windows\Replay Media Catcher
2009-09-16 00:06 . 2009-09-21 11:48	--------	d-----w-	c:\program files\Common Files\Blizzard Entertainment
2009-09-15 20:24 . 2009-09-15 20:24	--------	d-----w-	c:\documents and settings\Roman\Application Data\GrabPro
2009-09-15 20:24 . 2009-09-20 01:58	--------	d-----w-	c:\documents and settings\Roman\Application Data\Orbit
2009-09-15 20:24 . 2009-09-16 01:15	--------	d-----w-	C:\downloads
2009-09-15 20:24 . 2009-09-15 20:24	--------	d-----w-	c:\documents and settings\Roman\Application Data\FMZilla
2009-09-15 20:23 . 2009-09-21 11:41	--------	d-----w-	c:\program files\Free Music Zilla
2009-09-15 16:43 . 2008-04-14 06:15	32128	-c--a-w-	c:\windows\system32\dllcache\usbccgp.sys
2009-09-15 16:42 . 2001-08-17 20:56	245632	-c--a-w-	c:\windows\system32\dllcache\s3savmx.dll
2009-09-15 16:41 . 2001-08-17 20:56	35392	-c--a-w-	c:\windows\system32\dllcache\n9i128.dll
2009-09-15 16:40 . 2001-08-18 04:36	90200	-c--a-w-	c:\windows\system32\dllcache\io8ports.dll
2009-09-15 16:39 . 2001-08-18 04:36	61952	-c--a-w-	c:\windows\system32\dllcache\eqnloop.exe
2009-09-15 16:38 . 2001-08-17 19:51	13824	-c--a-w-	c:\windows\system32\dllcache\bulltlp3.sys
2009-09-15 16:37 . 2008-04-14 06:16	48128	-c--a-w-	c:\windows\system32\dllcache\61883.sys
2009-09-15 16:37 . 2008-04-14 06:10	12288	-c--a-w-	c:\windows\system32\dllcache\4mmdat.sys
2009-09-15 16:37 . 2001-08-17 18:48	148352	-c--a-w-	c:\windows\system32\dllcache\3dfxvsm.sys
2009-09-15 16:37 . 2001-08-17 20:55	689216	-c--a-w-	c:\windows\system32\dllcache\3dfxvs.dll
2009-09-15 16:37 . 2001-08-17 20:06	11264	-c--a-w-	c:\windows\system32\dllcache\1394vdbg.sys
2009-09-15 16:37 . 2001-08-17 19:28	762780	-c--a-w-	c:\windows\system32\dllcache\3cwmcru.sys
2009-09-15 16:37 . 2008-04-14 06:16	53376	-c--a-w-	c:\windows\system32\dllcache\1394bus.sys
2009-09-15 16:37 . 2001-08-17 20:56	66048	-c--a-w-	c:\windows\system32\dllcache\s3legacy.dll
2009-09-15 16:37 . 2008-04-14 06:57	2188928	-c--a-w-	c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-14 18:18 . 2009-09-14 18:19	--------	d-----w-	c:\documents and settings\Roman\Application Data\VMware
2009-09-14 18:15 . 2009-09-15 16:46	--------	d-----w-	c:\documents and settings\LocalService\Application Data\VMware
2009-09-14 18:13 . 2009-09-15 20:45	--------	d-----w-	c:\documents and settings\All Users\Application Data\VMware
2009-09-14 16:52 . 2009-09-14 16:53	--------	d-----w-	c:\program files\RAR Password Unlocker
2009-09-12 22:15 . 2009-09-12 22:15	153104	----a-w-	c:\windows\system32\drivers\tmcomm.sys
2009-09-11 19:54 . 2009-09-11 19:58	--------	d-----w-	c:\program files\RegCleaner
2009-09-11 19:43 . 2009-09-11 19:57	--------	d-----w-	c:\documents and settings\Roman\Application Data\VoipStunt
2009-09-11 18:11 . 2009-09-23 10:48	--------	d-----w-	c:\program files\SuperScan
2009-09-06 23:44 . 2009-09-24 11:16	--------	d-----w-	c:\program files\Top Password
2009-09-06 23:34 . 2009-09-06 23:34	--------	d-----w-	c:\program files\AIM Password Recovery
2009-09-03 18:07 . 2009-09-03 18:07	41872	----a-w-	c:\windows\system32\xfcodec.dll
2009-08-31 19:59 . 2009-08-31 19:59	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Xfire
2009-08-30 19:24 . 2009-08-30 19:24	--------	d-----w-	c:\documents and settings\Roman\Application Data\HandBrake
2009-08-30 12:40 . 2009-08-30 12:40	--------	d-----w-	c:\documents and settings\Roman\Application Data\Publish Providers
