Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My desktop changes it's THEME (HijackThis log included)


  • This topic is locked This topic is locked
7 replies to this topic

#1 unioil

unioil

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:34 AM

Posted 21 February 2010 - 09:18 PM

My computer occasionally changes the theme like im using Vista Xp then after several hours it would change to the old theme like what the past versions of Windows had. Btw, Threatfire detected suspicious files mainly in system32 (ie: 37.exe
64.exe) and i chose to quarantine and delete it.

Here's what i use: ThreatFire, Spybot S&D, Malwarebytes, CCleaner, Trojan Remover, Noobkiller, & HijackThis and oh, the Windows thingy for Conflickter removal.

So here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00, on 2010-02-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.smartbro.net:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1266761224546
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/up...er_4.0.27.0.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E256486-1B97-4C83-B23B-5033A97E0EF8}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O21 - SSODL: lkWPCaJvBRvCHS - {60FE0B12-CA54-A1B8-2B07-38C47A15085B} - C:\WINDOWS\system32\yksx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 8546 bytes


Please help me smile.gif

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:34 AM

Posted 21 February 2010 - 10:14 PM

Hello Victim,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

Then close all windows except HijackThis and click Fix Checked.

Restart

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

3.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.

Things to include in your next reply:
Gmer log
DDS.txt
Attach.txt
No need for HiJackThis log


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 unioil

unioil
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:34 AM

Posted 22 February 2010 - 12:48 AM

Thanks for your response. Here are the logs you've requested.. smile.gif

GMER:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-22 13:40:34
Windows 5.1.2600 Service Pack 2
Running: sl9r6zpl.exe; Driver: C:\DOCUME~1\Ferdie\LOCALS~1\Temp\pxxorkoc.sys


---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF752ADFA]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF752AFEA]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF752B08C]
SSDT sptd.sys ZwEnumerateKey [0xF72E1FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF72E2340]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF752ACEE]
SSDT sptd.sys ZwQueryKey [0xF72E2418]
SSDT sptd.sys ZwQueryValueKey [0xF72E2298]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF752B224]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF752C798]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2430 80501450 4 Bytes JMP 5AF752AF
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F705A610 5 Bytes JMP 8511C770

---- User code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\winlogon.exe[292] C:\WINDOWS\system32\winlogon.exe section is executable [0x01076000, 0xB000, 0x60000060]
.rsrc C:\WINDOWS\system32\winlogon.exe[292] C:\WINDOWS\system32\winlogon.exe entry point in ".rsrc" section [0x01080000]
.rsrc C:\WINDOWS\system32\services.exe[340] C:\WINDOWS\system32\services.exe section is executable [0x0101B000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\services.exe[340] C:\WINDOWS\system32\services.exe entry point in ".rsrc" section [0x0101C000]
.rsrc C:\WINDOWS\system32\svchost.exe[512] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[512] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\system32\svchost.exe[580] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[580] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\system32\svchost.exe[708] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[708] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.reloc C:\WINDOWS\Explorer.EXE[904] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x5000, 0x62000060]
.reloc C:\WINDOWS\Explorer.EXE[904] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x010FF000]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1156] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72DCAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72DCC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72DCB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72DD748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72DD61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72F229A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 851691E8

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\usbuhci \Device\USBPDO-0 8500F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 851DB1E8
Device \Driver\dmio \Device\DmControl\DmConfig 851DB1E8
Device \Driver\dmio \Device\DmControl\DmPnP 851DB1E8
Device \Driver\dmio \Device\DmControl\DmInfo 851DB1E8
Device \Driver\usbuhci \Device\USBPDO-1 8500F1E8
Device \Driver\usbuhci \Device\USBPDO-2 8500F1E8
Device \Driver\usbuhci \Device\USBPDO-3 8500F1E8
Device \Driver\usbehci \Device\USBPDO-4 8500E1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8516C1E8
Device \Driver\Cdrom \Device\CdRom0 8516A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8516C1E8
Device \Driver\Cdrom \Device\CdRom1 8516A1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 8516B1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8516B1E8
Device \Driver\atapi \Device\Ide\IdePort0 8516B1E8
Device \Driver\atapi \Device\Ide\IdePort1 8516B1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 8516B1E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8516C1E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8516C1E8
Device \Driver\usbuhci \Device\USBFDO-0 8500F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8500F1E8
Device \Driver\usbuhci \Device\USBFDO-2 8500F1E8
Device \Driver\usbuhci \Device\USBFDO-3 8500F1E8
Device \Driver\usbehci \Device\USBFDO-4 8500E1E8
Device \Driver\Ftdisk \Device\FtControl 8516C1E8
Device \Driver\viamraid \Device\Scsi\viamraid1 851DA1E8
Device \FileSystem\Cdfs \Cdfs 84F071E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0x5E 0xF0 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0x5E 0xF0 0xCC ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----



DDS:

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Ferdie at 13:40:50.00 on 2010-02-22
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.221 [GMT 8:00]

