Search Redirect / pop-up


This topic is locked
34 replies to this topic

#1 isawben (Members, 20 posts)

Posted 27 December 2009 - 04:20 PM

So this started with an infestation of Internet Security 2010 (damn roommates). I removed that along with winlogon86/winupdate86/winhelper86/setunude.dll and all registry entries pointing to them. Now HJT logs look clean (to me anyway), but I'm getting this redirect problem and occasionally a pop-up (Firefox throws an error, something like 'firefox is unable to open url', then opens a new window with like 20 tabs; every other one is the c:/windows dir, the others are 404s).

Now I'm getting redirected from search results and NOD32 keeps blocking something every 5 min or so (maybe only while Firefox is open?):
'HTTP filter file hxxp://bfskul.com/loaderadv699.exe a variant of Win32/Kryptik.BKK trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.'

Spybot S&D didn't find anything on the last scan, but yesterday it was finding Virtumonde (sp?) and a Windows firewall program bypass thingy every time I scanned (sorry for the lack of certainty).

MBAM keeps finding this:
'Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44bba855-cc51-11cf-aafa-00a (Generic.Bot.H) -> Quarantined and deleted successfully.'

ESET NOD32 comes up clean when I do a scan but is still bringing up the previous message.

RootRepeal is taking FOREVER to scan, so I'll post that log when it's done. It has been scanning 'files' for over 2 hours and isn't even to the Windows dir.



#2 isawben (Topic Starter, Members, 20 posts)

Posted 30 December 2009 - 11:22 PM

OK, the IS2010 crap came back and I attempted to get rid of it. I did, but I forgot to repair the Winlogon registry key (it was pointing at winlogon86.exe, not userinit.exe like it should be). This caused Windows to not log on, so I had to use the Recovery Console to copy the registry files to a temp folder, then copy the repair registry files to the config folder. Then I was able to log on to Windows using a default registry. From there, I imported the software registry hive file and fixed the Winlogon key. Then I restarted the Recovery Console and restored the rest of the registry files (I think I could have just imported all of the backed-up registry files when I fixed the Winlogon key... oh well).

Then when I restarted, Windows logged on (yay) but my wallpaper was gone again, so I ran MBAM again and there were 19 infections that I fixed. Now I'm back to just the redirect issue. ESET NOD32 is no longer constantly blocking 'hxxp://bfskul.com/loaderadv699.exe a variant of Win32/Kryptik.BKK' (yay) and I'm no longer getting the popup I mentioned.

I have some new DDS logs and the MBAM log, but every time I run RootRepeal Windows slows WAY down and stutters. The last time I tried to run RootRepeal it took over 5 hours to scan the files and seemed to be scanning my C: drive by folder tiers (first c:\foldername, then c:\foldername\folder2, then c:\foldername\folder2\folder3, etc.). It was lagging so badly and was only on the second tier after 5+ hours that I closed it and moved on. Is this normal, or is it because I'm infected? Is this log necessary at this point?

Thanks for any forthcoming help you guys (or girls?) can offer :(

mbam-log-2009-12-30 (21-39-56).txt

Scan type: Quick Scan
Objects scanned: 129178
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44bba855-cc51-11cf-aafa-00a (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) ->
Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) ->
Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) ->
Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) ->
Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) ->
Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) ->
Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) ->
Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\nmjhv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\uwlwfa.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\mshlps.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\nbhfy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Master at 21:45:47.90 on Wed 12/30/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3126 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltaIITray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Master\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli mapat32.dll medemovo.dll
IFEO: taskmgr.exe - "c:\processexplorer\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\master\applic~1\mozilla\firefox\profiles\2xsgw7ie.default\
FF - component: c:\documents and settings\master\application data\mozilla\firefox\profiles\2xsgw7ie.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\master\application data\mozilla\firefox\profiles\2xsgw7ie.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-29 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-29 735960]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2008-10-31 302728]
S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-9-21 271856]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-9-21 218608]
S3 mpr_freader;MPR FileReader Driver;\??\c:\docume~1\master\locals~1\temp\rarsfx1\mpr_freader.sys --> c:\docume~1\master\locals~1\temp\rarsfx1\mpr_freader.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010\RpcAgentSrv.exe [2009-12-17 93336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2009-12-31 02:06:11 1606 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-12-30 21:55:28 0 d-----w- c:\windows\tmp
2009-12-28 04:13:34 0 d-----w- c:\program files\NVIDIA nTune Performance Application
2009-12-27 03:46:18 8 ----a-w- c:\windows\system32\nvModes.dat
2009-12-27 03:44:56 0 d-----w- c:\windows\SxsCaPendDel
2009-12-26 23:51:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 23:51:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 23:51:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 04:17:15 0 ----a-w- c:\windows\system32\regsvr32
2009-12-26 03:52:14 2855 ----a-w- c:\windows\system32\41.PIF
2009-12-26 03:51:57 0 d--h--w- c:\windows\PIF
2009-12-26 02:54:25 0 d-----w- C:\Autoruns
2009-12-26 02:26:50 0 d-----w- c:\program files\ESET
2009-12-25 03:30:52 2098 --sh--w- c:\windows\system32\buvoyaki.exe
2009-12-20 00:52:12 0 d-sh--r- C:\cmdcons
2009-12-20 00:52:11 0 d-----w- c:\windows\setup.pss
2009-12-20 00:51:57 0 d-----w- c:\windows\setupupd
2009-12-19 23:51:10 0 d-----w- c:\program files\Western Digital Corporation
2009-12-17 05:26:41 0 d-----w- c:\program files\SiSoftware
2009-12-13 07:00:31 8743 ----a-w- c:\windows\system32\nvinfo.pb
2009-12-13 07:00:31 7655872 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2009-12-13 07:00:31 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-12-13 07:00:29 5900416 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2009-12-13 07:00:29 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-12-08 06:43:38 139264 ----a-w- c:\windows\system32\eax.dll
2009-12-08 06:43:38 0 d-----w- c:\program files\Creative
2009-12-08 06:36:45 0 d-----w- c:\program files\Mafia
2009-12-08 06:36:41 233472 ----a-r- c:\windows\system32\MafiaSetup.exe

==================== Find3M ====================

2009-12-22 22:48:51 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-22 22:42:53 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-17 17:09:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-30 19:33:46 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-16 02:44:12 2097152 ----a-w- c:\windows\sample5x.dat
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 21:46:24.75 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume4
Install Date: 6/12/2008 5:11:49 PM
System Uptime: 12/30/2009 9:40:44 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2N-SLI DELUXE
Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+ | Socket AM2 | 2913/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 110 GiB total, 25.553 GiB free.
D: is CDROM (CDFS)
E: is FIXED (NTFS) - 56 GiB total, 4.972 GiB free.
F: is CDROM ()
G: is FIXED (NTFS) - 28 GiB total, 4.289 GiB free.
H: is FIXED (FAT) - 0 GiB total, 0.008 GiB free.
I: is FIXED (NTFS) - 356 GiB total, 8.043 GiB free.
J: is CDROM ()
W: is NetworkDisk (NTFS) - 466 GiB total, 119.269 GiB free.
X: is NetworkDisk (NTFS) - 36 GiB total, 11.143 GiB free.
Z: is NetworkDisk (NTFS) - 75 GiB total, 25.587 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
7-Zip 4.60 beta
AAC Decoder
Adobe Anchor Service CS4
Adobe Audition 3.0
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Any Video Converter Professional 2.7.3
AutoUpdate
Call of Duty® - World at War™
Call of Duty® - World at War™ 1.1 Patch
Call of Duty® - World at War™ 1.2 Patch
Call of Duty® - World at War™ 1.3 Patch
Call of Duty® - World at War™ 1.4 Patch
Call of Duty® - World at War™ 1.5 Patch
Call of Duty® - World at War™ 1.6 Patch
Call of Duty® - World at War™ 1.7 Patch
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Call of Duty: Modern Warfare 2
Call of Duty: Modern Warfare 2 - Multiplayer
CCleaner (remove only)
CoD RconTool 10
Connect
CSI - Deadly Intent
Data Lifeguard Diagnostic for Windows
Delta
DH Driver Cleaner Professional Edition
DivX Codec
DivX Converter
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Driver Sweeper 2.0.5
Dual-Core Optimizer
Dungeons and Dragons Online™ - Eberron Unlimited™ - Live
DVD Decrypter (Remove Only)
EAX Unified
Electricsheep Screensaver 2.7b17
ESET NOD32 Antivirus
Fallout 3
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Incoming
iPrep v009
Java™ 6 Update 12
K-Lite Codec Pack 3.9.5 (Full)
kuler
Logitech Gaming Software 5.02
Magic Video Converter Trial Version (English) 8.0.2.18
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office FrontPage 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WSE 3.0 Runtime
MKV Splitter
Mozilla Firefox (3.0.16)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
Nero 8 Micro 8.3.6.0
neroxml
Netflix Movie Viewer
NetTools 5.0
Neverwinter Nights 2
No File Recovery
Norton PartitionMagic 8.0
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA nTune
NVIDIA Photoshop Plug-ins
NVIDIA PhysX
Octoshape add-in for Adobe Flash Player
OpenAL
PDF Settings CS4
Photoshop Camera Raw
Primo
QuickTime Alternative 2.6.0
Reason 4.0
Security Update for Windows XP (KB956802)
SiSoftware Sandra Lite 2010
Sony Picture Utility
SPORE™
Spybot - Search & Destroy
Steam
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
TBS WMP Plug-in
TextPad 5
Turbine Download Manager - Live
Unigine Tropics Demo
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
WD Diagnostics
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/27/2009 12:27:50 AM, error: nvgts [9] - The device, \Device\Scsi\nvgts1, did not respond within the timeout period.
12/27/2009 12:21:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: NVTCP
12/27/2009 12:21:42 PM, error: Service Control Manager [7024] - The Forceware Web Interface service terminated with service-specific error 1 (0x1).
12/27/2009 12:21:42 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The system cannot find the file specified.
12/27/2009 10:37:06 PM, error: SRService [104] - The System Restore initialization process failed.
12/27/2009 10:37:06 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
12/27/2009 1:57:57 PM, error: nvgts [5] - A parity error was detected on \Device\Scsi\nvgts1.
12/26/2009 7:58:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvata NVTCP
12/26/2009 6:47:37 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/26/2009 10:39:35 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file nv4_mini.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
12/26/2009 10:39:35 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file nv4_disp.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.5673.
12/25/2009 10:59:57 PM, error: Service Control Manager [7000] - The FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe service failed to start due to the following error: The system cannot find the file specified.
12/25/2009 1:06:01 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
12/24/2009 12:01:05 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Common Files\Nero\AudioPlugins\msaxp.dll. Reference error message: The operation completed successfully. .
12/24/2009 12:01:05 AM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Common Files\Nero\AudioPlugins\msaxp.dll" on line 9.

==== End Of File ===========================

Edited by isawben, 30 December 2009 - 11:32 PM.
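A small checker for the persistence indicators that appear in this thread's DDS "Pseudo HJT Report" (the Winlogon Userinit value, AppInit_DLLs, LSA notification packages and the Explorer/System lockdown policies), added here as an example; it is not part of the original posts or of DDS itself. The sample report lines are constructed to mirror the log above, except that the Userinit line reproduces the winlogon86.exe hijack the poster described rather than the repaired value the log shows.

```python
"""Flag persistence indicators in DDS "Pseudo HJT Report" lines.

Added example, not part of the original thread or of DDS. The report sample
below is constructed to mirror the entries in the log posted above; its
Userinit line shows the hijacked value the poster described (winlogon86.exe)
instead of the repaired one.
"""
import re

# Windows XP defaults; anything else in these slots needs a second look.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_LSA_PACKAGES = {"scecli"}
# Policies that fake-AV droppers set to lock the user out of Task Manager,
# the registry editor and the desktop (the "Hijack.*" hits in the MBAM log).
LOCKDOWN_POLICIES = {
    "DisableTaskMgr", "DisableRegistryTools",
    "NoSetActiveDesktop", "NoActiveDesktopChanges", "NoChangingWallpaper",
}

# Constructed sample in DDS report syntax (tag, colon, value).
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\kbdsock.dll
LSA: Notification Packages = scecli mapat32.dll medemovo.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

LINE_RE = re.compile(r"^([A-Za-z_\-]+):\s*(.*)$")


def parse_line(line):
    """Split a report line into (tag, value); None for lines that are not entries."""
    match = LINE_RE.match(line.strip())
    return (match.group(1), match.group(2).strip()) if match else None


def check_report(text):
    """Return (severity, kind, detail) findings for a block of DDS report lines."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        tag, value = parsed
        if tag == "mWinlogon" and value.lower().startswith("userinit="):
            # Winlogon runs this binary at every logon; the IS2010 dropper
            # pointed it at winlogon86.exe, which also breaks logon once that
            # file is deleted without repairing the key.
            target = value.split("=", 1)[1].strip().rstrip(",").lower()
            if target != EXPECTED_USERINIT:
                findings.append(("high", "userinit_hijack", target))
        elif tag == "AppInit_DLLs" and value:
            # Loaded into every process that links user32.dll (kbdsock.dll here).
            findings.append(("high", "appinit_dll", value.lower()))
        elif tag == "LSA" and value.lower().startswith("notification packages"):
            # LSA loads these DLLs inside lsass.exe; only scecli is expected on XP.
            packages = value.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() not in EXPECTED_LSA_PACKAGES]
            if extra:
                findings.append(("high", "lsa_notification_package", " ".join(extra)))
        elif tag.startswith("dPolicies-"):
            name = value.split("=", 1)[0].strip()
            if name in LOCKDOWN_POLICIES and re.search(r"=\s*1\b", value):
                findings.append(("medium", "lockdown_policy", name))
        elif tag == "Hosts":
            # A hosts override can be Spybot immunization (as here) or a
            # hijack; list it for review rather than calling it malicious.
            parts = value.split()
            if len(parts) == 2 and parts[1].lower() != "localhost":
                findings.append(("info", "hosts_override", parts[1]))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in check_report(SAMPLE_REPORT):
        print(f"[{severity:6}] {kind}: {detail}")
```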


#3 isawben (Topic Starter, Members, 20 posts)

Posted 02 January 2010 - 02:27 AM

Well, no trace of IS2010, but the trojan NOD keeps blocking is back, though slightly different: "hxxp://bfskul.com/loaderadv699.exe a variant of Win32/Kryptik.BOI trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe." - every 5 min this is blocked.

Still getting the redirect from Google.


Every time I restart, MBAM finds Generic.Bot.H.

Malwarebytes' Anti-Malware 1.43
Database version: 3475
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/2/2010 2:24:28 AM
mbam-log-2010-01-02 (02-24-25).txt

Scan type: Quick Scan
Objects scanned: 130388
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44bba855-cc51-11cf-aafa-00a (Generic.Bot.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




I also have OTL logs:

OTL logfile created on: 1/1/2010 12:39:26 AM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Master\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.87 Gb Total Space | 25.50 Gb Free Space | 23.21% Space Free | Partition Type: NTFS
Drive D: | 622.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 55.89 Gb Total Space | 4.97 Gb Free Space | 8.90% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 27.95 Gb Total Space | 4.29 Gb Free Space | 15.35% Space Free | Partition Type: NTFS
Drive H: | 7.78 Mb Total Space | 7.77 Mb Free Space | 99.90% Space Free | Partition Type: FAT
Drive I: | 355.89 Gb Total Space | 8.04 Gb Free Space | 2.26% Space Free | Partition Type: NTFS
Drive W: | 465.76 Gb Total Space | 119.45 Gb Free Space | 25.65% Space Free | Partition Type: NTFS
Drive X: | 35.82 Gb Total Space | 11.14 Gb Free Space | 31.11% Space Free | Partition Type: NTFS
Drive Z: | 74.53 Gb Total Space | 25.58 Gb Free Space | 34.33% Space Free | Partition Type: NTFS

Computer Name: BEN
Current User Name: Master
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/01 00:35:59 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Master\Desktop\OTL.exe
PRC - [2009/12/22 17:48:51 | 00,189,184 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrB.exe
PRC - [2009/12/17 18:25:50 | 00,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/29 13:03:46 | 00,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009/09/29 13:02:52 | 02,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/09/27 18:19:46 | 00,172,100 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/02/28 23:37:25 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/18 13:31:49 | 00,075,064 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2008/04/14 07:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/03 09:13:50 | 00,236,040 | ---- | M] () -- C:\WINDOWS\system32\DeltaIITray.exe
PRC - [2007/09/04 19:25:44 | 00,131,072 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PRC - [2006/10/18 20:46:20 | 00,064,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmplayer.exe
PRC - [2006/09/11 18:56:02 | 00,135,227 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
PRC - [2006/09/11 18:55:42 | 00,065,599 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe


========== Modules (SafeList) ==========

MOD - [2010/01/01 00:35:59 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Master\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - [2009/12/22 17:48:51 | 00,189,184 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrB.exe -- (PnkBstrB)
SRV - [2009/11/17 21:17:14 | 00,271,856 | ---- | M] (Turbine, Inc.) [On_Demand | Stopped] -- C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe -- (LiveTurbineMessageService)
SRV - [2009/11/17 21:17:14 | 00,218,608 | ---- | M] (Turbine, Inc.) [On_Demand | Stopped] -- C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe -- (LiveTurbineNetworkService)
SRV - [2009/09/29 13:11:10 | 00,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/09/29 13:03:46 | 00,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/09/27 18:19:46 | 00,172,100 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (nvsvc)
SRV - [2009/08/24 18:01:08 | 00,093,336 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2009/02/28 23:37:25 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/02/18 13:31:49 | 00,075,064 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008/12/27 03:30:56 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/06/12 05:01:54 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2007/09/04 19:25:44 | 00,131,072 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2006/09/11 18:56:02 | 00,135,227 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe -- (nSvcIp)
SRV - [2006/09/11 18:55:42 | 00,065,599 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe -- (nSvcLog)
SRV - [2006/04/13 15:14:26 | 00,020,543 | ---- | M] (Apache Software Foundation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe -- (ForcewareWebInterface)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: NPDyyno@dyyno.com:1.0.0.24

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/25 04:46:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/22 21:02:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009/12/25 21:26:51 | 00,000,000 | ---D | M]

[2008/08/26 21:00:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Mozilla\Extensions
[2009/12/30 01:52:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\2xsgw7ie.default\extensions
[2009/02/20 16:45:14 | 00,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\2xsgw7ie.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2009/06/24 21:04:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\2xsgw7ie.default\extensions\NPDyyno@dyyno.com
[2009/12/30 01:52:21 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/11/04 21:02:56 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: (371896 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 12820 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe ()
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\DeltaIITray.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKLM\..Trusted Ranges: 1 range(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.134 68.87.72.134
O20 - AppInit_DLLs: (C:\WINDOWS\system32\kbdsock.dll) - C:\WINDOWS\System32\kbdsock.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O27 - HKLM IFEO\taskmgr.exe: Debugger - "C:\PROCESSEXPLORER\PROCEXP.EXE" (Sysinternals - www.sysinternals.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/12 16:10:25 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/12/26 18:48:04 | 00,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 06:00:00 | 00,000,110 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2003/05/03 14:20:42 | 00,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##Cathy-c50c216ce#F\Shell - "" = AutoRun
O33 - MountPoints2\##Cathy-c50c216ce#F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##Cathy-c50c216ce#F\Shell\AutoRun\command - "" = Z:\WD_Windows_Tools\setup.exe -- File not found
O33 - MountPoints2\{38cf9042-38a1-11dd-a1b1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{38cf9042-38a1-11dd-a1b1-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{38cf9042-38a1-11dd-a1b1-806d6172696f}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2008/04/13 23:42:14 | 01,314,816 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{54ba09cf-e75c-11dd-b4e7-001fc6119e28}\Shell - "" = AutoRun
O33 - MountPoints2\{54ba09cf-e75c-11dd-b4e7-001fc6119e28}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{54ba09cf-e75c-11dd-b4e7-001fc6119e28}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d1edfbe8-ce53-11dd-a9a9-806d6172696f}\Shell\AutoRun\command - "" = G:\Info.exe -- File not found
O33 - MountPoints2\{dfb54422-4c8d-11dd-9ba6-806d6172696f}\Shell\AutoRun\command - "" = G:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/06/12 11:52:49 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 14 Days ==========

[2010/01/01 00:35:45 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Master\Desktop\OTL.exe
[2009/12/30 16:55:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\tmp
[2009/12/30 01:32:32 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Master\Recent
[2009/12/27 23:14:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
[2009/12/27 23:14:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Master\Local Settings\Application Data\NVIDIA Corporation
[2009/12/27 23:13:34 | 00,000,000 | ---D | C] -- C:\Program Files\NVIDIA nTune Performance Application
[2009/12/27 13:54:09 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Master\Desktop\RootRepeal.exe
[2009/12/26 22:44:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/12/26 18:51:38 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/26 18:51:36 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/26 18:51:35 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/25 22:51:57 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/12/25 21:54:25 | 00,000,000 | ---D | C] -- C:\Autoruns
[2009/12/25 21:26:50 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/12/19 19:52:12 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/19 19:52:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2009/12/19 19:51:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2009/12/19 18:51:10 | 00,000,000 | ---D | C] -- C:\Program Files\Western Digital Corporation
[2009/12/19 01:36:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2009/09/21 20:58:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/21 17:02:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/08/21 16:43:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/13 10:00:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/10 17:14:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Xfire
[2009/01/08 01:27:40 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/10/31 23:15:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Xfire
[2008/09/28 10:47:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\DivX
[2008/09/14 23:00:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\Master\*.tmp files -> C:\Documents and Settings\Master\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/01 00:35:59 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Master\Desktop\OTL.exe
[2010/01/01 00:33:57 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\Master\Desktop\gmer.zip
[2010/01/01 00:12:28 | 09,699,328 | ---- | M] () -- C:\Documents and Settings\Master\ntuser.dat
[2010/01/01 00:09:26 | 00,254,076 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2009/12/31 22:32:39 | 00,371,896 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/31 21:43:51 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/31 21:43:07 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/31 21:43:05 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/31 01:35:14 | 00,441,300 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/31 01:35:14 | 00,071,234 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/30 21:33:39 | 26,738,688 | ---- | M] () -- C:\tmp
[2009/12/30 21:33:30 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Master\ntuser.ini
[2009/12/30 21:33:16 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2009/12/30 21:32:37 | 01,981,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/30 21:08:26 | 00,000,667 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/30 21:05:02 | 00,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/30 01:35:14 | 00,421,562 | ---- | M] () -- C:\Documents and Settings\Master\Desktop\cc_20091230_0134.reg
[2009/12/30 01:29:53 | 00,103,424 | ---- | M] () -- C:\Documents and Settings\Master\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/27 23:14:12 | 00,001,741 | ---- | M] () -- C:\Documents and Settings\Master\Desktop\NVIDIA Monitor.lnk
[2009/12/27 23:14:12 | 00,001,617 | ---- | M] () -- C:\Documents and Settings\Master\Desktop\nTune.lnk
[2009/12/27 13:55:27 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Master\Desktop\settings.dat
[2009/12/27 13:54:26 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Master\Desktop\RootRepeal.exe
[2009/12/27 13:51:38 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Master\Desktop\dds.scr
[2009/12/26 22:46:18 | 00,000,008 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2009/12/26 19:57:24 | 01,610,556 | -H-- | M] () -- C:\Documents and Settings\Master\Local Settings\Application Data\IconCache.db
[2009/12/26 18:51:40 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/25 23:20:09 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\regsvr32
[2009/12/25 22:52:25 | 00,002,855 | ---- | M] () -- C:\WINDOWS\System32\41.PIF
[2009/12/25 22:52:17 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/24 22:30:52 | 00,002,098 | -HS- | M] () -- C:\WINDOWS\System32\buvoyaki.exe
[2009/12/24 19:10:46 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/22 17:48:51 | 00,189,184 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2009/12/22 17:48:51 | 00,189,184 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2009/12/22 17:42:53 | 00,138,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/12/19 19:52:25 | 00,000,294 | RHS- | M] () -- C:\boot.ini
[2009/12/19 18:46:05 | 00,521,444 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\Documents and Settings\Master\*.tmp files -> C:\Documents and Settings\Master\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/01 00:33:57 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\Master\Desktop\gmer.zip
[2009/12/30 01:34:36 | 00,421,562 | ---- | C] () -- C:\Documents and Settings\Master\Desktop\cc_20091230_0134.reg
[2009/12/27 23:14:12 | 00,001,741 | ---- | C] () -- C:\Documents and Settings\Master\Desktop\NVIDIA Monitor.lnk
[2009/12/27 23:14:12 | 00,001,617 | ---- | C] () -- C:\Documents and Settings\Master\Desktop\nTune.lnk
[2009/12/27 13:55:27 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Master\Desktop\settings.dat
[2009/12/27 13:51:22 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Master\Desktop\dds.scr
[2009/12/26 22:46:18 | 00,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/12/26 18:51:40 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/25 23:17:15 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\regsvr32
[2009/12/25 22:52:14 | 00,002,855 | ---- | C] () -- C:\WINDOWS\System32\41.PIF
[2009/12/24 22:30:52 | 00,002,098 | -HS- | C] () -- C:\WINDOWS\System32\buvoyaki.exe
[2009/12/19 19:52:24 | 00,000,223 | RHS- | C] () -- C:\BOOT.BAK
[2009/12/19 19:52:23 | 00,260,288 | RHS- | C] () -- C:\cmldr
[2009/12/17 00:26:43 | 12,177,408 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sandra.mda
[2009/11/30 14:33:46 | 00,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2009/10/31 18:44:44 | 00,000,635 | ---- | C] () -- C:\WINDOWS\STBC.INI
[2009/09/21 21:16:51 | 00,000,129 | ---- | C] () -- C:\Documents and Settings\Master\Local Settings\Application Data\fusioncache.dat
[2009/08/24 01:53:05 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/08/02 23:21:54 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2009/08/02 23:21:54 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2009/08/02 23:21:52 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009/08/02 23:21:52 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2009/06/05 02:01:06 | 09,214,464 | ---- | C] () -- C:\WINDOWS\avcodec-52.dll
[2009/06/05 02:01:06 | 00,745,984 | ---- | C] () -- C:\WINDOWS\avformat-52.dll
[2009/06/05 02:01:06 | 00,218,624 | ---- | C] () -- C:\WINDOWS\swscale-0.dll
[2009/06/05 02:01:06 | 00,070,144 | ---- | C] () -- C:\WINDOWS\avutil-50.dll
[2009/05/10 11:18:42 | 00,060,416 | ---- | C] () -- C:\WINDOWS\zlib1.dll
[2009/05/10 11:17:16 | 00,162,304 | ---- | C] () -- C:\WINDOWS\libpng13.dll
[2009/05/09 14:57:14 | 00,122,368 | ---- | C] () -- C:\WINDOWS\lua5.1.dll
[2009/03/04 01:57:34 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\nvRegDev.dll
[2009/01/03 20:55:32 | 00,138,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/12/26 23:48:00 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/25 11:22:50 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/10/22 05:29:06 | 00,173,550 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2008/09/28 16:09:12 | 00,001,138 | ---- | C] () -- C:\WINDOWS\vampire.ini
[2008/09/18 20:54:43 | 00,351,744 | ---- | C] () -- C:\WINDOWS\System32\mss32.dll
[2008/09/14 23:00:08 | 00,183,296 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/18 10:22:51 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/08/14 20:41:06 | 00,000,094 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/08/09 00:00:24 | 00,096,256 | ---- | C] () -- C:\WINDOWS\System32\SMACKW32.DLL
[2008/08/09 00:00:24 | 00,067,584 | ---- | C] () -- C:\WINDOWS\System32\mcp.dll
[2008/07/06 23:57:06 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2008/06/22 13:10:18 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Master\Application Data\PnkBstrK.sys
[2008/06/15 14:26:06 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/06/15 03:57:39 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/06/13 05:03:04 | 00,103,424 | ---- | C] () -- C:\Documents and Settings\Master\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/12 16:17:06 | 00,000,804 | R--- | C] () -- C:\WINDOWS\System32\AsusSetup.ini
[2008/06/12 16:17:06 | 00,000,396 | R--- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
[2008/06/12 16:15:53 | 00,032,305 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/06/12 16:15:53 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/06/12 16:15:41 | 00,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/06/12 04:45:49 | 00,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/06/12 04:45:48 | 02,121,235 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2008/06/12 04:45:47 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/06/12 04:45:47 | 00,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/06/12 04:45:47 | 00,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/06/12 04:45:47 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/12 04:45:47 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/04/14 07:00:00 | 00,163,840 | ---- | C] () -- C:\WINDOWS\aneyuhaxovab.dll
[2007/12/04 00:03:59 | 00,001,084 | ---- | C] () -- C:\WINDOWS\System32\ASPRTMM8.DLL
[2007/03/12 12:01:30 | 00,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2005/04/13 11:34:22 | 00,005,120 | ---- | C] () -- C:\WINDOWS\System32\ALut(2).dll
[2004/02/20 15:36:34 | 00,416,256 | ---- | C] () -- C:\WINDOWS\exchndl.dll

========== LOP Check ==========

[2009/03/04 02:28:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CrazyBump
[2009/06/22 23:04:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ElectricSheep
[2009/08/23 13:53:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2009/01/09 03:20:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2008/11/09 04:12:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fallout3
[2009/03/04 02:28:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\licensecb
[2008/11/01 21:41:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2008/06/15 14:32:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2009/07/27 18:48:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/21 20:56:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Turbine
[2009/07/27 18:43:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Any DVD Converter Professional
[2009/07/24 18:12:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Any Video Converter
[2009/10/22 04:19:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Any Video Converter Professional
[2008/09/13 14:07:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Bioshock
[2009/09/26 22:44:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/06/15 14:26:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\DAEMON Tools
[2009/04/27 01:22:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\FrostWire
[2009/02/06 17:44:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\GetRightToGo
[2009/02/06 00:16:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Helios
[2009/07/23 02:53:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\LimeWire
[2008/06/15 14:32:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Propellerhead Software
[2008/10/03 13:35:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\SPORE
[2009/12/25 11:36:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\uTorrent
[2009/06/15 22:48:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Xbins

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/01/13 20:18:25 | 01,308,216 | ---- | M] (Trend Micro Inc.) -- C:\HiJackThis_v2.exe
[2009/02/06 00:12:48 | 02,815,998 | ---- | M] (Helios ) -- C:\txpeng520.exe


< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 07:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/08/21 05:24:28 | 00,105,344 | R--- | M] (NVIDIA Corporation) MD5=4D6C6B46B3EDF6F2E219A86B61D104AE -- C:\WINDOWS\system32\drivers\nvata.sys
[2006/08/21 05:24:28 | 00,105,344 | R--- | M] (NVIDIA Corporation) MD5=4D6C6B46B3EDF6F2E219A86B61D104AE -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\nvata.sys

< MD5 for: NVGTS.SYS >
[2008/08/18 17:54:00 | 00,145,952 | ---- | M] (NVIDIA Corporation) MD5=37954CD1D0AFC11BECD149F7C3EC88C2 -- C:\Program Files\Driver Sweeper\Backup\09-11-07-17-36-36\NVIDIA - Display\Directories\NVIDIA\nForceWin2k\15.23\IS\IDE\WinXP\sataraid\nvgts.sys
[2008/08/18 17:54:00 | 00,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\Program Files\Driver Sweeper\Backup\09-11-07-17-36-36\NVIDIA - Display\Directories\NVIDIA\nForceWin2k\15.23\IS\IDE\WinXP\sata_ide\nvgts.sys
[2009/12/30 23:27:28 | 00,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\WINDOWS\system32\drivers\nvgts.sys

< MD5 for: NVRD32.SYS >
[2008/08/18 17:54:00 | 00,133,152 | ---- | M] (NVIDIA Corporation) MD5=BEF704AA9E17D176A46DDF77C6A52194 -- C:\Program Files\Driver Sweeper\Backup\09-11-07-17-36-36\NVIDIA - Display\Directories\NVIDIA\nForceWin2k\15.23\IS\IDE\WinXP\sataraid\nvrd32.sys

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/17 14:01:06 | 00,058,880 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\atl.dll
[2009/07/13 22:43:24 | 10,841,088 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\wmp.dll
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FB1B13D8
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:661DFA1C
< End of report >

OTL Extras logfile created on: 1/1/2010 12:39:26 AM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Master\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.87 Gb Total Space | 25.50 Gb Free Space | 23.21% Space Free | Partition Type: NTFS
Drive D: | 622.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 55.89 Gb Total Space | 4.97 Gb Free Space | 8.90% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 27.95 Gb Total Space | 4.29 Gb Free Space | 15.35% Space Free | Partition Type: NTFS
Drive H: | 7.78 Mb Total Space | 7.77 Mb Free Space | 99.90% Space Free | Partition Type: FAT
Drive I: | 355.89 Gb Total Space | 8.04 Gb Free Space | 2.26% Space Free | Partition Type: NTFS
Drive W: | 465.76 Gb Total Space | 119.45 Gb Free Space | 25.65% Space Free | Partition Type: NTFS
Drive X: | 35.82 Gb Total Space | 11.14 Gb Free Space | 31.11% Space Free | Partition Type: NTFS
Drive Z: | 74.53 Gb Total Space | 25.58 Gb Free Space | 34.33% Space Free | Partition Type: NTFS

Computer Name: BEN
Current User Name: Master
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe" = C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- ()
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- ()
"E:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe" = E:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s -- ()
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Heroes of Might and Magic III Complete\Heroes3.exe" = C:\Heroes of Might and Magic III Complete\Heroes3.exe:*:Enabled:Heroes of Might and Magic® III -- File not found
"E:\NeverwinterNights\NWN\nwmain.exe" = E:\NeverwinterNights\NWN\nwmain.exe:*:Enabled:Neverwinter Nights -- File not found
"C:\WINDOWS\system32\ElectricSheep.scr" = C:\WINDOWS\system32\ElectricSheep.scr:*:Enabled:ElectricSheep -- File not found
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ -- ()
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"I:\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe" = I:\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV -- File not found
"C:\Program Files\Xfire\xfire.exe" = C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Crazybump\cb.exe" = C:\Program Files\Crazybump\cb.exe:*:Enabled:CrazyBump -- File not found
"C:\Documents and Settings\Master\Local Settings\Application Data\Dyyno Receiver\DPPM.exe" = C:\Documents and Settings\Master\Local Settings\Application Data\Dyyno Receiver\DPPM.exe:*:Enabled:Dyyno Plugin Receiver -- ()
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe" = C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe:*:Enabled:TurbineMessageService -- (Turbine, Inc.)
"C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe" = C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe:*:Enabled:TurbineNetworkService -- (Turbine, Inc.)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam 732897 -- (Valve Corporation)
"C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe" = C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™ -- (Activision Blizzard, Inc.)
"C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe" = C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™ -- (Activision Blizzard, Inc.)
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe" = C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe:*:Enabled:SiSoftware Deployment Agent Service -- (SiSoftware)
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\sandra.mui" = C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\sandra.mui:*:Enabled:SiSoftware Sandra Agent Service -- (SiSoftware)
"C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe" = C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2 -- ()
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\RpcSandraSrv.exe" = C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service -- (SiSoftware)
"C:\WINDOWS\system32\winupdate86.exe" = C:\WINDOWS\system32\winupdate86.exe:*:Enabled:winupdate86 -- File not found
"C:\WINDOWS\system32\regsvr32.exe" = C:\WINDOWS\system32\regsvr32.exe:*:Enabled:regsvr32 -- (Microsoft Corporation)
"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe" = C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe:*:Enabled:ekrn -- (ESET)
"C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe" = C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{064DC64E-7A2F-4FDF-B598-E3C0747BBB9C}" = Call of Duty® - World at War™ 1.6 Patch
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{149464D9-B06F-4505-9968-FD1206F67AD3}" = Call of Duty® - World at War™ 1.3 Patch
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F6423DE-7959-4178-80E0-023C7EAA5347}" = NVIDIA ForceWare Network Access Manager
"{23F79416-CAD1-41BF-99A3-040F6C814AAA}" = NVIDIA Photoshop Plug-ins
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 12
"{2BF0AE92-C3BC-4112-9066-1546342B1FAE}" = Call of Duty® - World at War™ 1.2 Patch
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{59E4543A-D49D-4489-B445-473D763C79AF}" = Microsoft Games for Windows - LIVE Redistributable
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{64B20B36-AEE7-4DD4-897C-C5DA5C218F60}" = Logitech Gaming Software 5.02
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{750C87B8-AF19-4C3C-B791-50D9C83AE572}" = Call of Duty® - World at War™ 1.7 Patch
"{75B61CF0-B8A8-46E2-8709-C4A79898AC1D}" = Data Lifeguard Diagnostic for Windows
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85C70286-A56F-4834-BD24-B34EB76A93A2}" = ESET NOD32 Antivirus
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{9F01A67B-7D67-482F-9D4F-D5980A440FD4}" = Call of Duty® - World at War™ 1.4 Patch
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3DE3C22-F14E-470F-91B2-E538ECB98857}" = Unigine Tropics Demo
"{A4810699-E859-43A6-8F40-1743873E72AB}" = Delta
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AFAE2B15-89A0-4215-A030-F7B5B478886B}" = Call of Duty® - World at War™ 1.1 Patch
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B210130E-835C-4581-A695-CE10616B8B55}_is1" = Driver Sweeper 2.0.5
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2010
"{C3DC2DF5-EFAC-4055-9010-31F7C545DD9E}" = Call of Duty® - World at War™ 1.5 Patch
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF3D660E-E5CC-47FD-8050-1B4DE3BA81A9}" = Dual-Core Optimizer
"15b35190-c6f9-11d9-9669-0800200c9a66_is1" = Dungeons and Dragons Online™ - Eberron Unlimited™ - Live
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"62289540-dc30-11dc-95ff-0800200c9a66_is1" = Turbine Download Manager - Live
"7-Zip" = 7-Zip 4.60 beta
"Adobe Audition 3.0" = Adobe Audition 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"Any Video Converter Professional_is1" = Any Video Converter Professional 2.7.3
"CCleaner" = CCleaner (remove only)
"CoD RconTool 10" = CoD RconTool 10
"CSI - Deadly Intent" = CSI - Deadly Intent
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Driver Cleaner Pro" = DH Driver Cleaner Professional Edition
"DVD Decrypter" = DVD Decrypter (Remove Only)
"EAX Unified" = EAX Unified
"Electricsheep Screensaver" = Electricsheep Screensaver 2.7b17
"HijackThis" = HijackThis 2.0.2
"Incoming" = Incoming
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"InstallShield_{149464D9-B06F-4505-9968-FD1206F67AD3}" = Call of Duty® - World at War™ 1.3 Patch
"InstallShield_{1F6423DE-7959-4178-80E0-023C7EAA5347}" = NVIDIA ForceWare Network Access Manager
"InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic 8.0
"InstallShield_{2BF0AE92-C3BC-4112-9066-1546342B1FAE}" = Call of Duty® - World at War™ 1.2 Patch
"InstallShield_{750C87B8-AF19-4C3C-B791-50D9C83AE572}" = Call of Duty® - World at War™ 1.7 Patch
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"InstallShield_{9F01A67B-7D67-482F-9D4F-D5980A440FD4}" = Call of Duty® - World at War™ 1.4 Patch
"InstallShield_{AFAE2B15-89A0-4215-A030-F7B5B478886B}" = Call of Duty® - World at War™ 1.1 Patch
"InstallShield_{C3DC2DF5-EFAC-4055-9010-31F7C545DD9E}" = Call of Duty® - World at War™ 1.5 Patch
"InstallShield_{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"iPrep" = iPrep v009
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.9.5 (Full)
"Magic Video Converter_is1" = Magic Video Converter Trial Version (English) 8.0.2.18
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.16)" = Mozilla Firefox (3.0.16)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero8Lite_is1" = Nero 8 Micro 8.3.6.0
"NetTools_is1" = NetTools 5.0
"No File Recovery_is1" = No File Recovery
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"QuicktimeAlt_is1" = QuickTime Alternative 2.6.0
"Reason4_is1" = Reason 4.0
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/29/2009 6:50:57 PM | Computer Name = BEN | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3623, faulting module
shlwapi.dll, version 6.0.2900.5512, fault address 0x0002c4a8.

Error - 12/29/2009 8:24:17 PM | Computer Name = BEN | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
wininet.dll, version 6.0.2900.5897, fault address 0x00066d67.

Error - 12/30/2009 10:06:08 PM | Computer Name = BEN | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2862, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 12/30/2009 10:06:08 PM | Computer Name = BEN | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 12/30/2009 10:06:11 PM | Computer Name = BEN | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2862, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 12/30/2009 10:07:05 PM | Computer Name = BEN | Source = Windows Product Activation | ID = 1002
Description = You have not successfully activated this product, or the current license
is incompatible with the existing operating system.

Error - 12/31/2009 2:31:07 AM | Computer Name = BEN | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> apache.exe:
could not open document config file C:/Program Files/NVIDIA Corporation/NetworkAccessManager/Apache
Group/Apache2/conf/httpd.conf .

Error - 12/31/2009 2:35:11 AM | Computer Name = BEN | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 6546, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 12/31/2009 2:35:11 AM | Computer Name = BEN | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 12/31/2009 2:35:14 AM | Computer Name = BEN | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 6546, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

[ System Events ]
Error - 12/31/2009 2:31:12 AM | Computer Name = BEN | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%2

Error - 12/31/2009 2:31:12 AM | Computer Name = BEN | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 12/31/2009 10:43:49 PM | Computer Name = BEN | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 12/31/2009 10:43:49 PM | Computer Name = BEN | Source = Service Control Manager | ID = 7024
Description = The Forceware Web Interface service terminated with service-specific
error 1 (0x1).

Error - 12/31/2009 10:43:49 PM | Computer Name = BEN | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 12/31/2009 10:43:49 PM | Computer Name = BEN | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%2

Error - 12/31/2009 10:43:50 PM | Computer Name = BEN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
nvata NVTCP

Error - 12/31/2009 11:07:18 PM | Computer Name = BEN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.104 for the Network Card with network
address 001FC6119E28 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/1/2010 1:39:40 AM | Computer Name = BEN | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 1/1/2010 1:39:40 AM | Computer Name = BEN | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >

Edited by isawben, 02 January 2010 - 02:28 AM.


#4 Orange Blossom


    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:33 PM

Posted 06 January 2010 - 06:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 isawben

  • Topic Starter

  • Members
  • 20 posts
  • Local time:04:33 PM

Posted 11 January 2010 - 12:08 AM

Sorry for my delay, I just got internet hooked up today. I'm getting redirected from Google searches, and there is a trojan trying to download an exe that keeps getting blocked every 5 min. Also, my onboard network adapters (nForce) stopped working; I don't get a green light with the cable plugged in. I am using a PCI network adapter now with generic Windows PnP, I guess?

BTW, is it OK to edit my earlier posts to make this page smaller?

Here is a fresh DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Master at 0:02:45.85 on Mon 01/11/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3056 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\DeltaIITray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Documents and Settings\Master\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {13EFF49B-0D15-417D-AF61-E41D0EA5C54A} = 4.2.2.1,4.2.2.2
TCP: {49C9C4FD-04AD-4349-8CB5-D32EFB6C5F51} = 4.2.2.1,4.2.2.2
TCP: {D1CD3A5B-766C-40F9-A31E-29EED829F7C3} = 4.2.2.1,4.2.2.2
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli mapat32.dll medemovo.dll
IFEO: taskmgr.exe - "c:\processexplorer\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\master\applic~1\mozilla\firefox\profiles\2xsgw7ie.default\
FF - plugin: c:\documents and settings\master\application data\mozilla\firefox\profiles\2xsgw7ie.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-29 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-29 735960]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2008-10-31 302728]
S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-9-21 271856]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-9-21 218608]
S3 mpr_freader;MPR FileReader Driver;\??\c:\docume~1\master\locals~1\temp\rarsfx1\mpr_freader.sys --> c:\docume~1\master\locals~1\temp\rarsfx1\mpr_freader.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010\RpcAgentSrv.exe [2009-12-17 93336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2010-01-11 02:29:03 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-01-11 02:29:03 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2009-12-31 02:06:11 4724 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-12-30 21:55:28 0 d-----w- c:\windows\tmp
2009-12-28 04:13:34 0 d-----w- c:\program files\NVIDIA nTune Performance Application
2009-12-27 03:46:18 8 ----a-w- c:\windows\system32\nvModes.dat
2009-12-27 03:44:56 0 d-----w- c:\windows\SxsCaPendDel
2009-12-26 23:51:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 23:51:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 23:51:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 04:17:15 0 ----a-w- c:\windows\system32\regsvr32
2009-12-26 03:51:57 0 d--h--w- c:\windows\PIF
2009-12-26 02:54:25 0 d-----w- C:\Autoruns
2009-12-26 02:26:50 0 d-----w- c:\program files\ESET
2009-12-25 03:30:52 2098 --sh--w- c:\windows\system32\buvoyaki.exe
2009-12-20 00:52:12 0 d-sh--r- C:\cmdcons
2009-12-20 00:52:11 0 d-----w- c:\windows\setup.pss
2009-12-20 00:51:57 0 d-----w- c:\windows\setupupd
2009-12-19 23:51:10 0 d-----w- c:\program files\Western Digital Corporation
2009-12-17 05:26:41 0 d-----w- c:\program files\SiSoftware
2009-12-13 07:00:31 8743 ----a-w- c:\windows\system32\nvinfo.pb
2009-12-13 07:00:31 7655872 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2009-12-13 07:00:31 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-12-13 07:00:29 5900416 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2009-12-13 07:00:29 5900416 ----a-w- c:\windows\system32\nv4_disp.dll

==================== Find3M ====================

2009-12-31 04:27:28 145952 ----a-w- c:\windows\system32\drivers\nvgts.sys
2009-12-22 22:48:51 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-22 22:42:53 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-17 17:09:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-30 19:33:46 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-16 02:44:12 2097152 ----a-w- c:\windows\sample5x.dat
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

============= FINISH: 0:03:27.24 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume4
Install Date: 6/12/2008 5:11:49 PM
System Uptime: 1/10/2010 9:27:04 PM (3 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2N-SLI DELUXE
Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+ | Socket AM2 | 2913/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 110 GiB total, 25.336 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 56 GiB total, 5.074 GiB free.
F: is CDROM ()
G: is FIXED (NTFS) - 28 GiB total, 4.289 GiB free.
H: is FIXED (FAT) - 0 GiB total, 0.008 GiB free.
I: is FIXED (NTFS) - 356 GiB total, 8.035 GiB free.
J: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 1/10/2010 9:06:13 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
7-Zip 4.60 beta
AAC Decoder
Adobe Anchor Service CS4
Adobe Audition 3.0
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Any Video Converter Professional 2.7.3
AutoUpdate
Call of Duty® - World at War™
Call of Duty® - World at War™ 1.1 Patch
Call of Duty® - World at War™ 1.2 Patch
Call of Duty® - World at War™ 1.3 Patch
Call of Duty® - World at War™ 1.4 Patch
Call of Duty® - World at War™ 1.5 Patch
Call of Duty® - World at War™ 1.6 Patch
Call of Duty® - World at War™ 1.7 Patch
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Call of Duty: Modern Warfare 2
Call of Duty: Modern Warfare 2 - Multiplayer
CCleaner (remove only)
CoD RconTool 10
Connect
CSI - Deadly Intent
Data Lifeguard Diagnostic for Windows
Delta
DH Driver Cleaner Professional Edition
DivX Codec
DivX Converter
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Driver Sweeper 2.0.5
Dual-Core Optimizer
Dungeons and Dragons Online™ - Eberron Unlimited™ - Live
DVD Decrypter (Remove Only)
EAX Unified
Electricsheep Screensaver 2.7b17
ESET NOD32 Antivirus
Fallout 3
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Incoming
iPrep v009
Java™ 6 Update 12
K-Lite Codec Pack 3.9.5 (Full)
kuler
Logitech Gaming Software 5.02
Magic Video Converter Trial Version (English) 8.0.2.18
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office FrontPage 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WSE 3.0 Runtime
MKV Splitter
Mozilla Firefox (3.0.17)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
Nero 8 Micro 8.3.6.0
neroxml
Netflix Movie Viewer
NetTools 5.0
Neverwinter Nights 2
No File Recovery
Norton PartitionMagic 8.0
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA nTune
NVIDIA Photoshop Plug-ins
NVIDIA PhysX
Octoshape add-in for Adobe Flash Player
OpenAL
PDF Settings CS4
Photoshop Camera Raw
Primo
QuickTime Alternative 2.6.0
Reason 4.0
Security Update for Windows XP (KB956802)
SiSoftware Sandra Lite 2010
Sony Picture Utility
SPORE™
Spybot - Search & Destroy
Steam
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
TBS WMP Plug-in
TextPad 5
Turbine Download Manager - Live
Unigine Tropics Demo
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
WD Diagnostics
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

1/6/2010 3:03:12 AM, error: AmdLLD [11] - AdjustCoreTSC() Node[ 0 ] Core[ 0 ] Cpu[ 0 ] Affinity[ 0x1 ] Error: HalGetBusDataByOffset() failed reading north-bridge TSC.
1/6/2010 1:07:53 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: NVTCP
1/6/2010 1:07:53 AM, error: Service Control Manager [7024] - The Forceware Web Interface service terminated with service-specific error 1 (0x1).
1/6/2010 1:07:53 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
1/6/2010 1:07:53 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The system cannot find the file specified.
1/6/2010 1:07:50 AM, error: SRService [104] - The System Restore initialization process failed.

==== End Of File ===========================

Edited by isawben, 11 January 2010 - 12:18 AM.
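The AppInit_DLLs and LSA "Notification Packages" lines in the DDS log above are the load points a helper checks first, because anything listed there is loaded into other processes at boot or logon. As an added example (not DDS's own code, and not posted by anyone in this thread), here is a small Python triage that parses those "Key: value" lines and reports entries outside an assumed allowlist. The sample lines are copied from the log above; the allowlist and the Finding type are assumptions for illustration.

```python
"""Triage load-point lines from a DDS log.

Added example for this thread; it is not DDS's own code. It reads the
one-line-per-entry "Key: value" format DDS prints for a few Windows
load points and reports entries outside a small allowlist. The
allowlist is an assumption for illustration, not an authoritative list.
"""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Lines copied from the DDS Attach.txt section posted above.
SAMPLE_LOG = r"""
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli mapat32.dll medemovo.dll
IFEO: taskmgr.exe - "c:\processexplorer\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Assumed known-good values per load point. "scecli" is the stock LSA
# notification package on Windows XP; AppInit_DLLs is empty on a clean
# install; the other two names belong to software the poster installed.
KNOWN_GOOD = {
    "LSA": {"scecli"},
    "AppInit_DLLs": set(),
    "SSODL": {"WPDShServiceObj"},
    "Notify": {"!SASWinLogon"},
}

class Finding(NamedTuple):
    load_point: str
    value: str
    reason: str

def parse_entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (load_point, value) for every 'Key: value' line."""
    for line in log.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log: str) -> List[Finding]:
    """Return entries a reviewer should look at, each with a reason."""
    findings: List[Finding] = []
    for point, value in parse_entries(log):
        if point == "LSA":
            # "Notification Packages = a b c": each package is loaded into
            # lsass.exe at boot and is told about password changes.
            _, _, pkgs = value.partition("=")
            for pkg in pkgs.split():
                if pkg.lower() not in KNOWN_GOOD["LSA"]:
                    findings.append(Finding(point, pkg, "unknown LSA notification package"))
        elif point == "AppInit_DLLs":
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for dll in value.split():
                if dll.lower() not in KNOWN_GOOD["AppInit_DLLs"]:
                    findings.append(Finding(point, dll, "DLL injected into every user32 process"))
        elif point in ("SSODL", "Notify"):
            # Shell service objects and Winlogon notify DLLs: compare the
            # leading name against the allowlist.
            name = value.split(" - ")[0]
            if name not in KNOWN_GOOD[point]:
                findings.append(Finding(point, name, "not on allowlist"))
        elif point == "IFEO":
            # Image File Execution Options "Debugger" redirects are always worth a look.
            exe, _, debugger = value.partition(" - ")
            findings.append(Finding(point, exe, f"launch redirected to {debugger.strip()}"))
        elif point == "Hosts":
            findings.append(Finding(point, value, "hosts file override"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.load_point:13} {f.value:45} {f.reason}")
```

The check compares against known-good rather than known-bad: on the sample above it leaves the SUPERAntiSpyware and WPD entries alone and surfaces kbdsock.dll, mapat32.dll and medemovo.dll, which is exactly the set a helper would ask about next. The IFEO line is reported regardless, since redirecting taskmgr.exe to Process Explorer is legitimate here but the same key is a common hijack point.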


#6 isawben (Topic Starter, Members, 20 posts)

Posted 11 January 2010 - 12:20 AM

Here is a NOD32 log entry showing the trojan: "1/11/2010 12:18:23 AM HTTP filter file hxxp://bfskul.com/loaderadv699.exe a variant of Win32/Kryptik.BPL trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe."

This pops up every 5 min. It does stop if I disconnect from the internet, though.

* I'm also not able to open many programs because of DLL errors.

Edited by isawben, 11 January 2010 - 08:32 PM.


#7 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 12 January 2010 - 02:24 PM

Hello and welcome from me as well! :(

Please provide a rootkit scan as well so that we get a better impression of what is going on on your PC:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 isawben (Topic Starter, Members, 20 posts)

Posted 14 January 2010 - 01:10 AM

I ran GMER and the scan stopped while scanning Program Files and threw an error (something like: the scan cannot be completed). Here is the log it created:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-14 01:07:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Master\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT 88F358A0 ZwAssignProcessToJobObject
SSDT spep.sys ZwCreateKey [0xB7EA80E0]
SSDT spep.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT spep.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT spep.sys ZwOpenKey [0xB7EA80C0]
SSDT 88F34CB0 ZwOpenProcess
SSDT 88F350D0 ZwOpenThread
SSDT spep.sys ZwQueryKey [0xB7EC7108]
SSDT spep.sys ZwQueryValueKey [0xB7EC6F88]
SSDT spep.sys ZwSetValueKey [0xB7EC719A]
SSDT 88F356D0 ZwSuspendProcess
SSDT 88F354F0 ZwSuspendThread
SSDT 88F34EE0 ZwTerminateProcess
SSDT 88F35310 ZwTerminateThread

INT 0x62 ? 8AFCFBF8
INT 0x63 ? 8AFD2BF8
INT 0x73 ? 8AFCFBF8
INT 0x73 ? 8AFCFBF8
INT 0x73 ? 8AFCFBF8
INT 0x94 ? 8AD62F00
INT 0xA4 ? 8AFD2BF8
INT 0xB4 ? 8AFD2BF8
INT 0xB4 ? 8AD62F00
INT 0xB4 ? 8AFD2BF8

---- Kernel code sections - GMER 1.0.15 ----

? spep.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B64D08AC 5 Bytes JMP 8AD624E0
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5C14360, 0x3E57A5, 0xE8000020]
.text azsnu6vw.SYS B5B9B384 1 Byte [20]
.text azsnu6vw.SYS B5B9B384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text azsnu6vw.SYS B5B9B3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text azsnu6vw.SYS B5B9B3C4 3 Bytes [00, 00, 00]
.text azsnu6vw.SYS B5B9B3C9 1 Byte [00]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1888] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spep.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spep.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spep.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spep.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spep.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spep.sys
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\azsnu6vw.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AFCD1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 8AB281F8
Device \Driver\usbohci \Device\USBPDO-0 8AC681F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B0411F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B0411F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B0411F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B0411F8
Device \Driver\usbehci \Device\USBPDO-1 8AC641F8
Device \Driver\PCI_PNP6288 \Device\00000052 spep.sys
Device \Driver\sptd \Device\908305038 spep.sys

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AFD01F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AFD01F8
Device \Driver\Cdrom \Device\CdRom0 8AC5B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AFD01F8
Device \Driver\Cdrom \Device\CdRom1 8AC5B1F8
Device \Driver\atapi \Device\Ide\IdePort0 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume4 8AFD01F8
Device \Driver\Cdrom \Device\CdRom2 8AC5B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8AFD01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D1CD3A5B-766C-40F9-A31E-29EED829F7C3} 88F1A1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88F1A1F8
Device \Driver\NetBT \Device\NetbiosSmb 88F1A1F8
Device \Driver\usbohci \Device\USBFDO-0 8AC681F8
Device \Driver\usbehci \Device\USBFDO-1 8AC641F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88F121F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88F121F8
Device \Driver\Ftdisk \Device\FtControl 8AFD01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{49C9C4FD-04AD-4349-8CB5-D32EFB6C5F51} 88F1A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{13EFF49B-0D15-417D-AF61-E41D0EA5C54A} 88F1A1F8
Device \Driver\nvgts \Device\Scsi\nvgts1Port4Path1Target1Lun0 8AFCE1F8
Device \Driver\azsnu6vw \Device\Scsi\azsnu6vw1 8AC8D1F8
Device \Driver\nvgts \Device\Scsi\nvgts1 8AFCE1F8
Device \Driver\azsnu6vw \Device\Scsi\azsnu6vw1Port7Path0Target1Lun0 8AC8D1F8
Device \Driver\nvgts \Device\Scsi\nvgts2 8AFCE1F8
Device \Driver\nvgts \Device\Scsi\nvgts3 8AFCE1F8
Device \Driver\azsnu6vw \Device\Scsi\azsnu6vw1Port7Path0Target0Lun0 8AC8D1F8
Device \FileSystem\Fastfat \Fat 8AB281F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 8AD2E500

---- Threads - GMER 1.0.15 ----

Thread System [4:416] 88F33930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFA 0xCC 0x33 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x2C 0x1B 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF8 0xC1 0x1E 0xB9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x53 0x20 0xD9 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFA 0xCC 0x33 0xA5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x2C 0x1B 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF8 0xC1 0x1E 0xB9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x53 0x20 0xD9 0x1B ...

---- EOF - GMER 1.0.15 ----

#9 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 14 January 2010 - 07:08 AM

Hi,

Please run DeFogger and try to run a new scan of GMER afterwards:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

regards myrti



#10 isawben (Topic Starter, Members, 20 posts)

Posted 15 January 2010 - 11:52 PM

DeFogger worked just fine.

GMER on the other hand :(

After the first scan completed I hit save and then plugged in my internet before the save dialogue fully loaded. Then explorer.exe froze and I kept getting save errors.

Reboot.

It was late, so I left GMER on all night (it took like 4-6 hrs to scan). When I woke up, it was frozen and completely blank; explorer.exe had crashed.

Today I ran it again and disabled my screensaver (well, I set it to 1050 min so it wouldn't pop up while scanning).

SUCCESS!

But after I saved the log and closed GMER, Windows froze again.

But anyways, here is the log that I saved :(

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 23:42:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Master\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT 88FCF8A0 ZwAssignProcessToJobObject
SSDT 88FCECB0 ZwOpenProcess
SSDT 88FCF0D0 ZwOpenThread
SSDT 88FCF6D0 ZwSuspendProcess
SSDT 88FCF4F0 ZwSuspendThread
SSDT 88FCEEE0 ZwTerminateProcess
SSDT 88FCF310 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5E1F360, 0x3E57A5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[420] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\svchost.exe[1196] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0251000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:400] 88FCD930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFA 0xCC 0x33 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x2C 0x1B 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF8 0xC1 0x1E 0xB9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x53 0x20 0xD9 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFA 0xCC 0x33 0xA5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x2C 0x1B 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF8 0xC1 0x1E 0xB9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x53 0x20 0xD9 0x1B ...

---- EOF - GMER 1.0.15 ----

Edited by isawben, 15 January 2010 - 11:53 PM.
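The two GMER logs in this thread (the first scan in post #8 and the one above, run after DeFogger) are most useful side by side: the spep.sys SSDT and IAT hooks disappear once the CD-emulation drivers are disabled, and a new inline JMP hook on ole32.dll!CoCreateInstance inside svchost.exe (the same process NOD32 keeps blocking) becomes visible. As an added example that is not GMER's own code and was not posted by anyone here, the Python below parses those three line shapes, drops addresses and PIDs so hooks compare equal across reboots, and diffs the two scans. The extracts are taken from the logs above; the KNOWN_DRIVERS table, and the attribution of spep.sys to the sptd driver, are assumptions, the latter supported only by the hooks vanishing after DeFogger.

```python
"""Parse the hook lines GMER prints and diff two scans.

Added example for this thread; it is not GMER's own code. It handles
three line shapes from the logs above (SSDT, user-mode .text inline
hooks, IAT) and shows what changed between the scan run before
DeFogger and the one run after it. Attributing spep.sys to the sptd
CD-emulation driver is an assumption, supported by its hooks vanishing
once DeFogger disabled those drivers.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

class Hook(NamedTuple):
    kind: str    # "SSDT", "TEXT" or "IAT"
    target: str  # hooked function, or process:module!function
    owner: str   # module the hook resolves to, a JMP target, or "<unknown>"

# Extracts from the two GMER logs posted above (first scan, then the
# scan after DeFogger). Addresses and PIDs are as in the logs.
SCAN_BEFORE = r"""
SSDT 88F358A0 ZwAssignProcessToJobObject
SSDT spep.sys ZwCreateKey [0xB7EA80E0]
SSDT spep.sys ZwOpenKey [0xB7EA80C0]
SSDT 88F34CB0 ZwOpenProcess
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1888] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spep.sys
"""
SCAN_AFTER = r"""
SSDT 88FCF8A0 ZwAssignProcessToJobObject
SSDT 88FCECB0 ZwOpenProcess
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[420] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\svchost.exe[1196] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0251000A
"""

# Assumed attribution table for named hook owners.
KNOWN_DRIVERS: Dict[str, str] = {
    "spep.sys": "sptd CD-emulation helper (DAEMON Tools), gone after DeFogger",
}

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
TEXT_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+!\w+)\s+[0-9A-F]+\s+\d+\s+Bytes\s+(.*)$")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[([^\]]+)\]\s+\[[0-9A-F]+\]\s+(\S+)")
ADDR_RE = re.compile(r"^[0-9A-F]{8}$")

def parse_hooks(log: str) -> List[Hook]:
    """Turn GMER lines into Hook records; addresses and PIDs are dropped
    so the same hook compares equal across reboots."""
    hooks: List[Hook] = []
    for line in log.splitlines():
        if m := SSDT_RE.match(line):
            # A bare address means GMER could not name the module owning the handler.
            owner = "<unknown>" if ADDR_RE.match(m.group(1)) else m.group(1)
            hooks.append(Hook("SSDT", m.group(2), owner))
        elif m := TEXT_RE.match(line):
            proc = m.group(1).rsplit("\\", 1)[-1]
            patch = m.group(4)
            owner = "JMP " + patch.split()[-1] if patch.startswith("JMP") else "inline patch"
            hooks.append(Hook("TEXT", f"{proc}:{m.group(3)}", owner))
        elif m := IAT_RE.match(line):
            hooks.append(Hook("IAT", f"{m.group(1)}:{m.group(2)}", m.group(3)))
    return hooks

def attribute(hook: Hook) -> str:
    """Label a hook as expected (known driver) or as needing review."""
    if hook.owner in KNOWN_DRIVERS:
        return f"expected: {KNOWN_DRIVERS[hook.owner]}"
    if hook.owner.startswith("JMP"):
        return "review: inline JMP out of the module into memory GMER did not attribute"
    if hook.owner == "<unknown>":
        return "review: SSDT handler not attributed to a module"
    return "review: patched bytes"

def diff_scans(before: str, after: str) -> Tuple[List[Hook], List[Hook]]:
    """Return (hooks gone in the second scan, hooks new in the second scan)."""
    a, b = set(parse_hooks(before)), set(parse_hooks(after))
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    gone, new = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for tag, hooks in (("gone", gone), ("new", new)):
        for h in hooks:
            print(f"{tag:4} {h.kind:4} {h.target:55} {attribute(h)}")
```

Run stand-alone it lists the three spep.sys hooks as gone and the svchost.exe CoCreateInstance JMP as new. The SSDT entries that only carry an address (ZwOpenProcess and friends) are present in both scans and are left as "review": GMER could not tie them to a module, so a helper would match them against the installed security tools before drawing conclusions.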


#11 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 16 January 2010 - 06:17 AM

Hi,

sorry to hear gmer gave you such trouble. I'll have to have you run another tool right now though. :( It shouldn't take more than 20 seconds (at least not much more):

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti



#12 isawben (Topic Starter, Members, 20 posts)

Posted 17 January 2010 - 06:22 PM

This one ran so fast I didn't see the box pop up :(

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

#13 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 17 January 2010 - 07:09 PM

Hi,

Can you please check if a folder called helpAssistant is present in C:\documents and settings?

regards myrti



#14 isawben (Topic Starter, Members, 20 posts)

Posted 17 January 2010 - 11:18 PM

It seems there is no folder, hidden or not, by that name in c:\documents and settings.

#15 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 18 January 2010 - 07:26 AM

Hi,

that is good news! :(

Please provide a log from OTL:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
And a log from Rootrepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
regards myrti