2009-08-30 12:40 . 2009-08-30 12:40	--------	d-----w-	c:\documents and settings\Roman\Local Settings\Application Data\Sony
2009-08-30 12:40 . 2009-08-30 12:40	--------	d-----w-	c:\documents and settings\Roman\Application Data\Sony
2009-08-30 12:29 . 2009-08-30 12:29	--------	d-----w-	c:\documents and settings\All Users\Application Data\Sony
2009-08-30 12:29 . 2009-08-30 12:29	--------	d-----w-	c:\program files\Sony
2009-08-30 11:29 . 2009-08-30 11:29	--------	d-----w-	C:\cygwin
2009-08-30 11:22 . 2009-08-30 11:28	--------	d-----w-	c:\documents and settings\Roman\Application Data\Dev-Cpp
2009-08-30 11:22 . 2009-08-30 11:22	--------	d-----w-	C:\Dev-Cpp
2009-08-30 11:15 . 2009-08-30 11:15	--------	d-----w-	C:\Borland
2009-08-30 10:45 . 2009-08-30 11:15	--------	d-----w-	c:\documents and settings\Roman\Application Data\mIRC
2009-08-30 10:45 . 2009-08-30 10:46	--------	d-----w-	c:\program files\mIRC
2009-08-30 09:27 . 2009-08-30 09:27	--------	d-----w-	c:\program files\Microsoft SQL Server
2009-08-30 09:27 . 2009-08-30 09:27	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-08-30 09:26 . 2009-08-30 09:26	--------	d-----w-	c:\documents and settings\Roman\Local Settings\Application Data\Microsoft Help
2009-08-30 09:25 . 2009-08-30 09:25	--------	d-----w-	c:\program files\Microsoft.NET
2009-08-30 09:24 . 2009-08-30 09:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-30 09:24 . 2009-08-30 09:26	--------	d-----w-	c:\program files\Microsoft Visual Studio 9.0
2009-08-30 09:24 . 2009-08-30 09:25	--------	d-----w-	c:\program files\Common Files\Merge Modules
2009-08-30 09:23 . 2009-08-30 09:23	--------	d-----w-	c:\program files\Microsoft SDKs
2009-08-30 09:22 . 2009-08-30 09:22	125648	----a-w-	c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-30 09:22 . 2009-08-30 09:22	--------	d-----w-	c:\windows\system32\XPSViewer
2009-08-30 09:22 . 2009-08-30 09:22	--------	d-----w-	c:\program files\MSBuild
2009-08-30 09:22 . 2009-08-30 09:22	--------	d-----w-	c:\program files\Reference Assemblies
2009-08-30 09:22 . 2008-07-06 12:06	89088	-c----w-	c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-30 09:22 . 2008-07-06 12:06	575488	-c----w-	c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-30 09:22 . 2008-07-06 12:06	575488	------w-	c:\windows\system32\xpsshhdr.dll
2009-08-30 09:22 . 2008-07-06 12:06	117760	------w-	c:\windows\system32\prntvpt.dll
2009-08-30 09:22 . 2008-07-06 10:50	597504	-c----w-	c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-30 09:22 . 2008-07-06 12:06	1676288	-c----w-	c:\windows\system32\dllcache\xpssvcs.dll
2009-08-30 09:22 . 2008-07-06 12:06	1676288	------w-	c:\windows\system32\xpssvcs.dll
2009-08-30 08:58 . 2009-08-30 09:22	--------	d-----w-	c:\windows\system32\wbem\AutoRecover
2009-08-30 08:54 . 2008-04-14 11:42	1306624	-c--a-w-	c:\windows\system32\dllcache\msxml6.dll
2009-08-30 08:54 . 2008-04-14 11:42	1306624	------w-	c:\windows\system32\msxml6.dll
2009-08-30 08:54 . 2008-04-14 04:57	79872	-c--a-w-	c:\windows\system32\dllcache\msxml6r.dll
2009-08-30 08:54 . 2008-04-14 04:57	79872	------w-	c:\windows\system32\msxml6r.dll
2009-08-30 08:54 . 2007-06-26 17:30	22060	-c----w-	c:\windows\system32\dllcache\npds.zip
2009-08-30 08:54 . 2007-06-26 17:26	403	-c----w-	c:\windows\system32\dllcache\npdrmv2.zip
2009-08-30 08:52 . 2008-04-14 11:41	397312	-c--a-w-	c:\windows\system32\dllcache\fxstiff.dll
2009-08-30 08:48 . 2009-08-30 08:48	--------	d-----w-	c:\windows\EHome