AV: ThreatFire *On-access scanning disabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ferdie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ferdie\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://google.com
uDefault_Search_URL = hxxp://google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = proxy.smartbro.net:8080
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [WebCamRT.exe]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ferdie\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [VTTimer] VTTimer.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoActiveDesktop = 00000000
mPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266761224546
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {4E256486-1B97-4C83-B23B-5033A97E0EF8} = 208.67.222.222,208.67.220.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: LMIinit - LMIinit.dll
SSODL: lkWPCaJvBRvCHS - {60FE0B12-CA54-A1B8-2B07-38C47A15085B} - c:\windows\system32\yksx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-4-30 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-4-30 39200]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2006-1-13 77312]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-25 97928]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-25 26824]
S1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-4-30 159128]
S1 pctmp;PC Tools Firewall Memory Protection Driver;c:\windows\system32\drivers\pctmp.sys [2008-4-30 40856]
S1 pctssipc;PC Tools Security Suite IPC Driver;c:\windows\system32\drivers\pctssipc.sys [2008-4-30 18328]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-25 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-25 231704]
S2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-25 76040]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-5 47640]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-21 236368]
S2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2008-4-30 92056]
S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [2006-11-22 1121536]
S3 maehebanu;maehebanu;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-21 19160]
S3 sqdtq;sqdtq;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-4-30 33056]
S3 xlmmko;xlmmko;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-02-22 03:32:27 84 ----a-w- c:\windows\system32\i
2010-02-22 03:30:36 228871 ----a-w- c:\windows\system32\01.exe
2010-02-22 03:30:27 237063 ----a-w- c:\windows\system32\40.exe
2010-02-22 03:19:26 48128 ----a-w- c:\windows\system32\53.scr
2010-02-22 03:08:19 237063 ----a-w- c:\windows\system32\58.exe
2010-02-22 02:53:12 228871 ----a-w- c:\windows\system32\28.exe
2010-02-22 02:49:40 237063 ----a-w- c:\windows\system32\10.exe
2010-02-22 02:47:08 23552 ----a-w- c:\windows\system32\x.exe
2010-02-22 01:59:53 0 d-----w- c:\program files\Trend Micro
2010-02-22 01:43:22 237063 ----a-w- c:\windows\system32\37.exe
2010-02-22 01:36:35 112128 ----a-w- c:\windows\system32\64.scr
2010-02-21 14:09:31 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-02-21 13:37:39 0 d-----w- c:\docume~1\ferdie\applic~1\Malwarebytes
2010-02-21 13:37:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-21 13:37:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-21 13:37:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-21 13:37:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 13:22:27 47104 --sh--r- c:\windows\updated7.exe
2010-02-21 09:22:43 0 d-----w- c:\program files\Your Uninstaller 2008
2010-02-21 08:15:21 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-02-21 08:01:10 0 d-----w- c:\docume~1\ferdie\applic~1\Simply Super Software
2010-02-21 07:48:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-21 07:48:38 0 d-----w- c:\program files\LittleFighter2
2010-02-21 07:48:38 0 d-----w- c:\program files\EA Games
2010-02-21 04:55:50 7212629 ----a-w- c:\windows\system32\ARFQR
2010-02-20 05:00:15 0 d-----w- c:\docume~1\ferdie\applic~1\EMCO
2010-02-20 03:33:44 4096 ----a-w- c:\documents and settings\ferdie\.recently-used.xbel
2010-02-20 00:45:33 1235111 ----a-w- c:\documents and settings\ferdie\RSBot-590.jar
2010-02-20 00:05:57 0 d-----w- c:\program files\Your Uninstaller 2010
2010-02-13 11:51:20 1024 ----a-w- c:\docume~1\alluse~1\applic~1\imgdoc2.dll
2010-02-13 11:48:32 116224 ----a-w- c:\windows\system32\pdfmonnt.dll
2010-02-09 23:52:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-09 02:23:38 976 ----a-w- c:\windows\system32\history.aaw
2010-02-09 02:23:38 2656 ----a-w- c:\windows\system32\settings.aaw
2010-02-09 02:09:14 3255 ----a-w- c:\windows\system32\wbem\Outlook_01caa92ce035ae30.mof
2010-02-06 10:02:14 0 d-----w- c:\program files\CCleaner
2010-02-06 00:33:41 69 ----a-w- c:\documents and settings\ferdie\jagex_runescape_preferences2.dat
2010-02-06 00:30:33 41 ----a-w- c:\documents and settings\ferdie\jagex_runescape_preferences.dat
2010-02-06 00:30:32 0 d-----w- c:\windows\.jagex_cache_32
2010-02-03 10:17:50 0 d-----w- c:\windows\system32\Adobe
2010-02-02 11:47:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-02 09:05:40 0 d-----w- c:\documents and settings\ferdie\.thumbnails
2010-02-02 08:54:36 0 d-----w- c:\documents and settings\ferdie\.gimp-2.6
2010-02-02 08:52:50 0 d-----w- c:\program files\GIMP-2.0
2010-01-31 10:19:44 0 d-----w- c:\program files\Mirage
2010-01-31 10:19:37 249856 ------w- c:\windows\Setup1.exe
2010-01-31 10:19:33 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-31 05:23:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-27 02:20:48 0 d-----w- c:\docume~1\ferdie\applic~1\GlarySoft

