antispyware soft gone but need help with whats left over


This topic is locked
26 replies to this topic

#1 xTopDogx (Members, 14 posts)

Posted 18 May 2010 - 09:54 AM

Hello all! Though this is my first post here, I have used your forums several times in the past with great success. I'm posting now because I'm really stumped on this one. I was on YouTube the other day and got called away from my cpu, leaving the page open several hours. When I got back, I hit a button to kill the screensaver and got a BSOD, reboot, and found Antispyware Soft running like crazy. I jumped on my other computer and started researching, got control back, and thought I got AntiSpy Soft off, but I'm still having problems. I can access the web and secure sites, but can't update any antivirus software or MBAM or access Steam. I keep getting "Error 12029, 0, WinHttpSendRequest", and sometimes error 12007 as well.

So far I have:

Run ATF Cleaner in safe mode
Run SUPERAntiSpyware in safe mode after manually updating definitions
Run Rkill
Run HijackThis
Verified I'm not running through a proxy server
Run MBAM (not updated, but v1.46)
Removed NVIDIA NAM
Turned off Windows Firewall
Run mbam-clean following directions and reinstalled - still no update
Tried ESET online scanner and Kaspersky online - neither will run
Tried Avast and couldn't update or manually update, so I uninstalled it
Turned off NVIDIA IAM service
Tried renaming MBAM - no luck
Tried Winsock repair
Run Yahoo CA antispy from toolbar and guess what, IT UPDATES!
It finds:
  WinSpywareprotect -- Rogue Security
  WinAntivirus Pro 2006 -- Rogue Security
  Bifrost -- Backdoor
Cleaned files, but it seems they pop back after a reboot, so I figured there was a rootkit. Did a long rootkit scan on reboot; found nothing.
Can't find any infected files with any other program, but I know they're in there.

Here are my logs so far:

Rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Top on 05/18/2010 at 9:38:01.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Top\Desktop\rkill.com


Rkill completed on 05/18/2010 at 9:38:02.


SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/17/2010 at 10:41 PM

Application Version : 4.37.1000

Core Rules Database Version : 4947
Trace Rules Database Version: 2759

Scan type : Complete Scan
Total Scan Time : 00:20:30

Memory items scanned : 229
Memory threats detected : 0
Registry items scanned : 6663
Registry threats detected : 0
File items scanned : 27215
File threats detected : 0
==========================================================



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:05:10 PM, on 5/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\AI Booster\OverClk.exe"
O4 - HKLM\..\Run: [Winwall] C:\Program Files\Winwall\Loader.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15112/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 7080 bytes


This cpu is for gaming mostly and is running XP Pro 32-bit, SP3. You will see some Norton stuff in there, but I have disabled all its services also. Plan to uninstall that too.

Thank you in advance!

EDIT: Moved to Virus, Trojan and Malware Removal Logs ~~boopme


Sorry!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Top at 13:47:34.26 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2078 [GMT -4:00]

AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Top\Desktop\Defogger.exe
C:\Documents and Settings\Top\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.24\AsRunHelp.exe
mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"
mRun: [Winwall] c:\program files\winwall\Loader.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: DPWLN - c:\windows\system32\DPWLEvHd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli DPPWDFLT
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\drivers\dpK0Bx01.sys [2004-8-4 32640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
R3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [2004-8-4 34560]
R3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [2008-11-9 90568]
S1 c2scsi;c2scsi; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-2 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusdefs\20090915.004\NAVENG.SYS [2009-9-15 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusdefs\20090915.004\NAVEX15.SYS [2009-9-15 1323568]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S4 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-30 1245064]

=============== Created Last 30 ================

2010-05-18 17:09:16 0 ----a-w- c:\documents and settings\top\defogger_reenable
2010-05-18 02:05:21 0 d-----w- c:\docume~1\top\applic~1\SUPERAntiSpyware.com
2010-05-18 01:42:25 0 d-s---w- C:\ComboFix
2010-05-17 17:57:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 17:57:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 17:57:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 04:48:22 0 d-----w- c:\program files\ESET
2010-05-17 04:08:38 0 d-----w- c:\program files\Steam
2010-05-17 03:58:53 6789 ----a-w- c:\windows\system32\nvnrm.nvu
2010-05-17 03:58:53 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-05-17 03:58:36 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-17 03:22:28 0 d-----w- c:\program files\Windows Installer Clean Up
2010-05-17 03:22:15 0 d-----w- c:\program files\MSECACHE
2010-05-16 01:18:02 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-14 03:31:26 0 d-----w- C:\ComFix24484C
2010-05-13 06:26:48 0 d-----w- C:\ComFix
2010-05-13 04:36:20 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 19:04:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-12 08:00:46 0 dc-h--w- c:\windows\ie8
2010-05-12 07:02:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-05-12 05:56:05 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-12 05:47:40 0 d-----w- c:\docume~1\top\applic~1\WinPatrol
2010-05-12 05:47:35 0 d-----w- c:\program files\BillP Studios
2010-05-12 01:59:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-12 01:59:49 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-11 21:27:03 0 d-----w- c:\docume~1\top\applic~1\Malwarebytes
2010-05-11 21:26:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-06 20:41:29 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-05-06 18:32:57 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-05-06 18:32:57 10232128 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-05-06 18:32:57 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-05-06 18:32:55 6432128 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2010-05-06 18:32:55 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-05-06 18:32:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-05-06 18:32:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-05-06 18:32:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-05-06 18:32:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-05-06 18:03:23 0 d-----w- c:\program files\Phyxion.net
2010-05-06 17:21:49 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-05-06 17:21:49 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-05-06 17:21:49 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-05-06 17:21:47 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-05-06 17:21:47 11647592 ----a-w- c:\windows\system32\nvcompiler.dll

==================== Find3M ====================

2010-05-17 06:44:37 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2010-04-03 23:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:23:00 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-04-03 23:23:00 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2008-05-30 18:37:58 148847 ----a-w- c:\program files\DEC2006_XACT_x86.cab
2008-05-30 18:36:04 13267416 ----a-w- c:\program files\dxnt.cab
2008-05-30 18:36:02 4165878 ----a-w- c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 18:36:02 1805306 ----a-w- c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 18:36:00 1803408 ----a-w- c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 18:34:50 528392 ----a-w- c:\program files\DXSETUP.exe
2008-07-16 06:06:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008063020080707\index.dat
2008-07-16 06:06:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071620080717\index.dat

============= FINISH: 13:47:48.67 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-18 14:39:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Top\LOCALS~1\Temp\agqyyuob.sys


---- System - GMER 1.0.15 ----

SSDT 88B6A9C8 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6D9F380, 0x566445, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1044] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2132] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2412] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

Edited by xTopDogx, 18 May 2010 - 02:08 PM.



#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 19 May 2010 - 06:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 xTopDogx

xTopDogx
  • Topic Starter

  • Members
  • 14 posts

Posted 19 May 2010 - 07:15 PM

Hey mole, thanks for the reply.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 May 2010 - 12:42 PM

Please try and run Combofix after you have rerun Rkill.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 xTopDogx

xTopDogx
  • Topic Starter

  • Members
  • 14 posts

Posted 20 May 2010 - 07:02 PM

I ran rkill then ran the renamed combofix. Recovery could not be installed but the scan completed. Hope this is what you need.

ComboFix 10-05-20.07 - Top 05/20/2010 18:45:41.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2129 [GMT -4:00]
Running from: c:\documents and settings\Top\Desktop\comfix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-18 00:56 . 2010-05-18 00:56 -------- d-----w- c:\documents and settings\Top\Local Settings\Application Data\Threat Expert
2010-05-18 00:45 . 2010-05-18 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-17 17:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 17:57 . 2010-05-18 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 17:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 04:48 . 2010-05-17 04:48 -------- d-----w- c:\program files\ESET
2010-05-17 04:08 . 2010-05-20 00:12 -------- d-----w- c:\program files\Steam
2010-05-17 03:58 . 2009-07-01 04:42 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-05-17 03:58 . 2009-07-21 04:48 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-17 03:22 . 2010-05-17 03:22 3584 ----a-r- c:\documents and settings\Top\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-05-17 03:22 . 2010-05-17 03:22 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-05-17 03:22 . 2010-05-17 03:22 -------- d-----w- c:\program files\MSECACHE
2010-05-16 01:18 . 2010-05-16 01:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-14 03:31 . 2010-05-14 03:31 -------- d-----w- C:\ComFix24484C
2010-05-13 06:26 . 2010-05-13 06:56 -------- d-----w- C:\ComFix
2010-05-13 04:36 . 2010-05-06 14:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 19:04 . 2010-05-14 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-12 19:04 . 2010-05-12 19:04 -------- d-----w- c:\program files\Alwil Software
2010-05-12 08:00 . 2010-05-12 08:00 -------- dc-h--w- c:\windows\ie8
2010-05-12 07:02 . 2010-05-12 07:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-12 05:56 . 2010-05-12 05:56 503808 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-63380344-n\msvcp71.dll
2010-05-12 05:56 . 2010-05-12 05:56 499712 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-63380344-n\jmc.dll
2010-05-12 05:56 . 2010-05-12 05:56 348160 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-63380344-n\msvcr71.dll
2010-05-12 05:56 . 2010-05-12 05:56 61440 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19cedf2a-n\decora-sse.dll
2010-05-12 05:56 . 2010-05-12 05:56 12800 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19cedf2a-n\decora-d3d.dll
2010-05-12 05:56 . 2010-05-17 18:27 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-12 05:47 . 2010-05-12 05:47 -------- d-----w- c:\documents and settings\Top\Application Data\WinPatrol
2010-05-12 05:47 . 2008-07-04 22:44 0 ----a-w- c:\documents and settings\Top\Application Data\WinPatrol\Config.sys
2010-05-12 05:47 . 2008-07-04 22:44 0 ----a-w- c:\documents and settings\Top\Application Data\WinPatrol\Autoexec.bat
2010-05-12 05:47 . 2010-05-12 05:47 -------- d-----w- c:\program files\BillP Studios
2010-05-12 01:59 . 2010-05-12 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-12 01:59 . 2010-05-18 02:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-11 21:27 . 2010-05-17 17:57 -------- d-----w- c:\documents and settings\Top\Application Data\Malwarebytes
2010-05-11 21:26 . 2010-05-17 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-11 18:53 . 2010-05-12 02:50 -------- d-----w- c:\documents and settings\Top\Local Settings\Application Data\aypdmvwtt
2010-05-06 20:41 . 2009-07-01 15:54 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-05-06 18:32 . 2010-04-03 22:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-05-06 18:32 . 2010-04-03 22:55 10232128 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-05-06 18:32 . 2010-04-03 22:55 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-05-06 18:32 . 2010-04-03 22:55 6432128 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2010-05-06 18:32 . 2010-04-03 22:55 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-05-06 18:32 . 2010-04-03 22:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-05-06 18:32 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-05-06 18:32 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-05-06 18:32 . 2010-04-03 22:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-05-06 18:03 . 2010-05-06 18:03 -------- d-----w- c:\program files\Phyxion.net
2010-05-06 17:21 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-05-06 17:21 . 2010-04-03 22:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-05-06 17:21 . 2010-04-03 22:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-05-06 17:21 . 2010-04-03 22:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-05-06 17:21 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-26 17:43 . 2010-04-26 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\NVIDIA Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 00:12 . 2008-07-05 23:14 -------- d-----w- c:\program files\Winwall
2010-05-18 19:03 . 2010-05-18 19:03 388096 ----a-r- c:\documents and settings\Top\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-18 02:13 . 2010-05-18 02:05 63488 ----a-w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-18 02:13 . 2010-05-18 02:05 117760 ----a-w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-18 02:05 . 2010-05-18 02:05 52224 ----a-w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-18 02:05 . 2010-05-18 02:05 -------- d-----w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com
2010-05-18 02:05 . 2008-07-25 17:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-17 18:28 . 2008-09-02 02:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-17 18:27 . 2008-09-02 02:27 -------- d-----w- c:\program files\Java
2010-05-16 01:15 . 2008-07-05 00:35 30088 ----a-w- c:\documents and settings\Top\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 04:47 . 2008-07-04 23:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-12 08:01 . 2008-07-05 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-12 07:58 . 2008-10-30 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-11 21:25 . 2008-08-22 21:27 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-05-06 21:39 . 2008-07-04 23:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 21:39 . 2008-10-18 00:14 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-06 17:19 . 2009-08-08 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-04-21 06:36 . 2009-08-14 04:48 -------- d-----w- c:\program files\Full Tilt Poker.Net
2010-04-08 01:54 . 2009-03-15 21:40 -------- d-----w- c:\program files\Teamspeak2_RC2
2010-04-07 20:46 . 2009-01-11 17:51 -------- d-----w- c:\documents and settings\Top\Application Data\IObit
2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:23 . 2010-04-03 23:23 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-04-03 23:23 . 2010-04-03 23:23 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-03-22 07:43 . 2008-07-25 17:46 -------- d-----w- c:\program files\IObit
2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-05-30 18:37 . 2008-05-30 18:37 148847 ----a-w- c:\program files\DEC2006_XACT_x86.cab
2008-05-30 18:36 . 2008-05-30 18:36 13267416 ----a-w- c:\program files\dxnt.cab
2008-05-30 18:36 . 2008-05-30 18:36 4165878 ----a-w- c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 18:36 . 2008-05-30 18:36 1805306 ----a-w- c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 18:36 . 2008-05-30 18:36 1803408 ----a-w- c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 18:34 . 2008-05-30 18:34 528392 ----a-w- c:\program files\DXSETUP.exe
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\drivers\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0033\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-09-14 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.24\AsRunHelp.exe" [2006-12-29 363008]
"Launch Ai Booster"="c:\program files\ASUS\AI Booster\OverClk.exe" [2006-12-08 3714048]
"Winwall"="c:\program files\Winwall\Loader.exe" [2004-07-15 20480]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
2004-10-13 22:29 102400 ----a-w- c:\windows\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-10-17 20:52 51048 ----a-w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2008-02-21 00:58 19456 ----a-w- c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPAgnt]
2004-10-13 22:24 913408 ----a-w- c:\program files\DigitalPersona\Bin\DPAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2005-08-23 13:22 188416 ----a-w- c:\program files\Logitech\G-series Software\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
2005-08-23 13:36 1110079 ----a-w- c:\program files\Logitech\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
2002-09-03 22:38 987187 ----a-w- c:\program files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-12-29 05:40 2935480 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"sp_rssrv"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"LightScribeService"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"RasAuto"=3 (0x3)
"RasMan"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)
"DpHost"=2 (0x2)
"DPFUSMgr"=2 (0x2)
"comHost"=3 (0x3)
"LiveUpdate"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WinDefend"=2 (0x2)
"SharedAccess"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"SamSs"=2 (0x2)
"Symantec Core LC"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58991:TCP"= 58991:TCP:Pando Media Booster
"58991:UDP"= 58991:UDP:Pando Media Booster
"59165:TCP"= 59165:TCP:Pando Media Booster
"59165:UDP"= 59165:UDP:Pando Media Booster
"57129:TCP"= 57129:TCP:Pando Media Booster
"57129:UDP"= 57129:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\drivers\dpK0Bx01.sys [8/4/2004 4:58 PM 32640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 4:35 AM 102448]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [9/15/2009 1:59 PM 38248]
R3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [8/4/2004 4:59 PM 34560]
R3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [11/9/2008 12:34 AM 90568]
S1 c2scsi;c2scsi; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/2/2009 2:06 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1993962763-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1757981266-1993962763-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:72,ec,77,2f,68,71,b8,39,8e,7d,0c,29,56,e4,8d,a0,55,56,11,1a,b2,
ed,36,73,f5,da,a7,55,b7,38,6c,d9,1c,e9,ba,b9,36,cf,da,17,ee,01,a7,c9,69,c2,\
"rkeysecu"=hex:26,2d,47,1b,27,9a,ed,9f,7c,38,7a,02,76,26,61,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\DPWLEvHd.dll

- - - - - - - > 'lsass.exe'(624)
c:\windows\DPPWDFLT.dll

- - - - - - - > 'explorer.exe'(1804)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-20 18:49:52
ComboFix-quarantined-files.txt 2010-05-20 22:49
ComboFix2.txt 2010-05-17 19:38

Pre-Run: 94,410,223,616 bytes free
Post-Run: 94,369,476,608 bytes free

- - End Of File - - E0A80CB51334E44BB3A697A4EC96A4C1

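A small triage script over the ComboFix log format shown above, as an added example (it is not a BleepingComputer, ComboFix or m0le tool). It parses the three line shapes that matter most when reading such a log: the "Files Created"/Find3M file listing, the Sigcheck entries, and the driver/service lines. It then flags what a helper looks at first: random-looking directory names under the user profile, Sigcheck entries that are not marked [7] or whose version differs from the ServicePackFiles copy, and services registered with no file on disk. The sample lines are copied from the log posted above; the meaning assigned to the [7]/[-] markers and the [x] suffix is an assumption drawn from this thread's log, and the regular expressions are written for the layout of this ComboFix version only.

```python
"""Triage helper for ComboFix-style logs (added example, not part of ComboFix)."""
import re

# Constructed sample: a handful of lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2010-05-18 00:56 . 2010-05-18 00:56 -------- d-----w- c:\documents and settings\Top\Local Settings\Application Data\Threat Expert
2010-05-17 17:57 . 2010-05-18 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 18:53 . 2010-05-12 02:50 -------- d-----w- c:\documents and settings\Top\Local Settings\Application Data\aypdmvwtt
2010-05-06 18:32 . 2010-04-03 22:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\drivers\atapi.sys
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
S1 c2scsi;c2scsi; [x]
"""

# Line shapes as printed by the ComboFix version in this thread (assumed layout).
# file listing:  created . modified size|-------- attrs path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(\d+)|-+) (\S{8}) (.+)$")
# Sigcheck:      [mark] date . md5 . size . . [version] . . path
SIG_RE = re.compile(
    r"^\[([^\]]+)\] (\S+) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([^\]]+)\] \. \. (.+)$")
# service/driver: R1|S3 name;display;path [date time size]  or  name;display; [x]
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")

VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic for rogue-AV style folder names: one run of 8+ lowercase letters
    with a low vowel ratio. It is a hint for a human to check, not a verdict."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    vowels = sum(1 for c in name if c in VOWELS)
    return vowels / len(name) <= 0.25


def parse_log(text):
    """Split the log into file, Sigcheck and service records; other lines are ignored."""
    files, sigs, services = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"created": m.group(1), "modified": m.group(2),
                          "size": int(m.group(3)) if m.group(3) else None,
                          "attrs": m.group(4), "path": m.group(5)})
            continue
        m = SIG_RE.match(line)
        if m:
            sigs.append({"mark": m.group(1), "md5": m.group(3).upper(),
                         "size": int(m.group(4)), "version": m.group(5),
                         "path": m.group(6)})
            continue
        m = SVC_RE.match(line)
        if m:
            services.append({"start": m.group(1), "name": m.group(2),
                             "display": m.group(3), "path": m.group(4),
                             "info": m.group(5)})
    return files, sigs, services


def triage(text):
    """Return (reason, item) findings a helper would look at first."""
    files, sigs, services = parse_log(text)
    findings = []
    for f in files:
        leaf = f["path"].rsplit("\\", 1)[-1]
        if f["attrs"].startswith("d") and looks_random(leaf):
            findings.append(("random-looking directory name", f["path"]))
    # Compare each live system32 copy with its ServicePackFiles reference copy.
    # Assumption: [7] is the mark ComboFix's Sigcheck gives accepted files.
    by_leaf = {}
    for s in sigs:
        by_leaf.setdefault(s["path"].rsplit("\\", 1)[-1].lower(), []).append(s)
    for entries in by_leaf.values():
        ref = [e for e in entries if "servicepackfiles" in e["path"].lower()]
        for e in entries:
            if e["mark"] != "7":
                findings.append(("file not verified by Sigcheck", e["path"]))
            if ref and "\\system32\\" in e["path"].lower() and e["version"] != ref[0]["version"]:
                findings.append(("live copy version differs from ServicePackFiles copy", e["path"]))
    for s in services:
        if s["info"] == "x":  # assumption: [x] means the service's file is missing
            findings.append(("service/driver registered but file missing", s["name"]))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"{reason}: {item}")
```

Run against the full log rather than the sample, the same three checks single out the same items the helper's CFScript addresses later in the thread (the random folder, the locked key aside, and the c2scsi driver with no file); the version comparison is the extra check worth keeping, since a live driver older than the service pack copy is something a file listing alone will not show.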

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 May 2010 - 07:22 PM

Nothing much there. Please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\documents and settings\Top\Local Settings\Application Data\aypdmvwtt

Folder::
c:\documents and settings\Top\Local Settings\Application Data\aypdmvwtt

RegLock::
[HKEY_USERS\S-1-5-21-1757981266-1993962763-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

Driver::
c2scsi


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#7 xTopDogx

xTopDogx
  • Topic Starter

  • Members
  • 14 posts

Posted 20 May 2010 - 08:35 PM

Still couldn't install the recovery, but got the scan run. Thanks so far!!

ComboFix 10-05-20.07 - Top 05/20/2010 20:26:27.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2078 [GMT -4:00]
Running from: c:\documents and settings\Top\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Top\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\Top\Local Settings\Application Data\aypdmvwtt"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Top\Local Settings\Application Data\aypdmvwtt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c2scsi


((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-18 00:56 . 2010-05-18 00:56 -------- d-----w- c:\documents and settings\Top\Local Settings\Application Data\Threat Expert
2010-05-18 00:45 . 2010-05-18 02:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-17 17:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 17:57 . 2010-05-18 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 17:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 04:48 . 2010-05-17 04:48 -------- d-----w- c:\program files\ESET
2010-05-17 04:08 . 2010-05-21 01:28 -------- d-----w- c:\program files\Steam
2010-05-17 03:58 . 2009-07-01 04:42 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-05-17 03:58 . 2009-07-21 04:48 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-17 03:22 . 2010-05-17 03:22 3584 ----a-r- c:\documents and settings\Top\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-05-17 03:22 . 2010-05-17 03:22 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-05-17 03:22 . 2010-05-17 03:22 -------- d-----w- c:\program files\MSECACHE
2010-05-16 01:18 . 2010-05-16 01:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-14 03:31 . 2010-05-14 03:31 -------- d-----w- C:\ComFix24484C
2010-05-13 06:26 . 2010-05-13 06:56 -------- d-----w- C:\ComFix
2010-05-13 04:36 . 2010-05-06 14:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 19:04 . 2010-05-14 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-12 19:04 . 2010-05-12 19:04 -------- d-----w- c:\program files\Alwil Software
2010-05-12 08:00 . 2010-05-12 08:00 -------- dc-h--w- c:\windows\ie8
2010-05-12 07:02 . 2010-05-12 07:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-12 05:56 . 2010-05-12 05:56 503808 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-63380344-n\msvcp71.dll
2010-05-12 05:56 . 2010-05-12 05:56 499712 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-63380344-n\jmc.dll
2010-05-12 05:56 . 2010-05-12 05:56 348160 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-63380344-n\msvcr71.dll
2010-05-12 05:56 . 2010-05-12 05:56 61440 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19cedf2a-n\decora-sse.dll
2010-05-12 05:56 . 2010-05-12 05:56 12800 ----a-w- c:\documents and settings\Top\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19cedf2a-n\decora-d3d.dll
2010-05-12 05:56 . 2010-05-17 18:27 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-12 05:47 . 2010-05-12 05:47 -------- d-----w- c:\documents and settings\Top\Application Data\WinPatrol
2010-05-12 05:47 . 2008-07-04 22:44 0 ----a-w- c:\documents and settings\Top\Application Data\WinPatrol\Config.sys
2010-05-12 05:47 . 2008-07-04 22:44 0 ----a-w- c:\documents and settings\Top\Application Data\WinPatrol\Autoexec.bat
2010-05-12 05:47 . 2010-05-12 05:47 -------- d-----w- c:\program files\BillP Studios
2010-05-12 01:59 . 2010-05-12 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-12 01:59 . 2010-05-18 02:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-11 21:27 . 2010-05-17 17:57 -------- d-----w- c:\documents and settings\Top\Application Data\Malwarebytes
2010-05-11 21:26 . 2010-05-17 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-06 20:41 . 2009-07-01 15:54 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-05-06 18:32 . 2010-04-03 22:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-05-06 18:32 . 2010-04-03 22:55 10232128 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-05-06 18:32 . 2010-04-03 22:55 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-05-06 18:32 . 2010-04-03 22:55 6432128 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2010-05-06 18:32 . 2010-04-03 22:55 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-05-06 18:32 . 2010-04-03 22:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-05-06 18:32 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-05-06 18:32 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-05-06 18:32 . 2010-04-03 22:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-05-06 18:03 . 2010-05-06 18:03 -------- d-----w- c:\program files\Phyxion.net
2010-05-06 17:21 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-05-06 17:21 . 2010-04-03 22:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-05-06 17:21 . 2010-04-03 22:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-05-06 17:21 . 2010-04-03 22:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-05-06 17:21 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-26 17:43 . 2010-04-26 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\NVIDIA Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 01:28 . 2008-07-05 23:14 -------- d-----w- c:\program files\Winwall
2010-05-18 19:03 . 2010-05-18 19:03 388096 ----a-r- c:\documents and settings\Top\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-18 02:13 . 2010-05-18 02:05 63488 ----a-w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-18 02:13 . 2010-05-18 02:05 117760 ----a-w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-18 02:05 . 2010-05-18 02:05 52224 ----a-w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-18 02:05 . 2010-05-18 02:05 -------- d-----w- c:\documents and settings\Top\Application Data\SUPERAntiSpyware.com
2010-05-18 02:05 . 2008-07-25 17:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-17 18:28 . 2008-09-02 02:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-17 18:27 . 2008-09-02 02:27 -------- d-----w- c:\program files\Java
2010-05-16 01:15 . 2008-07-05 00:35 30088 ----a-w- c:\documents and settings\Top\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 04:47 . 2008-07-04 23:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-12 08:01 . 2008-07-05 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-12 07:58 . 2008-10-30 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-11 21:25 . 2008-08-22 21:27 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-05-06 21:39 . 2008-07-04 23:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 21:39 . 2008-10-18 00:14 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-06 17:19 . 2009-08-08 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-04-21 06:36 . 2009-08-14 04:48 -------- d-----w- c:\program files\Full Tilt Poker.Net
2010-04-08 01:54 . 2009-03-15 21:40 -------- d-----w- c:\program files\Teamspeak2_RC2
2010-04-07 20:46 . 2009-01-11 17:51 -------- d-----w- c:\documents and settings\Top\Application Data\IObit
2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:23 . 2010-04-03 23:23 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-04-03 23:23 . 2010-04-03 23:23 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-03-22 07:43 . 2008-07-25 17:46 -------- d-----w- c:\program files\IObit
2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-05-30 18:37 . 2008-05-30 18:37 148847 ----a-w- c:\program files\DEC2006_XACT_x86.cab
2008-05-30 18:36 . 2008-05-30 18:36 13267416 ----a-w- c:\program files\dxnt.cab
2008-05-30 18:36 . 2008-05-30 18:36 4165878 ----a-w- c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 18:36 . 2008-05-30 18:36 1805306 ----a-w- c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 18:36 . 2008-05-30 18:36 1803408 ----a-w- c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 18:34 . 2008-05-30 18:34 528392 ----a-w- c:\program files\DXSETUP.exe
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\drivers\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0033\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-05-20_22.48.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-21 00:29 . 2010-05-21 00:29 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-09-14 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.24\AsRunHelp.exe" [2006-12-29 363008]
"Launch Ai Booster"="c:\program files\ASUS\AI Booster\OverClk.exe" [2006-12-08 3714048]
"Winwall"="c:\program files\Winwall\Loader.exe" [2004-07-15 20480]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
2004-10-13 22:29 102400 ----a-w- c:\windows\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-10-17 20:52 51048 ----a-w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2008-02-21 00:58 19456 ----a-w- c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPAgnt]
2004-10-13 22:24 913408 ----a-w- c:\program files\DigitalPersona\Bin\DPAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2005-08-23 13:22 188416 ----a-w- c:\program files\Logitech\G-series Software\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
2005-08-23 13:36 1110079 ----a-w- c:\program files\Logitech\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
2002-09-03 22:38 987187 ----a-w- c:\program files\WinCustomize\LogonStudio\LogonStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-12-29 05:40 2935480 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"sp_rssrv"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"LightScribeService"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"RasAuto"=3 (0x3)
"RasMan"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)
"DpHost"=2 (0x2)
"DPFUSMgr"=2 (0x2)
"comHost"=3 (0x3)
"LiveUpdate"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WinDefend"=2 (0x2)
"SharedAccess"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"SamSs"=2 (0x2)
"Symantec Core LC"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58991:TCP"= 58991:TCP:Pando Media Booster
"58991:UDP"= 58991:UDP:Pando Media Booster
"59165:TCP"= 59165:TCP:Pando Media Booster
"59165:UDP"= 59165:UDP:Pando Media Booster
"57129:TCP"= 57129:TCP:Pando Media Booster
"57129:UDP"= 57129:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\drivers\dpK0Bx01.sys [8/4/2004 4:58 PM 32640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 4:35 AM 102448]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [9/15/2009 1:59 PM 38248]
R3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [8/4/2004 4:59 PM 34560]
R3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [11/9/2008 12:34 AM 90568]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/2/2009 2:06 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1993962763-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1757981266-1993962763-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:72,ec,77,2f,68,71,b8,39,8e,7d,0c,29,56,e4,8d,a0,55,56,11,1a,b2,
ed,36,73,f5,da,a7,55,b7,38,6c,d9,1c,e9,ba,b9,36,cf,da,17,ee,01,a7,c9,69,c2,\
"rkeysecu"=hex:26,2d,47,1b,27,9a,ed,9f,7c,38,7a,02,76,26,61,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\DPWLEvHd.dll

- - - - - - - > 'lsass.exe'(628)
c:\windows\DPPWDFLT.dll

- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\DigitalPersona\Bin\DPWinLct.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Winwall\Winwall.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2010-05-20 21:30:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 01:30
ComboFix2.txt 2010-05-20 22:49
ComboFix3.txt 2010-05-17 19:38

Pre-Run: 94,382,858,240 bytes free
Post-Run: 94,272,569,344 bytes free

- - End Of File - - 45B6C220ECC47A911ABD12F6C96E1FEA


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:15 AM

Posted 21 May 2010 - 04:22 PM

Okay, now please run ESET's online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 xTopDogx

xTopDogx
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:15 AM

Posted 21 May 2010 - 05:45 PM

I can't seem to get it to update and run. It says "can not get updates is proxy configured?". I went to connections and verified that auto detect is checked and it is. I assume this is the same thing stopping me from updating mbam and playing on steam. I checked "services" and no anti virus or firewall is running. This is where I got stuck in the self help forums, lol. Also just wanted to note that after combofix ran the second time, my machine rebooted. When I opened IE after that, it said IE was not my default browser would I like to make it? Not sure if that is normal after running combofix or if its something bad.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:15 AM

Posted 21 May 2010 - 06:56 PM

Combofix does default the IE browser after running.

I was going to suggest that maybe a running antivirus might be stopping you.

Please try a tool which doesn't need updating but downloads the latest version.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

m0le is a proud member of UNITE

#11 xTopDogx

xTopDogx
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:15 AM

Posted 22 May 2010 - 01:19 AM

Looks like it found something.

DrWeb Log:

Process.exe;C:\Documents and Settings\Top\Local Settings\Application Data;Tool.Killproc.3;Incurable.Moved.;




#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:15 AM

Posted 22 May 2010 - 09:43 AM

That's a process killing file.

Have you now got access to the ESET scan?
m0le is a proud member of UNITE

#13 xTopDogx

xTopDogx
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:15 AM

Posted 22 May 2010 - 07:47 PM

No, still getting the same error asking if my proxy is setup.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:15 AM

Posted 22 May 2010 - 08:07 PM

Yes, this isn't malware doing the blocking now.

It may be that we need to move this problem to another forum.


Just to make sure, can you try another online scanner, Kaspersky.

Perform an online scan with Kaspersky WebScanner. This can take a long time so please be patient.

If you have troubles getting it to run.... - STOP - and tell me about it!

(Requires the free Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)
  • Click on the ...button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press... the ...button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the ...button, if you made any changes.
  • Now under the Scan section on the left:
      Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.

m0le is a proud member of UNITE
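
Added diagnostic for the "is proxy configured?" error reported in posts #9 and #13 and judged in #14 to no longer be active malware. This is example code written for this page; it is not from the thread, from the helper, or from any of the scanner vendors. The two error codes quoted in the first post are WinHTTP codes: 12029 is ERROR_WINHTTP_CANNOT_CONNECT and 12007 is ERROR_WINHTTP_NAME_NOT_RESOLVED, and the "proxy configured?" message is what an updater typically reports when WinHttpSendRequest fails with one of them. The IE Connections dialog, which the poster checked, only shows the per-user WinINet proxy; WinHTTP keeps its own machine-wide proxy setting, the hosts file can pin a vendor's update host to 127.0.0.1, and a leftover Winsock LSP breaks every socket user on the box. The script reads all four and reports; it changes nothing. It assumes PowerShell is installed (an optional download on XP) and an elevated prompt; the list of stock Winsock provider DLLs is an assumption to be adjusted for the machine in front of you.

```powershell
# Added diagnostic (example code, not from the thread or BleepingComputer's
# staff): read-only checks for the places a rogue-AV cleanup commonly leaves
# behind WinHTTP 12029 / "is a proxy configured?" update failures.
# Assumes PowerShell is installed (optional on XP) and an elevated prompt.
# Nothing below changes the system; it only reports.

$findings = @()

# 1. Per-user WinINet proxy. This is what IE's Connections dialog shows, read
#    here straight from the registry so a hidden or greyed-out value is not missed.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    $findings += "WinINet proxy enabled: $($inet.ProxyServer) (bypass: $($inet.ProxyOverride))"
}
if ($inet -and $inet.AutoConfigURL) {
    $findings += "WinINet PAC script configured: $($inet.AutoConfigURL)"
}

# 2. Machine-wide WinHTTP proxy. Separate from IE's setting, used by services
#    and by updaters that call WinHttpSendRequest, and never shown in the IE
#    dialog. proxycfg.exe is the XP/2003 tool; netsh winhttp replaced it later.
if (Get-Command proxycfg.exe -ErrorAction SilentlyContinue) {
    $whText = (& proxycfg.exe | Out-String)
} else {
    $whText = (& netsh winhttp show proxy | Out-String)
}
if ($whText -notmatch 'Direct access') {
    $findings += "WinHTTP proxy configured:`n" + $whText.Trim()
}

# 3. hosts file. Anything beyond the stock localhost lines is reported; a
#    vendor update host pointed at 127.0.0.1 produces exactly the
#    "cannot connect" / "name not resolved" symptoms described in the thread.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    $entry = ($line -split '#')[0].Trim()
    if ($entry -and $entry -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings += "hosts entry: $entry"
    }
}

# 4. Winsock catalog. A leftover or half-removed LSP breaks every socket user
#    on the box. The baseline below is an assumption (stock Microsoft providers
#    for XP through Windows 7); adjust it for the system you are looking at.
$stockProviders = @('mswsock.dll', 'rsvpsp.dll', 'winrnr.dll', 'nwprovau.dll',
                    'nlaapi.dll', 'napinsp.dll', 'pnrpnsp.dll', 'wshbth.dll')
foreach ($line in (& netsh winsock show catalog)) {
    if ($line -match 'Provider Path:\s*(.+)$') {
        $providerPath = $Matches[1].Trim()
        $file = [IO.Path]::GetFileName($providerPath).ToLower()
        if ($stockProviders -notcontains $file) {
            $findings += "non-stock Winsock provider: $providerPath"
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Select-Object -Unique
} else {
    'No proxy, hosts or Winsock irregularities found; look at DNS and the network path next.'
}
```

If the WinHTTP check turns something up, `proxycfg -d` (XP) or `netsh winhttp reset proxy` (Vista and later) returns it to direct access, and `netsh winsock reset` followed by a reboot rebuilds the catalog. Both change the system, so in a guided cleanup like this one they are the helper's call, not a step to run unprompted; the script above is deliberately read-only so it can be run at any point without disturbing the process.
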

#15 xTopDogx

xTopDogx
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:15 AM

Posted 22 May 2010 - 08:45 PM

Kaspersky is saying I must have Java 1.5 or newer to run and stopping there by not giving me the accept button. I have verified that I have Java 1.6.0_20 installed. Not sure what is going on here.