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 20:01 . 2009-05-01 09:05	--------	d-----w-	c:\documents and settings\Roman\Application Data\Xfire
2009-09-28 09:27 . 2009-07-18 12:07	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-09-28 08:57 . 2009-05-01 10:55	--------	d-----w-	c:\documents and settings\Roman\Application Data\FrostWire
2009-09-28 06:20 . 2009-05-01 09:30	--------	d-----w-	c:\documents and settings\Roman\Application Data\uTorrent
2009-09-28 02:36 . 2009-05-01 09:45	139904	----a-w-	c:\windows\system32\drivers\PnkBstrK.sys
2009-09-28 02:36 . 2009-05-01 09:45	189744	----a-w-	c:\windows\system32\PnkBstrB.exe
2009-09-26 03:22 . 2009-05-01 09:05	--------	d-----w-	c:\program files\Xfire
2009-09-24 17:57 . 2009-06-26 05:52	--------	d-----w-	c:\program files\Common Files\DVDVideoSoft
2009-09-24 11:02 . 2009-08-17 11:32	--------	d-----w-	c:\program files\Flash4D v5 - Pro Edition
2009-09-24 06:30 . 2009-07-24 01:42	--------	d-----w-	c:\documents and settings\Roman\Application Data\HLSW
2009-09-23 10:48 . 2009-08-17 12:40	--------	d-----w-	c:\program files\Exterminate It!
2009-09-23 10:48 . 2009-07-10 15:01	--------	d-----w-	c:\program files\SUPERAntiSpyware
2009-09-23 10:20 . 2009-08-10 09:18	--------	d-----w-	c:\documents and settings\All Users\Application Data\SecTaskMan
2009-09-23 06:35 . 2009-05-01 09:57	--------	d-----w-	c:\program files\GlobalSCAPE
2009-09-21 11:48 . 2009-07-23 18:36	--------	d-----w-	c:\program files\Xara
2009-09-21 11:48 . 2009-08-13 14:04	--------	d-----w-	c:\program files\Workspace Macro 4.6
2009-09-21 11:46 . 2009-05-01 09:11	--------	d-----w-	c:\program files\Pando Networks
2009-09-21 11:46 . 2009-08-17 12:33	--------	d-----w-	c:\program files\KoolMoves
2009-09-21 11:46 . 2009-08-22 13:28	--------	d-----w-	c:\program files\Image-Line
2009-09-21 11:44 . 2009-08-17 11:38	--------	d-----w-	c:\program files\Flash Effect Maker
2009-09-21 11:43 . 2009-08-12 13:05	--------	d-----w-	c:\program files\NCH Software
2009-09-21 11:43 . 2009-08-12 13:05	--------	d-----w-	c:\documents and settings\Roman\Application Data\NCH Software
2009-09-21 11:42 . 2009-08-11 22:48	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\~0
2009-09-21 11:42 . 2009-08-11 23:00	--------	d-----w-	c:\program files\Blaze Media Pro
2009-09-21 11:34 . 2009-09-21 11:34	--------	d-----w-	c:\program files\Trojan Remover
2009-09-21 11:34 . 2009-09-21 11:34	--------	d-----w-	c:\documents and settings\Roman\Application Data\Simply Super Software
2009-09-21 11:34 . 2009-09-21 11:34	--------	d-----w-	c:\documents and settings\All Users\Application Data\Simply Super Software
2009-09-21 11:30 . 2009-08-10 09:18	--------	d-----w-	c:\program files\Security Task Manager
2009-09-15 00:27 . 2009-08-14 12:22	--------	d-----w-	c:\program files\Cheat Engine
2009-09-15 00:27 . 2009-07-27 08:57	--------	d-----w-	c:\program files\Spyware Doctor
2009-09-14 08:10 . 2009-05-01 07:52	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-09-10 22:49 . 2009-05-13 18:55	--------	d-----w-	c:\documents and settings\Roman\Application Data\TeamViewer
2009-09-10 02:19 . 2009-08-16 08:47	--------	d-----w-	c:\program files\X-ray Anti-Cheat
2009-09-04 20:24 . 2009-05-14 23:48	--------	d-----w-	c:\documents and settings\Roman\Application Data\Hamachi
2009-08-31 18:40 . 2009-07-01 00:21	--------	d-----w-	c:\documents and settings\Roman\Application Data\VoipBuster
2009-08-30 12:29 . 2009-08-22 13:30	--------	d-----w-	c:\program files\VstPlugins