==================== Find3M ====================

2010-01-30 02:47:43 138056 ----a-w- c:\docume~1\ferdie\applic~1\PnkBstrK.sys
2007-04-16 15:52:53 159590 --sha-r- c:\windows\system32\paflpuji.dll

============= FINISH: 13:41:11.04 ===============


Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-04-30 17:47:28
System Uptime: 2010-02-22 11:55:40 (2 hours ago)

Motherboard: KOBIAN | | P4VM800M7
Processor: Intel® Pentium® 4 CPU 2.66GHz | CPU 1 | 2660/532mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 44 GiB total, 35.317 GiB free.
D: is FIXED (NTFS) - 107 GiB total, 104.211 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Rhine II Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_78\3&267A616A&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Rhine II Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_78\3&267A616A&0&90
Service: FETND5BV

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 7.0.5
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Ahead InCD
BitTorrent
CCleaner
GIMP 2.6.8
Google Chrome
HijackThis 2.0.2
JCreator LE 3.50
Logitech QuickCam
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C Runtime
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB936181)
Nero OEM
Nero Suite
OpenOffice.org Installer 1.0
PC Tools Firewall Plus 3.0
QuickTime Alternative 1.67
RealPlayer
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Software Update for Web Folders
Spybot - Search & Destroy
The Font Thing
ThreatFire 3.5
TZ Connection Booster 2.6
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb950378)
Update for Windows XP (KB908531)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast Ethernet Adapter
Visual C++ 8.0 Runtime Setup Package
VLC media player 0.9.4
WinRAR archiver
Yahoo! Messenger
Yahoo! Toolbar
Your Uninstaller! 2008 Version 6.2
Zuma's Revenge!

==== Event Viewer Messages From Past Week ========

2010-02-22 11:18:40, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2010-02-22 09:43:45, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the VMwareService service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2010-02-22 09:43:42, error: Service Control Manager [7031] - The VMwareService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
2010-02-22 08:52:02, error: Service Control Manager [7023] - The Time Security service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
2010-02-22 07:56:02, error: Srv [2006] - The server received an incorrectly formatted request from \\112.203.209.57.
2010-02-21 22:06:50, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2010-02-21 21:48:02, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2010-02-21 21:23:31, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2010-02-21 21:23:31, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free8 E-mail Scanner service to connect.
2010-02-21 21:23:31, error: Service Control Manager [7000] - The AVG Free8 E-mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2010-02-21 14:52:08, error: Srv [2006] - The server received an incorrectly formatted request from \\112.203.233.186.
2010-02-21 13:32:33, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 Fips intelppm IPSec MRxSmb NetBIOS NetBT pctfw2 pctmp pctssipc RasAcd Rdbss Tcpip
2010-02-21 13:32:33, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2010-02-21 13:32:33, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2010-02-21 13:32:33, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2010-02-21 13:32:33, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2010-02-21 13:32:33, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2010-02-21 13:32:17, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2010-02-21 13:32:09, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2010-02-21 13:31:40, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2010-02-21 13:11:17, error: Srv [2006] - The server received an incorrectly formatted request from \\112.202.173.49.
2010-02-20 19:10:02, error: Srv [2006] - The server received an incorrectly formatted request from \\112.202.66.117.
2010-02-20 13:34:31, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
2010-02-20 09:14:48, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2010-02-16 20:57:13, error: Service Control Manager [7034] - The ThreatFire service terminated unexpectedly. It has done this 1 time(s).
2010-02-15 14:44:35, error: Service Control Manager [7024] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service terminated with service-specific error 4294967295 (0xFFFFFFFF).
2010-02-15 14:44:35, error: Service Control Manager [7023] - The cucyrffkc service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
2010-02-15 14:44:35, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the file specified.
2010-02-15 14:43:41, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

==== End Of File ===========================


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:34 AM

Posted 22 February 2010 - 05:26 PM

Hello unioil,

1.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or ThreatFire.

2.
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Bittorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

3.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:34 AM

Posted 25 February 2010 - 08:42 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding smile.gif

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 unioil

unioil
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:34 AM

Posted 26 February 2010 - 03:34 AM

After running combofix, my pc's good as new! Thanks fireman4it! smile.gif

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:34 AM

Posted 26 February 2010 - 08:23 PM

Hello,

Just because your machine is running better does not mean you area all clean. Please post the logs i requested.

Combofix.txt can be found at C:\ComboFix.txt

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:34 AM

Posted 02 March 2010 - 08:16 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users