identified MBR rootkit and BSODs


This topic is locked
51 replies to this topic

#1 4NICK8
  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US

Posted 01 February 2010 - 02:16 AM

For some time now my computer randomly and rarely shuts down with the BSOD saying "Kernel data inpage error". Also at random my hard drive vanishes, Task Manager stops working, no programs will open, and when I go to shut down the screen flickers once and then goes blank until I do a forced shutdown. I ran a hardware check through SpeedFan to see if my hard drive was failing, and according to that it's not too shabby (94%).

I ran RootRepeal last week and found the MBR rootkit. I tried running it again to give you the most updated report and it crashed twice.
1.) It ran halfway through the scan and stopped; eventually a small clear window popped up. I hit the X in the clear window and it stopped responding. I had the state of mind to bring up Task Manager and it was reading almost 2,000,000K, so I ended the process.
2.) I clicked to run and I get a BSOD "IRQL NOT LESS OR EQUAL"?!

Both times were run as admin, just FYI.


DDS (Ver_09-12-01.01) - NTFSx86
Run by J B at 23:53:13.85 on Sun 01/31/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3067.1829 [GMT -5:00]

SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\System Control Manager\MSIService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Users\J B\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: c:\windows\system32\guard32.dll,avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-21 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-21 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-21 360584]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-17 99344]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-17 25104]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-21 285392]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-8-20 159744]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-20 1153368]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-8-19 52736]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-8-19 93968]
R3 MAC607;MAC607 Filter;c:\windows\system32\drivers\MAC607.sys [2008-12-18 23808]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2009-8-3 569856]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-21 66592]
R3 ReallusionVirtualAudio;Reallusion Virtual Audio;c:\windows\system32\drivers\RLVrtAuCbl.sys [2008-12-17 31616]
R3 XBox;XBox Filter;c:\windows\system32\drivers\Xbox.sys [2008-12-18 23936]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PKWCap;PKWCap service;c:\windows\system32\drivers\PKWCap.sys [2008-8-19 995328]
S4 AQFBXHFSR;AQFBXHFSR;c:\users\jb0176~1\appdata\local\temp\aqfbxhfsr.exe --> c:\users\jb0176~1\appdata\local\temp\AQFBXHFSR.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-24 24652]
S4 ZXQEDUV;ZXQEDUV;c:\users\jb0176~1\appdata\local\temp\zxqeduv.exe --> c:\users\jb0176~1\appdata\local\temp\ZXQEDUV.exe [?]

=============== Created Last 30 ================

2010-01-29 05:35:45 0 d-----w- c:\program files\Belarc
2010-01-29 00:05:18 916 ----a-w- C:\mbam - Shortcut.lnk
2010-01-28 22:47:35 764898640 ----a-w- c:\windows\MEMORY.DMP
2010-01-28 21:19:15 0 d-----w- c:\users\jb0176~1\appdata\roaming\Malwarebytes
2010-01-28 21:19:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 21:19:05 0 d-----w- c:\programdata\Malwarebytes
2010-01-28 21:19:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-28 21:19:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 02:31:58 0 d-----w- c:\programdata\NOS
2010-01-27 15:58:55 77312 ----a-w- C:\mbr.exe
2010-01-25 01:03:06 0 d-----w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2010-01-24 23:55:58 0 d---a-w- c:\programdata\TEMP
2010-01-24 23:55:52 0 d-----w- c:\program files\SpywareBlaster
2010-01-22 13:43:08 834048 ----a-w- c:\windows\system32\wininet.dll
2010-01-22 13:43:02 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-20 20:28:24 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-20 20:28:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-20 16:52:14 0 d-----w- c:\program files\SpeedFan
2010-01-20 16:51:55 45 ----a-w- c:\windows\system32\initdebug.nfo
2010-01-15 23:54:07 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-15 23:54:07 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-05 08:25:56 0 d-----w- c:\program files\Trend Micro
2010-01-05 07:58:43 0 d-----w- c:\programdata\McAfee
2010-01-03 04:26:36 0 d-----w- c:\programdata\McAfee Security Scan

==================== Find3M ====================

2010-01-31 16:06:10 103781 ----a-w- c:\programdata\nvModes.dat
2009-11-30 23:02:40 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 23:02:38 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-30 22:01:24 162825 ----a-w- c:\windows\hpoins44.dat
2009-11-30 21:45:13 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-30 21:45:13 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-30 21:44:21 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-22 03:41:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-12 02:38:57 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-06 15:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 15:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-04 15:15:34 52224 ----a-w- c:\windows\ipuninst.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:54:05.19 ===============

I'm at my wits' end with this bleeping computer. Your help would be much appreciated!!
Oh, and P.S.: since I couldn't get it to work I'll post last week's RootRepeal results.


#2 sempai
    noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 01 February 2010 - 07:10 AM

Hello, my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach, who will approve all my instructions before posting them to you, so there may be some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 4NICK8
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US

Posted 01 February 2010 - 11:44 AM

Hi Sempai, I've always been told that two is better than one, so an extra thanks goes out to you.

#4 sempai
    noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 01 February 2010 - 05:17 PM

Hi Nick,


I can see in your log that you have mbr.exe. Did you use this tool already? Please tell me anything you did with this program.



1. I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
If Viewpoint is not listed in your program list:
Start Firefox > click Tools > click Add-ons; from there look for Viewpoint or Viewpoint Media Player, then uninstall it.

Then, go to C: > Program Files and delete the Viewpoint folder.




2. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy




3. Let's check for an MBR rootkit.
Download this tool to desktop: --> mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)




4. When the computer crashes, after restart the system makes dump files (Minixxxxx.dmp, where x represents a number). I need to see the file to find the cause of the crash.
Use Windows Advanced Search to find the file. To do that:
  • Press the Windows Key + F to open the Advanced Search window.
  • On the right side of the open window click on the drop-down arrow by Advanced Search.
  • Click on the drop-down arrow to the right of Location and select Computer.
  • Put a checkmark next to the "Include non-indexed, hidden, and system files" box.
  • On the right side in the Name field, type in mini*.dmp and click Search.
  • Zip the file and attach it to your reply. To attach the file:
    • When you press ADD REPLY, under the reply window press Browse... and show the path to the zip file on your computer.
    • Highlight the zip file and click Open, then press the green UPLOAD button.




~Semp



#5 4NICK8
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US

Posted 01 February 2010 - 08:02 PM

I did use MBR.exe once before; I saw it in another Bleeping forum (after searching for it again I couldn't find it), but if I remember correctly, if GMER couldn't get rid of it then I put mbr.exe into C:\ and ran it from the elevated command prompt typing C:\mbr.exe -f ... and again this is from memory so I'm not 100% sure on that.

I did download it again and put it straight to the desktop like you asked though. It did not crash the computer, but I did find the log along with the other log that was created from using it the other way. I'll post both if there's any difference other than the date.

As for Viewpoint, I could have sworn I got rid of it already! But it is possible that I didn't get rid of all of it (Viewpoint Media Player is all I found). I did look for it in the advanced search <<< thanks for the trick! and found it in C:\ProgramData instead of Program Files... either way it's GONE!! Another tidbit I found about this is that it was included before I bought my laptop... by the way, that entry about Viewpoint's just a lil eerie... ha... just a lil.

TeaTimer is disabled. *edit* to your entry: running Spybot without admin won't allow the deselection of both items.

*Since it didn't crash I attached the latest dump file (early this morning when it did its famous disappearing act).

I'll try a different approach and see if it will make it crash.

Not that it's a large concern, but what's the security difference between .zip and .rar? I tried uploading as a .rar and it wouldn't work, but as a .zip it will. Either way is basically the same, right?!

Thanks a million!


#6 4NICK8
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US

Posted 01 February 2010 - 08:25 PM

Almost forgot to add this

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

It couldn't read it the first time I tried, so trying again with admin it worked.... Vista's way too fussy, lol.

Edited by 4NICK8, 01 February 2010 - 11:11 PM.


#7 sempai
    noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 03 February 2010 - 11:09 AM

Hi Nick,

We're currently discussing the fix for you, I will post it ASAP.


~Semp



#8 sempai
    noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 05 February 2010 - 07:59 AM

Hi Nick,

Sorry for the delay.


1. Disable Remote Desktop and disable the HelpAssistant account.
On your desktop, right-click on Computer > Properties > Advanced settings > Remote tab and select "Don't allow connections to this computer" > click Apply, then OK.

Now please disable the HelpAssistant account.
  • Please copy the contents of the code box below, open notepad and paste it there.
  • On the top toolbar in notepad select file, then save as. In the box that opens type in help.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the help.bat icon on your desktop and run it as administrator.
  • A notepad will pop up. Copy the contents of the notepad and post it on your next reply.

CODE
@echo off
REM Deactivate the HelpAssistant account so it can no longer log on
net user HelpAssistant /active:no
REM Make sure it is not a member of the local Administrators group
net localgroup Administrators HelpAssistant /delete
REM Write the account's current status to a log file on the desktop
net user HelpAssistant>"%userprofile%\desktop\log.txt"
REM Open that log in the default text editor (Notepad)
"%userprofile%\desktop\log.txt"






2. Please open Malwarebytes Anti-Malware, go to the Logs tab and then open the latest log available, zip it and attach it when you reply. Then do the following:
Go to the Update tab, download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




3. Download ComboFix from any of the links below, but rename it to CFScan before saving it to your desktop.
Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double-click (Run as administrator on Vista) the renamed ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



The logs I want to see when you reply are:
  1. Two logs from MBAM (one zipped and attached)
  2. ComboFix.txt


~Semp

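As an added illustration (my own code, not part of sempai's instructions or anything else in this thread), the PowerShell script below does the same two things step 1 above asks for, confirming that Remote Desktop connections are refused and that the HelpAssistant account is disabled, but it first checks whether the account exists at all. The plain `net user HelpAssistant` line in help.bat only errors out in that case and leaves an empty log behind. The registry value it reads, the function names and the log file name are my assumptions; it assumes an elevated PowerShell prompt on an English-language Vista/7-era Windows.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell
# prompt on English-language Vista/7-era Windows; the log file name and the
# function names are my own choices.

$Account = 'HelpAssistant'
$LogPath = Join-Path $env:USERPROFILE 'Desktop\helpassistant-check.txt'

function Test-RemoteDesktopDisabled {
    # The "Don't allow connections to this computer" option writes
    # fDenyTSConnections = 1 under the Terminal Server key.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $item = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.fDenyTSConnections -eq 1)
}

function Get-LocalAccountState {
    param([string]$Name)
    # `net user <name>` exits non-zero when the account does not exist;
    # help.bat ignores that exit code and so produces an empty log.
    $output = & net user $Name 2>&1
    if ($LASTEXITCODE -ne 0) { return 'absent' }
    foreach ($line in $output) {
        # The status table contains a line such as "Account active   No"
        if ("$line" -match '^Account active\s+(Yes|No)') {
            if ($Matches[1] -eq 'Yes') { return 'enabled' }
            return 'disabled'
        }
    }
    return 'unknown'
}

function Disable-LocalAccount {
    param([string]$Name)
    # Same two commands as help.bat, run only when the account really exists.
    & net user $Name /active:no | Out-Null
    # Removing it from Administrators fails harmlessly if it was never a member.
    & net localgroup Administrators $Name /delete 2>&1 | Out-Null
}

$state  = Get-LocalAccountState -Name $Account
$report = @(
    "Remote Desktop connections disabled : $(Test-RemoteDesktopDisabled)",
    "$Account account state              : $state"
)
if ($state -eq 'enabled') {
    Disable-LocalAccount -Name $Account
    $report += "$Account was enabled; disabled it and removed it from Administrators"
    $report += "$Account account state now          : $(Get-LocalAccountState -Name $Account)"
}
$report | Set-Content -Path $LogPath
Get-Content -Path $LogPath
```

If the log reports the account as "absent", there is nothing to disable; that is the same situation in which help.bat prints "The user name could not be found" to the console and leaves log.txt empty.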


#9 4NICK8
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US

Posted 05 February 2010 - 10:06 AM

Okay, HelpAssistant was already disabled and I did everything to a "T" twice on the help.bat, but nothing came up in the log it created (blank). In the black box (C:\Windows\system32\cmd.exe) it says: The user could not be found - There is no such global user or group - The user name could not be found.

I'm attaching the MBAM log. I updated MBAM and I'm running it as I type and haven't done ComboFix... I've gotta run but I'll be sure to post the rest up later - THANK YOU


#10 4NICK8
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US

Posted 05 February 2010 - 01:54 PM

ComboFix 10-02-05.01 - J B 02/05/2010 13:22:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3067.1958 [GMT -5:00]
Running from: c:\users\J B\Desktop\cfscan.exe
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1364691680-1121060033-3344519950-501
c:\$recycle.bin\S-1-5-21-2674256907-3750108239-1999701387-500

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-05 18:38 . 2010-02-05 18:39 -------- d-----w- c:\users\J B\AppData\Local\temp
2010-02-05 18:38 . 2010-02-05 18:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-01 07:21 . 2010-02-01 07:21 15 ----a-w- c:\users\J B\settings.dat
2010-01-29 05:35 . 2010-01-29 05:35 -------- d-----w- c:\program files\Belarc
2010-01-28 21:19 . 2010-01-28 21:19 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-28 21:19 . 2010-01-28 21:19 -------- d-----w- c:\users\J B\AppData\Roaming\Malwarebytes
2010-01-28 21:19 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 21:19 . 2010-01-28 21:19 -------- d-----w- c:\programdata\Malwarebytes
2010-01-28 21:19 . 2010-01-28 23:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 21:19 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-28 02:31 . 2010-01-28 02:37 -------- d-----w- c:\programdata\NOS
2010-01-27 15:58 . 2010-01-27 15:58 77312 ----a-w- C:\mbr.exe
2010-01-27 14:48 . 2010-01-18 15:46 1260800 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-01-27 14:48 . 2010-01-18 15:46 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-25 01:03 . 2010-01-25 01:03 -------- d-----w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2010-01-24 23:55 . 2010-01-24 23:57 -------- d-----w- c:\program files\SpywareBlaster
2010-01-22 13:43 . 2009-12-16 11:44 834048 ----a-w- c:\windows\system32\wininet.dll
2010-01-22 13:43 . 2009-12-18 13:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-20 20:28 . 2010-01-27 05:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-20 20:28 . 2010-01-24 14:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-20 16:52 . 2010-02-02 22:25 -------- d-----w- c:\program files\SpeedFan
2010-01-19 07:33 . 2009-05-26 16:43 1710392 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2010-01-19 07:33 . 2009-02-27 11:07 462848 ------w- c:\programdata\HP\Installer\Temp\hpzswp01.exe
2010-01-16 19:58 . 2010-01-16 19:58 -------- d-----w- c:\users\J B\AppData\Local\Yahoo!
2010-01-15 23:54 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-15 23:54 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 19:58 . 2009-11-11 00:39 -------- d-----w- c:\program files\OFFICE One Games
2010-02-04 16:05 . 2008-08-19 20:20 103781 ----a-w- c:\programdata\nvModes.dat
2010-01-27 05:07 . 2009-12-02 19:50 -------- d-----w- c:\program files\VstPlugins
2010-01-25 19:30 . 2009-11-11 01:07 -------- d-----w- c:\users\J B\AppData\Roaming\OFFICEOne7
2010-01-19 07:34 . 2009-12-02 19:47 -------- d-----w- c:\program files\Image-Line
2010-01-19 07:28 . 2008-12-25 02:54 -------- d-----w- c:\program files\Common Files\AOL
2010-01-16 08:03 . 2008-08-19 19:23 -------- d-----w- c:\programdata\Microsoft Help
2010-01-16 08:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-05 08:25 . 2010-01-05 08:25 -------- d-----w- c:\program files\Trend Micro
2010-01-05 07:58 . 2010-01-05 07:58 -------- d-----w- c:\programdata\McAfee
2010-01-03 04:26 . 2010-01-03 04:26 -------- d-----w- c:\programdata\McAfee Security Scan
2009-12-28 04:09 . 2009-09-15 09:28 -------- d-----w- c:\users\J B\AppData\Roaming\LimeWire
2009-11-30 23:02 . 2009-11-30 23:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 23:02 . 2009-11-30 23:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-30 22:01 . 2008-12-17 22:34 254848 ----a-w- c:\users\J B\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-30 22:01 . 2009-11-30 21:51 162825 ----a-w- c:\windows\hpoins44.dat
2009-11-22 03:41 . 2009-11-22 03:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-22 03:41 . 2009-11-22 03:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-22 03:41 . 2009-11-22 03:41 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-22 03:41 . 2009-11-22 03:41 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-12 02:38 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-11 00:41 . 2009-11-11 00:41 69632 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{74588E42-C78A-42A8-9A3A-9ED6BF747CFE}\NewShortcut1_74588E42C78A42A89A3A9ED6BF747CFE.exe
2009-11-11 00:41 . 2009-11-11 00:41 69632 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{74588E42-C78A-42A8-9A3A-9ED6BF747CFE}\ARPPRODUCTICON.exe
2009-11-11 00:41 . 2009-11-11 00:41 1518600 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{EA542F1C-BED0-4C70-A916-461950772FE1}\oomenuv7.exe_EA542F1CBED04C70A916461950772FE1.exe
2009-11-11 00:41 . 2009-11-11 00:41 135168 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{EA542F1C-BED0-4C70-A916-461950772FE1}\NewShortcut1_EA542F1CBED04C70A916461950772FE1.exe
2009-11-11 00:41 . 2009-11-11 00:41 135168 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{EA542F1C-BED0-4C70-A916-461950772FE1}\ARPPRODUCTICON.exe
2009-11-11 00:40 . 2009-11-11 00:40 45056 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{1F12D560-D35A-4145-B408-8EF79A47C1A7}\NewShortcut1_1F12D560D35A4145B4088EF79A47C1A7.exe
2009-11-11 00:40 . 2009-11-11 00:40 45056 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{1F12D560-D35A-4145-B408-8EF79A47C1A7}\ARPPRODUCTICON.exe
2009-11-11 00:39 . 2009-11-11 00:39 135168 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{17A1D828-4138-49EF-9376-1B37AA2BD3BF}\ARPPRODUCTICON.exe
2009-11-11 00:39 . 2009-11-11 00:39 221184 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{3183D9AD-AD6D-4C31-8403-D6F28A62EE10}\NewShortcut1_3183D9ADAD6D4C318403D6F28A62EE10.exe
2009-11-11 00:39 . 2009-11-11 00:39 221184 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{3183D9AD-AD6D-4C31-8403-D6F28A62EE10}\ARPPRODUCTICON.exe
2009-11-11 00:39 . 2009-11-11 00:39 10134 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{7DD97E1B-49EB-4C54-B7E1-7277994185D1}\ARPPRODUCTICON.exe
2009-11-11 00:38 . 2009-11-11 00:38 10134 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{194D323A-752E-4CF4-82A7-02FD35B80C35}\ARPPRODUCTICON.exe
2009-11-11 00:36 . 2009-11-11 00:36 331776 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{820A9A2C-1824-4FCF-9AA5-CCC84724583A}\NewShortcut1_820A9A2C18244FCF9AA5CCC84724583A.exe
2009-11-11 00:36 . 2009-11-11 00:36 331776 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{820A9A2C-1824-4FCF-9AA5-CCC84724583A}\ARPPRODUCTICON.exe
2009-11-09 12:31 . 2009-12-12 08:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-12 08:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-12 08:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Xpadder"="d:\program files\xpadder5-3\Xpadder.exe" [2008-08-29 932864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-01-22 1797880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-05 13560352]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-05 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2007-09-28 23:03 75136 ----a-w- c:\program files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
2008-08-12 18:40 704512 ----a-w- c:\program files\System Control Manager\MGSysCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2007-05-16 20:18 2483760 ------w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2008-06-25 05:49 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-10-26 08:49 671744 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d6,1b,03,c6,86,3d,ca,01

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/21/2009 10:41 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/21/2009 10:41 PM 360584]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [12/17/2008 9:18 PM 99344]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [12/17/2008 9:18 PM 25104]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/21/2009 10:40 PM 285392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [1/20/2010 3:28 PM 1153368]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [8/19/2008 12:37 PM 52736]
R3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [8/19/2008 12:23 PM 93968]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr28.sys [8/3/2009 1:54 PM 569856]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [8/21/2009 8:24 PM 66592]
R3 ReallusionVirtualAudio;Reallusion Virtual Audio;c:\windows\System32\drivers\RLVrtAuCbl.sys [12/17/2008 5:28 PM 31616]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [10/27/2009 9:34 PM 721904]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [8/20/2008 3:56 PM 159744]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 9:23 PM 21504]
S3 MAC607;MAC607 Filter;c:\windows\System32\drivers\MAC607.sys [12/18/2008 9:34 PM 23808]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PKWCap;PKWCap service;c:\windows\System32\drivers\PKWCap.sys [8/19/2008 12:38 PM 995328]
S3 XBox;XBox Filter;c:\windows\System32\drivers\Xbox.sys [12/18/2008 9:34 PM 23936]
S4 AQFBXHFSR;AQFBXHFSR;c:\users\JB0176~1\AppData\Local\Temp\AQFBXHFSR.exe --> c:\users\JB0176~1\AppData\Local\Temp\AQFBXHFSR.exe [?]
S4 ZXQEDUV;ZXQEDUV;c:\users\JB0176~1\AppData\Local\Temp\ZXQEDUV.exe --> c:\users\JB0176~1\AppData\Local\Temp\ZXQEDUV.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{7DAE07EF-0307-46E2-A3DF-6242BD0353B9}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 13:39
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1364691680-1121060033-3344519950-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:73,85,0b,a4,59,80,01,8d,4f,5b,50,49,9c,60,4f,24,53,6f,35,43,bd,e9,c8,
74,cd,0d,e2,4f,50,82,65,1b,e1,bf,4b,8d,4e,ac,6e,1c,f1,64,00,01,0f,6a,3f,9b,\
"??"=hex:bd,fa,f3,9f,7a,4a,a7,71,7c,5a,c7,18,14,27,42,b6

[HKEY_USERS\S-1-5-21-1364691680-1121060033-3344519950-1000\Software\SecuROM\License information*]
"datasecu"=hex:3a,f8,ce,22,e2,d9,d8,ae,57,74,58,85,66,f9,17,d4,b9,55,ea,e0,2a,
3b,64,39,31,3a,c8,97,01,d5,47,d6,69,5a,c0,9d,9f,d0,b2,87,25,64,59,df,01,4e,\
"rkeysecu"=hex:74,5b,31,ba,ef,11,d9,a6,bf,26,4e,72,20,f5,4a,7a

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\guard32.dll
.
Completion time: 2010-02-05 13:43:36
ComboFix-quarantined-files.txt 2010-02-05 18:43

Pre-Run: 10,100,510,720 bytes free
Post-Run: 9,994,309,632 bytes free

- - End Of File - - 1BD434EA9630198FDDBBFBD0029DF343


Malwarebytes' Anti-Malware 1.44
Database version: 3693
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

2/5/2010 1:06:46 PM
mbam-log-2010-02-05 (13-06-46).txt

Scan type: Full Scan (C:\|D:\|E:\|I:\|)
Objects scanned: 250117
Time elapsed: 1 hour(s), 1 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:08:49 PM

Posted 06 February 2010 - 09:51 PM

Hi Nick,


1. Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire).
These programmes allow users to share files with each other, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



2. Download and run the Norton Removal Tool HERE.


3. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



3. Open notepad and copy/paste the text in the code box below into it:

CODE
Rootkit::
c:\users\JB0176~1\AppData\Local\Temp\AQFBXHFSR.exe
c:\users\JB0176~1\AppData\Local\Temp\ZXQEDUV.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

Driver::
AQFBXHFSR
ZXQEDUV


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



4. Please create another Rootrepeal log and post it when you reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
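The CFScript above is assembled by hand from two things in the ComboFix log posted earlier in the thread: the S4 services whose image path is a randomly named executable in the user's Temp folder that ComboFix could no longer find ("--> ... [?]"), and the Security Center "DisableMonitoring"=dword:00000001 value that the old Norton install left behind. The following Python is an added example, not code from this post, from ComboFix or from BleepingComputer: it parses lines in that ComboFix layout, flags the service entries using the same reasoning, and emits a CFScript in the Rootkit:: / Registry:: / Driver:: form used here. The sample log lines are constructed copies of entries from this thread, and the triage heuristics (Temp-folder path, all-caps random name reused as display name, the "[?]" missing-file marker) are my own assumptions, not ComboFix's rules.

```python
import re

# Constructed sample: a handful of lines copied in the layout of the ComboFix
# "Reg Loading Points" and "Drivers/Services" sections quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/21/2009 10:41 PM 333192]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 AQFBXHFSR;AQFBXHFSR;c:\users\JB0176~1\AppData\Local\Temp\AQFBXHFSR.exe --> c:\users\JB0176~1\AppData\Local\Temp\AQFBXHFSR.exe [?]
S4 ZXQEDUV;ZXQEDUV;c:\users\JB0176~1\AppData\Local\Temp\ZXQEDUV.exe --> c:\users\JB0176~1\AppData\Local\Temp\ZXQEDUV.exe [?]
"""

# "R1 name;display;image [date size]"  or  "S4 name;display;image --> image [?]"
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")
# Heuristics (assumptions for this example, not ComboFix rules): a service image
# living in a Temp folder, and an all-uppercase "random" name reused as display name.
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\)?temp\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Z]{6,}$")
MONITORING_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"
DISABLED_VALUE = '"DisableMonitoring"=dword:00000001'


def parse_services(log_text):
    """Return one dict per Rn/Sn service line found in a ComboFix log."""
    services = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        kind, start_type, name, display, rest = m.groups()
        # ComboFix appends "--> path [?]" when it could not find or verify the file.
        missing = rest.rstrip().endswith("[?]")
        image = rest.split(" --> ")[0].split(" [")[0].strip()
        services.append({"kind": kind, "start": int(start_type), "name": name,
                         "display": display, "image": image, "missing": missing})
    return services


def why_suspicious(svc):
    """List the reasons a service entry looks like a malware loader."""
    reasons = []
    if TEMP_DIR_RE.search(svc["image"]):
        reasons.append("image path is in a Temp folder")
    if RANDOM_NAME_RE.match(svc["name"]) and svc["name"] == svc["display"]:
        reasons.append("random-looking all-caps name reused as display name")
    if svc["missing"]:
        reasons.append("file not present when ComboFix ran ([?])")
    return reasons


def find_suspicious(log_text):
    """A Temp-folder image alone is enough; otherwise require two other signals."""
    hits = []
    for svc in parse_services(log_text):
        reasons = why_suspicious(svc)
        in_temp = any(r.startswith("image path") for r in reasons)
        if in_temp or len(reasons) >= 2:
            hits.append(svc)
    return hits


def security_center_disabled(log_text):
    """True when the root Security Center Monitoring key has DisableMonitoring=1."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if line.lower() == MONITORING_KEY.lower():
            nxt = next((ln for ln in lines[i + 1:] if ln), "")
            return nxt.lower() == DISABLED_VALUE.lower()
    return False


def build_cfscript(log_text):
    """Emit a CFScript in the Rootkit:: / Registry:: / Driver:: layout used in the post."""
    suspects = find_suspicious(log_text)
    out = []
    if suspects:
        out.append("Rootkit::")
        out.extend(s["image"] for s in suspects)
        out.append("")
    if security_center_disabled(log_text):
        out.append("Registry::")
        out.append(MONITORING_KEY)
        out.append('"DisableMonitoring"=dword:00000000')
        out.append("")
    if suspects:
        out.append("Driver::")
        out.extend(s["name"] for s in suspects)
    return "\n".join(out)


if __name__ == "__main__":
    for svc in find_suspicious(SAMPLE_LOG):
        print(f"{svc['name']}: {'; '.join(why_suspicious(svc))}")
    print()
    print(build_cfscript(SAMPLE_LOG))
```

Two caveats a practitioner would add: the GameGuard entry (npggsvc) is also marked "[?]" but is not in a Temp folder and has a normal name, so it is left alone, which matches the helper's script; and only the root Monitoring key is reset, because the SymantecAntiVirus and SymantecFirewall subkeys are leftovers that the Norton Removal Tool in step 2 is meant to clean up. Generating a script this way is triage, not a substitute for the expert review ComboFix is normally run under.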


#12 4NICK8

4NICK8
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US
  • Local time:08:49 AM

Posted 07 February 2010 - 08:49 AM

1.) I removed LimeWire a while ago, but remnants remain... so I assume it's safe just to delete it all?!
2.) I have no idea what version of Norton was on here, as I deleted it upon first opening my computer. I found no files under Norton or Symantec.
3.) Did exactly as it says to do (all security off); it had to shut down and restart, saying a message about emulated drives (I'm assuming DAEMON Tools [which I thought I had disabled]).
a.) After cfscan started up it got to the second blue window (scanning) and froze... I waited nearly half an hour and still nothing; in fact, after I checked it my mouse even stopped moving.
b.) Rebooted the computer and tried again, turned everything off and slipped the txt over cfscan. This time it didn't restart and immediately went to scan and again froze. My clock didn't change from the time I started it, so I waited 20 mins and got nothing; everything remained frozen.
4.) Ran RootRepeal; it started up scanning and after a while it stopped responding and failed.

It's just one of those mornings....
Oh, and I have another dump file if you're interested. I'm 98% sure that it was the BSOD this time.

#13 4NICK8

4NICK8
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US
  • Local time:08:49 AM

Posted 07 February 2010 - 12:48 PM

OK, after a few more tries I got the logs

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/07 08:04
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x904B8000 Size: 40960 File Visible: No Signed: -
Status: -

Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x904C2000 Size: 147456 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9ED92000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{38db0c36-1326-11df-8a49-0021854f466b}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{38db0c58-1326-11df-8a49-0021854f466b}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: c:\$avg\$chjw\d3a1a929-1481-4c55-bbca-c976a002eee1
Status: Allocation size mismatch (API: 774144, Raw: 0)

Path: c:\$avg\$chjw\e4165021-5e07-4d1e-bea2-a0d9c2b8774a
Status: Allocation size mismatch (API: 274432, Raw: 0)

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1232 Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f965ad8

#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f966982

#: 022 Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f965f0c

#: 054 Function Name: NtConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f964e8e

#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f965694

#: 071 Function Name: NtCreatePort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f964be8

#: 075 Function Name: NtCreateSection
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9654ea

#: 077 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f965cbe

#: 078 Function Name: NtCreateThread
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9647be

#: 129 Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f964520

#: 165 Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f966604

#: 174 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9650d4

#: 186 Function Name: NtOpenFile
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9658cc

#: 194 Function Name: NtOpenProcess
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f964250

#: 197 Function Name: NtOpenSection
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f965364

#: 201 Function Name: NtOpenThread
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9643c8

#: 276 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f964d06

#: 286 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9663bc

#: 317 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9667b2

#: 326 Function Name: NtShutdownSystem
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f96506e

#: 332 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f965258

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f964ab2

#: 335 Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f964980

#: 382 Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f966018

#: 383 Function Name: NtCreateUserProcess
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f966c12

Stealth Objects
-------------------
Object: Hidden Handle [Index: 640, Type: UnknownType]
Process: Xpadder.exe (PID: 1520) Address: 0x85e49090 Size: -

Shadow SSDT
-------------------
#: 397 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9679d8

#: 428 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9677de

#: 430 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9678d8

#: 479 Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f967526

#: 497 Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9671d8

#: 498 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f967384

#: 513 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f967ad8

#: 525 Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f9676e8

#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f967bce

#: 576 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8f967e02

==EOF==

ComboFix 10-02-05.01 - J B 02/07/2010 9:47.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3067.2098 [GMT -5:00]
Running from: c:\users\J B\Desktop\cfscan.exe
Command switches used :: c:\users\J B\Desktop\CFScript.txt
SP: COMODO Defense+ *disabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZXQEDUV
-------\Service_AQFBXHFSR
-------\Service_ZXQEDUV


((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.

2010-02-07 14:55 . 2010-02-07 15:48 -------- d-----w- c:\users\J B\AppData\Local\temp
2010-02-07 14:55 . 2010-02-07 14:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-07 14:55 . 2010-02-07 14:55 -------- d-----w- c:\users\JB\AppData\Local\temp
2010-02-07 14:55 . 2010-02-07 14:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-07 14:46 . 2010-02-07 14:46 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-02-07 10:46 . 2010-02-07 10:46 -------- d-----w- c:\users\J B\AppData\Roaming\AVG9
2010-02-01 07:21 . 2010-02-01 07:21 15 ----a-w- c:\users\J B\settings.dat
2010-01-29 05:35 . 2010-01-29 05:35 -------- d-----w- c:\program files\Belarc
2010-01-28 21:19 . 2010-01-28 21:19 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-28 21:19 . 2010-01-28 21:19 -------- d-----w- c:\users\J B\AppData\Roaming\Malwarebytes
2010-01-28 21:19 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 21:19 . 2010-01-28 21:19 -------- d-----w- c:\programdata\Malwarebytes
2010-01-28 21:19 . 2010-01-28 23:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 21:19 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-28 02:31 . 2010-01-28 02:37 -------- d-----w- c:\programdata\NOS
2010-01-27 15:58 . 2010-01-27 15:58 77312 ----a-w- C:\mbr.exe
2010-01-27 14:48 . 2010-01-18 15:46 1260800 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-01-27 14:48 . 2010-01-18 15:46 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-25 01:03 . 2010-01-25 01:03 -------- d-----w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2010-01-24 23:55 . 2010-01-24 23:57 -------- d-----w- c:\program files\SpywareBlaster
2010-01-20 20:28 . 2010-01-27 05:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-20 20:28 . 2010-01-24 14:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-20 16:52 . 2010-02-02 22:25 -------- d-----w- c:\program files\SpeedFan
2010-01-19 07:33 . 2009-05-26 16:43 1710392 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2010-01-19 07:33 . 2009-02-27 11:07 462848 ------w- c:\programdata\HP\Installer\Temp\hpzswp01.exe
2010-01-16 19:58 . 2010-01-16 19:58 -------- d-----w- c:\users\J B\AppData\Local\Yahoo!
2010-01-15 23:54 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-15 23:54 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 12:01 . 2008-08-19 20:20 103781 ----a-w- c:\programdata\nvModes.dat
2010-02-05 20:40 . 2009-11-22 03:41 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-02-04 19:58 . 2009-11-11 00:39 -------- d-----w- c:\program files\OFFICE One Games
2010-01-27 05:07 . 2009-12-02 19:50 -------- d-----w- c:\program files\VstPlugins
2010-01-25 19:30 . 2009-11-11 01:07 -------- d-----w- c:\users\J B\AppData\Roaming\OFFICEOne7
2010-01-19 07:34 . 2009-12-02 19:47 -------- d-----w- c:\program files\Image-Line
2010-01-19 07:28 . 2008-12-25 02:54 -------- d-----w- c:\program files\Common Files\AOL
2010-01-16 08:03 . 2008-08-19 19:23 -------- d-----w- c:\programdata\Microsoft Help
2010-01-16 08:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-05 08:25 . 2010-01-05 08:25 -------- d-----w- c:\program files\Trend Micro
2010-01-05 07:58 . 2010-01-05 07:58 -------- d-----w- c:\programdata\McAfee
2010-01-03 04:26 . 2010-01-03 04:26 -------- d-----w- c:\programdata\McAfee Security Scan
2010-01-02 06:38 . 2010-02-06 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-02-06 09:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-02-06 09:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-02-06 09:42 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 04:09 . 2009-09-15 09:28 -------- d-----w- c:\users\J B\AppData\Roaming\LimeWire
2009-11-30 23:02 . 2009-11-30 23:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 23:02 . 2009-11-30 23:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-30 22:01 . 2008-12-17 22:34 254848 ----a-w- c:\users\J B\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-30 22:01 . 2009-11-30 21:51 162825 ----a-w- c:\windows\hpoins44.dat
2009-11-22 03:41 . 2009-11-22 03:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-22 03:41 . 2009-11-22 03:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-22 03:41 . 2009-11-22 03:41 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-22 03:41 . 2009-11-22 03:41 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-12 02:38 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-11 00:41 . 2009-11-11 00:41 69632 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{74588E42-C78A-42A8-9A3A-9ED6BF747CFE}\NewShortcut1_74588E42C78A42A89A3A9ED6BF747CFE.exe
2009-11-11 00:41 . 2009-11-11 00:41 69632 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{74588E42-C78A-42A8-9A3A-9ED6BF747CFE}\ARPPRODUCTICON.exe
2009-11-11 00:41 . 2009-11-11 00:41 1518600 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{EA542F1C-BED0-4C70-A916-461950772FE1}\oomenuv7.exe_EA542F1CBED04C70A916461950772FE1.exe
2009-11-11 00:41 . 2009-11-11 00:41 135168 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{EA542F1C-BED0-4C70-A916-461950772FE1}\NewShortcut1_EA542F1CBED04C70A916461950772FE1.exe
2009-11-11 00:41 . 2009-11-11 00:41 135168 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{EA542F1C-BED0-4C70-A916-461950772FE1}\ARPPRODUCTICON.exe
2009-11-11 00:40 . 2009-11-11 00:40 45056 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{1F12D560-D35A-4145-B408-8EF79A47C1A7}\NewShortcut1_1F12D560D35A4145B4088EF79A47C1A7.exe
2009-11-11 00:40 . 2009-11-11 00:40 45056 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{1F12D560-D35A-4145-B408-8EF79A47C1A7}\ARPPRODUCTICON.exe
2009-11-11 00:39 . 2009-11-11 00:39 135168 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{17A1D828-4138-49EF-9376-1B37AA2BD3BF}\ARPPRODUCTICON.exe
2009-11-11 00:39 . 2009-11-11 00:39 221184 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{3183D9AD-AD6D-4C31-8403-D6F28A62EE10}\NewShortcut1_3183D9ADAD6D4C318403D6F28A62EE10.exe
2009-11-11 00:39 . 2009-11-11 00:39 221184 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{3183D9AD-AD6D-4C31-8403-D6F28A62EE10}\ARPPRODUCTICON.exe
2009-11-11 00:39 . 2009-11-11 00:39 10134 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{7DD97E1B-49EB-4C54-B7E1-7277994185D1}\ARPPRODUCTICON.exe
2009-11-11 00:38 . 2009-11-11 00:38 10134 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{194D323A-752E-4CF4-82A7-02FD35B80C35}\ARPPRODUCTICON.exe
2009-11-11 00:36 . 2009-11-11 00:36 331776 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{820A9A2C-1824-4FCF-9AA5-CCC84724583A}\NewShortcut1_820A9A2C18244FCF9AA5CCC84724583A.exe
2009-11-11 00:36 . 2009-11-11 00:36 331776 ----a-r- c:\users\J B\AppData\Roaming\Microsoft\Installer\{820A9A2C-1824-4FCF-9AA5-CCC84724583A}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Xpadder"="d:\program files\xpadder5-3\Xpadder.exe" [2008-08-29 932864]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-01-22 1797880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-05 13560352]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-05 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2007-09-28 23:03 75136 ----a-w- c:\program files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
2008-08-12 18:40 704512 ----a-w- c:\program files\System Control Manager\MGSysCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2007-05-16 20:18 2483760 ------w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2008-06-25 05:49 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-10-26 08:49 671744 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d6,1b,03,c6,86,3d,ca,01

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/21/2009 10:41 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/21/2009 10:41 PM 360584]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [12/17/2008 9:18 PM 99344]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [12/17/2008 9:18 PM 25104]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/21/2009 10:40 PM 285392]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [8/20/2008 3:56 PM 159744]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [1/20/2010 3:28 PM 1153368]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [8/19/2008 12:37 PM 52736]
R3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [8/19/2008 12:23 PM 93968]
R3 MAC607;MAC607 Filter;c:\windows\System32\drivers\MAC607.sys [12/18/2008 9:34 PM 23808]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr28.sys [8/3/2009 1:54 PM 569856]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [8/21/2009 8:24 PM 66592]
R3 ReallusionVirtualAudio;Reallusion Virtual Audio;c:\windows\System32\drivers\RLVrtAuCbl.sys [12/17/2008 5:28 PM 31616]
R3 XBox;XBox Filter;c:\windows\System32\drivers\Xbox.sys [12/18/2008 9:34 PM 23936]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 9:23 PM 21504]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PKWCap;PKWCap service;c:\windows\System32\drivers\PKWCap.sys [8/19/2008 12:38 PM 995328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-07 c:\windows\Tasks\User_Feed_Synchronization-{7DAE07EF-0307-46E2-A3DF-6242BD0353B9}.job
- c:\windows\system32\msfeedssync.exe [2010-02-06 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 10:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85B261F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b1a6d24
\Driver\ACPI -> acpi.sys @ 0x8a942d68
\Driver\atapi -> 0x85b251f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1364691680-1121060033-3344519950-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:73,85,0b,a4,59,80,01,8d,4f,5b,50,49,9c,60,4f,24,53,6f,35,43,bd,e9,c8,
74,cd,0d,e2,4f,50,82,65,1b,e1,bf,4b,8d,4e,ac,6e,1c,f1,64,00,01,0f,6a,3f,9b,\
"??"=hex:bd,fa,f3,9f,7a,4a,a7,71,7c,5a,c7,18,14,27,42,b6

[HKEY_USERS\S-1-5-21-1364691680-1121060033-3344519950-1000\Software\SecuROM\License information*]
"datasecu"=hex:3a,f8,ce,22,e2,d9,d8,ae,57,74,58,85,66,f9,17,d4,b9,55,ea,e0,2a,
3b,64,39,31,3a,c8,97,01,d5,47,d6,69,5a,c0,9d,9f,d0,b2,87,25,64,59,df,01,4e,\
"rkeysecu"=hex:74,5b,31,ba,ef,11,d9,a6,bf,26,4e,72,20,f5,4a,7a

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\COMODO\Firewall\cmdagent.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\rundll32.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-02-07 10:52:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-07 15:52
ComboFix2.txt 2010-02-05 18:43

Pre-Run: 12,004,196,352 bytes free
Post-Run: 11,742,179,328 bytes free

- - End Of File - - 0A59536BF3392509DEC05E76EA2933CF


#14 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 10 February 2010 - 05:33 PM

Hi,

Sorry for such a delay; the instructions are being carefully discussed and I will post them ASAP.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 4NICK8

  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:NY, US

Posted 10 February 2010 - 05:59 PM

Alright Semp, no hard feelings on the delay... I know you're busy, but I do have something to add to the discussion. I've gotten two explorer.exe - application errors since we've started; this time I was the wiser to write it down before I pressed OK and everything but my desktop picture disappeared.

explorer.exe - application error
The instruction at 0x75d919a1 referenced memory at 0x75191a1. The required data was not placed into memory because of an I/O error status of 0xc000000e.

I hope this can help with the diagnosis.

Nick