2009-08-30 10:33 . 2009-05-01 11:05	55176	----a-w-	c:\documents and settings\Roman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 01:06 . 2009-05-14 07:16	--------	d-----w-	c:\program files\Common Files\Adobe
2009-08-29 15:35 . 2009-08-29 15:35	--------	d-----w-	c:\program files\HandBrake
2009-08-27 06:16 . 2009-08-27 06:16	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA
2009-08-26 04:39 . 2009-08-26 03:53	34	----a-w-	c:\documents and settings\Roman\jagex_runescape_preferences.dat
2009-08-25 06:32 . 2009-08-20 06:26	139152	----a-w-	c:\documents and settings\Roman\Application Data\PnkBstrK.sys
2009-08-25 06:32 . 2009-08-20 07:09	794408	----a-w-	c:\windows\system32\pbsvc.exe
2009-08-25 05:58 . 2009-08-25 05:58	--------	d-----w-	c:\program files\Alcohol Soft
2009-08-25 05:18 . 2009-08-25 05:18	721904	----a-w-	c:\windows\system32\drivers\sptd.sys
2009-08-25 02:07 . 2009-05-08 15:19	--------	d-----w-	c:\documents and settings\Roman\Application Data\Skype
2009-08-24 22:53 . 2009-05-07 12:56	--------	d-----w-	c:\documents and settings\Roman\Application Data\teamspeak2
2009-08-24 12:35 . 2009-08-24 12:35	--------	d-----w-	c:\documents and settings\Roman\Application Data\Sony Setup
2009-08-24 08:50 . 2009-08-24 08:50	--------	d-----w-	c:\documents and settings\Roman\Application Data\id Software
2009-08-24 08:50 . 2009-08-24 08:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\id Software
2009-08-22 13:29 . 2009-08-22 13:29	--------	d-----w-	c:\program files\Outsim
2009-08-22 07:06 . 2009-08-22 07:06	--------	d-----w-	c:\program files\AGEIA Technologies
2009-08-22 07:05 . 2009-05-01 09:33	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-08-22 07:05 . 2009-08-22 07:05	--------	d-----w-	c:\program files\NVIDIA Corporation
2009-08-22 07:05 . 2009-08-22 07:05	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-22 06:39 . 2009-08-22 06:39	--------	d-----w-	c:\program files\K-Lite Codec Pack
2009-08-22 06:09 . 2009-08-03 22:26	--------	d-----w-	c:\program files\SystemRequirementsLab
2009-08-22 06:09 . 2009-08-03 22:26	--------	d-----w-	c:\documents and settings\Roman\Application Data\SystemRequirementsLab
2009-08-21 06:00 . 2009-08-21 05:59	--------	d-----w-	c:\documents and settings\Roman\Application Data\PlaneShift
2009-08-21 05:59 . 2009-08-21 05:59	--------	d-----w-	c:\documents and settings\Roman\Application Data\CrystalSpace
2009-08-20 10:51 . 2009-08-20 10:51	--------	d-----w-	c:\documents and settings\Roman\Application Data\PE Explorer
2009-08-20 07:11 . 2009-05-01 09:44	75064	----a-w-	c:\windows\system32\PnkBstrA.exe
2009-08-18 12:47 . 2009-08-18 12:37	--------	d-----w-	c:\program files\Bus Simulator 2008 Demo
2009-08-18 07:21 . 2009-08-18 07:21	--------	d-----w-	c:\program files\CrossFire
2009-08-18 06:37 . 2009-08-18 06:07	--------	d-----w-	c:\program files\Install Creator Pro
2009-08-17 12:40 . 2009-08-17 12:40	--------	d-----w-	c:\program files\Eusing Free Registry Cleaner
2009-08-17 11:41 . 2009-08-16 16:26	--------	d-----w-	c:\program files\Common Files\SourceTec
2009-08-17 11:41 . 2009-08-16 16:26	--------	d-----w-	c:\program files\SourceTec
2009-08-17 11:32 . 2009-08-17 11:32	749568	----a-w-	c:\windows\system32\swfgen.dll
2009-08-17 11:32 . 2009-08-17 01:59	131584	----a-w-	c:\windows\system32\SpoonUninstall.exe
2009-08-17 09:04 . 2009-08-17 09:04	2173472	----a-w-	c:\windows\system32\nvcplui.exe
2009-08-17 09:04 . 2009-08-17 09:04	81920	----a-w-	c:\windows\system32\nvwddi.dll
2009-08-17 09:03 . 2009-08-17 09:03	3170304	----a-w-	c:\windows\system32\nvwss.dll
