
Malware after effects? help.


  • This topic is locked
5 replies to this topic

#1 ethikal

ethikal

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:38 AM

Posted 13 January 2010 - 12:45 AM

Well, to start it off, my files got Malware Defense corrupted and I went through the steps in that tutorial on how to remove it. I did so successfully. Now my PC is running large exe's (i.e. Counter-Strike: Source, Borderlands, any game I'm willing to assume) VERY slowly, and also on reboots I get a Google Installer Windows error, without having any Internet windows open on shutdown; I don't know why it's doing this. That's pretty much all I've seen so far. *EDIT* Also, I don't see what I do with the RootRepeal info I saved; did I miss something there?


DDS (Ver_09-12-01.01) - NTFSx86
Run by Bo Bellt at 23:32:55.40 on Tue 01/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.509 [GMT -6:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bo Bellt\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.1.0.19\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [twunk_32x.exe] c:\docume~1\bobell~1\locals~1\temp\twunk_32x.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTHelper] CTHELPER.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218683397437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {E0D8FD38-6F36-4C9F-AE43-EDFA2BB266BA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bobell~1\applic~1\mozilla\firefox\profiles\6cr9wa3r.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\bo bellt\application data\mozilla\firefox\profiles\6cr9wa3r.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\bo bellt\application data\mozilla\firefox\profiles\6cr9wa3r.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1101000.013\SymDS.sys [2010-1-12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1101000.013\SymEFA.sys [2010-1-12 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20091013.001\BHDrvx86.sys [2010-1-12 508976]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1101000.013\cchpx86.sys [2010-1-12 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1101000.013\Ironx86.sys [2010-1-12 114736]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20090911.001\IDSxpx86.sys [2010-1-12 329080]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20091020.006\NAVENG.SYS [2010-1-12 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20091020.006\NAVEX15.SYS [2010-1-12 1323568]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-3 133104]
S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.1.0.19\ccSvcHst.exe [2010-1-12 126392]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-4-27 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S3 PLISp50;PLISp50 NDIS Protocol Driver;c:\windows\system32\drivers\PLISp50.sys [2008-1-16 27072]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbaudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]

=============== Created Last 30 ================

2010-01-12 20:59:51 0 d-----w- c:\docume~1\bobell~1\applic~1\Malwarebytes
2010-01-12 20:57:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 20:57:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 20:57:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-12 08:14:56 0 d-----w- c:\docume~1\bobell~1\applic~1\Tific
2010-01-12 07:59:29 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-12 07:59:29 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-12 07:59:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-12 07:59:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-12 07:59:29 0 d-----w- c:\program files\Symantec
2010-01-12 07:59:29 0 d-----w- c:\program files\common files\Symantec Shared
2010-01-12 07:59:03 0 d-----w- c:\windows\system32\drivers\NAV
2010-01-12 07:59:01 0 d-----w- c:\program files\Norton AntiVirus
2010-01-12 07:59:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-01-12 07:58:55 0 d-----w- c:\program files\NortonInstaller
2010-01-12 07:58:55 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-01-12 07:42:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 07:26:07 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-15 06:59:16 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-12-15 06:59:16 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-12-15 06:59:16 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-12-15 06:59:16 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-12-15 06:59:16 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-12-15 06:59:16 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-12-15 06:59:16 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-12-15 06:59:16 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-12-15 06:59:15 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-12-15 06:59:15 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-12-15 06:59:14 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-12-15 06:59:14 6144 ----a-w- c:\windows\system32\kbd106.dll

==================== Find3M ====================

2010-01-08 18:08:10 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-08 18:08:02 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-14 03:53:05 65536 ----a-w- c:\windows\IFinst27.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 23:34:00.31 ===============


RootRepeal LOG

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/12 23:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8DE5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B2C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTtvgrnsbite.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTtvgrnsbite.sys
Address: 0xA9146000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5C3C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xF736D000 Size: 352256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF732F000 Size: 180224 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTdwjsajbrpx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTiupppynmko.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTlitdkdedje.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTwkqdoqukvn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTwqjnyegymu.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Perflib_Perfdata_864.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT7162.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTba52.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTbed6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTc2be.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTtvgrnsbite.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Bo Bellt\Local Settings\Temp\H8SRT23e.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Bo Bellt\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Guest\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: c:\documents and settings\bo bellt\local settings\temp\werd7bf.dir00\borderlands.exe.hdmp
Status: Allocation size mismatch (API: 91553792, Raw: 34766848)

Path: c:\documents and settings\bo bellt\application data\mozilla\firefox\profiles\6cr9wa3r.default\sessionstore.js
Status: Size mismatch (API: 30897, Raw: 30898)

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTwkqdoqukvn.dll]
Process: svchost.exe (PID: 844) Address: 0x00a90000 Size: 69632

Object: Hidden Module [Name: H8SRTiupppynmko.dll]
Process: svchost.exe (PID: 844) Address: 0x10000000 Size: 65536

Object: Hidden Module [Name: H8SRTdwjsajbrpx.dll]
Process: iexplore.exe (PID: 2196) Address: 0x00ce0000 Size: 151552

Object: Hidden Module [Name: H8SRTwkqdoqukvn.dll]
Process: iexplore.exe (PID: 2196) Address: 0x10000000 Size: 69632

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTtvgrnsbite.sys

Shadow SSDT
-------------------
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8619d2d8

==EOF==

Edited by ethikal, 13 January 2010 - 12:52 AM.


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,827 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:38 PM

Posted 19 January 2010 - 07:34 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient, and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 ethikal

ethikal
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:38 AM

Posted 20 January 2010 - 01:56 AM

Since the original post I haven't been getting as many IE error popups, but I do still get them. Every time I turn my PC on and log in, I get Google IE errors, every time no matter what. Sometimes IE pages close; I am assuming it's because of streaming videos. I failed to mention that I can't run too many streaming videos because usually when I play them my IE closes with an error. My rig is still a little slow but not as bad as before. I have done NOTHING but follow the tutorial that led me to the forums. Here are my up-to-date logs.

DDS



DDS (Ver_09-12-01.01) - NTFSx86
Run by Bo Bellt at 22:42:57.09 on Tue 01/19/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.592 [GMT -6:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bo Bellt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.1.0.19\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [twunk_32x.exe] c:\docume~1\bobell~1\locals~1\temp\twunk_32x.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTHelper] CTHELPER.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218683397437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {E0D8FD38-6F36-4C9F-AE43-EDFA2BB266BA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bobell~1\applic~1\mozilla\firefox\profiles\6cr9wa3r.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\bo bellt\application data\mozilla\firefox\profiles\6cr9wa3r.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\bo bellt\application data\mozilla\firefox\profiles\6cr9wa3r.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1101000.013\SymDS.sys [2010-1-12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1101000.013\SymEFA.sys [2010-1-12 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20091013.001\BHDrvx86.sys [2010-1-12 508976]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1101000.013\cchpx86.sys [2010-1-12 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1101000.013\Ironx86.sys [2010-1-12 114736]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20090911.001\IDSxpx86.sys [2010-1-12 329080]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20091020.006\NAVENG.SYS [2010-1-12 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20091020.006\NAVEX15.SYS [2010-1-12 1323568]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-3 133104]
S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.1.0.19\ccSvcHst.exe [2010-1-12 126392]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-4-27 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S3 PLISp50;PLISp50 NDIS Protocol Driver;c:\windows\system32\drivers\PLISp50.sys [2008-1-16 27072]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbaudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]

=============== Created Last 30 ================

2010-01-13 05:27:30 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 20:59:51 0 d-----w- c:\docume~1\bobell~1\applic~1\Malwarebytes
2010-01-12 20:57:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 20:57:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 20:57:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-12 08:14:56 0 d-----w- c:\docume~1\bobell~1\applic~1\Tific
2010-01-12 07:59:29 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-12 07:59:29 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-12 07:59:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-12 07:59:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-12 07:59:29 0 d-----w- c:\program files\Symantec
2010-01-12 07:59:29 0 d-----w- c:\program files\common files\Symantec Shared
2010-01-12 07:59:03 0 d-----w- c:\windows\system32\drivers\NAV
2010-01-12 07:59:01 0 d-----w- c:\program files\Norton AntiVirus
2010-01-12 07:59:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-01-12 07:58:55 0 d-----w- c:\program files\NortonInstaller
2010-01-12 07:58:55 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-01-12 07:42:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 07:26:07 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-01-08 18:08:10 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-08 18:08:02 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-14 03:53:05 65536 ----a-w- c:\windows\IFinst27.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 22:43:02.45 ===============

Attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/13/2008 10:11:10 PM
System Uptime: 1/19/2010 10:37:04 PM (0 hours ago)

Motherboard: http://www.abit.com.tw/ | | AV8 (VIA K8T800P-8237)
Processor: AMD Athlon™ 64 FX-55 Processor | Socket 939 | 2656/204mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 186 GiB total, 68.694 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_1106&DEV_3119&SUBSYS_1415147B&REV_11\3&13C0B0C5&0&70
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1106&DEV_3119&SUBSYS_1415147B&REV_11\3&13C0B0C5&0&70
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_1415147B&REV_80\3&13C0B0C5&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_1415147B&REV_80\3&13C0B0C5&0&78
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_1415147B&REV_60\3&13C0B0C5&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_1415147B&REV_60\3&13C0B0C5&0&8D
Service:

==== System Restore Points ===================

RP372: 10/14/2009 12:58:06 PM - System Checkpoint
RP373: 10/15/2009 1:46:53 PM - System Checkpoint
RP374: 10/16/2009 3:02:34 AM - Software Distribution Service 3.0
RP375: 10/16/2009 11:14:24 AM - Software Distribution Service 3.0
RP376: 10/17/2009 11:32:31 AM - System Checkpoint
RP377: 10/18/2009 1:11:31 PM - System Checkpoint
RP378: 10/19/2009 3:49:33 PM - System Checkpoint
RP379: 10/20/2009 4:10:32 PM - System Checkpoint
RP380: 10/21/2009 12:16:05 AM - Installed DirectX
RP381: 10/22/2009 2:29:22 AM - System Checkpoint
RP382: 10/23/2009 12:57:40 AM - Software Distribution Service 3.0
RP383: 10/24/2009 2:46:00 PM - System Checkpoint
RP384: 10/25/2009 2:46:42 PM - System Checkpoint
RP385: 10/26/2009 2:49:01 PM - System Checkpoint
RP386: 10/27/2009 4:29:29 PM - System Checkpoint
RP387: 10/28/2009 4:35:22 PM - System Checkpoint
RP388: 10/29/2009 4:40:28 PM - System Checkpoint
RP389: 10/30/2009 6:41:41 PM - System Checkpoint
RP390: 10/31/2009 7:25:06 PM - System Checkpoint
RP391: 11/1/2009 7:38:30 PM - System Checkpoint
RP392: 11/2/2009 7:13:20 PM - Installed DirectX
RP393: 11/2/2009 7:14:23 PM - Installed Borderlands
RP394: 11/3/2009 8:06:27 PM - System Checkpoint
RP395: 11/5/2009 4:01:06 AM - Software Distribution Service 3.0
RP396: 11/6/2009 4:37:45 AM - System Checkpoint
RP397: 11/7/2009 3:58:23 PM - System Checkpoint
RP398: 11/9/2009 8:34:58 PM - System Checkpoint
RP399: 11/10/2009 2:31:07 AM - Installed DirectX
RP400: 11/11/2009 3:01:49 AM - Software Distribution Service 3.0
RP401: 11/12/2009 3:46:39 PM - System Checkpoint
RP402: 11/13/2009 4:23:17 PM - System Checkpoint
RP403: 11/14/2009 4:45:21 PM - System Checkpoint
RP404: 11/15/2009 6:04:36 PM - System Checkpoint
RP405: 11/16/2009 6:31:48 PM - System Checkpoint
RP406: 11/17/2009 7:17:50 PM - System Checkpoint
RP407: 11/18/2009 7:24:29 PM - System Checkpoint
RP408: 11/19/2009 7:56:06 PM - System Checkpoint
RP409: 11/20/2009 8:00:36 PM - System Checkpoint
RP410: 11/21/2009 9:00:37 PM - System Checkpoint
RP411: 11/22/2009 10:14:09 PM - System Checkpoint
RP412: 11/23/2009 11:39:26 PM - System Checkpoint
RP413: 11/24/2009 11:51:11 PM - System Checkpoint
RP414: 11/26/2009 3:00:17 AM - Software Distribution Service 3.0
RP415: 11/27/2009 3:00:37 AM - System Checkpoint
RP416: 11/28/2009 12:48:43 PM - System Checkpoint
RP417: 11/29/2009 1:55:31 PM - System Checkpoint
RP418: 11/30/2009 8:39:19 AM - Installed AruaROSE v834
RP419: 12/1/2009 9:18:41 AM - System Checkpoint
RP420: 12/2/2009 10:18:41 AM - System Checkpoint
RP421: 12/3/2009 12:48:18 PM - System Checkpoint
RP422: 12/5/2009 3:26:46 AM - System Checkpoint
RP423: 12/6/2009 1:58:09 PM - System Checkpoint
RP424: 12/8/2009 2:02:52 PM - System Checkpoint
RP425: 12/9/2009 3:00:49 AM - Software Distribution Service 3.0
RP426: 12/10/2009 3:27:54 AM - System Checkpoint
RP427: 12/11/2009 12:51:11 PM - System Checkpoint
RP428: 12/12/2009 5:39:48 PM - System Checkpoint
RP429: 12/13/2009 6:34:55 PM - System Checkpoint
RP430: 12/14/2009 7:34:57 PM - System Checkpoint
RP431: 12/15/2009 7:52:22 PM - System Checkpoint
RP432: 12/16/2009 8:52:22 PM - System Checkpoint
RP433: 12/17/2009 8:59:29 PM - System Checkpoint
RP434: 12/18/2009 9:33:39 PM - System Checkpoint
RP435: 12/19/2009 10:33:39 PM - System Checkpoint
RP436: 12/21/2009 2:56:26 AM - System Checkpoint
RP437: 12/22/2009 3:21:25 AM - System Checkpoint
RP438: 12/23/2009 3:41:06 AM - System Checkpoint
RP439: 12/24/2009 9:40:07 AM - System Checkpoint
RP440: 12/25/2009 10:14:39 AM - System Checkpoint
RP441: 12/27/2009 12:43:15 PM - System Checkpoint
RP442: 12/28/2009 1:22:45 PM - System Checkpoint
RP443: 12/29/2009 1:43:37 PM - System Checkpoint
RP444: 12/30/2009 2:34:55 PM - System Checkpoint
RP445: 12/31/2009 2:45:04 PM - System Checkpoint
RP446: 1/1/2010 3:45:00 PM - System Checkpoint
RP447: 1/3/2010 11:33:36 PM - System Checkpoint
RP448: 1/4/2010 11:52:52 PM - System Checkpoint
RP449: 1/5/2010 12:22:18 AM - Removed AruaROSE v834
RP450: 1/6/2010 3:28:44 AM - System Checkpoint
RP451: 1/7/2010 5:02:54 PM - System Checkpoint
RP452: 1/8/2010 5:36:57 PM - System Checkpoint
RP453: 1/9/2010 5:53:07 PM - System Checkpoint
RP454: 1/10/2010 6:53:07 PM - System Checkpoint
RP455: 1/11/2010 8:14:14 PM - System Checkpoint
RP456: 1/11/2010 9:55:51 PM - Installed Borderlands
RP457: 1/11/2010 9:59:14 PM - Installed Borderlands

==== Installed Programs ======================

µTorrent
AAC Decoder
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
AudioShell 1.3.5
AutoUpdate
AVS4YOU Software Navigator 1.2
Bonjour
Borderlands
Call of Duty: World at War
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Counter-Strike
Counter-Strike: Source
Creative Audio Console
Critical Update for Windows Media Player 11 (KB959772)
CSE Demoplayer
D.I.P.R.I.P. Warm Up
DaredevilRO V4.3b
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Driver Detective
DyynoPlayer 0.8.6f
Google Gears
Google Toolbar for Internet Explorer
Google Update Helper
H.264 Decoder
Half-Life 2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Insurgency
InterVideo WinDVD
iTunes
Java™ 6 Update 15
Java™ 6 Update 7
LimeWire 5.1.2
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mini Ninjas - Demo
MKV Splitter
MobileMe Control Panel
Mozilla Firefox (3.5.7)
MPEG2 Decoder
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Norton AntiVirus
NVIDIA PhysX
OpenAL
OpenOffice.org 3.0
Powerline Utility
PunkBuster Services
PVK
Quake Live Mozilla Plugin
QuickTime
Ragnarok Online
Ragnarok Renewal
Ragnarok Sakray
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skins
Smashball
Source SDK
Source SDK Base
Spybot - Search & Destroy
Steam
Team Fortress 2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
VLC media player 0.9.8a
WebFldrs XP
Winamp
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wootalyzer!
Xfire (remove only)
Zeta RO (Fusion)

==== Event Viewer Messages From Past Week ========

1/15/2010 7:12:25 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0060970812BA has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/15/2010 11:17:31 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0060970812BA has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/14/2010 11:20:06 PM, error: Service Control Manager [7031] - The Google Software Updater service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 900000 milliseconds: Restart the service.
1/13/2010 8:48:31 PM, error: System Error [1003] - Error code 100000d1, parameter1 a9094198, parameter2 00000002, parameter3 00000000, parameter4 a908be22.
1/13/2010 12:27:56 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/13/2010 12:27:52 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service ImapiService with arguments "-Service" in order to run the server: {520CCA63-51A5-11D3-9144-00104BA11C5E}
1/13/2010 11:33:40 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
1/13/2010 11:33:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Norton AntiVirus service to connect.
1/13/2010 11:33:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
1/13/2010 11:33:14 AM, error: Service Control Manager [7000] - The Norton AntiVirus service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/13/2010 11:33:14 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================


GMER ------ I received a warning, hopefully towards the end? I didn't catch what it said; maybe you can tell?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-20 00:55:33
Windows 5.1.2600 Service Pack 3
Running: pxx3n5f3.exe; Driver: C:\DOCUME~1\BOBELL~1\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

Code 86AFAC88 ZwEnumerateKey
Code 86BD7CB0 ZwFlushInstructionCache
Code 86ADF2B6 IofCallDriver
Code 86AEE916 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 86ADF2BB
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 86AEE91B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC6 5 Bytes JMP 86BD7CB4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB72 5 Bytes JMP 86AFAC8C
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xF658C000, 0x1C5D58, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ntdll.dll!RtlValidateUnicodeString + 554 7C9163BE 10 Bytes JMP 055C003A
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!ReadFile + 211 7C801A23 7 Bytes JMP 055C0998
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 055C0E3E
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!LoadLibraryExW + 259 7C801D4E 7 Bytes JMP 055C0CEA
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!LoadLibraryExA + 23 7C801D76 7 Bytes JMP 055C08EE
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 055C0AEC
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!WriteProcessMemory + 11E 7C802331 7 Bytes JMP 055D003A
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!CreateProcessW + 30 7C802366 7 Bytes JMP 055D00E4
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!GetWindowsDirectoryW + 20 7C80AE3B 7 Bytes JMP 055C0A42
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!IsProcessorFeaturePresent + 1C 7C80AEE6 7 Bytes JMP 055D018E
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!SetEnvironmentVariableW + 269 7C8104C7 10 Bytes JMP 055C0EE8
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!CreateRemoteThread + 206 7C8106D2 7 Bytes JMP 055C0844
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!SwitchToFiber + E9 7C8107FB 7 Bytes JMP 055C0D94
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!GetProfileIntA + F7 7C8365D0 7 Bytes JMP 055C0C40
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] kernel32.dll!GetSystemRegistryQuota + 1A8 7C862508 7 Bytes JMP 055C0B96
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!GetSecurityDescriptorLength + 2AC 77DD7767 7 Bytes JMP 055C0646
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!ImpersonateLoggedOnUser + FA6 77DDE9EF 7 Bytes JMP 055C059C
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!RegSetValueExA + 1F9 77DDECE0 7 Bytes JMP 055C019D
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!RegDeleteValueA + 107 77DDEDEC 7 Bytes JMP 055C0247
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!ConvertStringSecurityDescriptorToSecurityDescriptorW + 1395 77DE429B 7 Bytes JMP 055C00F3
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!GetSidSubAuthorityCount + 14 77DE5596 7 Bytes JMP 055C04F2
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!SetFileSecurityW + 4C3 77DEA8A4 7 Bytes JMP 055C039B
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!LsaLookupPrivilegeValue + D3 77DFBA50 7 Bytes JMP 055C02F1
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!AccessCheckAndAuditAlarmW + 82 77DFBCEE 7 Bytes JMP 055C06F0
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!CreateProcessAsUserSecure + 206 77E10CE3 7 Bytes JMP 055C079A
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ADVAPI32.dll!MSChapSrvChangePassword2 + 811 77E15FF8 10 Bytes JMP 055C0445
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!RegisterDeviceNotificationA + 4A 7E421B85 7 Bytes JMP 055D0A54
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!CloseDesktop + DB 7E42820A 7 Bytes JMP 055D0900
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!GetKeyboardType + 31 7E43120C 7 Bytes JMP 055D09AA
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35201B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!InsertMenuA + 3E 7E43ED64 7 Bytes JMP 055D0AFE
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F63 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F9D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352091 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 055D0451
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 055D04FE
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 055D03A4
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 055D05AB
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ole32.dll!OleInitialize + E37 77500521 7 Bytes JMP 055D0238
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ole32.dll!CoImpersonateClient + 51 775156C0 7 Bytes JMP 055D02EE
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352253 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!HttpOpenRequestA + 652 3D94B0CD 7 Bytes JMP 055D0BA8
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!InternetConnectA + 11E9 3D94C2BB 7 Bytes JMP 055E018E
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!InternetUnlockRequestFile + 4C2 3D95307C 7 Bytes JMP 055D0CFC
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!InternetOpenA + 4D2 3D953553 7 Bytes JMP 055D0E50
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!HttpSendRequestA + 154 3D9536AC 7 Bytes JMP 055E00E4
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!FindNextUrlCacheEntryExA + 283B 3D956F55 7 Bytes JMP 055D0C52
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!InternetSetStatusCallback + EC9 3D958C44 7 Bytes JMP 055D0EFA
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!DeleteUrlCacheEntryW + 28B 3D95FDF4 7 Bytes JMP 055E003A
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!CreateMD5SSOHash + 286 3D998434 7 Bytes JMP 055E0238
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] WININET.dll!HttpCheckDavCompliance + 3E9 3D9AA929 7 Bytes JMP 055D0DA6
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!WSACleanup + 5C 71AB4049 7 Bytes JMP 055E038C
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!WSASocketW + 1BE 71AB420C 7 Bytes JMP 055E058A
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!socket + 26A 71AB447B 7 Bytes JMP 055E0436
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!getsockopt + 318 71AB4A02 7 Bytes JMP 055E0634
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!WSAEnumProtocolsW + 2D9 71AB8B65 7 Bytes JMP 055E02E2
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!WSAProviderConfigChange + AE 71AB8CCE 7 Bytes JMP 055E0788
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!shutdown + 86 71AC0C7C 7 Bytes JMP 055E0832
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!WSAGetOverlappedResult + A1 71AC0DBC 7 Bytes JMP 055E06DE
.text C:\Program Files\Internet Explorer\iexplore.exe[2228] ws2_32.dll!WSAJoinLeaf + CB 71AC103B 7 Bytes JMP 055E04E0

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTtvgrnsbite.sys (*** hidden *** ) A9146000-A9163000 (118784 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTtvgrnsbite.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTtvgrnsbite.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTtvgrnsbite.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTiupppynmko.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwqjnyegymu.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTwkqdoqukvn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTlitdkdedje.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTdwjsajbrpx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTtvgrnsbite.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTtvgrnsbite.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTiupppynmko.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwqjnyegymu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTwkqdoqukvn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTlitdkdedje.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTdwjsajbrpx.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Bo Bellt\Local Settings\Temp\H8SRT23e.tmp 343040 bytes executable
File C:\Documents and Settings\Bo Bellt\Local Settings\Temp\h8srtmainqt.dll 769 bytes
File C:\Documents and Settings\Guest\Local Settings\Temp\h8srtmainqt.dll 16657 bytes
File C:\WINDOWS\system32\drivers\H8SRTtvgrnsbite.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTdwjsajbrpx.dll 40960 bytes executable
File C:\WINDOWS\system32\H8SRTiupppynmko.dll 23552 bytes executable
File C:\WINDOWS\system32\h8srtkrl32mainweq.dll 781 bytes
File C:\WINDOWS\system32\H8SRTlitdkdedje.dll 16896 bytes executable
File C:\WINDOWS\system32\H8SRTwkqdoqukvn.dll 40960 bytes executable
File C:\WINDOWS\system32\H8SRTwqjnyegymu.dat 243 bytes
File C:\WINDOWS\Temp\H8SRT7162.tmp 245 bytes
File C:\WINDOWS\Temp\H8SRT7d49.tmp 237 bytes

---- EOF - GMER 1.0.15 ----

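The log above is the interesting part of this thread from a triage point of view: one service (`H8SRTd.sys`) registered in both control sets, a `modules` subkey whose values all point at `\\?\globalroot\...` paths, and a matching set of files in `system32`, `drivers` and the temp folders. Below is an added example, not part of the original post and not GMER's own tooling, of a small Python script that parses the `Reg` and `File` lines of a GMER 1.0.15 log into that structure and flags the service on the properties visible in the log. The embedded sample log is a constructed subset in the shape of the output above (the `CurrentControlSet` `start`/`type`/`group` lines and the `atapi.sys` entry are made up for the example); function names such as `parse_gmer` and `triage` are the example's own.

```python
"""Triage a GMER 1.0.15 text log: pull the rootkit service's registry entries
out of each control set and match them against the file list.

Added example for this thread; not part of the original post or of GMER.
SAMPLE_LOG is a constructed subset in the shape of the log in the thread.
"""
import os
import re
from collections import defaultdict

# Service control-manager constants (winnt.h): @type 1 is a kernel-mode
# driver, @start 1 means the kernel loads it during system initialization.
SERVICE_KERNEL_DRIVER = 1
SERVICE_SYSTEM_START = 1

# Win32 path prefix that resolves directly against the NT object manager
# root, so the reference works whatever drive letters are mapped.
GLOBALROOT = "\\\\?\\globalroot\\"

REG_LINE = re.compile(r"^Reg\s+(\S+)(?:\s+(.*))?$")
FILE_LINE = re.compile(r"^File\s+(.+?)\s+(\d+) bytes(.*)$")
SERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)(\\modules)?$",
    re.IGNORECASE,
)

# Constructed sample: CurrentControlSet start/type/group and atapi.sys are invented.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTtvgrnsbite.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTtvgrnsbite.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTiupppynmko.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTwqjnyegymu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTtvgrnsbite.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTtvgrnsbite.sys

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Bo Bellt\Local Settings\Temp\H8SRT23e.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\H8SRTtvgrnsbite.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTiupppynmko.dll 23552 bytes executable
File C:\WINDOWS\system32\H8SRTwqjnyegymu.dat 243 bytes
File C:\WINDOWS\system32\drivers\atapi.sys 96512 bytes executable
"""


def parse_gmer(text):
    """Return ({(controlset, service): {"values", "modules"}}, [file dicts])."""
    services = defaultdict(lambda: {"values": {}, "modules": {}})
    files = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            keyspec, data = m.group(1), (m.group(2) or "")
            key, _, valname = keyspec.partition("@")   # "key@value data"
            sk = SERVICE_KEY.match(key)
            if not sk:
                continue  # registry finding outside the Services tree
            cs, svc, is_modules = sk.group(1), sk.group(2), bool(sk.group(3))
            info = services[(cs, svc)]
            if not valname:
                continue  # bare key line such as "(not active ControlSet)"
            if is_modules:
                info["modules"][valname] = data
            else:
                info["values"][valname.lower()] = data
            continue
        m = FILE_LINE.match(line)
        if m:
            flags = m.group(3)
            files.append({"path": m.group(1), "size": int(m.group(2)),
                          "executable": "executable" in flags,
                          "flagged_rootkit": "ROOTKIT" in flags})
    return services, files


def triage(text):
    """Summarize the suspicious service(s) and the on-disk files tied to them."""
    services, files = parse_gmer(text)
    findings, prefixes = [], set()
    for (cs, svc), info in services.items():
        vals, modules = info["values"], info["modules"]
        reasons = []
        via_globalroot = [p for p in modules.values()
                          if p.lower().startswith(GLOBALROOT.lower())]
        if via_globalroot:
            reasons.append(f"{len(via_globalroot)} module(s) addressed via {GLOBALROOT}")
        if (vals.get("type") == str(SERVICE_KERNEL_DRIVER)
                and vals.get("start") == str(SERVICE_SYSTEM_START)):
            reasons.append("kernel driver with SYSTEM start (loaded before user mode)")
        if vals.get("group", "").lower() == "file system":
            reasons.append("placed in the 'file system' load-order group")
        if not reasons:
            continue
        findings.append({"controlset": cs, "service": svc,
                         "imagepath": vals.get("imagepath"),
                         "modules": dict(modules), "reasons": reasons})
        if modules:
            # The module value names share the rootkit's random name prefix
            # ("H8SRT" here); reuse it to pick out companion files on disk.
            prefixes.add(os.path.commonprefix([n.lower() for n in modules]))
    companions = [f for f in files
                  if f["flagged_rootkit"]
                  or any(f["path"].rsplit("\\", 1)[-1].lower().startswith(p)
                         for p in prefixes if p)]
    return {"services": findings, "files": companions}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for s in report["services"]:
        print(f"{s['controlset']}\\Services\\{s['service']} -> {s['imagepath']}")
        for r in s["reasons"]:
            print("   ", r)
    for f in report["files"]:
        print("file:", f["path"], "(flagged by GMER)" if f["flagged_rootkit"] else "")
```

Run against a real log, the point to check is whether every control set carries the same service definition: a driver that is registered as a system-start kernel driver in the "file system" group, references its own components through `\\?\globalroot`, and is mirrored in the inactive control set will survive a "Last Known Good" boot, which is why the advice in this thread leans towards a reinstall rather than a file-by-file cleanup.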

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,827 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:38 PM

Posted 20 January 2010 - 08:59 AM

Hello ethikal,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent and LimeWire installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent and LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 ethikal

ethikal
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:38 AM

Posted 20 January 2010 - 01:46 PM

Since you have brought up reformatting, I will go with this option. I thought of doing it to begin with, so I guess that is what I'll do. I can't afford any info on my PC to be stolen; tyvm for your help.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,827 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:38 PM

Posted 20 January 2010 - 01:53 PM

I am sorry to have been the bearer of bad news....

Good luck with the reformat.

This topic will now be closed. If you need it to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

