
Browser Hijack - Cannot Remove


13 replies to this topic

#1 Dex36

  • Members
  • 8 posts

Posted 18 December 2009 - 07:34 AM

Hi everyone,

I'm having some trouble with my browsers, both Firefox and IE. I am not willing to download another browser.
Every time I click a link in a search engine, I am taken to a random webpage like http://www.newserversearch.com/?q=bleeping+computer. This only happens on my first page of results, and not on every link. It seems to be random.
I have tried doing scans and cleans with IObit Security, Advanced SystemCare, AVG Anti-Virus, CCleaner, Malwarebytes Anti-Malware, and about 7 others that I can't remember the names of because I uninstalled them when they didn't work.
I also tried disabling System Restore, restarting in Safe Mode, running all of the scans again, and restarting; this also did nothing.
There is nothing unusual in my processes or tasks.

In previous scans I have done, there were some registry keys & trojans found and deleted. Before this, I was also getting about 150 random pop ups in internet explorer (I never use IE) but this stopped after the first few scans. The Hijack does not seem to be resolved completely though, as the problem above is still occurring.

Here are my logs:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Dex at 23:13:45.14 on Fri 12/18/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.489 [GMT 11:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Dex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [GEST] "c:\program files\gigabyte\gest\run.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251724714156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dex\applic~1\mozilla\firefox\profiles\g43zdvov.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-31 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-31 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-31 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-31 108552]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-31 297752]
S4 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\GSvr.exe [2009-8-31 47624]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-8-31 312592]
S4 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S4 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-29 275968]

=============== Created Last 30 ================

2009-12-18 10:26:11 0 d-----w- c:\program files\Trend Micro
2009-12-18 08:17:48 0 d-----w- c:\program files\AutoGK
2009-12-18 08:09:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-12-18 08:09:43 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-12-18 08:07:42 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-12-18 08:07:42 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-12-18 08:07:42 465920 ------w- c:\windows\system32\imapi2fs.dll
2009-12-18 08:07:42 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-12-18 08:07:42 317952 ------w- c:\windows\system32\imapi2.dll
2009-12-18 06:16:01 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-12-18 05:52:12 0 d-----w- c:\program files\SEGA
2009-12-18 04:59:00 0 d-----w- c:\program files\TVersity
2009-12-16 07:01:50 0 d-----w- c:\docume~1\dex\applic~1\AVG8
2009-12-14 11:08:53 0 d-----w- C:\CxDTemp
2009-12-14 11:05:26 132096 --sha-r- c:\windows\system32\ativvaxxh.dll
2009-12-14 10:55:45 87608 ----a-w- c:\docume~1\dex\applic~1\inst.exe
2009-12-14 10:55:45 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-14 10:55:45 47360 ----a-w- c:\docume~1\dex\applic~1\pcouffin.sys
2009-12-14 10:55:43 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-12-14 10:55:43 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-12-14 10:55:43 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-12-14 10:55:36 0 d-----w- c:\program files\VSO
2009-12-14 10:33:01 0 d-----w- c:\docume~1\dex\applic~1\DVD Flick
2009-12-14 10:32:28 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2009-12-14 10:32:28 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2009-12-14 10:32:27 662288 ----a-w- c:\windows\system32\mscomct2.ocx
2009-12-14 10:32:27 609824 ----a-w- c:\windows\system32\comctl32.ocx
2009-12-14 10:32:27 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2009-12-14 10:32:27 164144 ----a-w- c:\windows\system32\comct232.ocx
2009-12-14 10:32:26 212240 ----a-w- c:\windows\system32\richtx32.ocx
2009-12-14 10:32:26 0 d-----w- c:\program files\DVD Flick
2009-12-12 23:08:37 0 d-----w- c:\program files\common files\PCSuite
2009-12-12 23:08:32 0 d-----w- c:\program files\common files\Nokia
2009-12-12 23:07:32 0 d-----w- c:\program files\PC Connectivity Solution

==================== Find3M ====================

2009-12-18 11:44:14 16608 ----a-w- c:\windows\gdrv.sys
2009-12-03 05:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 05:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-06 00:52:36 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-09-25 06:45:30 26260 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 23:14:35.03 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/18 23:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: mquygji.sys
Image Path: mquygji.sys
Address: 0xF7610000 Size: 54016 File Visible: No Signed: -
Status: -

Name: PCI_PNP8360
Image Path: \Driver\PCI_PNP8360
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB64E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sppi.sys
Image Path: sppi.sys
Address: 0xF740E000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sppi.sys" at address 0xf740f0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sppi.sys" at address 0xf742dca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sppi.sys" at address 0xf742e032

#: 119 Function Name: NtOpenKey
Status: Hooked by "sppi.sys" at address 0xf740f0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sppi.sys" at address 0xf742e10a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sppi.sys" at address 0xf742df8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sppi.sys" at address 0xf742e19c

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86d611f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x86fd81f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x86cb41f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x86cb41f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86cb41f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86cb41f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x86cb41f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86cb41f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x86cb41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x86f681f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x865dd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x865dd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865dd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865dd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x865dd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x865dd1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86d7d470 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86d7d470 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d7d470 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d7d470 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86d7d470 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d7d470 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86d7d470 Size: 121

Object: Hidden Code [Driver: a5uxko3jЅ扏煓Ёం扏济E:, IRP_MJ_CREATE]
Process: System Address: 0x86c801f8 Size: 121

Object: Hidden Code [Driver: a5uxko3jЅ扏煓Ёం扏济E:, IRP_MJ_CLOSE]
Process: System Address: 0x86c801f8 Size: 121

Object: Hidden Code [Driver: a5uxko3jЅ扏煓Ёం扏济E:, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86c801f8 Size: 121

Object: Hidden Code [Driver: a5uxko3jЅ扏煓Ёం扏济E:, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86c801f8 Size: 121

Object: Hidden Code [Driver: a5uxko3jЅ扏煓Ёం扏济E:, IRP_MJ_POWER]
Process: System Address: 0x86c801f8 Size: 121

Object: Hidden Code [Driver: a5uxko3jЅ扏煓Ёం扏济E:, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86c801f8 Size: 121

Object: Hidden Code [Driver: a5uxko3jЅ扏煓Ёం扏济E:, IRP_MJ_PNP]
Process: System Address: 0x86c801f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x865ca1f8 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_CREATE]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_CLOSE]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_READ]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_CLEANUP]
Process: System Address: 0x86585500 Size: 121

Object: Hidden Code [Driver: SCSI#CdR, IRP_MJ_PNP]
Process: System Address: 0x86585500 Size: 121

==EOF==


Please help!
I really don't want to reformat again.

Thanks!
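The RootRepeal report above is long because every IRP major function of every hooked driver object gets its own entry. The points a helper actually reads out of it are: which kernel modules hook the SSDT, which of those modules have no visible file on disk, and which driver objects carry hidden code in their dispatch tables. The script below is an added example for this thread (not BleepingComputer's or RootRepeal's own code) that pulls exactly those facts out of the report; SAMPLE_REPORT is an excerpt of the log posted above, trimmed to a few entries. Treat the output as triage, not a verdict: rootrepeal.sys is the scanner's own driver and is expected to be invisible, and disk-emulation software such as SPTD (used by DAEMON Tools and Alcohol 120%, both of which appear in the DDS log) also hooks registry functions and IRP handlers.

```python
"""Summarise a RootRepeal report: SSDT hooks per module, drivers with no
visible file on disk, and driver objects with hidden IRP dispatch code.

Added example for this forum thread; not a RootRepeal or BleepingComputer tool.
SAMPLE_REPORT is an excerpt of the log posted in the thread, trimmed to a few
entries; section titles and field names are the ones RootRepeal prints.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """Drivers
-------------------
Name: mquygji.sys
Image Path: mquygji.sys
Address: 0xF7610000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xAB64E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sppi.sys
Image Path: sppi.sys
Address: 0xF740E000 Size: 1052672 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sppi.sys" at address 0xf740f0e0

#: 119 Function Name: NtOpenKey
Status: Hooked by "sppi.sys" at address 0xf740f0c0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86fd61f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86d611f8 Size: 121

==EOF==
"""

# A section heading is a line of letters/spaces followed by a line of dashes.
HEADING_RE = re.compile(r"^([A-Za-z][A-Za-z ]*)\n-{5,}\n", re.M)
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)")
SSDT_RE = re.compile(
    r"#: (?P<index>\d+) Function Name: (?P<func>\w+)\n"
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,]+), (?P<irp>IRP_MJ_\w+)\]\n"
    r"Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)")


def split_sections(report):
    """Map each RootRepeal section title ('Drivers', 'SSDT', ...) to its body text."""
    parts = HEADING_RE.split(report)          # [preamble, title1, body1, title2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def parse_report(report):
    """Return (drivers, ssdt_hooks, stealth_objects) as lists of dicts."""
    secs = split_sections(report)
    drivers = [m.groupdict() for m in DRIVER_RE.finditer(secs.get("Drivers", ""))]
    ssdt = [m.groupdict() for m in SSDT_RE.finditer(secs.get("SSDT", ""))]
    stealth = [m.groupdict() for m in STEALTH_RE.finditer(secs.get("Stealth Objects", ""))]
    return drivers, ssdt, stealth


def summarise(report):
    """Condense the report into the few facts a helper looks for."""
    drivers, ssdt, stealth = parse_report(report)
    # Loaded drivers RootRepeal could not find on disk. The scanner's own
    # rootrepeal.sys belongs here; anything else needs an explanation.
    hidden_drivers = [d["name"] for d in drivers if d["visible"] == "No"]
    hooks_by_module = defaultdict(list)
    for h in ssdt:
        hooks_by_module[h["module"]].append(h["func"])
    irp_by_driver = defaultdict(set)
    for s in stealth:
        irp_by_driver[s["driver"]].add(s["irp"])
    # A module that hooks the SSDT and has no visible file is the pattern a
    # rootkit hiding its own image produces; legitimate hookers can match too.
    suspicious = sorted(m for m in hooks_by_module if m in hidden_drivers)
    return {
        "hidden_drivers": hidden_drivers,
        "ssdt_hooks": {m: sorted(f) for m, f in hooks_by_module.items()},
        "irp_hooks": {d: sorted(i) for d, i in irp_by_driver.items()},
        "hooking_modules_without_file": suspicious,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it against a full RootRepeal log by reading the saved report into a string in place of SAMPLE_REPORT; the "hooking_modules_without_file" list is the first thing to cross-check against the DDS driver list and the installed disk-emulation software before calling anything a rootkit.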

#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 18 December 2009 - 08:40 AM

Hello, my name is fenzodahl512 and welcome to the forum.. Please do the following....


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP if you can't complete this step, and tell me more about it.



NEXT


Please download OTL by OldTimer and save it to your desktop.

Under the Custom Scans/Fixes box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

Don't change any settings. Just click on the Run Scan button and let it scan until it finishes.

Then a log will pop up on your Desktop. Post the content of the log here.



NEXT


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a prompt window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save... button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Post me these logs in your next reply.. Post each log in separate post..

1. OTL
2. GMER

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
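The /md5start ... /md5stop block in the OTL script above makes OTL print the MD5 of each listed file so the helper can compare it with a known-good copy; the list concentrates on boot and storage drivers, which are common targets for file-patching rootkits. The script below is an added example for this thread (not OTL's or BleepingComputer's code) that does the comparison mechanically: it pulls the file list out of the script text, hashes whatever it finds under a given system root, and classifies each entry against a baseline. SCRIPT_EXCERPT is the start of the custom scan posted above; the baseline digests and the files written into the temporary directory are constructed for the demonstration and are not hashes of real Windows files. A mismatch means "not the copy you expected", which can be a hotfix as easily as a patch, so the baseline must come from the same Windows build and patch level.

```python
"""Extract the /md5start list from an OTL custom scan, hash the files under
a system root, and compare them with a baseline of known-good digests.

Added example for this forum thread; not OTL's own code. SCRIPT_EXCERPT is
the start of the custom scan posted in the thread. The baseline and the
temporary file tree are constructed for the demonstration and are NOT real
Windows file hashes. MD5 is used only because that is what OTL prints.
"""
import hashlib
import os
import tempfile

SCRIPT_EXCERPT = """netsvcs
%SYSTEMDRIVE%\\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
iaStor.sys
atapi.sys
/md5stop
%systemroot%\\*. /mp /s
CREATERESTOREPOINT
"""

# Where OTL-style driver/DLL lookups are expected on an XP system root.
SEARCH_DIRS = ("system32", os.path.join("system32", "drivers"),
               os.path.join("system32", "dllcache"))


def md5_targets(script):
    """Return the file names listed between /md5start and /md5stop."""
    names, inside = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names


def locate(root, name):
    """Find a file under the usual locations, case-insensitively (NTFS is)."""
    for sub in SEARCH_DIRS:
        directory = os.path.join(root, sub)
        if not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    return None


def md5_of(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(root, script, baseline):
    """Classify every listed file: ok / MISMATCH / no baseline / absent."""
    report = {}
    for name in md5_targets(script):
        path = locate(root, name)
        if path is None:
            report[name] = "absent"        # normal for vendor drivers never installed
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            report[name] = "no baseline"   # present, but nothing to compare against
        elif md5_of(path) == expected:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"      # patched, replaced, or a different build
    return report


def build_demo_tree():
    """Create a throw-away fake %SystemRoot% with constructed file contents."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    drivers = os.path.join(root, "system32", "drivers")
    os.makedirs(drivers)
    files = {
        os.path.join(root, "system32", "eventlog.dll"): b"constructed eventlog.dll\n",
        os.path.join(root, "system32", "scecli.dll"): b"constructed scecli.dll\n",
        os.path.join(drivers, "atapi.sys"): b"constructed atapi.sys, tampered\n",
        os.path.join(drivers, "iastor.sys"): b"constructed iaStor.sys\n",
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    # Baseline = digests of the clean (constructed) copies; atapi.sys on "disk"
    # differs from its baseline, iaStor.sys has no baseline entry at all.
    baseline = {
        "eventlog.dll": hashlib.md5(b"constructed eventlog.dll\n").hexdigest(),
        "scecli.dll": hashlib.md5(b"constructed scecli.dll\n").hexdigest(),
        "atapi.sys": hashlib.md5(b"constructed atapi.sys\n").hexdigest(),
    }
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    for name, status in check_drivers(demo_root, SCRIPT_EXCERPT, demo_baseline).items():
        print(f"{name:14} {status}")
```

On a real machine, point root at the Windows directory of the suspect install (mounted offline if the rootkit is active, since a live system can serve a clean copy of a patched file to the reader) and fill the baseline from a known-clean machine at the same patch level.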


#3 Dex36

  • Topic Starter
  • Members
  • 8 posts

Posted 22 December 2009 - 06:32 AM

Hi,
The Comedian failed.
When I opened it, it hung on the desktop for a minute or so, and then gave me "The_Comedian.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

The Error signature is:
AppName: the_comedian.exe AppVer: 0.0.0.0 ModName: unknown
ModVer: 0.0.0.0 Offset: 00000000


How should I proceed?

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 22 December 2009 - 07:12 AM

OK, let's do this one first, then proceed with the OTL and GMER steps.


Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instructions on how to back up the registry via ERUNT, please visit HERE


After that, please create a Restore Point via System Restore.. Here's the link on how to do it..

http://www.bleepingcomputer.com/tutorials/...l56.html#manual

After you successfully do these steps, please proceed with the next step as per above :(



#5 Dex36
  • Topic Starter
  • Members
  • 8 posts

Posted 07 January 2010 - 01:50 AM

OTL Results:

OTL logfile created on: 1/7/2010 5:39:21 PM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\Dex\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 297.00 Mb Available Physical Memory | 29.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 372.58 Gb Free Space | 79.99% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 34.43 Gb Free Space | 14.79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MANDAPC
Current User Name: Dex
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/06 20:15:19 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/22 22:28:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dex\Desktop\OTL.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/09/04 13:16:54 | 05,893,360 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Zune\ZuneNss.exe
PRC - [2009/09/04 13:16:54 | 00,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/09/04 13:16:54 | 00,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/08/31 16:34:11 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/28 20:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/17 22:54:54 | 12,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/14 11:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/14 20:39:06 | 00,281,096 | ---- | M] () -- C:\Program Files\GIGABYTE\GEST\gest.exe


========== Modules (SafeList) ==========

MOD - [2009/12/22 22:28:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dex\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (MyWebSearchService)
SRV - [2009/11/14 11:51:22 | 00,312,592 | ---- | M] (IObit) [Disabled | Stopped] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/27 09:26:36 | 00,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/09/04 13:17:00 | 00,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2009/09/04 13:16:54 | 05,893,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/09/04 13:16:54 | 00,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2009/08/31 21:05:31 | 00,072,704 | ---- | M] (Adobe Systems) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009/08/31 16:34:10 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/08/28 20:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/25 06:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Disabled | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/03/30 17:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 02:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/09/11 13:07:50 | 00,581,632 | ---- | M] (ATI Technologies Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2008/09/10 22:05:00 | 00,593,920 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2007/12/14 12:46:28 | 00,047,624 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\GIGABYTE\GEST\GSvr.exe -- (GEST Service)
SRV - [2007/05/29 03:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) [Disabled | Stopped] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2010/01/07 10:16:36 | 00,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/12/14 21:55:45 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2009/09/02 00:28:46 | 00,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2009/08/31 22:50:15 | 00,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/08/31 16:34:21 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/08/31 16:34:21 | 00,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2009/08/31 16:34:13 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/31 16:34:12 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/08/28 20:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/07/09 12:24:04 | 00,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2009/05/18 15:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/09/11 14:08:10 | 03,331,072 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/08/26 09:26:12 | 00,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/07/03 06:38:14 | 00,089,600 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/04/14 03:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 03:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/10/11 12:10:52 | 00,030,008 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2007/09/29 16:30:52 | 00,065,024 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2007/09/20 00:44:46 | 00,101,504 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/07/27 23:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2007/04/26 19:33:52 | 01,482,048 | R--- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmuda3.sys -- (cmuda3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "DAEMON Search"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: en-AU@dictionaries.addons.mozilla.org:2.1.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.723
FF - prefs.js..extensions.enabledItems: Office2007Black@JBBS:1.4.4


FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/12/13 10:08:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/17 15:09:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 20:15:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 20:15:22 | 00,000,000 | ---D | M]

[2009/08/31 17:01:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dex\Application Data\Mozilla\Extensions
[2010/01/06 18:39:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dex\Application Data\Mozilla\Firefox\Profiles\g43zdvov.default\extensions
[2009/08/31 21:53:53 | 00,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Dex\Application Data\Mozilla\Firefox\Profiles\g43zdvov.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/08/31 21:57:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dex\Application Data\Mozilla\Firefox\Profiles\g43zdvov.default\extensions\en-AU@dictionaries.addons.mozilla.org
[2009/12/17 17:40:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dex\Application Data\Mozilla\Firefox\Profiles\g43zdvov.default\extensions\Office2007Black@JBBS
[2009/08/31 22:52:38 | 00,002,399 | ---- | M] () -- C:\Documents and Settings\Dex\Application Data\Mozilla\Firefox\Profiles\g43zdvov.default\searchplugins\daemon-search.xml
[2010/01/06 18:39:38 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe (Gigabyte Technology Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CmPCIaudio] File not found
O4 - HKLM..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\run.exe ()
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 8 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} http://www.turntool.com/ViewerInstall.exe (Reg Error: Value error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1251724714156 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/31 15:38:24 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5cf2780a-99ca-11de-8ba0-001d7d0176b8}\Shell - "" = AutoRun
O33 - MountPoints2\{5cf2780a-99ca-11de-8ba0-001d7d0176b8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5cf2780a-99ca-11de-8ba0-001d7d0176b8}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{b676d000-cf1b-11de-8bf9-001d7d0176b8}\Shell\AutoRun\command - "" = G:\WD_Windows_Tools\Setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/08/31 15:38:03 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/07 17:36:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/07 17:36:35 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/06 18:52:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\My Documents\__MACOSX
[2010/01/05 18:09:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Desktop\Chinese Lessons
[2009/12/26 21:45:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/26 01:02:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Desktop\Family Guy
[2009/12/25 21:46:17 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/12/23 09:00:54 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/12/23 08:58:04 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/23 08:56:01 | 00,000,000 | ---D | C] -- C:\Program Files\Safari
[2009/12/22 22:27:59 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dex\Desktop\OTL.exe
[2009/12/19 12:41:32 | 00,000,000 | ---D | C] -- C:\Program Files\RAR Password Recovery Magic
[2009/12/19 12:33:45 | 00,000,000 | ---D | C] -- C:\Program Files\RAR Password Cracker
[2009/12/18 21:26:11 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/18 19:17:48 | 00,000,000 | ---D | C] -- C:\Program Files\AutoGK
[2009/12/18 19:08:53 | 00,000,000 | ---D | C] -- C:\Program Files\Zune
[2009/12/18 19:07:42 | 00,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2fs.dll
[2009/12/18 19:07:42 | 00,465,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2fs.dll
[2009/12/18 19:07:42 | 00,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2.dll
[2009/12/18 19:07:42 | 00,317,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imapi2.dll
[2009/12/18 19:07:42 | 00,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2009/12/18 18:58:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Application Data\vlc
[2009/12/18 17:16:39 | 00,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2009/12/18 17:16:38 | 00,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2009/12/18 17:16:18 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2009/12/18 17:16:17 | 00,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2009/12/18 17:16:17 | 00,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2009/12/18 17:16:15 | 02,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2009/12/18 17:16:04 | 02,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2009/12/18 17:16:03 | 00,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2009/12/18 17:16:02 | 02,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2009/12/18 17:16:01 | 02,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2009/12/18 17:15:59 | 02,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2009/12/18 17:15:52 | 02,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2009/12/18 16:52:12 | 00,000,000 | ---D | C] -- C:\Program Files\SEGA
[2009/12/18 16:19:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/18 15:59:00 | 00,000,000 | ---D | C] -- C:\Program Files\TVersity
[2009/12/18 13:00:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/18 12:59:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\My Documents\Simply Super Software
[2009/12/17 13:57:31 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/17 13:57:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/17 13:47:01 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Dex\Recent
[2009/12/16 18:01:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Application Data\AVG8
[2009/12/14 22:08:53 | 00,000,000 | ---D | C] -- C:\CxDTemp
[2009/12/14 21:55:45 | 00,047,360 | ---- | C] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
[2009/12/14 21:55:45 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Dex\Application Data\pcouffin.sys
[2009/12/14 21:55:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Application Data\Vso
[2009/12/14 21:55:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\My Documents\PcSetup
[2009/12/14 21:55:43 | 00,273,408 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Pncrt.dll
[2009/12/14 21:55:43 | 00,217,127 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drv43260.dll
[2009/12/14 21:55:43 | 00,208,935 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drv33260.dll
[2009/12/14 21:55:43 | 00,176,165 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drv23260.dll
[2009/12/14 21:55:36 | 00,000,000 | ---D | C] -- C:\Program Files\VSO
[2009/12/14 21:34:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\My Documents\DVDs
[2009/12/14 21:33:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Application Data\DVD Flick
[2009/12/14 21:32:28 | 00,040,960 | ---- | C] (vbAccelerator) -- C:\WINDOWS\System32\ssubtmr6.dll
[2009/12/14 21:32:28 | 00,036,864 | ---- | C] (Robdogg Inc.) -- C:\WINDOWS\System32\trayicon_handler.ocx
[2009/12/14 21:32:27 | 00,662,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mscomct2.ocx
[2009/12/14 21:32:27 | 00,609,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comctl32.ocx
[2009/12/14 21:32:27 | 00,164,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comct232.ocx
[2009/12/14 21:32:27 | 00,028,672 | ---- | C] (-) -- C:\WINDOWS\System32\mousewheel.ocx
[2009/12/14 21:32:26 | 00,212,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\richtx32.ocx
[2009/12/14 21:32:26 | 00,000,000 | ---D | C] -- C:\Program Files\DVD Flick
[2009/12/13 10:08:37 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PCSuite
[2009/12/13 10:08:32 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2009/12/13 10:07:32 | 00,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2009/12/12 16:05:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Desktop\Ebay
[2009/12/09 16:30:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dex\Local Settings\Application Data\BingoCafe
[2009/09/01 14:46:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/07 17:36:41 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\NTREGOPT.lnk
[2010/01/07 17:36:40 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\ERUNT.lnk
[2010/01/07 10:16:36 | 00,016,608 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2010/01/07 10:16:33 | 00,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\xqlrzti.job
[2010/01/07 10:16:33 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/07 10:16:32 | 00,013,754 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/07 10:16:31 | 00,054,376 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2010/01/07 10:16:31 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/07 00:14:22 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Dex\NTUSER.DAT
[2010/01/07 00:14:22 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Dex\ntuser.ini
[2010/01/07 00:14:16 | 07,564,754 | -H-- | M] () -- C:\Documents and Settings\Dex\Local Settings\Application Data\IconCache.db
[2010/01/06 21:04:14 | 00,006,656 | ---- | M] () -- C:\Documents and Settings\Dex\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/06 18:51:12 | 01,427,126 | ---- | M] () -- C:\Documents and Settings\Dex\My Documents\File Juicer 4.8.3 (Universal Cracked + SN).dmg
[2010/01/05 13:20:10 | 00,163,304 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\cdb86692c179bcc0687fb00995a52aa20c2ef39940687212f235e2332391f0544492c916cd35dbd2abd20e72079b2b1ca0485219956c60eda016077f3901a34fcecdd3fe98cc2264b3931829c06b69c792164a34.pdf
[2010/01/05 13:19:17 | 00,148,148 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\ceb96797c57abcc0687fb30a95a52ea90d22f69442697517f134e5352596f2574593c91ecf36d7d2a9d403770b9a2018a64a5215966e63efa71001783802a648cfcfd0fd98cc2264b3931c2ac16e6ac692164a34.pdf
[2010/01/04 14:11:57 | 00,000,380 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/01/01 23:55:27 | 00,033,124 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\zukoseasontwogw5.jpg
[2009/12/30 01:40:25 | 00,093,968 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\Nathan-nathan-fillion-273057_1024_819.jpg
[2009/12/26 20:59:33 | 00,013,418 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\dooze & me.JPG
[2009/12/26 20:58:11 | 00,070,031 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\18139_218830047908_501832908_3128035_5489429_n.jpg
[2009/12/23 21:43:15 | 00,050,573 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\15845_210355552908_501832908_3087184_5353371_n.jpg
[2009/12/23 09:01:27 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/23 08:56:07 | 00,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/22 22:29:43 | 00,794,112 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\The_Comedian.exe
[2009/12/22 22:28:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dex\Desktop\OTL.exe
[2009/12/19 12:41:34 | 00,000,735 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\RAR Password Recovery Magic.lnk
[2009/12/18 22:13:12 | 00,000,693 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/18 22:13:12 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/18 22:13:12 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/12/18 21:26:14 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\HijackThis.lnk
[2009/12/18 20:05:56 | 00,000,587 | ---- | M] () -- C:\Documents and Settings\Dex\Application Data\AutoGK.ini
[2009/12/18 19:09:45 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2009/12/18 19:09:43 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/18 19:09:43 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2009/12/18 19:09:07 | 00,000,628 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2009/12/18 18:50:53 | 00,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2009/12/18 17:20:30 | 00,945,132 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\jake_sully__neytiri_in_avatar-wide.jpg
[2009/12/18 17:15:26 | 00,001,759 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War.lnk
[2009/12/18 17:11:03 | 00,255,283 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\avatar01.jpg
[2009/12/18 17:10:59 | 00,504,434 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\Avatar-Game-Wallpapers.jpg
[2009/12/18 15:29:59 | 46,769,659 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/18 15:29:59 | 00,127,269 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/17 14:17:56 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/12/17 13:58:21 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 8.5.lnk
[2009/12/17 13:48:55 | 00,000,572 | ---- | M] () -- C:\Documents and Settings\Dex\My Documents\cc_20091217_134850.reg
[2009/12/16 17:55:16 | 00,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2009/12/14 23:54:26 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/14 22:05:26 | 00,132,096 | RHS- | M] () -- C:\WINDOWS\System32\ativvaxxh.dll
[2009/12/14 21:55:45 | 00,087,608 | ---- | M] () -- C:\Documents and Settings\Dex\Application Data\inst.exe
[2009/12/14 21:55:45 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
[2009/12/14 21:55:45 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Dex\Application Data\pcouffin.sys
[2009/12/14 21:55:45 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\Dex\Application Data\pcouffin.cat
[2009/12/14 21:55:45 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\Dex\Application Data\pcouffin.inf
[2009/12/14 21:55:43 | 00,000,810 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\ConvertXtoDvd.lnk
[2009/12/12 14:51:04 | 00,554,670 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/12 14:51:04 | 00,464,632 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/12 14:51:04 | 00,078,900 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/09 22:36:39 | 00,006,931 | ---- | M] () -- C:\Documents and Settings\Dex\My Documents\rc_button2.gif
[2009/12/09 22:32:34 | 00,004,213 | ---- | M] () -- C:\Documents and Settings\Dex\My Documents\rcLogo.gif
[2009/12/09 16:31:57 | 00,000,915 | ---- | M] () -- C:\Documents and Settings\Dex\Desktop\BingoCafe.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/07 17:36:41 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\NTREGOPT.lnk
[2010/01/07 17:36:40 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\ERUNT.lnk
[2010/01/06 18:51:12 | 01,427,126 | ---- | C] () -- C:\Documents and Settings\Dex\My Documents\File Juicer 4.8.3 (Universal Cracked + SN).dmg
[2010/01/05 13:20:10 | 00,163,304 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\cdb86692c179bcc0687fb00995a52aa20c2ef39940687212f235e2332391f0544492c916cd35dbd2abd20e72079b2b1ca0485219956c60eda016077f3901a34fcecdd3fe98cc2264b3931829c06b69c792164a34.pdf
[2010/01/05 13:19:17 | 00,148,148 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\ceb96797c57abcc0687fb30a95a52ea90d22f69442697517f134e5352596f2574593c91ecf36d7d2a9d403770b9a2018a64a5215966e63efa71001783802a648cfcfd0fd98cc2264b3931c2ac16e6ac692164a34.pdf
[2010/01/01 23:55:26 | 00,033,124 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\zukoseasontwogw5.jpg
[2009/12/30 01:40:24 | 00,093,968 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\Nathan-nathan-fillion-273057_1024_819.jpg
[2009/12/26 20:59:33 | 00,013,418 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\dooze & me.JPG
[2009/12/26 20:58:09 | 00,070,031 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\18139_218830047908_501832908_3128035_5489429_n.jpg
[2009/12/23 21:43:15 | 00,050,573 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\15845_210355552908_501832908_3087184_5353371_n.jpg
[2009/12/23 09:01:27 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/23 08:56:07 | 00,001,854 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/22 22:27:13 | 00,794,112 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\The_Comedian.exe
[2009/12/19 12:41:34 | 00,000,735 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\RAR Password Recovery Magic.lnk
[2009/12/18 21:26:14 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\HijackThis.lnk
[2009/12/18 20:05:56 | 00,000,587 | ---- | C] () -- C:\Documents and Settings\Dex\Application Data\AutoGK.ini
[2009/12/18 19:09:45 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2009/12/18 19:09:43 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2009/12/18 19:09:07 | 00,000,628 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2009/12/18 19:08:16 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/12/18 18:50:53 | 00,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2009/12/18 17:17:41 | 00,945,132 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\jake_sully__neytiri_in_avatar-wide.jpg
[2009/12/18 17:15:26 | 00,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War.lnk
[2009/12/18 17:11:02 | 00,255,283 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\avatar01.jpg
[2009/12/18 17:10:56 | 00,504,434 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\Avatar-Game-Wallpapers.jpg
[2009/12/17 13:58:21 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 8.5.lnk
[2009/12/17 13:48:52 | 00,000,572 | ---- | C] () -- C:\Documents and Settings\Dex\My Documents\cc_20091217_134850.reg
[2009/12/16 17:55:16 | 00,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2009/12/14 22:05:27 | 00,000,304 | -HS- | C] () -- C:\WINDOWS\tasks\xqlrzti.job
[2009/12/14 22:05:26 | 00,132,096 | RHS- | C] () -- C:\WINDOWS\System32\ativvaxxh.dll
[2009/12/14 21:55:53 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Dex\Application Data\pcouffin.log
[2009/12/14 21:55:45 | 00,087,608 | ---- | C] () -- C:\Documents and Settings\Dex\Application Data\inst.exe
[2009/12/14 21:55:45 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Dex\Application Data\pcouffin.cat
[2009/12/14 21:55:45 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Dex\Application Data\pcouffin.inf
[2009/12/14 21:55:43 | 00,000,810 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\ConvertXtoDvd.lnk
[2009/12/09 22:36:38 | 00,006,931 | ---- | C] () -- C:\Documents and Settings\Dex\My Documents\rc_button2.gif
[2009/12/09 22:32:34 | 00,004,213 | ---- | C] () -- C:\Documents and Settings\Dex\My Documents\rcLogo.gif
[2009/12/09 16:31:19 | 00,000,915 | ---- | C] () -- C:\Documents and Settings\Dex\Desktop\BingoCafe.lnk
[2009/09/01 20:06:41 | 00,000,126 | ---- | C] () -- C:\Documents and Settings\Dex\Local Settings\Application Data\fusioncache.dat
[2009/08/31 19:46:57 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/08/31 16:37:58 | 00,006,656 | ---- | C] () -- C:\Documents and Settings\Dex\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/31 16:17:33 | 00,028,672 | R--- | C] () -- C:\WINDOWS\System32\CMRMDRV3.dll
[2009/08/31 16:17:33 | 00,000,199 | ---- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfl
[2009/08/31 16:17:08 | 00,003,087 | R--- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfg
[2009/01/29 05:50:44 | 00,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/29 05:50:44 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/09/27 11:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2002/10/16 09:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 05:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 05:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 05:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2007/07/27 23:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2004/08/03 23:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 11:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 11:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2007/07/27 23:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 11:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 11:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2007/07/27 23:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2007/07/27 23:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 11:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 11:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >

#6 Dex36

Dex36
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:13 PM

Posted 07 January 2010 - 06:41 AM

GMER results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-07 22:41:25
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Dex\LOCALS~1\Temp\uxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT sprb.sys ZwCreateKey [0xF740F0E0]
SSDT sprb.sys ZwEnumerateKey [0xF742DCA4]
SSDT sprb.sys ZwEnumerateValueKey [0xF742E032]
SSDT sprb.sys ZwOpenKey [0xF740F0C0]
SSDT sprb.sys ZwQueryKey [0xF742E10A]
SSDT sprb.sys ZwQueryValueKey [0xF742DF8A]
SSDT sprb.sys ZwSetValueKey [0xF742E19C]

INT 0x62 ? 86FD7BF8
INT 0x63 ? 86D2CF00
INT 0x63 ? 86D2CF00
INT 0x63 ? 86D2CF00
INT 0x82 ? 86FD7BF8
INT 0x83 ? 86FDABF8
INT 0x83 ? 86D2CF00
INT 0x83 ? 86FDABF8
INT 0x84 ? 86D2CF00
INT 0xA4 ? 86D2CF00
INT 0xB4 ? 86FD7BF8
INT 0xB4 ? 86FD7BF8
INT 0xB4 ? 86D2CF00
INT 0xB4 ? 86FD7BF8

---- Kernel code sections - GMER 1.0.15 ----

? sprb.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF66AE000, 0x1A5044, 0xE8000020]
.text USBPORT.SYS!DllUnload F66658AC 5 Bytes JMP 86D2C4E0
.text a01j5f59.SYS F6437386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a01j5f59.SYS F64373AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a01j5f59.SYS F64373C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a01j5f59.SYS F64373C9 1 Byte [30]
.text a01j5f59.SYS F64373C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7410042] sprb.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F741013E] sprb.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74100C0] sprb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7410800] sprb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74106D6] sprb.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F741FE9C] sprb.sys
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\a01j5f59.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F661F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 86CC41F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C4E7BA9D-F3A1-4335-8FD3-728D27839094} 86A6E500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F681F8
Device \Driver\dmio \Device\DmControl\DmConfig 86F681F8
Device \Driver\dmio \Device\DmControl\DmPnP 86F681F8
Device \Driver\dmio \Device\DmControl\DmInfo 86F681F8
Device \Driver\usbuhci \Device\USBPDO-1 86CC41F8
Device \Driver\usbuhci \Device\USBPDO-2 86CC41F8
Device \Driver\PCI_PNP2728 \Device\00000046 sprb.sys
Device \Driver\usbehci \Device\USBPDO-3 86CA0500
Device \Driver\usbuhci \Device\USBPDO-4 86CC41F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 86CC41F8
Device \Driver\usbuhci \Device\USBPDO-6 86CC41F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD81F8
Device \Driver\usbehci \Device\USBPDO-7 86CA0500
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD81F8
Device \Driver\Cdrom \Device\CdRom0 86C5E500
Device \Driver\Cdrom \Device\CdRom1 86C5E500
Device \Driver\atapi \Device\Ide\IdePort0 [F7363B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7363B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [F7363B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7363B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F7363B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [F7363B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 86A6E500
Device \Driver\NetBT \Device\NetbiosSmb 86A6E500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 86CC41F8
Device \Driver\sptd \Device\2874252728 sprb.sys
Device \Driver\usbuhci \Device\USBFDO-1 86CC41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86A65500
Device \Driver\usbuhci \Device\USBFDO-2 86CC41F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86A65500
Device \Driver\usbehci \Device\USBFDO-3 86CA0500
Device \Driver\usbuhci \Device\USBFDO-4 86CC41F8
Device \Driver\Ftdisk \Device\FtControl 86FD81F8
Device \Driver\usbuhci \Device\USBFDO-5 86CC41F8
Device \Driver\usbuhci \Device\USBFDO-6 86CC41F8
Device \Driver\usbehci \Device\USBFDO-7 86CA0500
Device \Driver\a01j5f59 \Device\Scsi\a01j5f591Port5Path0Target0Lun0 86C3A1F8
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 86F671F8
Device \Driver\a01j5f59 \Device\Scsi\a01j5f591 86C3A1F8
Device \Driver\JRAID \Device\Scsi\JRAID1 86F671F8
Device \FileSystem\Cdfs \Cdfs 86BC7500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x38 0x1E 0xA9 0xAA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD8 0x22 0x2A 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA2 0x8C 0x87 0x33 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x38 0x1E 0xA9 0xAA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD8 0x22 0x2A 0x35 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA2 0x8C 0x87 0x33 ...

---- EOF - GMER 1.0.15 ----

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:13 PM

Posted 19 January 2010 - 08:18 AM

Hello.. Apologies for the delay.. I was very-very ill for two weeks, and it affected my life.. Now I'm back..

Do you still need help?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 Dex36

Dex36
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:13 PM

Posted 22 January 2010 - 04:11 AM

Hi, I'm sorry to hear that.
I definitely still need help. The problem is getting worse. It's now doing it to almost all links.

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:13 PM

Posted 22 January 2010 - 06:01 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

Posted Image


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#10 Dex36

Dex36
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:13 PM

Posted 22 January 2010 - 06:27 AM

ComboFix 10-01-21.06 - Dex 01/22/2010 22:13:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.735 [GMT 11:00]
Running from: c:\documents and settings\Dex\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dex\Application Data\inst.exe
c:\program files\INSTALL.LOG
c:\windows\system32\ativvaxxh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-22 09:25 . 2010-01-22 09:25 -------- d-----w- C:\CFdownloads
2010-01-22 09:25 . 2010-01-22 09:25 -------- d-----w- c:\program files\CinemaForge
2010-01-22 09:25 . 2009-08-28 07:27 1577792 ----a-w- c:\windows\screengenie.scr
2010-01-22 09:19 . 2010-01-22 09:19 4141117 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-01-22 09:19 . 2010-01-22 09:19 6516755 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-01-22 09:18 . 2010-01-22 09:18 15884 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2010-01-22 09:18 . 2010-01-22 09:18 102400 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2010-01-22 09:16 . 2010-01-22 09:16 -------- d-----w- c:\program files\TuneUpMedia
2010-01-22 09:16 . 2010-01-22 09:16 -------- d-----w- c:\documents and settings\Dex\Application Data\TuneUpMedia
2010-01-22 09:16 . 2010-01-22 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2010-01-22 09:14 . 2010-01-22 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-22 09:14 . 2010-01-22 09:25 -------- d-----w- c:\documents and settings\Dex\Application Data\Azureus
2010-01-22 09:13 . 2010-01-22 09:14 -------- d-----w- c:\program files\Vuze
2010-01-17 10:15 . 2004-08-25 06:52 409600 ----a-w- c:\windows\system32\Amoucplx.dll
2010-01-17 10:15 . 2004-08-25 06:46 389120 ----a-w- c:\windows\system32\Amsample.dll
2010-01-17 10:15 . 2004-08-25 06:32 102400 ----a-w- c:\windows\system32\Amuninst.exe
2010-01-17 10:15 . 2004-08-25 06:29 86016 ----a-w- c:\windows\system32\Amoures.dll
2010-01-17 10:15 . 2004-08-25 06:29 36864 ----a-w- c:\windows\system32\Amhooker.dll
2010-01-17 10:15 . 2004-08-25 06:09 7424 ----a-w- c:\windows\system32\drivers\Arfumftr.sys
2010-01-17 10:15 . 2004-08-25 06:09 10240 ----a-w- c:\windows\system32\drivers\Amusbprt.sys
2010-01-17 10:15 . 2004-08-25 06:09 20096 ----a-w- c:\windows\system32\drivers\Amserprt.sys
2010-01-17 10:15 . 2004-08-25 06:09 9984 ----a-w- c:\windows\system32\drivers\Amps2prt.sys
2010-01-17 10:15 . 2004-08-25 06:09 5120 ----a-w- c:\windows\system32\drivers\Amfilter.sys
2010-01-17 09:40 . 2010-01-17 09:40 -------- d-----w- c:\program files\A4Tech
2010-01-16 08:33 . 2010-01-16 08:33 -------- d--h--w- c:\windows\PIF
2010-01-16 05:25 . 2010-01-16 05:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-15 14:19 . 2010-01-15 14:19 -------- d-----w- c:\documents and settings\Dex\Local Settings\Application Data\Digsby
2010-01-15 14:19 . 2010-01-15 14:19 -------- d-----w- c:\documents and settings\Dex\Application Data\Digsby
2010-01-15 14:19 . 2010-01-15 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\program files\Digsby
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\windows\system32\drivers\NSS
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\program files\Norton Security Scan
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\program files\NortonInstaller
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-14 10:35 . 2010-01-14 10:35 -------- d-----w- c:\documents and settings\Dex\Application Data\dvdcss
2010-01-07 06:36 . 2010-01-07 06:36 -------- d-----w- c:\program files\ERUNT
2009-12-25 10:46 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 11:17 . 2009-08-31 04:48 16608 ----a-w- c:\windows\gdrv.sys
2010-01-22 09:16 . 2009-12-22 22:00 -------- d-----w- c:\program files\iTunes
2010-01-20 11:48 . 2009-12-18 07:58 -------- d-----w- c:\documents and settings\Dex\Application Data\vlc
2010-01-13 08:22 . 2009-08-31 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-08 06:13 . 2009-08-31 11:52 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-01-08 06:11 . 2009-08-31 08:55 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-08 06:11 . 2009-09-28 02:02 -------- d-----w- c:\program files\Sims 2 WTF Editor
2010-01-08 06:07 . 2009-08-31 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-08 05:59 . 2009-12-14 10:55 -------- d-----w- c:\program files\VSO
2010-01-08 05:59 . 2009-12-14 10:55 -------- d-----w- c:\documents and settings\Dex\Application Data\Vso
2010-01-08 05:59 . 2009-12-14 10:55 47360 ----a-w- c:\documents and settings\Dex\Application Data\pcouffin.sys
2010-01-08 05:59 . 2009-12-14 10:55 47360 ----a-w- c:\documents and settings\Dex\Application Data\pcouffin.sys
2010-01-06 08:17 . 2009-08-31 09:05 -------- d-----w- c:\documents and settings\Dex\Application Data\uTorrent
2009-12-26 10:19 . 2009-09-08 11:41 -------- d-----w- c:\documents and settings\Dex\Application Data\Apple Computer
2009-12-22 22:00 . 2009-09-08 11:39 -------- d-----w- c:\program files\iPod
2009-12-22 22:00 . 2009-09-10 03:37 -------- d-----w- c:\program files\Common Files\Apple
2009-12-22 21:58 . 2009-08-31 08:56 -------- d-----w- c:\program files\QuickTime
2009-12-22 21:56 . 2009-12-22 21:56 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-22 21:56 . 2009-12-22 21:56 -------- d-----w- c:\program files\Safari
2009-12-22 21:55 . 2009-12-22 21:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-22 05:21 . 2007-07-27 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2007-07-27 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:33 . 2009-08-31 06:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 10:33 . 2009-12-18 10:33 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-18 10:26 . 2009-12-18 10:26 -------- d-----w- c:\program files\Trend Micro
2009-12-18 08:19 . 2009-08-31 08:55 -------- d-----w- c:\program files\Xvid
2009-12-18 08:09 . 2009-12-18 08:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-12-18 08:09 . 2009-12-18 08:09 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-12-18 05:52 . 2009-12-18 05:52 -------- d-----w- c:\program files\SEGA
2009-12-18 05:52 . 2009-08-31 04:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 04:59 . 2009-12-18 04:59 -------- d-----w- c:\program files\TVersity
2009-12-18 02:39 . 2009-12-18 02:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-17 08:23 . 2009-12-14 10:33 -------- d-----w- c:\documents and settings\Dex\Application Data\DVD Flick
2009-12-17 08:23 . 2009-12-14 10:32 -------- d-----w- c:\program files\DVD Flick
2009-12-14 12:54 . 2009-09-17 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-14 10:55 . 2009-12-14 10:55 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-14 10:48 . 2009-08-31 10:04 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-12 23:08 . 2009-12-12 23:08 -------- d-----w- c:\program files\Common Files\PCSuite
2009-12-12 23:08 . 2009-12-12 23:08 -------- d-----w- c:\program files\Common Files\Nokia
2009-12-12 23:07 . 2009-12-12 23:07 -------- d-----w- c:\program files\PC Connectivity Solution
2009-12-12 23:07 . 2009-09-08 12:20 -------- d-----w- c:\program files\Nokia
2009-12-12 23:05 . 2009-12-12 23:05 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-12-12 23:05 . 2009-12-12 23:05 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-12-12 23:05 . 2009-12-12 23:05 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-12-12 23:05 . 2009-12-12 23:05 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-12-12 23:05 . 2009-12-12 23:06 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-12-12 23:05 . 2009-09-08 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-03 05:14 . 2009-08-31 06:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 05:13 . 2009-08-31 06:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 20:20 . 2009-08-31 04:54 177152 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2009-11-21 15:51 . 2007-07-27 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"GEST"="c:\program files\GIGABYTE\GEST\run.exe" [2007-12-14 236040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"WheelMouse"="c:\progra~1\A4Tech\Mouse\Amoumain.exe" [2004-08-25 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 01:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-02 17:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2007-12-22 07:23 221568 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
2007-12-14 01:46 236040 ----a-w- c:\program files\GIGABYTE\GEST\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2009-11-14 00:51 1278736 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 05:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 12:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-01 05:23 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-24 19:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"helpsvc"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"WSearch"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"IS360service"=2 (0x2)
"GEST Service"=3 (0x3)
"CiSvc"=3 (0x3)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA GAMES\\The Sims 2 ContentManager\\CM_EN\\The Sims2 ContentManager\\TS2ContentManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36919:TCP"= 36919:TCP:UTorrentPorts
"36919:UDP"= 36919:UDP:UTorrentPorts2

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/31/2009 7:46 PM 721904]
S3 Arfumftr;A4Tech USB RF-Mouse filter driver;c:\windows\system32\drivers\Arfumftr.sys [1/17/2010 9:15 PM 7424]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [8/31/2009 3:49 PM 47624]
S4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [8/31/2009 4:57 PM 312592]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\Norton Security Scan for Dex.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-15 14:18]

2010-01-04 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-11-16 22:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe
FF - ProfilePath - c:\documents and settings\Dex\Application Data\Mozilla\Firefox\Profiles\g43zdvov.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.cpl
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 22:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spov.sys >>UNKNOWN [0x86D88938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf769cf28
\Driver\ACPI -> ACPI.sys @ 0xf73e6cb8
\Driver\atapi -> atapi.sys @ 0xf737bb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7271bb0
PacketIndicateHandler -> NDIS.sys @ 0xf727ea21
SendHandler -> NDIS.sys @ 0xf725c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3992)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-22 22:20:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 11:20

Pre-Run: 402,161,954,816 bytes free
Post-Run: 403,975,606,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0D61D9257C76B6D38CC83548D58E5A68

#11 fenzodahl512

  • Members
  • 6,738 posts

Posted 22 January 2010 - 10:41 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 Dex36
  • Topic Starter
  • Members
  • 8 posts

Posted 23 January 2010 - 08:31 PM

Combo Fix:

ComboFix 10-01-23.02 - Dex 01/24/2010 12:18:35.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.683 [GMT 11:00]
Running from: c:\documents and settings\Dex\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Dex\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-24 01:14 . 2010-01-24 01:17 -------- d-----w- C:\Combo-Fix
2010-01-22 09:25 . 2010-01-22 09:25 -------- d-----w- C:\CFdownloads
2010-01-22 09:25 . 2010-01-22 09:25 -------- d-----w- c:\program files\CinemaForge
2010-01-22 09:25 . 2009-08-28 07:27 1577792 ----a-w- c:\windows\screengenie.scr
2010-01-22 09:19 . 2010-01-22 09:19 4141117 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-01-22 09:19 . 2010-01-22 09:19 6516755 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-01-22 09:18 . 2010-01-22 09:18 15884 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2010-01-22 09:18 . 2010-01-22 09:18 102400 ----a-w- c:\documents and settings\Dex\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2010-01-22 09:16 . 2010-01-22 09:16 -------- d-----w- c:\program files\TuneUpMedia
2010-01-22 09:16 . 2010-01-22 12:19 -------- d-----w- c:\documents and settings\Dex\Application Data\TuneUpMedia
2010-01-22 09:16 . 2010-01-22 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2010-01-22 09:14 . 2010-01-22 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-22 09:14 . 2010-01-22 09:25 -------- d-----w- c:\documents and settings\Dex\Application Data\Azureus
2010-01-22 09:13 . 2010-01-22 09:14 -------- d-----w- c:\program files\Vuze
2010-01-17 10:15 . 2004-08-25 06:52 409600 ----a-w- c:\windows\system32\Amoucplx.dll
2010-01-17 10:15 . 2004-08-25 06:46 389120 ----a-w- c:\windows\system32\Amsample.dll
2010-01-17 10:15 . 2004-08-25 06:32 102400 ----a-w- c:\windows\system32\Amuninst.exe
2010-01-17 10:15 . 2004-08-25 06:29 86016 ----a-w- c:\windows\system32\Amoures.dll
2010-01-17 10:15 . 2004-08-25 06:29 36864 ----a-w- c:\windows\system32\Amhooker.dll
2010-01-17 10:15 . 2004-08-25 06:09 7424 ----a-w- c:\windows\system32\drivers\Arfumftr.sys
2010-01-17 10:15 . 2004-08-25 06:09 10240 ----a-w- c:\windows\system32\drivers\Amusbprt.sys
2010-01-17 10:15 . 2004-08-25 06:09 20096 ----a-w- c:\windows\system32\drivers\Amserprt.sys
2010-01-17 10:15 . 2004-08-25 06:09 9984 ----a-w- c:\windows\system32\drivers\Amps2prt.sys
2010-01-17 10:15 . 2004-08-25 06:09 5120 ----a-w- c:\windows\system32\drivers\Amfilter.sys
2010-01-17 09:40 . 2010-01-17 09:40 -------- d-----w- c:\program files\A4Tech
2010-01-16 08:33 . 2010-01-16 08:33 -------- d--h--w- c:\windows\PIF
2010-01-16 05:25 . 2010-01-23 05:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-15 14:19 . 2010-01-15 14:19 -------- d-----w- c:\documents and settings\Dex\Local Settings\Application Data\Digsby
2010-01-15 14:19 . 2010-01-15 14:19 -------- d-----w- c:\documents and settings\Dex\Application Data\Digsby
2010-01-15 14:19 . 2010-01-15 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\program files\Digsby
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\windows\system32\drivers\NSS
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\program files\Norton Security Scan
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\program files\NortonInstaller
2010-01-15 14:18 . 2010-01-15 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-14 10:35 . 2010-01-14 10:35 -------- d-----w- c:\documents and settings\Dex\Application Data\dvdcss
2010-01-07 06:36 . 2010-01-07 06:36 -------- d-----w- c:\program files\ERUNT
2009-12-25 10:46 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 01:23 . 2009-08-31 04:48 16608 ----a-w- c:\windows\gdrv.sys
2010-01-23 08:16 . 2009-12-18 07:58 -------- d-----w- c:\documents and settings\Dex\Application Data\vlc
2010-01-22 09:16 . 2009-12-22 22:00 -------- d-----w- c:\program files\iTunes
2010-01-13 08:22 . 2009-08-31 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-08 06:13 . 2009-08-31 11:52 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-01-08 06:11 . 2009-08-31 08:55 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-08 06:11 . 2009-09-28 02:02 -------- d-----w- c:\program files\Sims 2 WTF Editor
2010-01-08 06:07 . 2009-08-31 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-08 05:59 . 2009-12-14 10:55 -------- d-----w- c:\program files\VSO
2010-01-08 05:59 . 2009-12-14 10:55 -------- d-----w- c:\documents and settings\Dex\Application Data\Vso
2010-01-08 05:59 . 2009-12-14 10:55 47360 ----a-w- c:\documents and settings\Dex\Application Data\pcouffin.sys
2010-01-08 05:59 . 2009-12-14 10:55 47360 ----a-w- c:\documents and settings\Dex\Application Data\pcouffin.sys
2010-01-06 08:17 . 2009-08-31 09:05 -------- d-----w- c:\documents and settings\Dex\Application Data\uTorrent
2009-12-26 10:19 . 2009-09-08 11:41 -------- d-----w- c:\documents and settings\Dex\Application Data\Apple Computer
2009-12-22 22:00 . 2009-09-08 11:39 -------- d-----w- c:\program files\iPod
2009-12-22 22:00 . 2009-09-10 03:37 -------- d-----w- c:\program files\Common Files\Apple
2009-12-22 21:58 . 2009-08-31 08:56 -------- d-----w- c:\program files\QuickTime
2009-12-22 21:56 . 2009-12-22 21:56 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-22 21:56 . 2009-12-22 21:56 -------- d-----w- c:\program files\Safari
2009-12-22 21:55 . 2009-12-22 21:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-22 05:21 . 2007-07-27 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2007-07-27 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:33 . 2009-08-31 06:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 10:33 . 2009-12-18 10:33 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-18 10:26 . 2009-12-18 10:26 -------- d-----w- c:\program files\Trend Micro
2009-12-18 08:19 . 2009-08-31 08:55 -------- d-----w- c:\program files\Xvid
2009-12-18 08:09 . 2009-12-18 08:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-12-18 08:09 . 2009-12-18 08:09 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-12-18 05:52 . 2009-12-18 05:52 -------- d-----w- c:\program files\SEGA
2009-12-18 05:52 . 2009-08-31 04:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 04:59 . 2009-12-18 04:59 -------- d-----w- c:\program files\TVersity
2009-12-18 02:39 . 2009-12-18 02:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-17 08:23 . 2009-12-14 10:33 -------- d-----w- c:\documents and settings\Dex\Application Data\DVD Flick
2009-12-17 08:23 . 2009-12-14 10:32 -------- d-----w- c:\program files\DVD Flick
2009-12-14 12:54 . 2009-09-17 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-14 10:55 . 2009-12-14 10:55 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-14 10:48 . 2009-08-31 10:04 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-12 23:08 . 2009-12-12 23:08 -------- d-----w- c:\program files\Common Files\PCSuite
2009-12-12 23:08 . 2009-12-12 23:08 -------- d-----w- c:\program files\Common Files\Nokia
2009-12-12 23:07 . 2009-12-12 23:07 -------- d-----w- c:\program files\PC Connectivity Solution
2009-12-12 23:07 . 2009-09-08 12:20 -------- d-----w- c:\program files\Nokia
2009-12-12 23:05 . 2009-12-12 23:05 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-12-12 23:05 . 2009-12-12 23:05 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-12-12 23:05 . 2009-12-12 23:05 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-12-12 23:05 . 2009-12-12 23:05 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-12-12 23:05 . 2009-12-12 23:06 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-12-12 23:05 . 2009-09-08 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-03 05:14 . 2009-08-31 06:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 05:13 . 2009-08-31 06:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 20:20 . 2009-08-31 04:54 177152 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2009-11-21 15:51 . 2007-07-27 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-22_11.17.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 22:58 . 2008-04-13 17:39 23040 c:\windows\system32\drivers\mouclass.sys
- 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
+ 2004-08-03 22:58 . 2008-04-13 17:39 23040 c:\windows\system32\dllcache\mouclass.sys
+ 2007-07-27 12:00 . 2004-08-03 12:59 95360 c:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"GEST"="c:\program files\GIGABYTE\GEST\run.exe" [2007-12-14 236040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"WheelMouse"="c:\progra~1\A4Tech\Mouse\Amoumain.exe" [2004-08-25 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 01:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-02 17:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2007-12-22 07:23 221568 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
2007-12-14 01:46 236040 ----a-w- c:\program files\GIGABYTE\GEST\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2009-11-14 00:51 1278736 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 05:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 12:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-01 05:23 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-24 19:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"helpsvc"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"WSearch"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"IS360service"=2 (0x2)
"GEST Service"=3 (0x3)
"CiSvc"=3 (0x3)
"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA GAMES\\The Sims 2 ContentManager\\CM_EN\\The Sims2 ContentManager\\TS2ContentManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36919:TCP"= 36919:TCP:UTorrentPorts
"36919:UDP"= 36919:UDP:UTorrentPorts2

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/31/2009 7:46 PM 721904]
R3 Arfumftr;A4Tech USB RF-Mouse filter driver;c:\windows\system32\drivers\Arfumftr.sys [1/17/2010 9:15 PM 7424]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [8/31/2009 3:49 PM 47624]
S4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [8/31/2009 4:57 PM 312592]
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\Norton Security Scan for Dex.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-15 14:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe
FF - ProfilePath - c:\documents and settings\Dex\Application Data\Mozilla\Firefox\Profiles\g43zdvov.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 12:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86FD71F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7684f28
\Driver\ACPI -> ACPI.sys @ 0xf73cecb8
\Driver\atapi -> 0x86fd71f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7259bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7266a21
SendHandler -> NDIS.sys @ 0xf724487b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-24 12:27:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 01:27
ComboFix2.txt 2010-01-22 11:20

Pre-Run: 403,520,909,312 bytes free
Post-Run: 403,508,547,584 bytes free

- - End Of File - - B56D4E92150D4E0F4FA1BC2A0982678F

#13 Dex36

Dex36
  • Topic Starter

  • Members
  • 8 posts

Posted 23 January 2010 - 08:33 PM

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:48 PM, on 1/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Dex\Desktop\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1251724714156
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4119 bytes

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 25 January 2010 - 05:42 AM

Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