2009-08-17 09:03 . 2009-08-17 09:03	4026368	----a-w-	c:\windows\system32\nvvitvs.dll
2009-08-17 09:03 . 2009-08-17 09:03	188416	----a-w-	c:\windows\system32\nvmccss.dll
2009-08-17 09:03 . 2009-08-17 09:03	1286144	----a-w-	c:\windows\system32\nvmobls.dll
2009-08-17 09:03 . 2009-08-17 09:03	3547136	----a-w-	c:\windows\system32\nvgames.dll
2009-08-17 09:03 . 2009-08-17 09:03	4923392	----a-w-	c:\windows\system32\nvdisps.dll
2009-08-17 09:03 . 2009-08-17 09:03	86016	----a-w-	c:\windows\system32\nvmctray.dll
2009-08-17 09:03 . 2009-08-17 09:03	168004	----a-w-	c:\windows\system32\nvsvc32.exe
2009-08-17 09:03 . 2009-08-17 09:03	143360	----a-w-	c:\windows\system32\nvcolor.exe
2009-08-17 09:03 . 2009-08-17 09:03	13877248	----a-w-	c:\windows\system32\nvcpl.dll
2009-08-17 09:02 . 2009-08-17 09:02	229376	----a-w-	c:\windows\system32\nvmccs.dll
2009-08-17 06:57 . 2009-08-17 06:57	868352	----a-w-	c:\windows\system32\nvapi.dll
2009-08-17 06:57 . 2009-08-17 06:57	7729568	----a-w-	c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 06:57 . 2009-08-17 06:57	5845760	----a-w-	c:\windows\system32\nv4_disp.dll
2009-08-17 06:57 . 2009-08-17 06:57	2189856	----a-w-	c:\windows\system32\nvcuvid.dll
2009-08-17 06:57 . 2009-08-17 06:57	2002944	----a-w-	c:\windows\system32\nvcuda.dll
2009-08-17 06:57 . 2009-08-17 06:57	1706528	----a-w-	c:\windows\system32\nvcuvenc.dll
2009-08-17 06:57 . 2009-08-17 06:57	1597690	----a-w-	c:\windows\system32\nvdata.bin
2009-08-17 06:57 . 2009-08-17 06:57	155648	----a-w-	c:\windows\system32\nvcodins.dll
2009-08-17 06:57 . 2009-08-17 06:57	155648	----a-w-	c:\windows\system32\nvcod.dll
2009-08-17 06:57 . 2009-08-17 06:57	10457088	----a-w-	c:\windows\system32\nvoglnt.dll
2009-08-17 06:57 . 2009-05-01 08:56	485920	----a-w-	c:\windows\system32\nvudisp.exe
2009-08-16 17:51 . 2009-08-16 17:51	--------	d-----w-	c:\program files\TrendyFlash Site  Builder
2009-08-16 17:29 . 2009-07-10 14:39	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2009-08-15 08:28 . 2009-08-15 08:28	--------	d-----w-	c:\program files\FLV Player
2009-08-15 05:51 . 2009-08-15 05:45	43520	----a-w-	c:\windows\system32\CmdLineExt03.dll
2009-08-14 19:36 . 2009-08-14 19:36	70936	----a-w-	c:\windows\system32\PhysXLoader.dll
2009-08-14 10:20 . 2009-08-14 09:57	--------	d-----w-	c:\program files\ProxyFirewall
2008-12-17 21:59 . 2009-05-01 09:14	67688	----a-w-	c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-05-01 09:14	54368	----a-w-	c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-05-01 09:14	34944	----a-w-	c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-05-01 09:14	46712	----a-w-	c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-05-01 09:14	172136	----a-w-	c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02	1044480	----a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02	200704	----a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 09:06 . 2009-08-13 09:53	163328	--sh--r-	c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-13 09:53	31232	--sh--r-	c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2009-08-13 09:53	27648	--sh--w-	c:\windows\system32\Smab0.dll
2005-06-19 15:10 . 2005-06-19 15:10	581632	--sha-r-	c:\windows\system32\winlog.exe\plugin.dat
2005-11-09 14:15 . 2006-06-20 17:28	654061	--sha-r-	c:\windows\system32\winlog.exe\winlog.exe.exe.vir
2006-06-26 04:57 . 2006-06-26 04:57	581632	--sha-r-	c:\windows\system32\winlog.exe.vir\plugin.dat
2006-06-15 15:54 . 2006-06-15 15:54	654061	--sha-r-	c:\windows\system32\winlog.exe.vir\winlog.exe.exe
.

