ntfs.sys and atapi.sys trojan


This topic is locked
22 replies to this topic

#1 Notlethal

Notlethal

  • Members
  • 11 posts

Posted 31 December 2009 - 12:31 PM

Hello

AVG Free 8.5 identified these two viruses and I know for a fact that removing system files can be dangerous :(

I read the prep guide and ran the script with the rootkit scan.

Many thanks for the support in advance.

Oh and my windows is in french so if you need a translation for certain words I can probably help with that.

Here is the DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Frederic at 20:51:30,71 on 2009-12-30
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professionnel 5.1.2600.2.1252.2.1036.18.2047.1220 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Frederic\Bureau\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [<NO NAME>]
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [MacDrive 8 application] "c:\program files\mediafour\macdrive 8\MacDrive.exe"
mRun: [Getting started with MacDrive 8] "c:\program files\mediafour\macdrive 8\MDGetStarted.exe" /auto
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\fichie~1\micros~1\dw\dwtrig20.exe" -t
dRun: [braviax]
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204686826359
DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - hxxp://www.touslesdrivers.com/fichiers/hardwaredetection/hardwaredetection_2_0_4_6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {24E9519B-3F70-429B-99BC-4B2B49B96F66} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnnlJCT
Hosts: 192.168.0.1 wootman.dyndns.ws
Hosts: 24.200.15.158 wootman.dyndns.ws
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\frederic\applic~1\mozilla\firefox\profiles\920445o6.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\frederic\application data\mozilla\firefox\profiles\920445o6.default\extensions\{bb628310-0ab7-11db-9cd8-0800200c9a66}\plugins\nphardwaredetection.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\rayv\rayv\plugins\nprayvplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-9-28 259176]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2009-7-31 27488]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-12 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 297752]
R2 MacDrive8Service;MacDrive 8 service;c:\program files\mediafour\macdrive 8\MacDrive8Service.exe [2009-9-23 150528]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-11-21 57440]
S3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [2009-11-21 434688]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-4 25832]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link xtreme n dual band dwa-160\jswutil\jswpsapi.exe [2009-11-21 356434]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2009-5-29 234864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-12-28 17:34:34 8743 ----a-w- c:\windows\system32\nvinfo.pb
2009-12-28 17:34:33 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-28 17:34:32 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-12-28 02:14:36 0 d-----w- c:\program files\KAPITALSIN
2009-12-28 00:37:11 0 d-----w- c:\program files\ReflexiveArcade
2009-12-26 16:46:17 0 d-----w- c:\program files\LucasArts
2009-12-20 00:11:29 0 d-----w- c:\program files\TheMoltenCore
2009-12-18 18:28:22 0 d-----w- c:\docume~1\frederic\applic~1\Xfire
2009-12-18 18:28:20 0 d-----w- c:\program files\Xfire
2009-12-16 18:49:57 62060 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 18:20:15 0 d-----w- c:\program files\AviSynth 2.5
2009-12-16 18:20:07 0 d-----w- c:\program files\Red Kawa
2009-12-12 23:03:52 0 d-----w- c:\program files\fichiers communs\Mediafour
2009-12-12 23:03:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Mediafour
2009-12-12 23:03:34 0 d-----w- c:\program files\Mediafour
2009-12-12 19:07:11 0 d-----w- c:\program files\Western Digital Corporation
2009-12-12 19:07:02 0 d-----w- c:\program files\Western Digital
2009-12-12 18:03:13 147616 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-12 18:01:38 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-12 18:01:38 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-12 18:00:50 0 d-----w- c:\program files\iPod
2009-12-12 18:00:44 0 d-----w- c:\program files\iTunes
2009-12-12 18:00:44 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-12 17:59:18 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-12 17:59:18 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-12-12 17:58:43 0 d-----w- c:\program files\fichiers communs\Apple
2009-12-09 14:09:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-12-09 02:46:56 0 d-----w- c:\program files\fichiers communs\Blizzard Entertainment
2009-12-09 02:38:18 0 d-----w- c:\program files\World of Warcraft
2009-12-03 16:49:27 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-03 16:49:25 0 d-----w- c:\program files\K-Lite Codec Pack
2009-12-03 16:38:38 0 d-----w- c:\docume~1\frederic\applic~1\Babylon
2009-12-03 16:38:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Babylon
2009-12-03 16:38:07 0 d-----w- c:\program files\TVersity Codec Pack
2009-12-03 16:37:52 0 d-----w- c:\program files\TVersity

==================== Find3M ====================

2009-12-26 23:51:27 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-26 23:10:09 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-24 15:49:40 86888 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-12-23 17:07:45 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-23 17:07:45 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-12 18:03:13 147616 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-30 19:37:34 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-21 02:34:54 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34:54 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34:54 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34:54 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34:54 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34:54 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34:54 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34:54 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 15:51:18 86186 ----a-w- c:\windows\system32\perfc00C.dat
2009-11-01 15:51:18 513336 ----a-w- c:\windows\system32\perfh00C.dat
2009-10-08 15:08:59 216932 ----a-w- c:\windows\hpoins43.dat
2009-10-07 22:07:06 31232 ----a-w- c:\windows\system32\maplec.dll
2009-10-07 22:07:06 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2009-10-07 22:07:06 20480 ----a-w- c:\windows\system32\maplecompat.dll
2003-09-16 06:19:48 99544 ----a-w- c:\windows\inf\virprn.exe
2003-09-16 06:19:48 18950 ----a-w- c:\windows\inf\virpntd.dll
2003-09-16 06:19:48 10240 ----a-w- c:\windows\inf\virport.dll
2003-09-16 06:19:46 90624 ----a-w- c:\windows\inf\prtproc.dll
2008-04-08 23:23:38 6729 --sha-w- c:\windows\system32\TCJlnnpo.ini2

============= FINISH: 20:52:06,56 ===============


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 09 January 2010 - 03:05 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 Notlethal

Notlethal
  • Topic Starter

  • Members
  • 11 posts

Posted 11 January 2010 - 11:29 AM

Hello again, I've run the DDS.scr but the GMER scan makes my computer restart when it's scanning my files.

I tried twice and I got the same result. :(

So here is the DDS

DDS (Ver_09-12-01.01) - NTFSx86
Run by Frederic at 23:23:31,56 on 2010-01-10
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professionnel 5.1.2600.2.1252.2.1036.18.2047.952 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\Frederic\Bureau\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [<NO NAME>]
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [MacDrive 8 application] "c:\program files\mediafour\macdrive 8\MacDrive.exe"
mRun: [Getting started with MacDrive 8] "c:\program files\mediafour\macdrive 8\MDGetStarted.exe" /auto
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\fichie~1\micros~1\dw\dwtrig20.exe" -t
dRun: [braviax]
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204686826359
DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - hxxp://www.touslesdrivers.com/fichiers/hardwaredetection/hardwaredetection_2_0_4_6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {24E9519B-3F70-429B-99BC-4B2B49B96F66} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnnlJCT
Hosts: 192.168.0.1 wootman.dyndns.ws
Hosts: 24.200.15.158 wootman.dyndns.ws
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\frederic\applic~1\mozilla\firefox\profiles\920445o6.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\frederic\application data\mozilla\firefox\profiles\920445o6.default\extensions\{bb628310-0ab7-11db-9cd8-0800200c9a66}\plugins\nphardwaredetection.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\rayv\rayv\plugins\nprayvplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-9-28 259176]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2009-7-31 27488]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-12 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 297752]
R2 MacDrive8Service;MacDrive 8 service;c:\program files\mediafour\macdrive 8\MacDrive8Service.exe [2009-9-23 150528]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-11-21 57440]
S3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [2009-11-21 434688]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-4 25832]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link xtreme n dual band dwa-160\jswutil\jswpsapi.exe [2009-11-21 356434]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2009-5-29 234864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-01-07 04:37:38 0 ----a-w- c:\documents and settings\frederic\ntuser.tmp
2010-01-05 05:32:59 0 d-----w- c:\docume~1\frederic\applic~1\Conor O'Kane
2010-01-05 05:18:51 4096 ----a-w- c:\windows\d3dx.dat
2009-12-28 17:34:34 8743 ----a-w- c:\windows\system32\nvinfo.pb
2009-12-28 17:34:33 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-28 17:34:32 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-12-28 02:14:36 0 d-----w- c:\program files\KAPITALSIN
2009-12-28 00:37:11 0 d-----w- c:\program files\ReflexiveArcade
2009-12-26 16:46:17 0 d-----w- c:\program files\LucasArts
2009-12-20 00:11:29 0 d-----w- c:\program files\TheMoltenCore
2009-12-18 18:28:22 0 d-----w- c:\docume~1\frederic\applic~1\Xfire
2009-12-18 18:28:20 0 d-----w- c:\program files\Xfire
2009-12-16 18:49:57 62060 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 18:20:15 0 d-----w- c:\program files\AviSynth 2.5
2009-12-16 18:20:07 0 d-----w- c:\program files\Red Kawa
2009-12-12 23:03:52 0 d-----w- c:\program files\fichiers communs\Mediafour
2009-12-12 23:03:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Mediafour
2009-12-12 23:03:34 0 d-----w- c:\program files\Mediafour
2009-12-12 19:07:11 0 d-----w- c:\program files\Western Digital Corporation
2009-12-12 19:07:02 0 d-----w- c:\program files\Western Digital
2009-12-12 18:03:13 147616 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-12 18:01:38 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-12 18:01:38 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-12 18:00:50 0 d-----w- c:\program files\iPod
2009-12-12 18:00:44 0 d-----w- c:\program files\iTunes
2009-12-12 18:00:44 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-12 17:59:18 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-12-12 17:59:18 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-12-12 17:58:43 0 d-----w- c:\program files\fichiers communs\Apple

==================== Find3M ====================

2010-01-04 23:55:01 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-04 23:31:01 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-24 15:49:40 86888 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-12-23 17:07:45 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-23 17:07:45 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-12 18:03:13 147616 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-30 19:37:34 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-21 02:34:54 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34:54 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34:54 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34:54 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34:54 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34:54 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34:54 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34:54 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 15:51:18 86186 ----a-w- c:\windows\system32\perfc00C.dat
2009-11-01 15:51:18 513336 ----a-w- c:\windows\system32\perfh00C.dat
2003-09-16 06:19:48 99544 ----a-w- c:\windows\inf\virprn.exe
2003-09-16 06:19:48 18950 ----a-w- c:\windows\inf\virpntd.dll
2003-09-16 06:19:48 10240 ----a-w- c:\windows\inf\virport.dll
2003-09-16 06:19:46 90624 ----a-w- c:\windows\inf\prtproc.dll
2008-04-08 23:23:38 6729 --sha-w- c:\windows\system32\TCJlnnpo.ini2

============= FINISH: 23:23:55,98 ===============


And here is the Attach


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professionnel
Boot Device: \Device\HarddiskVolume1
Install Date: 2007-07-12 15:14:38
System Uptime: 2010-01-10 21:41:10 (2 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2N
Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+ | CPU 1 | 2812/200mhz
Processor: AMD Athlon™ 64 X2 Dual Core Processor 5600+ | CPU 1 | 2812/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 29,263 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is CDROM ()
K: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Logitech PS/2 Keyboard
Device ID: ACPI\PNP0303\4&38D79619&0
Manufacturer: Logitech
Name: Logitech PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&38D79619&0
Service: i8042prt

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C4700 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: C4700,192.168.1.7
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4700 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4700 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro 8500 A909g
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Officejet Pro 8500 A909g
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:

==== System Restore Points ===================

RP562: 2009-10-12 13:31:33 - Point de vérification système
RP563: 2009-10-13 17:30:16 - Software Distribution Service 3.0
RP564: 2009-10-15 12:08:37 - Point de vérification système
RP565: 2009-10-15 19:44:16 - Software Distribution Service 3.0
RP566: 2009-10-16 17:49:36 - Avg8 Update
RP567: 2009-10-17 15:09:12 - Removed Far Cry 2
RP568: 2009-10-17 15:10:32 - Configuré Jurassic Park Operation Genesis
RP569: 2009-10-17 15:13:14 - Supprimé NVIDIA PhysX
RP570: 2009-10-17 15:14:21 - Removed Prototype™
RP571: 2009-10-17 20:52:27 - Installed OF Dragon Rising
RP572: 2009-10-18 13:03:12 - SPTD setup V1.58
RP573: 2009-10-18 13:10:54 - Installed Oblivion
RP574: 2009-10-18 13:11:09 - DirectX 9.0 installé
RP575: 2009-10-18 13:20:02 - Installed Oblivion - Shivering Isles/Knights of the Nine
RP576: 2009-10-18 13:23:47 - Installed Oblivion - Horse Armor Pack
RP577: 2009-10-18 13:24:01 - Installed Oblivion - Mehrunes Razor
RP578: 2009-10-18 13:24:12 - Installed Oblivion - Orrery
RP579: 2009-10-18 13:24:22 - Installed Oblivion - Spell Tomes
RP580: 2009-10-18 13:24:33 - Installed Oblivion - Thieves Den
RP581: 2009-10-18 13:24:46 - Installed Oblivion - Vile Lair
RP582: 2009-10-18 13:24:55 - Installed Oblivion - Wizard's Tower
RP583: 2009-10-18 13:25:05 - Installed Oblivion - The Fighter's Stronghold
RP584: 2009-10-20 17:33:29 - Avg8 Update
RP585: 2009-10-20 17:53:55 - Software Distribution Service 3.0
RP586: 2009-10-20 18:26:05 - DirectX est installé
RP587: 2009-10-22 19:48:40 - Software Distribution Service 3.0
RP588: 2009-10-23 18:56:42 - Installed League of Legends
RP589: 2009-10-24 19:04:37 - Point de vérification système
RP590: 2009-10-26 21:37:40 - Point de vérification système
RP591: 2009-10-25 19:49:31 - Point de vérification système
RP592: 2009-10-26 16:08:18 - DirectX est installé
RP593: 2009-10-27 18:15:43 - Point de vérification système
RP594: 2009-10-28 19:51:56 - Point de vérification système
RP595: 2009-10-29 11:37:37 - Software Distribution Service 3.0
RP596: 2009-10-29 16:45:54 - Installed Seagate Manager Installer
RP597: 2009-10-31 12:17:59 - Installed Bully Scholarship Edition
RP598: 2009-11-02 16:56:51 - Avg8 Update
RP599: 2009-11-03 17:14:05 - Software Distribution Service 3.0
RP600: 2009-11-04 19:59:54 - Point de vérification système
RP601: 2009-11-06 17:37:07 - Avg8 Update
RP602: 2009-11-06 17:57:38 - Software Distribution Service 3.0
RP603: 2009-11-09 16:11:48 - Software Distribution Service 3.0
RP604: 2009-11-11 14:28:32 - Supprimé Nero 7 Essentials
RP605: 2009-11-11 14:31:45 - Installed LightScribe System Software.
RP606: 2009-11-11 14:49:28 - Installed LightScribe Template Labeler.
RP607: 2009-11-12 11:30:39 - Software Distribution Service 3.0
RP608: 2009-11-15 20:36:01 - Point de vérification système
RP609: 2009-11-17 16:43:37 - Software Distribution Service 3.0
RP610: 2009-11-18 20:21:24 - Point de vérification système
RP611: 2009-11-19 20:05:31 - DirectX est installé
RP612: 2009-11-20 02:21:10 - Software Distribution Service 3.0
RP613: 2009-11-21 13:13:43 - Point de vérification système
RP614: 2009-11-21 15:37:19 - Installé D-Link Xtreme N Dual Band DWA-160
RP615: 2009-11-21 15:37:30 - Installed ANIO Service
RP616: 2009-11-21 15:37:50 - Installed ANIWZCS2 Service
RP617: 2009-11-22 22:18:50 - Point de vérification système
RP618: 2009-11-24 14:10:40 - Software Distribution Service 3.0
RP619: 2009-11-26 11:20:36 - Avg8 Update
RP620: 2009-11-26 16:13:01 - Software Distribution Service 3.0
RP621: 2009-11-27 16:54:18 - Point de vérification système
RP622: 2009-11-29 13:48:23 - Point de vérification système
RP623: 2009-11-30 20:55:14 - Point de vérification système
RP624: 2009-12-01 17:05:58 - Software Distribution Service 3.0
RP625: 2009-12-03 11:06:59 - Point de vérification système
RP626: 2009-12-03 19:10:01 - Software Distribution Service 3.0
RP627: 2009-12-04 21:52:47 - Point de vérification système
RP628: 2009-12-06 12:03:46 - Point de vérification système
RP629: 2009-12-08 15:57:38 - Software Distribution Service 3.0
RP630: 2009-12-09 08:34:01 - Avg8 Update
RP631: 2009-12-11 11:49:37 - Avg8 Update
RP632: 2009-12-11 11:51:13 - Avg8 Update
RP633: 2009-12-11 12:11:01 - Software Distribution Service 3.0
RP634: 2009-12-12 13:00:36 - Installé iTunes
RP635: 2009-12-12 18:03:50 - Installed MacDrive 8
RP636: 2009-12-12 18:32:37 - Supprimé TuneUp Utilities 2008
RP637: 2009-12-12 19:45:30 - Removed Seagate Manager Installer
RP638: 2009-12-13 12:35:29 - Supprimé PhotoStudio
RP639: 2009-12-13 12:36:31 - Configured Bully Scholarship Edition
RP640: 2009-12-13 12:51:01 - Removed Oblivion - Wizard's Tower
RP641: 2009-12-13 12:52:54 - Removed Oblivion - Vile Lair
RP642: 2009-12-13 12:53:18 - Removed Oblivion - Horse Armor Pack
RP643: 2009-12-13 12:53:40 - Removed Oblivion - Mehrunes Razor
RP644: 2009-12-13 12:54:43 - Removed Oblivion - Orrery
RP645: 2009-12-13 12:55:06 - Removed Oblivion - Spell Tomes
RP646: 2009-12-13 12:55:25 - Removed Oblivion - The Fighter's Stronghold
RP647: 2009-12-13 12:58:45 - Removed Oblivion - Thieves Den
RP648: 2009-12-13 12:59:31 - Removed LightScribe Template Labeler.
RP649: 2009-12-13 13:02:19 - Removed LightScribe System Software.
RP650: 2009-12-14 16:33:29 - Point de vérification système
RP651: 2009-12-15 17:04:53 - Point de vérification système
RP652: 2009-12-16 10:43:35 - Software Distribution Service 3.0
RP653: 2009-12-18 12:15:28 - Software Distribution Service 3.0
RP654: 2009-12-19 13:19:30 - Installed Microsoft AppLocale
RP655: 2009-12-20 14:07:11 - Point de vérification système
RP656: 2009-12-21 11:50:46 - Avg8 Update
RP657: 2009-12-22 10:56:03 - Software Distribution Service 3.0
RP658: 2009-12-23 12:08:09 - DirectX est installé
RP659: 2009-12-23 12:15:12 - DirectX est installé
RP660: 2009-12-24 19:39:53 - Point de vérification système
RP661: 2009-12-25 01:41:10 - Software Distribution Service 3.0
RP662: 2009-12-26 11:46:27 - Installed Star Wars Jedi Knight Jedi Academy
RP663: 2009-12-27 12:43:00 - Point de vérification système
RP664: 2009-12-28 12:28:06 - Avg8 Update
RP665: 2009-12-29 02:01:39 - Software Distribution Service 3.0
RP666: 2009-12-30 15:24:08 - Point de vérification système
RP667: 2009-12-31 16:31:30 - Point de vérification système
RP668: 2010-01-01 02:30:45 - Software Distribution Service 3.0
RP669: 2010-01-02 18:26:34 - Point de vérification système
RP670: 2010-01-03 19:13:11 - Point de vérification système
RP671: 2010-01-04 16:03:33 - Avg8 Update
RP672: 2010-01-05 01:50:57 - Software Distribution Service 3.0
RP673: 2010-01-06 02:28:06 - Point de vérification système
RP674: 2010-01-07 15:01:10 - Point de vérification système
RP675: 2010-01-08 16:38:56 - Installed GTA San Andreas
RP676: 2010-01-09 01:57:53 - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
7-Zip 4.42
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
ANIO Service
ANIWZCS2 Service
Antidote RX v3
Any Video Converter 2.7.8
APC PowerChute Personal Edition
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian FLV Player
Ask & Record Toolbar 4.01
Ask Toolbar
Assistant de connexion Windows Live
µTorrent
Audacity 1.2.6
AVG Free 8.5
AviSynth 2.5
Battlefield 2142
Blaze Media Pro
Bonjour
Borderlands
BufferChm
C4700
Call of Duty Modern Warfare 2
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.2 Patch
Call of Duty® 4 - Modern Warfare™ 1.3 Patch
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Patch
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
ConvertXtoDVD 3.1.0.24
Correctif pour Lecteur Windows Media 11 (KB939683)
Correctif pour Windows XP (KB914440)
Correctif Windows XP - KB873339
Correctif Windows XP - KB885835
Correctif Windows XP - KB885836
Correctif Windows XP - KB886185
Correctif Windows XP - KB887472
Correctif Windows XP - KB888302
Correctif Windows XP - KB890859
Correctif Windows XP - KB891781
D-Link Xtreme N Dual Band DWA-160
Data Lifeguard Diagnostic for Windows
Destinations
DeviceDiscovery
DivX Content Uploader
DivX Web Player
Dragon Age: Origins
DVD Suite
EA Download Manager
Easy-WebPrint
Encyclopaedia Britannica 2006 Deluxe Edition CD-ROM
Fallout 3
Fallout Mod Manager 0.9.15
FLV Player
Fraps (remove only)
Free WMA to MP3 Converter 1.08
Free YouTube to Mp3 Converter version 3.1
GPBaseService2
GTA San Andreas
Guitar Pro 5.2
Hamachi 1.0.3.0
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Customer Participation Program 13.0
HP Imaging Device Functions 13.0
HP Photosmart C4700 All-In-One Driver Software 13.0 Rel .6
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
hpPrintProjects
HPProductAssistant
HPSSupply
hpWLPGInstaller
Installer
iTunes
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
K-Lite Codec Pack 5.5.1 (Basic)
LAME v3.98.2 for Audacity
League of Legends
Lecteur Windows Media 11
Logitech Desktop Messenger
Logitech GamePanel Software 2.02
Logitech SetPoint
Ma-Config.com
MacDrive 8
Maple 13
MarketResearch
Mass Effect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - FRA
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - FRA
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Language Pack - fra
Microsoft .NET Framework 3.5 SP1
Microsoft AppLocale
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (French) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office InfoPath MUI (French) 2007
Microsoft Office Outlook MUI (French) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Publisher MUI (French) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (French) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Windows Application Compatibility Database
Microsoft Xbox 360 Accessories 1.1
Mise à jour de sécurité pour Lecteur Windows Media (KB911564)
Mise à jour de sécurité pour Lecteur Windows Media 11 (KB936782)
Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398)
Mise à jour de sécurité pour Lecteur Windows Media 9 (KB917734)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB929969)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB933566)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB938127)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB944533)
Mise à jour de sécurité pour Windows XP (KB890046)
Mise à jour de sécurité pour Windows XP (KB893756)
Mise à jour de sécurité pour Windows XP (KB896358)
Mise à jour de sécurité pour Windows XP (KB896423)
Mise à jour de sécurité pour Windows XP (KB896428)
Mise à jour de sécurité pour Windows XP (KB899587)
Mise à jour de sécurité pour Windows XP (KB899591)
Mise à jour de sécurité pour Windows XP (KB900725)
Mise à jour de sécurité pour Windows XP (KB901017)
Mise à jour de sécurité pour Windows XP (KB901214)
Mise à jour de sécurité pour Windows XP (KB902400)
Mise à jour de sécurité pour Windows XP (KB904706)
Mise à jour de sécurité pour Windows XP (KB905414)
Mise à jour de sécurité pour Windows XP (KB905749)
Mise à jour de sécurité pour Windows XP (KB908519)
Mise à jour de sécurité pour Windows XP (KB911562)
Mise à jour de sécurité pour Windows XP (KB911927)
Mise à jour de sécurité pour Windows XP (KB913580)
Mise à jour de sécurité pour Windows XP (KB914388)
Mise à jour de sécurité pour Windows XP (KB914389)
Mise à jour de sécurité pour Windows XP (KB917344)
Mise à jour de sécurité pour Windows XP (KB917953)
Mise à jour de sécurité pour Windows XP (KB918118)
Mise à jour de sécurité pour Windows XP (KB918439)
Mise à jour de sécurité pour Windows XP (KB919007)
Mise à jour de sécurité pour Windows XP (KB920213)
Mise à jour de sécurité pour Windows XP (KB920670)
Mise à jour de sécurité pour Windows XP (KB920683)
Mise à jour de sécurité pour Windows XP (KB920685)
Mise à jour de sécurité pour Windows XP (KB922819)
Mise à jour de sécurité pour Windows XP (KB923191)
Mise à jour de sécurité pour Windows XP (KB923414)
Mise à jour de sécurité pour Windows XP (KB923689)
Mise à jour de sécurité pour Windows XP (KB923789)
Mise à jour de sécurité pour Windows XP (KB923980)
Mise à jour de sécurité pour Windows XP (KB924191)
Mise à jour de sécurité pour Windows XP (KB924270)
Mise à jour de sécurité pour Windows XP (KB924496)
Mise à jour de sécurité pour Windows XP (KB924667)
Mise à jour de sécurité pour Windows XP (KB925902)
Mise à jour de sécurité pour Windows XP (KB926255)
Mise à jour de sécurité pour Windows XP (KB926436)
Mise à jour de sécurité pour Windows XP (KB927779)
Mise à jour de sécurité pour Windows XP (KB927802)
Mise à jour de sécurité pour Windows XP (KB928255)
Mise à jour de sécurité pour Windows XP (KB928843)
Mise à jour de sécurité pour Windows XP (KB929123)
Mise à jour de sécurité pour Windows XP (KB930178)
Mise à jour de sécurité pour Windows XP (KB931261)
Mise à jour de sécurité pour Windows XP (KB931784)
Mise à jour de sécurité pour Windows XP (KB932168)
Mise à jour de sécurité pour Windows XP (KB933566)
Mise à jour de sécurité pour Windows XP (KB933729)
Mise à jour de sécurité pour Windows XP (KB935839)
Mise à jour de sécurité pour Windows XP (KB935840)
Mise à jour de sécurité pour Windows XP (KB936021)
Mise à jour de sécurité pour Windows XP (KB937894)
Mise à jour de sécurité pour Windows XP (KB938829)
Mise à jour de sécurité pour Windows XP (KB941202)
Mise à jour de sécurité pour Windows XP (KB941568)
Mise à jour de sécurité pour Windows XP (KB941569)
Mise à jour de sécurité pour Windows XP (KB941644)
Mise à jour de sécurité pour Windows XP (KB943055)
Mise à jour de sécurité pour Windows XP (KB943460)
Mise à jour de sécurité pour Windows XP (KB943485)
Mise à jour de sécurité pour Windows XP (KB944653)
Mise à jour de sécurité pour Windows XP (KB946026)
Mise à jour pour Windows XP (KB894391)
Mise à jour pour Windows XP (KB898461)
Mise à jour pour Windows XP (KB900485)
Mise à jour pour Windows XP (KB904942)
Mise à jour pour Windows XP (KB908531)
Mise à jour pour Windows XP (KB910437)
Mise à jour pour Windows XP (KB911164)
Mise à jour pour Windows XP (KB911280)
Mise à jour pour Windows XP (KB916595)
Mise à jour pour Windows XP (KB920342)
Mise à jour pour Windows XP (KB920872)
Mise à jour pour Windows XP (KB922582)
Mise à jour pour Windows XP (KB925720)
Mise à jour pour Windows XP (KB925876)
Mise à jour pour Windows XP (KB927891)
Mise à jour pour Windows XP (KB930916)
Mise à jour pour Windows XP (KB931836)
Mise à jour pour Windows XP (KB938828)
Mise à jour pour Windows XP (KB942763)
Module linguistique Microsoft .NET Framework 3.5 - fra
Mozilla Firefox (3.0.17)
MP4 to MP3 Converter 1.01
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MySQL Server 5.0
neroxml
Network
Network Addon Mod Version January 2009
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
Oblivion
OF Dragon Rising
OpenAL
Package de base Microsoft de service de chiffrement pour cartes à puce
Package de pilotes Windows - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Panasonic Office Add-in del
PDF Settings
PFPortChecker 1.0.31
PlayNC Launcher
Power Tab Editor 1.7
PowerDVD
PowerProducer
PS_AIO_06_C4700_SW_Min
PunkBuster Services
QuickTime
RayV
Rome - Total War
Rosetta Stone Version 3
San Andreas Mod Installer
SAPI5_Common
Scan
ScanSoft OmniPage SE 4.0
Shop for HP Supplies
SimCity 4 Deluxe
Skype™ 4.1
SmartWebPrinting
SolutionCenter
SoundMAX
SQLyog Enterprise 6.13
Star Wars Jedi Knight Jedi Academy
Status
Steam
SWAT 4
SWAT 4 - The Stetchkov Syndicate
System Requirements Lab
Team Fortress 2
TeamSpeak 2 RC2
The KMPlayer (remove only)
TheMoltenCore
TI Connect 1.6
Toolbox
TrayApp
Trine
TVersity Codec Pack 1.2
UltraISO Premium V9.12
Uninstall 1.0.0.0
Unlocker 1.8.7
Ventrilo Client
VideoLAN VLC media player 0.8.6d
Videora iPod Converter 5.03
Warcraft III: All Products
WD Drive Manager (x86)
WebFldrs XP
WebReg
Winamp
WindowBlinds
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
WinZip 11.1
World of Warcraft
Xfire (remove only)
XML Paper Specification Shared Components Language Pack 1.0
XML Paper Specification Shared Components Pack 1.0
Zero Gear Demo

==== Event Viewer Messages From Past Week ========

2010-01-10 23:21:52, error: Service Control Manager [7031] - Le service AVG Free8 WatchDog s'est terminé de manière inattendue. Ceci s'est produit 1 fois. L'action corrective suivante va être effectuée dans 0 millisecondes : Redémarrer le service.
2010-01-09 19:11:10, error: WMPNetworkSvc [14365] - La détection de proximité a échoué en raison de l’erreur inconnue « 0x80004004 ». La meilleure durée de proximité détectée a été de -1 millisecondes.
2010-01-07 12:49:19, error: Dhcp [1002] - Le bail de l'adresse IP 192.168.1.5 pour la carte réseau dont l'adresse réseau est 001A92926985 a été refusé par le serveur DHCP 192.168.1.1 (celui-ci a envoyé un message DHCPNACK).

==== End Of File ===========================
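As an added triage example (not part of this thread and not the DDS tool's own code), the script below parses lines in the DDS layout shown above and flags the entries a helper looks at first: a non-empty AppInit_DLLs value, an LSA authentication package beyond the stock msv1_0, Hosts overrides, hidden+system files under system32, and a driver whose dllcache copy carries the same timestamp and size (Windows File Protection restores from dllcache, so such a restore would put the same bytes back and a clean copy from install media is needed). The sample lines are copied from the log above; the meaning of the `s` and `h` attribute letters is an assumption.

```python
"""Added triage helper for logs in the DDS layout (example code, not from the thread or the DDS tool)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied in the DDS layout of the log posted above.
SAMPLE_LOG = r"""
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnnlJCT
Hosts: 192.168.0.1 wootman.dyndns.ws
Hosts: 24.200.15.158 wootman.dyndns.ws
2009-12-12 18:03:13 147616 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-12 18:01:38 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-12 18:03:13 147616 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-21 02:34:54 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2008-04-08 23:23:38 6729 --sha-w- c:\windows\system32\TCJlnnpo.ini2
"""

# "timestamp size attributes path" lines from the Created Last 30 / Find3M sections.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")

# msv1_0 is the only LSA authentication package on a stock Windows XP install;
# anything else listed is loaded into lsass.exe and has to be accounted for.
STOCK_AUTH_PACKAGES = {"msv1_0"}

Finding = Tuple[str, str]  # (category, detail)


def _drivers_with_matching_dllcache(files: Dict[str, Tuple[str, int, str]]) -> List[str]:
    """Drivers whose dllcache copy has the same timestamp and size.

    Windows File Protection restores protected files from dllcache, so when both
    copies were written together a WFP/SFC restore would put the same bytes back;
    a clean copy from install media is needed instead.
    """
    twins = []
    for path, (ts, size, _attrs) in files.items():
        if "\\system32\\drivers\\" not in path:
            continue
        cache_path = path.replace("\\system32\\drivers\\", "\\system32\\dllcache\\")
        if cache_path in files and files[cache_path][:2] == (ts, size):
            twins.append(path)
    return twins


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer would look at first, in log order."""
    findings: List[Finding] = []
    files: Dict[str, Tuple[str, int, str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:  # empty on a clean system; a value here is loaded into every user32 process
                findings.append(("appinit_dll", value))
        elif line.startswith("LSA: Authentication Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in STOCK_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
        elif line.startswith("Hosts:"):
            # A Hosts entry overrides DNS for that name; list each one for review.
            findings.append(("hosts_override", line.split(":", 1)[1].strip()))
        else:
            match = FILE_RE.match(line)
            if not match:
                continue
            ts, size, attrs, path = match.groups()
            path = path.lower()
            files[path] = (ts, int(size), attrs)
            # Assumption: 's' and 'h' in the attribute column mean system + hidden.
            if "s" in attrs and "h" in attrs and "\\system32\\" in path:
                findings.append(("hidden_system_file", path))
    for path in _drivers_with_matching_dllcache(files):
        findings.append(("driver_matches_dllcache", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```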

#4 Elise


Posted 11 January 2010 - 12:52 PM

Hello Notlethal,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
Ask Toolbar

If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Notlethal
  • Topic Starter
  • Members
  • 11 posts

Posted 11 January 2010 - 07:09 PM

Hello Elise,

I've done as asked and here is the txt file. Thank you for all the help you're giving me.




#6 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 12 January 2010 - 12:25 PM

Do you have an XP CD at hand? We need to replace a system file. It doesn't necessarily have to be your own CD, you can also borrow one.

regards, Elise




#7 Notlethal
  • Topic Starter
  • Members
  • 11 posts

Posted 12 January 2010 - 01:42 PM

Yes, I do

#8 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 12 January 2010 - 02:05 PM

Hello again :(

Please make sure your XP CD is in your CD drive (D:\). Note: if it's located in another CD drive, make sure to replace d:\ in the fix below.

Click Start > Run, type notepad in the box that opens and press enter.
Copy/paste the text in the codebox below into Notepad and save it as copy.bat to your desktop.
@echo off
expand d:\i386\atapi.sy_ c:\windows\servicepackfiles\i386\atapi.sys
del %0
Exit Notepad and doubleclick on copy.bat to run it.

Now please verify the following file exists: c:\windows\servicepackfiles\i386\atapi.sys
If this file does NOT exist after following the above steps, post back here. If the file exists re-run Combofix and post me the log.

regards, Elise




#9 Notlethal
  • Topic Starter
  • Members
  • 11 posts

Posted 12 January 2010 - 03:24 PM

servicepackfiles doesn't exist and therefore atapi isn't there. I found atapi.sys in C:\WINDOWS\system32\drivers after looking for it.

#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 12 January 2010 - 04:17 PM

The atapi.sys in drivers is infected, so we need a replacement for that. If Combofix sees a replacement, it will use it.

Please run the same batch, but with the following script:

@echo off
expand d:\i386\atapi.sy_ c:\windows\atapi.sys
del %0

Afterwards verify there is a copy of atapi.sys in c:\windows. If so, run Combofix.

Do NOT do anything to the file in the drivers folder. Deleting that file will render your computer unbootable.

regards, Elise




#11 Notlethal
  • Topic Starter
  • Members
  • 11 posts

Posted 12 January 2010 - 04:51 PM

Hello again,

Here you go

ComboFix 10-01-11.01 - Frederic 2010-01-12 16:35:25.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.2.1036.18.2047.1516 [GMT -5:00]
Lancé depuis: c:\documents and settings\Frederic\Bureau\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\atapi.sys . . . est infecté!!

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-12-12 au 2010-01-12 ))))))))))))))))))))))))))))))))))))
.

2010-01-12 21:30 . 2001-08-18 02:51 86656 ----a-w- c:\windows\atapi.sys
2010-01-05 05:32 . 2010-01-05 05:32 -------- d-----w- c:\documents and settings\Frederic\Application Data\Conor O'Kane
2010-01-05 05:18 . 2010-01-05 05:18 4096 ----a-w- c:\windows\d3dx.dat
2009-12-28 17:34 . 2009-11-21 02:34 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-28 17:34 . 2009-11-21 02:34 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-12-28 02:14 . 2009-12-28 02:14 -------- d-----w- c:\program files\KAPITALSIN
2009-12-28 00:37 . 2009-12-28 00:37 -------- d-----w- c:\program files\ReflexiveArcade
2009-12-26 16:46 . 2009-12-26 16:46 -------- d-----w- c:\program files\LucasArts
2009-12-25 03:09 . 2009-12-25 03:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-12-20 00:11 . 2009-12-20 00:11 -------- d-----w- c:\program files\TheMoltenCore
2009-12-19 18:28 . 2009-12-19 18:28 -------- d-----w- c:\documents and settings\Frederic\Local Settings\Application Data\CAPCOM
2009-12-19 18:19 . 2009-12-19 18:19 29926 ----a-r- c:\documents and settings\Frederic\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2009-12-19 18:19 . 2009-12-19 18:19 29422 ----a-r- c:\documents and settings\Frederic\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
2009-12-18 18:28 . 2009-12-18 19:16 -------- d-----w- c:\documents and settings\Frederic\Application Data\Xfire
2009-12-18 18:28 . 2009-12-18 18:30 -------- d-----w- c:\program files\Xfire
2009-12-16 18:49 . 2009-12-16 18:49 62060 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 18:20 . 2009-12-16 18:20 -------- d-----w- c:\documents and settings\Frederic\Local Settings\Application Data\Geckofx
2009-12-16 18:20 . 2009-12-16 18:20 -------- d-----w- c:\program files\AviSynth 2.5
2009-12-16 18:20 . 2009-12-16 18:20 -------- d-----w- c:\program files\Red Kawa

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 20:52 . 2007-09-16 23:11 -------- d-----w- c:\documents and settings\Frederic\Application Data\Skype
2010-01-12 18:46 . 2009-10-08 15:35 -------- d-----w- c:\documents and settings\Frederic\Application Data\HPAppData
2010-01-12 18:40 . 2008-07-04 14:29 -------- d-----w- c:\documents and settings\Frederic\Application Data\skypePM
2010-01-11 23:22 . 2007-07-14 02:02 -------- d-----w- c:\program files\uTorrent
2010-01-11 23:22 . 2007-07-14 02:02 -------- d-----w- c:\documents and settings\Frederic\Application Data\uTorrent
2010-01-11 23:19 . 2009-09-29 02:48 -------- d-----w- c:\program files\Ask & Record Toolbar
2010-01-08 21:38 . 2009-10-31 16:19 -------- d-----w- c:\program files\Rockstar Games
2010-01-08 21:38 . 2007-07-12 19:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 23:55 . 2007-09-06 02:32 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-04 23:31 . 2007-09-06 02:32 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-03 21:47 . 2008-11-14 22:20 -------- d-----w- c:\program files\Steam
2010-01-03 19:27 . 2008-06-10 22:33 -------- d-----w- c:\documents and settings\Frederic\Application Data\CyberLink
2009-12-30 07:37 . 2007-08-26 02:06 -------- d-----w- c:\program files\Warcraft III
2009-12-29 17:16 . 2009-12-03 16:49 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-24 15:49 . 2008-01-19 17:16 86888 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-12-23 17:07 . 2009-09-05 01:31 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-23 17:07 . 2009-09-05 01:31 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-22 03:32 . 2007-07-14 20:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 03:31 . 2007-07-15 13:14 -------- d-----w- c:\program files\Fraps
2009-12-21 16:50 . 2009-12-11 16:51 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-13 17:52 . 2009-11-15 06:19 -------- d-----w- c:\program files\PeerGuardian2
2009-12-13 17:46 . 2007-07-13 01:15 -------- d-----w- c:\program files\Canon
2009-12-13 17:45 . 2007-09-26 21:57 -------- d-----w- c:\documents and settings\Frederic\Application Data\Canon
2009-12-12 23:33 . 2007-08-02 15:23 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2009-12-12 23:03 . 2009-12-12 23:03 -------- d-----w- c:\program files\Fichiers communs\Mediafour
2009-12-12 23:03 . 2009-12-12 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Mediafour
2009-12-12 23:03 . 2009-12-12 23:03 -------- d-----w- c:\program files\Mediafour
2009-12-12 19:07 . 2009-12-12 19:07 -------- d-----w- c:\program files\Western Digital Corporation
2009-12-12 19:07 . 2009-12-12 19:07 -------- d-----w- c:\program files\Western Digital
2009-12-12 18:07 . 2009-12-12 18:01 -------- d-----w- c:\documents and settings\Frederic\Application Data\Apple Computer
2009-12-12 18:03 . 2006-03-02 12:00 147616 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-12 18:02 . 2009-12-12 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-12 18:01 . 2009-12-12 18:00 -------- d-----w- c:\program files\iTunes
2009-12-12 18:01 . 2009-12-12 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-12 18:00 . 2009-12-12 18:00 -------- d-----w- c:\program files\iPod
2009-12-12 18:00 . 2009-12-12 17:58 -------- d-----w- c:\program files\Fichiers communs\Apple
2009-12-12 18:00 . 2009-12-12 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-12 18:00 . 2007-07-13 12:59 -------- d-----w- c:\program files\Bonjour
2009-12-12 18:00 . 2007-11-18 20:25 -------- d-----w- c:\program files\QuickTime
2009-12-12 17:59 . 2009-12-12 17:59 -------- d-----w- c:\program files\Apple Software Update
2009-12-09 21:14 . 2009-12-09 02:38 -------- d-----w- c:\program files\World of Warcraft
2009-12-09 14:23 . 2009-12-09 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-12-09 02:46 . 2009-12-09 02:46 -------- d-----w- c:\program files\Fichiers communs\Blizzard Entertainment
2009-12-09 02:36 . 2007-09-01 22:41 -------- d-----w- c:\program files\NCSoft
2009-12-07 02:14 . 2008-01-07 23:36 -------- d-----w- c:\documents and settings\Frederic\Application Data\Hamachi
2009-12-03 16:38 . 2009-12-03 16:38 -------- d-----w- c:\documents and settings\Frederic\Application Data\Babylon
2009-12-03 16:38 . 2009-12-03 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-12-03 16:38 . 2009-12-03 16:38 -------- d-----w- c:\program files\TVersity Codec Pack
2009-12-03 16:37 . 2009-12-03 16:37 -------- d-----w- c:\program files\TVersity
2009-11-30 19:37 . 2009-11-30 19:37 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-30 01:28 . 2009-11-30 01:28 -------- d-----w- c:\program files\The KMPlayer
2009-11-22 05:03 . 2008-02-09 20:53 -------- d-----w- c:\documents and settings\Frederic\Application Data\U3
2009-11-21 20:37 . 2009-11-21 20:37 -------- d-----w- c:\program files\ANI
2009-11-21 20:36 . 2009-11-21 20:36 -------- d-----w- c:\program files\D-Link
2009-11-21 20:36 . 2009-11-21 20:36 -------- d-----w- c:\documents and settings\Frederic\Application Data\InstallShield
2009-11-21 02:34 . 2009-09-27 21:12 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34 . 2009-09-27 21:12 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34 . 2009-09-27 21:12 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34 . 2008-10-07 17:33 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34 . 2007-07-12 19:39 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34 . 2007-04-20 10:05 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34 . 2007-04-20 10:05 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34 . 2007-04-20 10:05 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34 . 2007-04-20 10:05 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34 . 2007-04-20 10:05 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34 . 2007-04-20 10:05 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-20 02:42 . 2007-07-12 19:39 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-20 00:26 . 2007-10-14 03:52 -------- d-----w- c:\program files\Activision
2009-11-17 02:42 . 2008-03-10 21:45 1924440 ----a-w- c:\documents and settings\Frederic\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-11-03 01:42 . 2009-10-03 05:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 15:51 . 2006-03-02 12:00 86186 ----a-w- c:\windows\system32\perfc00C.dat
2009-11-01 15:51 . 2006-03-02 12:00 513336 ----a-w- c:\windows\system32\perfh00C.dat
2009-10-23 22:57 . 2009-10-23 22:58 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-23 22:57 . 2009-10-23 22:57 38208 ----a-w- c:\documents and settings\Frederic\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-23 22:56 . 2009-10-23 22:56 555520 ------w- c:\documents and settings\Frederic\Application Data\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\ISSetup.dll
2009-10-23 22:56 . 2009-10-23 22:56 156984 ----a-w- c:\documents and settings\Frederic\Application Data\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\_Setup.dll
2009-10-23 22:56 . 2009-10-23 22:56 393216 ----a-w- c:\documents and settings\Frederic\Application Data\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\setup.exe
2009-10-18 17:03 . 2008-02-17 04:37 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
.

------- Sigcheck -------

[-] 2009-12-12 18:03 . 172C177E5FB49C9FC79606243941D692 . 147616 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2001-08-18 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\atapi.sys
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-07-20 847872]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2009-06-15 202328]
"Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2009-03-31 141312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 13:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-06-18 18:07 210168 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link D-Link Xtreme N Dual Band DWA-160]
2008-07-11 20:19 1679360 ----a-w- c:\program files\D-Link\D-Link Xtreme N Dual Band DWA-160\AirNCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gestionnaire Antidote.exe]
2007-04-16 17:38 534200 ----a-w- c:\program files\Druide\Antidote\Gestionnaire Antidote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 02:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-07-13 01:22 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 16:45 75304 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
2009-12-09 02:36 38184 ----a-w- c:\program files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 19:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-09-28 17:16 185896 ----a-w- c:\program files\Fichiers communs\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 08:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
2007-09-15 14:48 3045376 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-07-24 20:22 450560 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-02-25 21:26 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-03 13:59 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.dll"=
"c:\\Program Files\\Maple 13\\jre\\bin\\maple.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Codemasters\\OF Dragon Rising\\OFDR.exe"=
"c:\\Riot Games\\League of Legends\\Air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\Game\\League of Legends.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\zero gear\\ZeroGear.bat"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3784:TCP"= 3784:TCP:OYWQ
"28960:TCP"= 28960:TCP:cod4
"28960:UDP"= 28960:UDP:cod 4 udp
"8395:TCP"= 8395:TCP:League of Legends Launcher
"8395:UDP"= 8395:UDP:League of Legends Launcher
"8396:TCP"= 8396:TCP:League of Legends Launcher
"8396:UDP"= 8396:UDP:League of Legends Launcher
"8397:TCP"= 8397:TCP:League of Legends Launcher
"8397:UDP"= 8397:UDP:League of Legends Launcher
"8398:TCP"= 8398:TCP:League of Legends Launcher
"8398:UDP"= 8398:UDP:League of Legends Launcher
"8399:TCP"= 8399:TCP:League of Legends Launcher
"8399:UDP"= 8399:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8384:TCP"= 8384:TCP:League of Legends Launcher
"8384:UDP"= 8384:UDP:League of Legends Launcher

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-09-28 259176]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2009-07-31 27488]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-12 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-31 297752]
R2 MacDrive8Service;MacDrive 8 service;c:\program files\Mediafour\MacDrive 8\MacDrive8Service.exe [2009-09-23 150528]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-07-24 102400]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-11-21 57440]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-02-16 721904]
S3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [2009-11-21 434688]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-11-04 25832]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link Xtreme N Dual Band DWA-160\JSWUtil\jswpsapi.exe [2009-11-21 356434]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2009-05-29 234864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contenu du dossier 'Tâches planifiées'

2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Frederic\Application Data\Mozilla\Firefox\Profiles\920445o6.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\Frederic\Application Data\Mozilla\Firefox\Profiles\920445o6.default\extensions\{bb628310-0ab7-11db-9cd8-0800200c9a66}\plugins\nphardwaredetection.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 16:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1160)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2010-01-12 16:44:55
ComboFix-quarantined-files.txt 2010-01-12 21:44
ComboFix2.txt 2010-01-11 23:55

Pre-Run: 36,321,308,672 bytes free
Post-Run: 36,287,242,240 bytes free

- - End Of File - - 0E9DDA9C145327FFF1487655E3996217

#12 Elise
  • Malware Study Hall Admin
  • Location:Romania

Posted 13 January 2010 - 04:30 AM

That didn't work either, the file is too old. Let's try to use another copy.

First, make sure you delete c:\windows\atapi.sys

Please repeat the steps with the following batch. No need for a CD this time.

@echo off
rem Decompress the Recovery Console's packed copy (C:\cmdcons\atapi.sy_) into
rem c:\windows; ComboFix will restore the infected driver from that file.
expand C:\cmdcons\atapi.sy_ c:\windows\atapi.sys
rem Delete this batch file once it has run.
del %0

After running this batch, verify c:\windows\atapi.sys is created and re-run ComboFix.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#13 Notlethal
  • Topic Starter
  • Members

Posted 13 January 2010 - 01:49 PM

I think that did it :(

Here is the log:

ComboFix 10-01-11.01 - Frederic 2010-01-13 13:26:26.3.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.2.1036.18.2047.1517 [GMT -5:00]
Running from: c:\documents and settings\Frederic\Bureau\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\atapi.sys

.
((((((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 ))))))))))))))))))))))))))))))))))))
.

2010-01-13 18:16 . 2004-08-04 03:59 95360 ------w- c:\windows\atapi.sys
2010-01-05 05:32 . 2010-01-05 05:32 -------- d-----w- c:\documents and settings\Frederic\Application Data\Conor O'Kane
2010-01-05 05:18 . 2010-01-05 05:18 4096 ----a-w- c:\windows\d3dx.dat
2009-12-28 17:34 . 2009-11-21 02:34 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-28 17:34 . 2009-11-21 02:34 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-12-28 02:14 . 2009-12-28 02:14 -------- d-----w- c:\program files\KAPITALSIN
2009-12-28 00:37 . 2009-12-28 00:37 -------- d-----w- c:\program files\ReflexiveArcade
2009-12-26 16:46 . 2009-12-26 16:46 -------- d-----w- c:\program files\LucasArts
2009-12-25 03:09 . 2009-12-25 03:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-12-20 00:11 . 2009-12-20 00:11 -------- d-----w- c:\program files\TheMoltenCore
2009-12-19 18:28 . 2009-12-19 18:28 -------- d-----w- c:\documents and settings\Frederic\Local Settings\Application Data\CAPCOM
2009-12-18 18:28 . 2009-12-18 19:16 -------- d-----w- c:\documents and settings\Frederic\Application Data\Xfire
2009-12-18 18:28 . 2009-12-18 18:30 -------- d-----w- c:\program files\Xfire
2009-12-16 18:49 . 2009-12-16 18:49 62060 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 18:20 . 2009-12-16 18:20 -------- d-----w- c:\documents and settings\Frederic\Local Settings\Application Data\Geckofx
2009-12-16 18:20 . 2009-12-16 18:20 -------- d-----w- c:\program files\AviSynth 2.5
2009-12-16 18:20 . 2009-12-16 18:20 -------- d-----w- c:\program files\Red Kawa

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 18:36 . 2007-09-16 23:11 -------- d-----w- c:\documents and settings\Frederic\Application Data\Skype
2010-01-13 18:17 . 2009-10-08 15:35 -------- d-----w- c:\documents and settings\Frederic\Application Data\HPAppData
2010-01-13 18:13 . 2008-07-04 14:29 -------- d-----w- c:\documents and settings\Frederic\Application Data\skypePM
2010-01-11 23:22 . 2007-07-14 02:02 -------- d-----w- c:\program files\uTorrent
2010-01-11 23:22 . 2007-07-14 02:02 -------- d-----w- c:\documents and settings\Frederic\Application Data\uTorrent
2010-01-11 23:19 . 2009-09-29 02:48 -------- d-----w- c:\program files\Ask & Record Toolbar
2010-01-08 21:38 . 2009-10-31 16:19 -------- d-----w- c:\program files\Rockstar Games
2010-01-08 21:38 . 2007-07-12 19:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 23:55 . 2007-09-06 02:32 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-04 23:31 . 2007-09-06 02:32 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-03 21:47 . 2008-11-14 22:20 -------- d-----w- c:\program files\Steam
2010-01-03 19:27 . 2008-06-10 22:33 -------- d-----w- c:\documents and settings\Frederic\Application Data\CyberLink
2009-12-30 07:37 . 2007-08-26 02:06 -------- d-----w- c:\program files\Warcraft III
2009-12-29 17:16 . 2009-12-03 16:49 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-24 15:49 . 2008-01-19 17:16 86888 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-12-23 17:07 . 2009-09-05 01:31 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-23 17:07 . 2009-09-05 01:31 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-22 03:32 . 2007-07-14 20:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 03:31 . 2007-07-15 13:14 -------- d-----w- c:\program files\Fraps
2009-12-21 16:50 . 2009-12-11 16:51 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-19 18:19 . 2009-12-19 18:19 29926 ----a-r- c:\documents and settings\Frederic\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2009-12-19 18:19 . 2009-12-19 18:19 29422 ----a-r- c:\documents and settings\Frederic\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
2009-12-13 17:52 . 2009-11-15 06:19 -------- d-----w- c:\program files\PeerGuardian2
2009-12-13 17:46 . 2007-07-13 01:15 -------- d-----w- c:\program files\Canon
2009-12-13 17:45 . 2007-09-26 21:57 -------- d-----w- c:\documents and settings\Frederic\Application Data\Canon
2009-12-12 23:33 . 2007-08-02 15:23 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2009-12-12 23:03 . 2009-12-12 23:03 -------- d-----w- c:\program files\Fichiers communs\Mediafour
2009-12-12 23:03 . 2009-12-12 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Mediafour
2009-12-12 23:03 . 2009-12-12 23:03 -------- d-----w- c:\program files\Mediafour
2009-12-12 19:07 . 2009-12-12 19:07 -------- d-----w- c:\program files\Western Digital Corporation
2009-12-12 19:07 . 2009-12-12 19:07 -------- d-----w- c:\program files\Western Digital
2009-12-12 18:07 . 2009-12-12 18:01 -------- d-----w- c:\documents and settings\Frederic\Application Data\Apple Computer
2009-12-12 18:02 . 2009-12-12 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-12 18:01 . 2009-12-12 18:00 -------- d-----w- c:\program files\iTunes
2009-12-12 18:01 . 2009-12-12 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-12 18:00 . 2009-12-12 18:00 -------- d-----w- c:\program files\iPod
2009-12-12 18:00 . 2009-12-12 17:58 -------- d-----w- c:\program files\Fichiers communs\Apple
2009-12-12 18:00 . 2009-12-12 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-12 18:00 . 2007-07-13 12:59 -------- d-----w- c:\program files\Bonjour
2009-12-12 18:00 . 2007-11-18 20:25 -------- d-----w- c:\program files\QuickTime
2009-12-12 17:59 . 2009-12-12 17:59 -------- d-----w- c:\program files\Apple Software Update
2009-12-09 21:14 . 2009-12-09 02:38 -------- d-----w- c:\program files\World of Warcraft
2009-12-09 14:23 . 2009-12-09 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-12-09 02:46 . 2009-12-09 02:46 -------- d-----w- c:\program files\Fichiers communs\Blizzard Entertainment
2009-12-09 02:36 . 2007-09-01 22:41 -------- d-----w- c:\program files\NCSoft
2009-12-07 02:14 . 2008-01-07 23:36 -------- d-----w- c:\documents and settings\Frederic\Application Data\Hamachi
2009-12-03 16:38 . 2009-12-03 16:38 -------- d-----w- c:\documents and settings\Frederic\Application Data\Babylon
2009-12-03 16:38 . 2009-12-03 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-12-03 16:38 . 2009-12-03 16:38 -------- d-----w- c:\program files\TVersity Codec Pack
2009-12-03 16:37 . 2009-12-03 16:37 -------- d-----w- c:\program files\TVersity
2009-11-30 19:37 . 2009-11-30 19:37 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-30 01:28 . 2009-11-30 01:28 -------- d-----w- c:\program files\The KMPlayer
2009-11-22 05:03 . 2008-02-09 20:53 -------- d-----w- c:\documents and settings\Frederic\Application Data\U3
2009-11-21 20:37 . 2009-11-21 20:37 -------- d-----w- c:\program files\ANI
2009-11-21 20:36 . 2009-11-21 20:36 -------- d-----w- c:\program files\D-Link
2009-11-21 20:36 . 2009-11-21 20:36 -------- d-----w- c:\documents and settings\Frederic\Application Data\InstallShield
2009-11-21 02:34 . 2009-09-27 21:12 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34 . 2009-09-27 21:12 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34 . 2009-09-27 21:12 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34 . 2008-10-07 17:33 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34 . 2007-07-12 19:39 592488 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 02:34 . 2007-04-20 10:05 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34 . 2007-04-20 10:05 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34 . 2007-04-20 10:05 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34 . 2007-04-20 10:05 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34 . 2007-04-20 10:05 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34 . 2007-04-20 10:05 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-20 02:42 . 2007-07-12 19:39 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-20 00:26 . 2007-10-14 03:52 -------- d-----w- c:\program files\Activision
2009-11-17 02:42 . 2008-03-10 21:45 1924440 ----a-w- c:\documents and settings\Frederic\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-11-05 14:37 . 2009-11-05 14:37 290816 ----a-w- c:\documents and settings\Frederic\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-11-03 01:42 . 2009-10-03 05:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 15:51 . 2006-03-02 12:00 86186 ----a-w- c:\windows\system32\perfc00C.dat
2009-11-01 15:51 . 2006-03-02 12:00 513336 ----a-w- c:\windows\system32\perfh00C.dat
2009-10-23 22:57 . 2009-10-23 22:58 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-23 22:57 . 2009-10-23 22:57 38208 ----a-w- c:\documents and settings\Frederic\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-23 22:56 . 2009-10-23 22:56 555520 ------w- c:\documents and settings\Frederic\Application Data\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\ISSetup.dll
2009-10-23 22:56 . 2009-10-23 22:56 156984 ----a-w- c:\documents and settings\Frederic\Application Data\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\_Setup.dll
2009-10-23 22:56 . 2009-10-23 22:56 393216 ----a-w- c:\documents and settings\Frederic\Application Data\InstallShield Installation Information\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\setup.exe
2009-10-18 17:03 . 2008-02-17 04:37 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-01-11_23.48.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-13 18:37 . 2010-01-13 18:37 16384 c:\windows\Temp\Perflib_Perfdata_3e4.dat
+ 2006-03-02 12:00 . 2004-08-04 03:59 95360 c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-07-20 847872]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2009-06-15 202328]
"Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2009-03-31 141312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 13:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-06-18 18:07 210168 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link D-Link Xtreme N Dual Band DWA-160]
2008-07-11 20:19 1679360 ----a-w- c:\program files\D-Link\D-Link Xtreme N Dual Band DWA-160\AirNCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gestionnaire Antidote.exe]
2007-04-16 17:38 534200 ----a-w- c:\program files\Druide\Antidote\Gestionnaire Antidote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 02:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-07-13 01:22 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 16:45 75304 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
2009-12-09 02:36 38184 ----a-w- c:\program files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 19:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-09-28 17:16 185896 ----a-w- c:\program files\Fichiers communs\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 08:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
2007-09-15 14:48 3045376 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-07-24 20:22 450560 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-02-25 21:26 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-03 13:59 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.dll"=
"c:\\Program Files\\Maple 13\\jre\\bin\\maple.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Codemasters\\OF Dragon Rising\\OFDR.exe"=
"c:\\Riot Games\\League of Legends\\Air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\Game\\League of Legends.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\zero gear\\ZeroGear.bat"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3784:TCP"= 3784:TCP:OYWQ
"28960:TCP"= 28960:TCP:cod4
"28960:UDP"= 28960:UDP:cod 4 udp
"8395:TCP"= 8395:TCP:League of Legends Launcher
"8395:UDP"= 8395:UDP:League of Legends Launcher
"8396:TCP"= 8396:TCP:League of Legends Launcher
"8396:UDP"= 8396:UDP:League of Legends Launcher
"8397:TCP"= 8397:TCP:League of Legends Launcher
"8397:UDP"= 8397:UDP:League of Legends Launcher
"8398:TCP"= 8398:TCP:League of Legends Launcher
"8398:UDP"= 8398:UDP:League of Legends Launcher
"8399:TCP"= 8399:TCP:League of Legends Launcher
"8399:UDP"= 8399:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8384:TCP"= 8384:TCP:League of Legends Launcher
"8384:UDP"= 8384:UDP:League of Legends Launcher

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-09-28 259176]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2009-07-31 27488]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-02-16 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-12 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-31 297752]
R2 MacDrive8Service;MacDrive 8 service;c:\program files\Mediafour\MacDrive 8\MacDrive8Service.exe [2009-09-23 150528]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-07-24 102400]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-11-21 57440]
S3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [2009-11-21 434688]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-11-04 25832]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link Xtreme N Dual Band DWA-160\JSWUtil\jswpsapi.exe [2009-11-21 356434]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2009-05-29 234864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Frederic\Application Data\Mozilla\Firefox\Profiles\920445o6.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\Frederic\Application Data\Mozilla\Firefox\Profiles\920445o6.default\extensions\{bb628310-0ab7-11db-9cd8-0800200c9a66}\plugins\nphardwaredetection.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89BCE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764bfc3
\Driver\ACPI -> ACPI.sys @ 0xf746ccb8
\Driver\atapi -> 0x89bce1f8
IoDeviceObjectType -> DeleteProcedure -> TUKERNEL.EXE @ 0x8059e19a
ParseProcedure -> TUKERNEL.EXE @ 0x8057c74d
\Device\Harddisk0\DR0 -> DeleteProcedure -> TUKERNEL.EXE @ 0x8059e19a
ParseProcedure -> TUKERNEL.EXE @ 0x8057c74d
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb865fba0
PacketIndicateHandler -> NDIS.sys @ 0xb864ea0b
SendHandler -> NDIS.sys @ 0xb8662b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1176)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(3308)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\tray.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Heure de fin: 2010-01-13 13:42:28 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-01-13 18:42
ComboFix2.txt 2010-01-12 21:44
ComboFix3.txt 2010-01-11 23:55

Avant-CF: 36 296 736 768 octets libres
Après-CF: 36 261 728 256 octets libres

- - End Of File - - 45887E30B98E4B77CD8B850401E4D5B8

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:57 AM

Posted 13 January 2010 - 01:58 PM

Hello Notlethal,

Gotcha, that did the trick :( Now let's see what's the matter with the MBR.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Please browse to the following file and double-click on it to run it: c:\windows\mbr.exe
A logfile will be created in the following location: c:\windows\mbr.log
Please post its contents in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#15 Notlethal

Notlethal
  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:57 PM

Posted 13 January 2010 - 02:14 PM

Here you go

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

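As an added example (not part of this thread and not Gmer's own code), here is a small Python parser for the "Stealth MBR rootkit detector" output quoted above. It reads the two logs from this thread, pulls out the `\Driver\...` hook entries, and flags a hook as worth investigating when it points at a bare address rather than a named module, or at an address the tool listed as `>>UNKNOWN<<` in the call chain (the `\Driver\atapi -> 0x89bce1f8` entry); the clean log from post #15 yields no hooks. The sample log text is copied from the thread; the scoring rule is the example's own assumption.

```python
import re

# Constructed sample input: the two Gmer MBR detector logs quoted in this thread
# (trimmed to the lines the parser cares about).
WARNING_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89BCE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764bfc3
\Driver\ACPI -> ACPI.sys @ 0xf746ccb8
\Driver\atapi -> 0x89bce1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

CLEAN_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# "\Driver\X -> MODULE @ 0xaddr" or "\Driver\X -> 0xaddr" (no module name)
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (?:(\S+) @ )?(0x[0-9a-fA-F]+)$")
# Address of a module the tool could not attribute in the "called modules" chain
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_mbr_log(text):
    """Parse detector output into hooks, unknown-module addresses and status flags."""
    hooks, unknown = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.add(m.group(1).lower())
        m = HOOK_RE.match(line)
        if m:
            driver, module, addr = m.groups()
            hooks.append({"driver": driver, "module": module, "addr": addr.lower()})
    return {"hooks": hooks, "unknown": unknown,
            "mbr_ok": "user & kernel MBR OK" in text,
            "warning": "possible MBR rootkit infection" in text}


def suspicious_hooks(parsed):
    """Hooks that resolve to no named module, or to an address flagged UNKNOWN:
    these are the entries a responder should look at first (assumed heuristic)."""
    return [h for h in parsed["hooks"]
            if h["module"] is None or h["addr"] in parsed["unknown"]]
```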


