
Infected with a keylogger?


  • This topic is locked
19 replies to this topic

#1 TopHatSquid

TopHatSquid

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 05 June 2010 - 10:17 PM

Hi,

I recently had a game account compromised and was told it is likely the result of a keylogger or similar virus. I tried running Avast antivirus, Malwarebytes, and Spybot normally, in safe mode, and while the game's launcher was running, and found not a hint of any virus, malware, adware or anything. I was also told to try running ComboFix and was annoyed to find in other places (namely here) that I should not have run it. I did nothing with it, however; anything it did, it did by itself.

In any case, I was unable to find anything, but I am afraid of my bank account, credit card, and so forth becoming hijacked. I did change all my passwords on a different computer and haven't had any problems other than with the game.

A note on the GMER scan, however: I think I may have been wrong in running it in safe mode, but I had someone insist that I should. I can run it again in normal mode.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Gamer at 20:12:24.10 on 05/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3326.2643 [GMT -2.5:30]

AV: avast! antivirus 4.8.1368 [VPS 100605-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Gamer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-CA
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\gamer\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\gamer\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gamer\applic~1\mozilla\firefox\profiles\076hqbus.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-3 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-3 138680]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-8-17 68136]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-17 39424]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-17 1684736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-3 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-3 352920]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-3 25832]

=============== Created Last 30 ================

2010-06-05 22:36:24 188 ----a-w- c:\documents and settings\gamer\defogger_reenable
2010-06-05 20:54:14 0 d-s---w- c:\windows\Cookies
2010-06-05 20:50:24 0 d-sha-r- C:\cmdcons
2010-06-05 20:45:59 77312 ----a-w- c:\windows\MBR.exe
2010-06-05 20:45:59 256512 ----a-w- c:\windows\PEV.exe
2010-06-05 20:45:58 98816 ----a-w- c:\windows\sed.exe
2010-06-05 20:45:58 161792 ----a-w- c:\windows\SWREG.exe
2010-06-05 18:19:58 0 d-----w- c:\program files\Uniblue
2010-06-02 01:24:38 0 d-----w- c:\docume~1\gamer\applic~1\Malwarebytes
2010-06-02 01:24:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 01:24:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 01:24:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 01:24:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-13 23:08:45 608448 ----a-w- c:\windows\system32\comctl32.ocx
2010-05-13 23:08:40 0 d-----w- c:\program files\Total Video Converter
2010-05-13 22:55:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-13 22:55:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-13 22:55:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-13 22:55:13 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-13 22:54:57 0 d-----w- c:\docume~1\alluse~1\applic~1\PSPVC
2010-05-13 21:47:18 0 d-----w- c:\program files\AviSynth 2.5
2010-05-10 18:36:03 0 d-----w- c:\program files\common files\Software Update Utility

==================== Find3M ====================

2010-06-05 22:38:08 17488 ----a-w- c:\windows\gdrv.sys
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll

============= FINISH: 20:12:35.09 ===============
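A triage pass over the "Pseudo HJT Report" and FIREFOX sections of a DDS log like the one above, as an added example that is not part of this thread and not the DDS tool's own code. It parses the `BHO:`/`TB:`, `uRun:`/`mRun:`/`dRun:` and `FF -` lines in the format DDS prints and flags the entries a helper normally checks first: an orphaned BHO CLSID ("No File"), a browser toolbar to confirm with the user, an autorun whose image is given without a directory, an autorun launched from a user-writable folder, a hidden Firefox extension with no registry reference, and a user.js value that carries embedded `user_pref()` calls (the malformed `dnupdate` line in the log above). The heuristics, the `Finding` class and the user-writable path markers are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
"""Triage of DDS 'Pseudo HJT Report' / FIREFOX lines (added example, not DDS code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first DDS log in the thread.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
"""

# DDS prefixes: uRun = HKCU Run key, mRun = HKLM Run key, dRun = default-user Run key.
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
FF_RE = re.compile(r"^FF - (?P<kind>[A-Za-z.]+): (?P<rest>.*)$")

# Assumed markers for locations an unprivileged user can write to (lower-case, 8.3 and long forms).
USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\application data\\",
                 "\\applic~1\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    reason: str


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> list[Finding]:
    """Apply the heuristics to one DDS line; returns zero or more findings."""
    out: list[Finding] = []
    m = RUN_RE.match(line)
    if m:
        path = image_path(m["cmd"]).lower()
        if "\\" not in path:
            out.append(Finding(line, "autorun with unqualified image path (resolved via PATH); locate the real file"))
        elif any(marker in path for marker in USER_WRITABLE):
            out.append(Finding(line, "autorun from a user-writable location"))
        return out
    m = BHO_RE.match(line)
    if m:
        if m["path"].strip().lower() == "no file":
            out.append(Finding(line, f"orphaned {m['kind']} CLSID {m['clsid']}: registered but its DLL is missing"))
        elif m["kind"] == "TB":
            out.append(Finding(line, "browser toolbar: confirm it was installed deliberately"))
        return out
    m = FF_RE.match(line)
    if m:
        kind, rest = m["kind"], m["rest"]
        if kind == "HiddenExtension" and "No Registry Reference" in rest:
            out.append(Finding(line, "hidden Firefox extension with no registry reference"))
        elif kind == "user.js" and "user_pref(" in rest:
            out.append(Finding(line, "user.js value contains embedded user_pref() calls: malformed or injected pref file"))
    return out


def triage(log: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a DDS log."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        findings.extend(triage_line(raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Every flag is a prompt to look, not a verdict: the `RTHDCPL.EXE` entry, for instance, is flagged only because the log gives no directory for it, so the helper has to find which copy actually runs before deciding anything.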


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:05 AM

Posted 09 June 2010 - 07:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 TopHatSquid

TopHatSquid
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 09 June 2010 - 02:55 PM

I wasn't sure if I was supposed to bump the topic or not, I will keep you updated better this time.

I play World of Warcraft and the Starcraft 2 beta, both using their new Battle.net login. My account became compromised; that is, someone other than myself got into them and tried to steal the account by changing the password. I got the account back and made a new password for everything quickly afterwards. However, the hacker likely got my password in the first place by using a keylogger or similar virus, so I am worried about passwords/accounts being compromised in the future. I ran Avast antivirus, Malwarebytes, and Spybot and could find no viruses at all. I also ran ComboFix as they suggested on the World of Warcraft technical support forums but wasn't aware of how dangerous that can be.

I am trying to figure out if I have any viruses or malware that I don't know about that are compromising my security.

The requested logs are attached to the post.

Thanks for the help =)


DDS (Ver_10-03-17.01) - NTFSx86
Run by Gamer at 16:15:02.40 on 09/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3326.2693 [GMT -2.5:30]

AV: avast! antivirus 4.8.1368 [VPS 100609-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Gamer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-CA
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\gamer\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\gamer\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gamer\applic~1\mozilla\firefox\profiles\076hqbus.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-3 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-3 138680]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-8-17 68136]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-17 39424]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-17 1684736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-3 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-3 352920]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-3 25832]

=============== Created Last 30 ================

2010-06-05 22:36:24 188 ----a-w- c:\documents and settings\gamer\defogger_reenable
2010-06-05 20:54:14 0 d-s---w- c:\windows\Cookies
2010-06-05 20:50:24 0 d-sha-r- C:\cmdcons
2010-06-05 20:45:59 77312 ----a-w- c:\windows\MBR.exe
2010-06-05 20:45:59 256512 ----a-w- c:\windows\PEV.exe
2010-06-05 20:45:58 98816 ----a-w- c:\windows\sed.exe
2010-06-05 20:45:58 161792 ----a-w- c:\windows\SWREG.exe
2010-06-05 18:19:58 0 d-----w- c:\program files\Uniblue
2010-06-02 01:24:38 0 d-----w- c:\docume~1\gamer\applic~1\Malwarebytes
2010-06-02 01:24:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 01:24:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 01:24:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 01:24:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-13 23:08:45 608448 ----a-w- c:\windows\system32\comctl32.ocx
2010-05-13 23:08:40 0 d-----w- c:\program files\Total Video Converter
2010-05-13 22:55:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-13 22:55:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-13 22:55:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-13 22:55:13 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-13 22:54:57 0 d-----w- c:\docume~1\alluse~1\applic~1\PSPVC
2010-05-13 21:47:18 0 d-----w- c:\program files\AviSynth 2.5

==================== Find3M ====================

2010-06-09 16:39:46 17488 ----a-w- c:\windows\gdrv.sys
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe

============= FINISH: 16:15:20.89 ===============


#4 TopHatSquid

TopHatSquid
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 10 June 2010 - 09:42 PM

Just letting you know that I have not yet had any luck finding any malware on my own.

#5 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:05 AM

Posted 13 June 2010 - 08:14 PM

Hi, TopHatSquid -

Welcome to Bleeping Computer.

I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you under the supervision of the teachers, and they will approve every post before I present it to you.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

When asked to copy logs or reports into your reply, please copy them directly into your reply. Do not include them in quotes. Do not attach them unless asked to do so. In Notepad, please turn off Word Wrap under the Format menu.

Please Track this topic - At the top right of this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Please give me some time to look over your log. I will post the reply as soon as possible.

Shannon

#6 TopHatSquid

TopHatSquid
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 14 June 2010 - 12:37 AM

No worries, I understand you must be very busy! Thank you for your time!

#7 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:05 AM

Posted 14 June 2010 - 02:21 PM

Hi-

I don't see any infections in the DDS scans you ran, but maybe ComboFix already cleared the infection(s). I would like to get a copy of the output report from your ComboFix run. Please open file C:\ComboFix.txt with Notepad and copy the contents into your next reply.

Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Under the Custom Scan box paste in the contents of the CODE box.
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    c:|emcor.dll /fp
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the ComboFix log and the two OTL output reports.
Shannon
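The `/md5start` ... `/md5stop` block in the custom scan above asks OTL to hash each of the listed driver and logon DLL files it finds, so that the values can be compared with known-good copies. The following is an added example, not OTL's code and not part of this thread: it performs the equivalent comparison in Python over a directory tree, reporting each baselined file as ok, missing, mismatched, or present in more than one place (on Windows a second copy in a driver cache is normal, but both copies then need checking). The directory layout, file contents and baseline hashes in `demo()` are constructed for the demonstration; only the file names come from the scan block.

```python
"""Baseline comparison for an /md5start-style file list (added example, not OTL code)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Subset of the file names from the thread's custom-scan block.
DRIVER_LIST = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys", "netlogon.dll"]


def file_md5(path: Path) -> str:
    """MD5 of a file, read in chunks so large drivers do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_listed(root: Path, names: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each wanted name to [(path, md5), ...] for every copy found under root.

    Matching is case-insensitive because NTFS paths are; every name in `names`
    is present in the result even when no copy was found (empty list).
    """
    wanted = {n.lower(): n for n in names}
    found: dict[str, list[tuple[str, str]]] = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            key = f.lower()
            if key in wanted:
                p = Path(dirpath) / f
                found[wanted[key]].append((str(p), file_md5(p)))
    return found


def compare(found: dict[str, list[tuple[str, str]]], baseline: dict[str, str]) -> dict[str, str]:
    """Classify each baselined file as 'ok', 'missing', 'mismatch' or 'multiple'."""
    verdict: dict[str, str] = {}
    for name, expected in baseline.items():
        copies = found.get(name, [])
        if not copies:
            verdict[name] = "missing"
        elif len(copies) > 1:
            verdict[name] = "multiple"  # several copies on disk: hash and inspect each one
        elif copies[0][1] != expected.lower():
            verdict[name] = "mismatch"  # content differs from the known-good copy
        else:
            verdict[name] = "ok"
    return verdict


def demo() -> dict[str, str]:
    """Constructed scenario: take a baseline, alter one file, then re-compare."""
    root = Path(tempfile.mkdtemp(prefix="md5demo_"))
    drivers = root / "system32" / "drivers"
    drivers.mkdir(parents=True)
    for name in ("atapi.sys", "iaStor.sys", "nvstor.sys"):
        (drivers / name).write_bytes(b"clean " + name.encode())   # constructed contents
    baseline = {n: copies[0][1] for n, copies in hash_listed(root, DRIVER_LIST).items() if copies}
    baseline["AGP440.sys"] = "0" * 32   # constructed: baselined file that is absent from this tree
    (drivers / "atapi.sys").write_bytes(b"patched atapi.sys")     # simulate a modified driver
    return compare(hash_listed(root, DRIVER_LIST), baseline)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:14} {state}")
```

The useful output is the `mismatch` and `missing` rows: a hash that does not match the baseline says the file differs, not why, so the next step is to obtain the file and compare it with a clean copy from installation media or a known-good machine.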

#8 TopHatSquid

TopHatSquid
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 14 June 2010 - 06:46 PM

Here is the ComboFix log, and the results of the OTL scan are attached.

ComboFix 10-06-03.01 - Gamer 05/06/2010 18:20:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3326.2756 [GMT -2.5:30]
Running from: c:\documents and settings\Gamer\My Documents\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100605-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-05 18:37 . 2010-06-05 18:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-05 18:19 . 2010-06-05 18:19 -------- d-----w- c:\program files\Uniblue
2010-06-02 01:24 . 2010-06-02 01:24 -------- d-----w- c:\documents and settings\Gamer\Application Data\Malwarebytes
2010-06-02 01:24 . 2010-04-29 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 01:24 . 2010-06-02 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 01:24 . 2010-06-02 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-02 01:24 . 2010-04-29 18:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 21:32 . 2010-06-01 21:32 45828 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-19 21:18 . 2010-05-19 21:18 -------- d-----w- c:\documents and settings\Gamer\Local Settings\Application Data\DarkRoom
2010-05-13 23:08 . 2010-05-13 23:08 -------- d-----w- c:\program files\Total Video Converter
2010-05-13 22:55 . 2010-02-04 12:31 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-13 22:55 . 2010-02-04 12:31 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-13 22:55 . 2010-02-04 12:31 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-13 22:55 . 2010-02-04 12:31 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-13 22:54 . 2010-05-13 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PSPVC
2010-05-13 21:47 . 2010-05-13 21:47 -------- d-----w- c:\documents and settings\Gamer\Local Settings\Application Data\Geckofx
2010-05-13 21:47 . 2010-05-13 22:55 -------- d-----w- c:\program files\AviSynth 2.5
2010-05-10 18:36 . 2010-05-10 18:36 -------- d-----w- c:\program files\Common Files\Software Update Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 20:45 . 2009-08-16 17:27 17488 ----a-w- c:\windows\gdrv.sys
2010-06-05 19:40 . 2009-09-04 00:51 -------- d-----w- c:\program files\Steam
2010-06-05 18:22 . 2009-08-16 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-05 03:48 . 2010-04-08 20:32 -------- d-----w- c:\program files\StarCraft II Beta
2010-06-04 23:53 . 2009-09-16 21:47 1 ----a-w- c:\documents and settings\Gamer\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-03 19:17 . 2009-09-04 02:59 -------- d-----w- c:\documents and settings\Gamer\Application Data\uTorrent
2010-06-02 02:14 . 2009-09-04 02:23 -------- d-----w- c:\program files\World of Warcraft
2010-05-22 02:53 . 2009-09-04 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-05-14 04:39 . 2009-08-16 18:04 20168 ----a-w- c:\documents and settings\Gamer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-13 23:14 . 2009-09-05 17:59 -------- d-----w- c:\program files\Trine
2010-05-13 23:14 . 2010-01-23 22:25 -------- d-----w- c:\program files\ZC2.10
2010-05-13 23:14 . 2009-11-01 21:23 -------- d-----w- c:\documents and settings\Gamer\Application Data\runic games
2010-05-13 23:14 . 2009-11-01 21:22 -------- d-----w- c:\program files\Runic Games
2010-05-13 23:12 . 2010-03-09 01:09 -------- d-----w- c:\program files\championBuilder
2010-05-10 18:36 . 2010-02-21 09:21 -------- d-----w- c:\program files\AIM
2010-05-05 21:16 . 2010-05-02 02:25 -------- d-----w- c:\documents and settings\Gamer\Application Data\DivX
2010-05-05 05:35 . 2010-05-05 05:35 -------- d-----w- c:\documents and settings\Gamer\Application Data\PlayFirst
2010-05-05 05:35 . 2010-05-05 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-05-02 02:25 . 2010-05-02 02:20 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-02 02:25 . 2010-05-02 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-02 02:25 . 2010-05-02 02:25 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-02 02:25 . 2010-05-02 02:25 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-02 02:25 . 2010-05-02 02:19 -------- d-----w- c:\program files\DivX
2010-05-02 02:25 . 2010-05-02 02:25 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-02 02:25 . 2010-05-02 02:25 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-05-02 02:25 . 2010-05-02 02:25 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-05-02 02:25 . 2010-05-02 02:25 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-05-02 02:24 . 2010-05-02 02:24 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-05-02 02:23 . 2010-05-02 02:19 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-02 02:23 . 2010-05-02 02:20 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-02 02:23 . 2010-05-02 02:23 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-02 02:23 . 2010-05-02 02:23 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-02 02:23 . 2010-05-02 02:23 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-02 02:23 . 2010-05-02 02:23 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-02 02:23 . 2010-05-02 02:23 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-02 02:23 . 2010-05-02 02:23 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-02 02:20 . 2010-05-02 02:20 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-02 02:20 . 2010-05-02 02:20 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-02 02:20 . 2010-05-02 02:20 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-02 02:20 . 2010-05-02 02:20 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-02 02:20 . 2010-05-02 02:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-02 02:20 . 2010-05-02 02:20 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-27 18:21 . 2010-05-02 02:20 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-04-10 16:00 . 2010-04-10 16:00 -------- d-----w- c:\program files\Ask.com
2010-04-08 20:34 . 2009-09-04 02:23 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-31 01:58 . 2010-05-02 02:25 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2010-03-11 01:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-31 01:58 . 2010-03-11 01:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-31 01:58 . 2010-03-11 01:10 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-31 01:58 . 2010-03-11 01:10 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2010-03-11 01:10 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-09 11:09 . 2008-04-14 08:12 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
.

------- Sigcheck -------

[-] 2008-08-19 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 19:20 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-07 1238352]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2009-04-24 203416]
"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-19 131072]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-14 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Gamer\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2010-3-10 376832]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Gigabyte\\EasySaver\\UpdExe.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
"c:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base14803\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15097\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15133\\SC2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15250\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15392\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15449\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15580\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15623\\SC2.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/09/2009 11:36 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/09/2009 11:36 PM 20560]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [17/08/2009 1:14 AM 68136]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [17/08/2009 1:19 AM 39424]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/09/2009 7:06 PM 721904]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [17/08/2009 1:17 AM 1684736]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [03/11/2009 4:06 PM 25832]
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:04]

2010-06-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 19:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Gamer\Application Data\Mozilla\Firefox\Profiles\076hqbus.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 18:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-05 18:24:11
ComboFix-quarantined-files.txt 2010-06-05 20:54

Pre-Run: 433,922,572,288 bytes free
Post-Run: 434,002,518,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D1B552BF91A5351908E64DAC44A29949

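The ComboFix dump above is the kind of thing a helper reads by eye: one Sigcheck line for a system file whose hash did not match, a handful of registry load points, and a browser helper object. As an added example (not part of the original posts, and not ComboFix's or OTL's own code), the Python script below turns the two sections that matter most into records, flags the load points a responder should look at twice, and recomputes a file's MD5 so the Recovery Console replacement suggested later in the thread can be confirmed. SAMPLE_LOG is a constructed excerpt copied from the log above; the flagging rules (a bare file name that Windows resolves by search order, a path under the user profile, a Browser Helper Object key) are this example's own assumptions, not anything ComboFix asserts about those entries.

```python
"""Triage helper for a ComboFix log.

Added example for this thread; it is not ComboFix's, OTL's or either
poster's code.  It turns the Sigcheck and "Reg Loading Points" sections
into records, flags load points a responder should look at twice, and
checks a replaced system file against the MD5 ComboFix reported.
SAMPLE_LOG is a constructed excerpt of the log posted above; the flagging
rules are this example's own assumptions, not anything ComboFix asserts."""
import hashlib
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2008-08-19 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((( Reg Loading Points ))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 19:20 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"""

# [marker] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<marker>[^\]]+)\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"="path" [yyyy-mm-dd size]   (a Run-key value)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\S+) (?P<size>\d+)\]$')
# yyyy-mm-dd hh:mm size attrs path  (the file behind a BHO / CLSID key)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+)$")

# Assumption of this example: anything launched from the user profile is suspect.
USER_DIRS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")


@dataclass
class SigcheckHit:
    marker: str      # "[-]" in the log above: file did not match a known-good hash
    date: str
    md5: str
    size: int
    version: str
    path: str


@dataclass
class LoadPoint:
    key: str
    name: str
    path: str
    date: str
    size: int
    flags: list = field(default_factory=list)


def flag(point):
    """Return the reasons (if any) a load point deserves a second look."""
    reasons, key, low = [], point.key.lower(), point.path.lower()
    if "browser helper objects" in key or "\\toolbar" in key:
        reasons.append("browser extension: runs inside IE, confirm the vendor")
    if "\\" not in point.path:
        # A bare name like RTHDCPL.EXE is located via the search order, so a
        # same-named file dropped earlier in that order would run instead.
        reasons.append("bare file name: resolved by search order, hijackable")
    if any(d in low for d in USER_DIRS):
        reasons.append("runs from a user-writable profile directory")
    return reasons


def parse_sigcheck(text):
    hits = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            hits.append(SigcheckHit(m["marker"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return hits


def parse_load_points(text):
    points, key = [], None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k["key"]
            continue
        if key is None:
            continue
        v = VALUE_RE.match(line)
        if v:
            points.append(LoadPoint(key, v["name"], v["path"], v["date"], int(v["size"])))
            continue
        f = FILE_RE.match(line)
        if f:  # CLSID-style key: the GUID is the only name there is
            points.append(LoadPoint(key, key.rsplit("\\", 1)[-1], f["path"],
                                    f["date"], int(f["size"])))
    for p in points:
        p.flags = flag(p)
    return points


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def still_flagged(path, hit):
    """True if the file on disk still carries the hash ComboFix flagged,
    i.e. a replacement from the install media has not actually taken."""
    return md5_of(path) == hit.md5


def triage(text):
    report = [f"SIGCHECK [{h.marker}] {h.path} v{h.version} md5={h.md5}"
              for h in parse_sigcheck(text)]
    for p in parse_load_points(text):
        tag = "REVIEW" if p.flags else "ok"
        report.append(f"{tag:6} {p.name} -> {p.path} ({p.date}, {p.size} bytes) "
                      + "; ".join(p.flags))
    return report


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

Point it at a saved ComboFix.txt instead of SAMPLE_LOG and it lists every load point with its on-disk date and size, which is what you compare against the vendor's install date when deciding whether an entry is legitimate. After replacing a flagged system file, `still_flagged(path, hit)` returning False confirms the copy on disk is no longer the one ComboFix reported.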
#9 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 16 June 2010 - 06:49 AM

Hi-

Thank you for the logs. The ComboFix log did show a problem (not an infection) that needs to be fixed - replace a system file. The OTL scan outputs did not show any signs of an infection, but did point out some things that should be changed.

First, we will replace the system file.
  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2 or Del, but it can be a different one. It should state on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then, move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit, and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
  • A command prompt will open
  • Type the following two lines, one line at a time, and press Enter after entering each line.

    Please note: 'D' signifies the drive letter of your CD-ROM drive!! Please adjust accordingly. <--- Important!!

    ren c:\windows\System32\sfcfiles.dll sfcfiles.old
    copy D:\i386\sfcfiles.dl_ c:\windows\system32\sfcfiles.dll

  • Type "Exit" and restart the computer.

Your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 20 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

I noticed you have the ASK Toolbar installed. Ask has a shady past and is not recommended. See http://www.benedelman.org/spyware/ask-toolbars/. To remove it, click "start" on the taskbar and then click on the "Control Panel" icon. Double click on the "Add or Remove Programs" icon. A list of installed programs will be "populated" (this may take a bit of time). In the list find Ask Toolbar, click on the entry, and select "remove".

The current version of FOXIT PDF reader add-on for Firefox also uses Ask.com and should be removed as well. In Firefox, click on Tools on the menu bar, click on Add-ons, click on Foxit, and select Uninstall. Restart Firefox.

Your logs show that you are using peer-to-peer (P2P) or file-sharing programs like uTorrent.
    These programs allow users to share files, as the name suggests. In today's world, cyber crime has grown into an enormous business, and any means is used to infect personal computers and to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

    It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject - Risks of File-Sharing Technology

    It is pretty much certain that if you continue to use P2P programs, you will get infected again.

    I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove this program, you can do so via Start > Control Panel > Add/Remove Programs.

Finally, let's get a new OTL listing.
  • Double click on the icon on your desktop.
  • In the Extra Registry Box, check Use SafeList.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, copy in the OTL reports and let me know if you had any problems with the above steps.

Thanks

Shannon

#10 TopHatSquid (Topic Starter, Members, 10 posts)

Posted 16 June 2010 - 01:44 PM

I don't have a boot disk at this time and I am not 100% sure how to make one. When I got the computer it came installed with Windows XP and they gave me a license key I can use to download a copy from Microsoft if I need it, but I have never had to do it before. Do you know of a tutorial on how to do it?

I will meanwhile fix the Java program and get rid of that Ask toolbar; I could have sworn I removed that ages ago.

Do you want me to post the OTL log after fixing Java and removing the Toolbar? Or should I wait until I can get this boot disk bit figured out?

#11 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 16 June 2010 - 08:15 PM

Hi-

Go ahead and run the OTL scan without replacing the file. You should have received documentation with your system on how to download the XP files or order the CD. You also might check the support help files on the computer manufacturer's web site.

Shannon

#12 TopHatSquid (Topic Starter, Members, 10 posts)

Posted 17 June 2010 - 09:04 AM

Sorry for the delayed response. Here are the OTL logs.

OTL logfile created on: 17/06/2010 11:29:02 AM - Run 2
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Gamer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 596.16 Gb Total Space | 349.96 Gb Free Space | 58.70% Space Free | Partition Type: NTFS
Drive D: | 339.84 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GAMEON
Current User Name: Gamer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/14 21:05:25 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gamer\Desktop\OTL.exe
PRC - [2010/05/07 11:37:18 | 001,238,352 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2010/04/12 20:16:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/03/31 18:38:16 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/08 18:34:49 | 003,972,440 | ---- | M] (AOL Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2009/11/24 21:21:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 21:21:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 21:21:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 21:18:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 21:13:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/03/02 14:06:16 | 000,068,136 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\essvr.exe
PRC - [2008/09/30 16:45:00 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/09/30 16:43:38 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/19 18:18:04 | 000,376,832 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
PRC - [2007/05/28 14:27:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe


========== Modules (SafeList) ==========

MOD - [2010/06/14 21:05:25 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gamer\Desktop\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 21:21:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 21:21:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 21:18:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 21:13:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/07/26 07:43:14 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/03/02 14:06:16 | 000,068,136 | ---- | M] () [Auto | Running] -- C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE -- (ES lite Service)
SRV - [2007/05/28 14:27:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)


========== Driver Services (SafeList) ==========

DRV - [2010/06/17 11:26:47 | 000,017,488 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/11/24 21:20:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 21:20:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 21:20:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 21:19:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 21:18:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 21:17:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/10 20:18:27 | 000,279,712 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2009/09/10 20:18:27 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2009/09/10 19:06:47 | 000,721,904 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/08/31 18:18:16 | 005,891,584 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/07/15 01:50:10 | 004,407,808 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/04/01 08:58:32 | 000,093,184 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/03/31 01:41:44 | 000,039,424 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2008/08/19 14:17:54 | 005,854,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/08/19 14:08:58 | 003,526,464 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtHDMI.sys -- (RTHDMIAzAudService)
DRV - [2008/08/05 20:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/01/04 15:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2004/02/09 14:06:22 | 000,015,360 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NetMotCM.sys -- (ndiscm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query="


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/06 15:31:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/16 16:27:01 | 000,000,000 | ---D | M]

[2009/08/17 12:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gamer\Application Data\Mozilla\Extensions
[2010/06/16 16:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gamer\Application Data\Mozilla\Firefox\Profiles\076hqbus.default\extensions
[2009/09/03 10:47:07 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Gamer\Application Data\Mozilla\Firefox\Profiles\076hqbus.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/05 17:19:36 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Gamer\Application Data\Mozilla\Firefox\Profiles\076hqbus.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/06/16 16:27:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/16 16:27:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/16 16:26:48 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/05 18:22:51 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [Aim] C:\Program Files\AIM\aim.exe (AOL Inc.)
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe File not found
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\Gamer\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Gamer\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\Gamer\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gamer\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/17 00:15:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/09/26 08:25:34 | 000,000,042 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/16 16:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/16 16:27:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/16 16:27:01 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/16 16:27:01 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/16 16:27:01 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/16 16:27:01 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/16 16:27:01 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/16 16:20:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/06/16 16:18:23 | 016,295,712 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Gamer\My Documents\jre-6u20-windows-i586.exe
[2010/06/15 21:32:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gamer\My Documents\Electronic Arts
[2010/06/15 20:36:28 | 000,000,000 | ---D | C] -- C:\ProgramData
[2010/06/15 20:36:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2010/06/15 20:15:07 | 000,447,752 | R--- | C] (On2.com) -- C:\WINDOWS\System32\vp6vfw.dll
[2010/06/15 20:15:06 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft WSE
[2010/06/15 20:10:57 | 000,000,000 | ---D | C] -- C:\Program Files\Electronic Arts
[2010/06/15 20:06:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gamer\Application Data\Ahead
[2010/06/14 21:05:24 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gamer\Desktop\OTL.exe
[2010/06/09 16:11:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/05 18:24:14 | 000,000,000 | --SD | C] -- C:\WINDOWS\Cookies
[2010/06/05 18:20:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/05 18:15:59 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/05 18:15:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/05 18:15:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/05 18:15:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/05 18:15:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/05 18:12:33 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/05 15:49:58 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2010/06/05 15:47:38 | 000,923,280 | ---- | C] (Uniblue ) -- C:\Documents and Settings\Gamer\My Documents\processscanner.exe
[2010/06/01 22:54:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gamer\Application Data\Malwarebytes
[2010/06/01 22:54:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/01 22:54:30 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/01 22:54:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/01 22:54:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/26 15:26:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gamer\My Documents\Transcript
[2010/05/19 18:48:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gamer\Local Settings\Application Data\DarkRoom
[2010/05/19 18:47:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gamer\My Documents\Dark Room 0.8b
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/17 11:26:54 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/17 11:26:47 | 000,017,488 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2010/06/17 11:26:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/17 11:26:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/17 11:25:24 | 010,223,616 | -H-- | M] () -- C:\Documents and Settings\Gamer\NTUSER.DAT
[2010/06/17 11:25:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Gamer\ntuser.ini
[2010/06/17 11:25:10 | 000,000,188 | ---- | M] () -- C:\Documents and Settings\Gamer\defogger_reenable
[2010/06/17 11:24:51 | 000,134,656 | ---- | M] () -- C:\Documents and Settings\Gamer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/16 20:16:50 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/06/16 19:44:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/16 16:29:18 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/16 16:29:18 | 000,433,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/16 16:29:18 | 000,067,768 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/16 16:26:47 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/16 16:26:47 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/16 16:26:47 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/16 16:26:47 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/16 16:26:47 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/16 16:18:54 | 016,295,712 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Gamer\My Documents\jre-6u20-windows-i586.exe
[2010/06/15 21:21:47 | 000,001,911 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 High-End Loft Stuff.lnk
[2010/06/15 21:11:10 | 000,001,839 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 Ambitions.lnk
[2010/06/15 21:00:51 | 000,001,883 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 World Adventures.lnk
[2010/06/15 20:54:05 | 000,001,920 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3.lnk
[2010/06/14 21:05:25 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gamer\Desktop\OTL.exe
[2010/06/14 16:27:38 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/10 14:47:11 | 000,122,136 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 03:03:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/09 16:16:31 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Gamer\Desktop\gmer.zip
[2010/06/09 16:10:55 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Gamer\Desktop\dds.scr
[2010/06/05 20:05:52 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\Defogger.exe
[2010/06/05 18:22:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/05 18:22:51 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/05 18:20:28 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/05 15:54:14 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/05 15:49:58 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Gamer\Desktop\ProcessScanner.lnk
[2010/06/05 15:47:38 | 000,923,280 | ---- | M] (Uniblue ) -- C:\Documents and Settings\Gamer\My Documents\processscanner.exe
[2010/06/05 15:40:14 | 003,702,826 | R--- | M] () -- C:\Documents and Settings\Gamer\My Documents\ComboFix.exe
[2010/06/04 22:36:05 | 000,019,086 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\Confession.odt
[2010/06/01 22:54:33 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/28 14:33:22 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\Autobiography.doc
[2010/05/26 15:26:57 | 000,022,035 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\Transcript.zip
[2010/05/21 22:17:56 | 000,038,400 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\Awakening + First chamber escape.doc
[2010/05/20 16:40:20 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\Lucas' Resume2009.doc
[2010/05/20 16:34:14 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\LetterofRecommendation.doc
[2010/05/20 16:34:04 | 000,013,892 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\LetterofRecommendation.odt
[2010/05/19 18:47:33 | 000,047,289 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\dark_room_0.8b.zip
[2010/05/19 16:06:39 | 000,021,831 | ---- | M] () -- C:\Documents and Settings\Gamer\My Documents\Autobiography.odt
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/17 11:25:02 | 000,000,188 | ---- | C] () -- C:\Documents and Settings\Gamer\defogger_reenable
[2010/06/15 21:21:47 | 000,001,911 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 High-End Loft Stuff.lnk
[2010/06/15 21:11:10 | 000,001,839 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 Ambitions.lnk
[2010/06/15 21:00:51 | 000,001,883 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 World Adventures.lnk
[2010/06/15 20:54:05 | 000,001,920 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3.lnk
[2010/06/09 16:16:46 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Gamer\Desktop\gmer.exe
[2010/06/09 16:16:30 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Gamer\Desktop\gmer.zip
[2010/06/05 20:10:27 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Gamer\Desktop\dds.scr
[2010/06/05 20:05:52 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\Defogger.exe
[2010/06/05 18:20:28 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/05 18:20:25 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/05 18:15:59 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/05 18:15:59 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/05 18:15:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/05 18:15:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/05 18:15:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/05 15:49:58 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Gamer\Desktop\ProcessScanner.lnk
[2010/06/05 15:40:10 | 003,702,826 | R--- | C] () -- C:\Documents and Settings\Gamer\My Documents\ComboFix.exe
[2010/06/04 22:36:05 | 000,019,086 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\Confession.odt
[2010/06/01 22:54:33 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/26 15:26:57 | 000,022,035 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\Transcript.zip
[2010/05/21 22:17:55 | 000,038,400 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\Awakening + First chamber escape.doc
[2010/05/20 16:34:14 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\LetterofRecommendation.doc
[2010/05/20 16:30:53 | 000,013,892 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\LetterofRecommendation.odt
[2010/05/19 18:47:33 | 000,047,289 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\dark_room_0.8b.zip
[2010/05/19 16:07:58 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Gamer\My Documents\Autobiography.doc
[2010/02/24 16:22:53 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2010/02/24 16:22:53 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/09/10 20:18:27 | 000,279,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009/09/10 20:18:27 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/09/05 13:13:30 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/04 20:07:43 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/09/03 23:40:34 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/09/03 23:40:34 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/09/03 23:40:33 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/09/03 23:40:33 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/09/03 23:40:33 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/09/03 23:40:32 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/09/03 23:40:32 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/08/16 15:37:50 | 000,000,139 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/08/16 15:37:25 | 002,115,816 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/08/16 15:19:55 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/08/03 00:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/08/19 14:17:45 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
< End of report >

OTL Extras logfile created on: 17/06/2010 11:29:02 AM - Run 2
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Gamer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 596.16 Gb Total Space | 349.96 Gb Free Space | 58.70% Space Free | Partition Type: NTFS
Drive D: | 339.84 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GAMEON
Current User Name: Gamer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Gigabyte\EasySaver\UpdExe.exe" = C:\Program Files\Gigabyte\EasySaver\UpdExe.exe:*:Disabled:Exe File -- (GIGABYTE)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)
"C:\Program Files\Dragon Age Origins Character Creator\bin_ship\DAOCharacterCreator.exe" = C:\Program Files\Dragon Age Origins Character Creator\bin_ship\DAOCharacterCreator.exe:*:Enabled:Dragon Age Origins Character Creator -- (BioWare)
"C:\Program Files\Dragon Age Origins Character Creator\DAOriginsLauncher.exe" = C:\Program Files\Dragon Age Origins Character Creator\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Character Creator Launcher -- (BioWare)
"C:\Program Files\Dragon Age\bin_ship\daorigins.exe" = C:\Program Files\Dragon Age\bin_ship\daorigins.exe:*:Enabled:Dragon Age Origins Game -- (BioWare)
"C:\Program Files\Dragon Age\DAOriginsLauncher.exe" = C:\Program Files\Dragon Age\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Launcher -- (BioWare)
"C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe" = C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe:*:Enabled:Dragon Age Origins Updater -- (BioWare)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam 732897 -- (Valve Corporation)
"C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe" = C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2 -- ()
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)
"C:\Program Files\SPSSInc\PASWStatistics18\paswstat.com" = C:\Program Files\SPSSInc\PASWStatistics18\paswstat.com:*:Disabled:Statistics18:com -- (SPSS Inc.)
"C:\Program Files\SPSSInc\PASWStatistics18\paswstat.exe" = C:\Program Files\SPSSInc\PASWStatistics18\paswstat.exe:*:Disabled:Statistics18:exe -- (SPSS Inc.)
"C:\Program Files\SPSSInc\PASWStatistics18\WinWrapIDE.exe" = C:\Program Files\SPSSInc\PASWStatistics18\WinWrapIDE.exe:*:Disabled:SPSS Basic Script Editor -- (SPSS Inc.)
"C:\Program Files\StarCraft II Beta\StarCraft II.exe" = C:\Program Files\StarCraft II Beta\StarCraft II.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base14803\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base14803\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base15097\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15097\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base15133\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15133\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe" = C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer -- ()
"C:\Program Files\StarCraft II Beta\Versions\Base15250\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15250\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base15392\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15392\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base15449\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15449\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base15580\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15580\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base15623\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15623\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II Beta\Versions\Base15655\SC2.exe" = C:\Program Files\StarCraft II Beta\Versions\Base15655\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B9.0410.1
"{0AACB61D-9A82-6836-2840-28D0CF08781B}" = Catalyst Control Center Graphics Light
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{221BCE94-499E-21A9-4744-364294430D6A}" = Catalyst Control Center Graphics Full New
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2A59A62D-09BA-E4CF-C7C2-E30332CE50F1}" = ccc-core-static
"{2AEB1EAF-9E1C-4361-8562-5AC7AE6AC177}" = ATI AVIVO Codecs
"{2C04F12D-9AE2-B73C-17F7-A906A3D0C147}" = Catalyst Control Center HydraVision Full
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A85E968-9E24-0AE4-BC49-1614E86F0A50}" = Catalyst Control Center Graphics Previews Common
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{71828142-5A24-4BD0-97E7-976DA08CE6CF}" = The Sims™ 3 High-End Loft Stuff
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76D92E84-A78B-2F37-E165-95BC732750E0}" = ccc-core-preinstall
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{8046A32C-88A7-45DA-B6D7-B6191E261033}" = Nero 7 Essentials
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{910F4A29-1134-49E0-AD8B-56E4A3152BD1}" = The Sims™ 3 Ambitions
"{92B79901-C57D-409F-8D2F-4E5337383569}" = OpenOffice.org 3.0
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2F166A0-F031-4E27-A057-C69733219434}_is1" = Runes of Magic
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4CF385A-2015-5236-C2DB-EF09DA2AEA6C}" = CCC Help English
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C25215FC-5900-48B0-B93C-8D3379027312}" = PASW Statistics 18
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D52ED371-E583-2A3F-C17C-2FC42E2D0077}" = Catalyst Control Center Graphics Full Existing
"{D5A11B8A-2A7B-2BED-E05F-2318C83A771B}" = ccc-utility
"{D8B5B7C3-47B1-40FA-8251-59C74A543880}" = Dragon Age: Origins Character Creator
"{D9D93D74-107D-4BD3-87D0-AABCF7C98BD5}" = Catalyst Control Center - Branding
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F58DBB36-F623-048A-0780-4FFDEA2486CA}" = Catalyst Control Center Core Implementation
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Age of Conan_is1" = Age of Conan - Hyborian Adventures
"AIM_7" = AIM 7
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner (remove only)
"Champions Online" = Champions Online
"DivX Setup.divx.com" = DivX Setup
"HDMI" = Intel® Graphics Media Accelerator Driver
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.1.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"ProcessScanner_is1" = Uniblue ProcessScanner
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Star Trek Online" = Star Trek Online
"StarCraft II Beta" = StarCraft II Beta
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 440" = Team Fortress 2
"Total Video Converter 3.61_is1" = Total Video Converter 3.61 100319
"uTorrent" = µTorrent
"VLC media player" = VLC media player 0.9.9
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 16/11/2009 1:13:39 PM | Computer Name = GAMEON | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://imageserver.ebscohost.com.qe2a-prox...stController.js
failed, 0000A413.

Error - 16/11/2009 3:50:40 PM | Computer Name = GAMEON | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://imageserver.ebscohost.com.qe2a-prox...stController.js
failed, 0000A413.

Error - 13/05/2010 7:07:19 PM | Computer Name = GAMEON | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://70.38.38.52/total-video-converter/tvc.exe failed, 00000084.

[ Application Events ]
Error - 28/04/2010 5:18:01 PM | Computer Name = GAMEON | Source = Windows Live Messenger | ID = 1000
Description =

Error - 06/05/2010 4:16:56 PM | Computer Name = GAMEON | Source = Application Hang | ID = 1002
Description = Hanging application SC2.exe, version 0.13.0.15250, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 07/05/2010 10:07:59 AM | Computer Name = GAMEON | Source = Application Hang | ID = 1002
Description = Hanging application aim.exe, version 7.1.6.4, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 13/05/2010 6:50:26 PM | Computer Name = GAMEON | Source = Application Hang | ID = 1002
Description = Hanging application mplayerc.exe, version 1.2.1008.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 30/05/2010 3:58:19 PM | Computer Name = GAMEON | Source = Windows Live Messenger | ID = 1000
Description =

Error - 31/05/2010 12:00:41 PM | Computer Name = GAMEON | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 02/06/2010 1:26:12 PM | Computer Name = GAMEON | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3725, faulting module
npswf32.dll, version 10.0.32.18, fault address 0x0004f2df.

Error - 05/06/2010 2:22:30 PM | Computer Name = GAMEON | Source = Application Hang | ID = 1002
Description = Hanging application ProcessScanner.exe, version 1.1.0.4, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 05/06/2010 2:30:49 PM | Computer Name = GAMEON | Source = Application Hang | ID = 1002
Description = Hanging application aim.exe, version 7.2.6.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 05/06/2010 4:50:51 PM | Computer Name = GAMEON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

[ System Events ]
Error - 05/06/2010 9:58:18 PM | Computer Name = GAMEON | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 05/06/2010 9:58:18 PM | Computer Name = GAMEON | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 05/06/2010 9:58:18 PM | Computer Name = GAMEON | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 05/06/2010 9:58:18 PM | Computer Name = GAMEON | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 05/06/2010 9:58:18 PM | Computer Name = GAMEON | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 05/06/2010 9:58:18 PM | Computer Name = GAMEON | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 05/06/2010 9:58:18 PM | Computer Name = GAMEON | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 05/06/2010 10:55:13 PM | Computer Name = GAMEON | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 05/06/2010 10:55:27 PM | Computer Name = GAMEON | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/06/2010 7:16:02 PM | Computer Name = GAMEON | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.11 for the Network Card with network
address 00241D56503F has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >


#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 18 June 2010 - 04:43 AM

Hi-

The system scans are coming back clean on infections, but I would like to run one more.

Since you don't have a XP CD, let's check to see if the file that ComboFix flagged with a size error has an infection or not. To do that we will use Jotti -

Before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link --> Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following file and click the Submit file button within Jotti.

c:\windows\system32\sfcfiles.dll

Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

In your reply, copy in the Jotti info and the MBAM report.

Thanks


Shannon
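Before uploading a file such as c:\windows\system32\sfcfiles.dll to a multi-engine scanner, it helps to record its exact size and cryptographic hashes: the hashes tie the scan verdict to this specific copy of the file (and can be looked up on VirusTotal without uploading), and the size can be compared against what a tool like ComboFix reported. The following is an added example, not part of Shannon's post or of any tool mentioned in the thread; the function names and the sample path are hypothetical.

```python
import hashlib
import os
import sys

# Added example (not from the thread): fingerprint a file before submitting it
# to Jotti/VirusTotal, so the verdict can be matched to this exact copy.
CHUNK = 1 << 16  # read 64 KiB at a time so large files do not need to fit in memory


def hash_bytes(data):
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_fingerprint(path):
    """Return the size in bytes plus MD5, SHA-1 and SHA-256 digests of `path`.

    The file is streamed in chunks; all three digests are updated from the same
    read so the hashes are guaranteed to describe one and the same content.
    """
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            size += len(block)
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {
        "path": path,
        "size": size,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def size_check(path, expected_size):
    """Compare the on-disk size with the size a scanning tool said it expected.

    A mismatch on a system file is worth a second look (it is the kind of
    "size error" a tool like ComboFix reports), but is not by itself proof of
    infection; service packs and hotfixes legitimately change file sizes.
    """
    actual = os.path.getsize(path)
    return {"expected": expected_size, "actual": actual, "matches": actual == expected_size}


if __name__ == "__main__":
    # Hypothetical default target; pass another path on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\sfcfiles.dll"
    for key, value in file_fingerprint(target).items():
        print(f"{key}: {value}")
```

Paste the SHA-256 into the scanner's search box first; if the exact file has already been analysed, the existing report is returned without an upload, and if not, upload it as Shannon describes.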

#14 TopHatSquid

TopHatSquid
  • Topic Starter

  • Members
  • 10 posts

Posted 19 June 2010 - 11:12 AM

Sorry for the delayed response.

0 out of 19 scanners found any malicious things in that file.

Here is the Malwarebytes log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4170

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

19/06/2010 5:47:10 AM
mbam-log-2010-06-19 (05-47-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 210962
Time elapsed: 35 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#15 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 19 June 2010 - 01:28 PM

Hi-

You need to update MBAM and run it again. Update 4170 is from the 4th of the month. You need update 4216 or later. Two weeks is a long time when you are checking for infections.

Thanks,


Shannon
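Shannon's point is that a clean MBAM result only means something if the definitions were current when the scan ran. The following is an added example, not from the thread or from Malwarebytes: it parses the header of an MBAM 1.46 log of the kind posted above (the sample below is constructed to match that format, with the day/month date order the poster's system uses), extracts the database version, scan time and detection counts, and flags the scan as stale when the database version is below a minimum the helper is told to require (4216 here, taken from the post). The function names and threshold argument are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample modelled on the MBAM 1.46 log pasted earlier in the thread.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4170

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

19/06/2010 5:47:10 AM
mbam-log-2010-06-19 (05-47-10).txt

Scan type: Full scan (C:\\|)
Objects scanned: 210962
Time elapsed: 35 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
"""

_DB_RE = re.compile(r"^Database version:\s*(\d+)$")
_TIME_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{1,2}:\d{2}:\d{2} [AP]M)$")
_OBJECTS_RE = re.compile(r"^Objects scanned:\s*(\d+)$")
# Only the summary lines carry a number; the later section headers of the
# same name ("Files Infected:") have no count and are therefore skipped.
_COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)$")


def parse_mbam_log(text):
    """Extract database version, scan time, objects scanned and detection counts."""
    info = {"database_version": None, "scan_time": None, "objects_scanned": None, "counts": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = _DB_RE.match(line)
        if m:
            info["database_version"] = int(m.group(1))
            continue
        m = _TIME_RE.match(line)
        if m:
            # The poster's logs use day/month/year (see "19/06/2010").
            info["scan_time"] = datetime.strptime(" ".join(m.groups()), "%d/%m/%Y %I:%M:%S %p")
            continue
        m = _OBJECTS_RE.match(line)
        if m:
            info["objects_scanned"] = int(m.group(1))
            continue
        m = _COUNT_RE.match(line)
        if m:
            info["counts"][m.group(1)] = int(m.group(2))
    return info


def assess_scan(info, minimum_db_version):
    """Decide whether a clean log can be trusted given a required definitions version."""
    findings = []
    stale = False
    if info["database_version"] is None:
        stale = True
        findings.append("no database version found in log; treat as unverified")
    elif info["database_version"] < minimum_db_version:
        stale = True
        findings.append(
            f"definitions stale: database {info['database_version']} is older than "
            f"required {minimum_db_version}; update MBAM and rerun the full scan"
        )
    detections = sum(info["counts"].values())
    if detections:
        findings.append(f"{detections} item(s) detected; post the log for review")
    return {"stale": stale, "detections": detections, "findings": findings}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for finding in assess_scan(parsed, minimum_db_version=4216)["findings"]:
        print(finding)
```

A "0 infected everywhere" log with a stale database gives the verdict "unverified", not "clean", which is exactly the distinction the reply above draws.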