------- Sigcheck -------

[-] 2003-06-20 . BF3C8CF53C77B48206B39910B6D6CBCC . 49152 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
[-] 2003-06-20 . BF3C8CF53C77B48206B39910B6D6CBCC . 49152 . . [5.1.2600.1106] . . c:\windows\system32\eventlog.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-09-27_20.22.28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-28 20:05 . 2009-09-28 20:05	16384			  c:\windows\temp\Perflib_Perfdata_5ec.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Q3E Minimizer v1.40"="c:\documents and settings\Roman\Desktop\ROMAN\GAMES\Q3E Minimizer_v1.40.EXE" [2008-07-28 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2009-08-17 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-29 16859648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]

c:\documents and settings\Roman\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-14 113664]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-9-3 3111824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-7 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05	356352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 06:30	72208	----a-w-	c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"MSPY2002"=c:\windows\System32\IME\PINTLGNT\ImScInst.exe /SYNC
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"PHIME2002ASync"=c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe"
"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/27/2009 2:58 AM 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/20/2008 11:11 AM 33800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/20/2008 11:08 AM 472320]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [5/7/2009 2:59 AM 10384]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [7/31/2009 3:34 AM 42496]
S2 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [6/20/2003 6:00 AM 3584]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\Roman\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\Roman\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\System32\GameMon.des -service --> c:\windows\System32\GameMon.des -service [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/27/2009 2:57 AM 348752]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [6/6/2009 4:10 PM 23480]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Roman\Application Data\Mozilla\Firefox\Profiles\mek2hwce.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/|https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\System32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2580)
c:\program files\Xfire\xfire_toucan_39110.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-28 14:11 - machine was rebooted
ComboFix-quarantined-files.txt  2009-09-28 20:11
ComboFix2.txt  2009-09-27 20:27

Pre-Run: 42,404,974,592 bytes free
Post-Run: 42,439,294,976 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
362


Here's my Win32kDiag log:

Running from: C:\Documents and Settings\Roman\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Roman\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:49 AM

Posted 28 September 2009 - 07:16 PM

Do you have your Windows disc?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 etSNEAK
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:49 AM

Posted 28 September 2009 - 07:45 PM

No, sorry, I do not have an SP3 Windows CD. If I had one I would have inserted it when prompted to.

Here's my log:

Malwarebytes' Anti-Malware 1.41
Database version: 2869
Windows 5.1.2600 Service Pack 3

9/28/2009 7:42:54 PM
mbam-log-2009-09-28 (19-42-54).txt

Scan type: Quick Scan
Objects scanned: 115150
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{pq106536-va3u-08r5-3704-cfgif3q8l48n} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\odtexx86.dll (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvmccs32.dll (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.


#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:49 AM

Posted 29 September 2009 - 07:48 AM

How is your computer behaving now? What issues are you still having?


Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\windows\system32\eventlog.dll


  • Click on the button shown in the image.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html


========================================================

#9 etSNEAK
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:49 AM

Posted 29 September 2009 - 02:32 PM

Well, things seem to run a little bit better now, like how they used to... faster and stuff. And when I had this problem originally my uTorrent port warning had a yellow shield instead of a green check. Sometimes even the red question mark. I checked many times in the IPCop configuration if it was set up properly and tried using different ports and re-adding the port forward into the list and using BitTorrent instead of uTorrent... nothing seemed to work. Last night I had a green check again on BitTorrent. So I'm not really sure if it's cleaned, but when I scanned again with MBAM it detected the same stuff.


Oh yeah, and on torrents, if I were to enable the program and start downloading something, even if only downloading at 10 kB/sec, my internet pages would load very slow and I could not load Hulu Desktop because it would keep trying to re-load the progress bar, checking for updates and stuff. Before, I could download at 500-700 kB/sec and pages would load fine. I left it on overnight 2 nights ago and downloaded two files about 6GB each and it only gained about 30%. Last night it was on about 45% and when I woke up today the file was done. So I'm guessing that problem is solved.
My eventlog.dll

http://virusscan.jotti.org/en/scanresult/5...425a9ca2c026e35

Edited by etSNEAK, 29 September 2009 - 02:35 PM.


#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:49 AM

Posted 30 September 2009 - 08:00 AM

It's the position of this board, myself, and many in the malware fighting community that the use of file sharing programs actually contributes to the spread of malware. And so they aren't recommended or supported in any way. It does appear that your malware issue is resolved, so I'll post some final steps for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(


========================================================

#11 etSNEAK
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:49 AM

Posted 01 October 2009 - 12:58 AM

As stated in my previous replies I use IPCop. It is a Unix-based dedicated firewall router. What you did not know is I use NOD32 and it auto-updates all the time. Thank you very much for your suggestions but I'd prefer not to run more than 1 anti-virus application at once :/

Also, I'm sure you have your own moral beliefs on torrents and that is probably a major reason you suggested I not use them, which is np, we can all have our opinion ^^, but I do know what I am doing, I was just tired one day screwing with something else... and this happened ^^. I'm not one of those dumbasses who calls a keygen a virus ^^.

Thank you so much for all your assistance. I know you are a very busy forum; I'm so thankful you were here to help me.

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:49 AM

Posted 01 October 2009 - 07:23 AM

Just to be clear, I don't recommend ever running more than one antivirus. You have NOD32, which is excellent, but I do recommend adding Spybot, Malwarebytes, and SpywareBlaster. None of those is an antivirus program and each brings its own strengths in protection. Collectively, along with an antivirus and a firewall, they offer layered protection.


========================================================

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:49 AM

Posted 17 October 2009 - 07:08 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================