Unkown Downloads keep Appearing


43 replies to this topic

#1 CrisGer

CrisGer

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:02:58 PM

Posted 26 June 2010 - 02:18 PM

Recently I have kept finding four folders appearing in my Temporary Internet Files in the Network Service directory of my Documents and Settings, i.e. some program keeps downloading some adware stuff and I can't delete them... when at intervals or when I reboot and delete these four folders, they reappear. The active file appears to be called....

'preloadHandler.ashx' from hxxp://ch.fed.adecn.com

Today Avira found two infected suspect files in them and quarantined them as it could not delete them either.

So some kind of infection is active. Malwarebytes Anti-Malware can't get rid of it, nor can Spybot, and Avira just catches the occasional bad file.

Can you help? Logs posted and attached as usual. I have a new system, and will post the details once I get this posted, as I have used you guys with great success on my last system but it died. So this is the new one and is clean, or was until now.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 12:47:04.45 on Sat 06/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2512 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: gametap.com
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-30 11608]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\vmlaunch\BuddyVM.sys [2004-12-3 15872]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-30 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-30 60936]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-4-30 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2010-06-26 18:33:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-26 01:40:26 0 d-----w- c:\program files\The Adventure Company
2010-06-24 05:53:08 0 d-----w- C:\Ubisoft
2010-06-21 21:13:55 0 d-----w- c:\docume~1\chris\applic~1\NVIDIA
2010-06-21 20:47:23 0 d-----w- c:\program files\Venetica
2010-06-21 02:08:17 69 ----a-w- c:\windows\wininit.ini
2010-06-21 02:08:12 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-06-21 02:08:12 140800 ----a-w- c:\windows\system32\tm20dec.ax
2010-06-21 02:08:10 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2010-06-21 02:08:09 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-06-21 02:08:08 63488 ----a-w- c:\windows\system32\unam4ie.exe
2010-06-21 02:08:06 5672 ----a-w- c:\windows\system32\quartz.vxd
2010-06-21 02:08:06 194320 ----a-w- c:\windows\system32\qcut.dll
2010-06-21 02:08:06 11776 ----a-w- c:\windows\system32\mciqtz.drv
2010-06-21 02:08:06 10240 ----a-w- c:\windows\system32\vidx16.dll
2010-06-21 02:08:02 4608 ----a-r- c:\windows\system32\w95inf32.dll
2010-06-21 02:08:02 2272 ----a-r- c:\windows\system32\w95inf16.dll
2010-06-21 02:05:55 278581 ----a-w- c:\windows\system32\MSVCRT.1
2010-06-21 02:05:24 0 d-----w- c:\program files\Montparnasse Multimedia
2010-06-19 06:09:33 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-06-19 06:03:57 0 d-----w- c:\program files\Deus Ex - Invisible War
2010-06-19 03:56:47 0 d-----w- c:\program files\directx
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT46.tmp
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT45.tmp
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT44.tmp
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT43.tmp
2010-06-19 03:49:17 0 d-----w- C:\DeusEx
2010-06-19 03:19:14 0 d-----w- c:\docume~1\chris\applic~1\ScummVM
2010-06-19 03:17:44 0 d-----w- C:\KQ5
2010-06-19 03:16:07 0 d-----w- C:\SIERRA
2010-06-19 03:15:42 0 d-----w- C:\SamMaxCD
2010-06-19 03:15:31 0 d-----w- C:\loomcd
2010-06-19 03:15:10 0 d-----w- C:\Indiana Jones and the Fate of Atlantis
2010-06-19 03:14:41 0 d-----w- C:\K2
2010-06-19 03:14:33 0 d-----w- C:\K1
2010-06-17 22:10:36 0 d-----w- c:\program files\uTorrent
2010-06-17 22:10:28 0 d-----w- c:\docume~1\chris\applic~1\uTorrent
2010-06-17 20:35:50 54156 ---ha-w- c:\windows\QTFont.qfn
2010-06-17 20:35:50 1409 ----a-w- c:\windows\QTFont.for
2010-06-15 21:56:24 165376 ----a-w- c:\windows\system32\unrar.dll
2010-06-15 21:56:21 0 d-----w- c:\program files\K-Lite Codec Pack
2010-06-15 00:47:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-15 00:47:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-13 22:18:11 434688 ----a-w- c:\windows\system32\ss2uinst.exe
2010-06-13 22:16:24 0 d-----w- c:\program files\Kosmos
2010-06-13 01:39:50 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-12 20:17:56 388 ----a-w- c:\windows\system32\QuickTime.qtp
2010-06-12 20:17:53 0 d-----w- c:\windows\system32\QuickTime
2010-06-12 20:17:51 0 d-----w- c:\program files\QuickTime(2)
2010-06-09 18:05:20 0 d-----w- c:\program files\Deep Silver
2010-06-08 23:13:40 0 d-----w- c:\docume~1\chris\applic~1\nHancer
2010-06-08 23:13:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Caphyon
2010-06-08 23:13:22 0 d-----w- c:\program files\nHancer
2010-06-08 23:13:22 0 d-----w- c:\docume~1\alluse~1\applic~1\nHancer
2010-06-08 22:44:58 0 d-----w- C:\Anachronox
2010-06-08 22:11:56 0 d-----w- c:\program files\Vampire The Masquerade - Redemption
2010-06-08 20:53:59 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-06-08 20:53:59 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-06-08 20:49:24 0 d-----w- c:\program files\Aspyr
2010-06-06 20:56:21 0 d--h--w- c:\windows\PIF
2010-06-04 23:56:17 0 d-----w- c:\windows\system32\appmgmt
2010-06-04 01:02:15 0 d-----w- c:\program files\TatukGIS
2010-06-04 00:07:00 0 d-----w- c:\program files\MSECache
2010-06-02 04:26:01 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2010-06-02 04:26:01 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2010-06-02 04:26:01 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2010-06-02 04:26:01 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2010-06-02 04:26:00 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2010-06-02 04:26:00 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2010-06-02 04:26:00 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2010-06-02 04:26:00 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2010-06-02 04:26:00 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2010-06-02 04:26:00 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2010-06-02 04:25:59 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-06-02 04:25:59 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-06-02 04:25:59 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-06-02 04:25:59 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-06-02 04:25:59 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-06-02 04:25:59 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-06-02 04:25:58 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-06-02 04:25:58 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-05-31 23:43:23 754 ----a-w- c:\windows\WORDPAD.INI
2010-05-31 05:18:51 292 ----a-w- c:\windows\vtmb.ini
2010-05-31 05:07:54 0 d-----w- c:\program files\Activision
2010-05-30 17:24:20 0 d-----w- C:\games
2010-05-29 05:41:54 0 d-----w- c:\docume~1\chris\applic~1\ORTS
2010-05-27 22:46:42 0 d-----w- C:\cdtest

==================== Find3M ====================

2010-06-06 21:08:33 286720 ------w- c:\windows\Setup1.exe
2010-05-25 20:20:26 73216 ------w- c:\windows\ST6UNST.EXE
2010-05-19 05:21:48 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-19 05:14:11 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-19 05:14:11 22328 ----a-w- c:\docume~1\chris\applic~1\PnkBstrK.sys
2010-05-19 05:13:58 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-19 05:13:54 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-05-19 05:13:54 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-06 00:07:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-05 23:45:45 286720 ----a-w- c:\windows\iun507.exe
2010-05-02 07:12:17 379256 ----a-w- c:\program files\UnGEXUSACAN.exe
2010-05-02 07:12:17 14 ----a-w- c:\program files\settings.cfg
2010-05-01 00:16:06 32 ----a-w- c:\docume~1\alluse~1\applic~1\ezsid.dat
2010-04-30 22:43:56 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-30 22:43:56 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-30 00:00:30 40960 ------w- c:\windows\system32\ChCfg.exe
2010-04-30 00:00:30 208896 ------w- c:\windows\alcupd.exe
2010-04-30 00:00:29 9319936 ----a-w- c:\windows\system32\RTLCPL.EXE
2010-04-30 00:00:29 77824 ----a-w- c:\windows\SOUNDMAN.EXE
2010-04-30 00:00:29 156672 ----a-w- c:\windows\system32\RTLCPAPI.dll
2010-04-30 00:00:29 139264 ------w- c:\windows\alcrmv.exe
2010-04-30 00:00:28 2297664 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-04-29 21:55:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-29 21:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 04:55:32 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-04 04:55:32 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 04:55:32 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-04 04:55:32 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 04:55:32 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 04:55:32 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 04:55:32 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 04:55:32 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 04:55:32 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 04:55:32 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 04:55:32 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 04:55:32 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 01:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 01:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 01:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 01:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 01:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-03-31 06:00:46 86016 ----a-w- c:\windows\system32\frapsvid.dll

============= FINISH: 12:48:01.95 ===============

Had to do a separate post as the ark.txt file was too big for the attachments. Here it is...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-26 13:10:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\uxtdrpod.sys


---- System - GMER 1.0.15 ----

SSDT B86CE2C6 ZwCreateKey
SSDT B86CE2BC ZwCreateThread
SSDT B86CE2CB ZwDeleteKey
SSDT B86CE2D5 ZwDeleteValueKey
SSDT B86CE2DA ZwLoadKey
SSDT B86CE2A8 ZwOpenProcess
SSDT B86CE2AD ZwOpenThread
SSDT B86CE2E4 ZwReplaceKey
SSDT B86CE2DF ZwRestoreKey
SSDT B86CE2D0 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB723A380, 0x566445, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB4072300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8340300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1204] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F5000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3808] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3888] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\backup\Documents and Settings\Owner\My Documents\Game Design Resources\Dimitris Krokids Final Year Project\Max File\Project Max Final\Dimitris Krokids Final Year Project\Max File\Project Max Final\Program Files\Ubisoft\Crytek\Far Cry\MaxToSand\New Folder\sdk1.dds 2796344 bytes
File C:\backup\Documents and Settings\Owner\My Documents\Game Design Resources\Dimitris Krokids Final Year Project\Max File\Project Max Final\Dimitris Krokids Final Year Project\Max File\Project Max Final\Program Files\Ubisoft\Crytek\Far Cry\MaxToSand\New Folder\sdk2.dds 5592560 bytes
File C:\backup\Documents and Settings\Owner\My Documents\Game Design Resources\Dimitris Krokids Final Year Project\Max File\Project Max Final\Dimitris Krokids Final Year Project\Max File\Project Max Final\Program Files\Ubisoft\Crytek\Far Cry\Textures\glm\SHIPWRECK\basBasicHole_s.dds 87536 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 26 June 2010 - 02:57 PM.
Deactivate link. ~ OB

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin
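As an added example (not from this thread, and not GMER's own code): a small Python parser for the "User code sections" lines of the GMER log above. It groups the inline hooks by process and separates the ones GMER attributed to a module on disk (the IEFRAME.dll entries) from the ones whose JMP target it could not attribute, which is the part of such a log a malware responder reads first; the sample lines are copied from the log above, and the widely_hooked_functions() heuristic is my own, not GMER's.

```python
import re
from collections import defaultdict

# One "User code sections" line from a GMER 1.0.15 log. The trailing
# "<path> (<vendor>)" part is only present when GMER could attribute the
# JMP target to a module loaded from disk.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?P<op>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_module>\S+)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Sample input: six hook lines copied from the GMER log in the post above,
# plus a section header that the parser must skip.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1204] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F5000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
"""


def parse_hooks(log_text):
    """Return one dict per recognised hook line; every other line is skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hook = m.groupdict()
        hook["pid"] = int(hook["pid"])
        hook["size"] = int(hook["size"])
        # GMER names the owning module only when the target lies inside a
        # mapped image; a bare address means it points into memory GMER could
        # not tie to a file on disk, which is what an analyst follows up on.
        hook["attributed"] = hook["target_module"] is not None
        hooks.append(hook)
    return hooks


def unattributed_hooks(hooks):
    """Hooks whose JMP target GMER could not tie to a module on disk."""
    return [h for h in hooks if not h["attributed"]]


def summarize_by_process(hooks):
    """Per process: total hooks, unattributed hooks, and the functions involved."""
    summary = defaultdict(lambda: {"total": 0, "unattributed": 0, "functions": []})
    for h in hooks:
        key = f'{h["process"]}[{h["pid"]}]'
        entry = summary[key]
        entry["total"] += 1
        if not h["attributed"]:
            entry["unattributed"] += 1
            entry["functions"].append(f'{h["module"]}!{h["function"]}')
    return dict(summary)


def widely_hooked_functions(hooks, min_processes=2):
    """Functions with unattributed hooks in at least min_processes processes.

    The same API patched the same way in svchost, Explorer and every iexplore
    instance points at a system-wide injector rather than one bad process.
    Security software hooks this way too, so the result is a lead to verify
    (what owns the target memory?), not a verdict.
    """
    pids_by_function = defaultdict(set)
    for h in unattributed_hooks(hooks):
        pids_by_function[f'{h["module"]}!{h["function"]}'].add(h["pid"])
    return sorted(name for name, pids in pids_by_function.items()
                  if len(pids) >= min_processes)


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for proc, entry in summarize_by_process(hooks).items():
        print(f'{proc}: {entry["total"]} hooks, {entry["unattributed"]} unattributed')
    print("hooked in several processes:", widely_hooked_functions(hooks))
```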

#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:58 PM

Posted 01 July 2010 - 05:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado and California
  • Local time:02:58 PM

Posted 01 July 2010 - 11:58 PM

I know how busy you all get, and I have waited patiently, for I trust you and the staff here very much and wanted to get help when you all had time.

My system is still infected. I have scanned and tried every way I could to stop the incursion. But it continues. What happens is a SvcHost appears on the program list that gets bigger and bigger, until it usually gets to be about 150,000 on the list of activity. It opens up four folders in the Temporary Internet Files in either of two locations:

C/Documents and Settings/NetworkServices/Local Settings/Temporary Internet Files/Content.IE5 or

C/Documents and Settings/LocalServices/Local Settings/Temporary Internet Files/Content.IE5

In each location there are four folders that appear and a DAT file that has a whole bunch of code that gets really huge if I let it keep running for a while..... I don't understand any of that, but I can never delete that DAT file.. The first line of the DAT file is.... index.dat..... Client UrlCache MMF Ver 5.2

The four folders that are created are mentioned in the header of the DAT file. They are:

4AK031sT
9U027sOQ
AFE6NWDU
U8HDVB9R

In each folder are a lot of ad stuff, pictures and code, and my browser light on my router is flashing away busily even though I am not active. I suspect it may be a botnet that has taken over my computer. I found several bad files coming in, as I reported, as Avira caught them but could not delete them and had to move them to quarantine. That was when I went looking for anything bad, and found this going on through the internet. I cannot delete the folders when that svchost client is active, but if I turn it off I can delete them, but I have to then go into services and turn Audio back on manually.

I have scanned many times but can never find the source of this bad activity. I would like to know what sort of file to look for, because none of my antivirus can find it, and I would like to know how to stop this if it happens again.

I probably picked it up in my work on the net, for I visit a lot of sites in research on game design and go to a number of international sites regularly. I am careful about e-mail and any such stuff. But this infestation is something I cannot deal with with the resources I have. Any help much appreciated.

Logs attached and posted as requested. I have no secure information on this computer, and it is a new system that was just built for me a month ago, so it is a new install, and was totally clean before this happened. I run Avira, and use Malware Antimalwarebytes, the free version, to check for bad things and Spybot to check for adware. None of them seem to work on this problem. Any help much appreciated.

The GMER scan takes a long time on my system as I have a lot of files and programs installed, so I am going to post the initial DDS logs and the first part of the GMER scan and will update it when it finishes, so we can possibly take a look at my system ASAP, as I am very uncomfortable allowing an intruding SvcHost to run .. and so I have to keep turning off the internet connection to delete the four folders and then do it again once I start up the internet... thanks

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 22:28:09.48 on Thu 07/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2534 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: gametap.com
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-30 11608]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\vmlaunch\BuddyVM.sys [2004-12-3 15872]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-30 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-30 60936]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-4-30 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2010-07-01 04:06:09 0 d-----w- C:\lib
2010-06-30 11:58:38 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-30 11:54:46 0 d--h--w- c:\windows\system32\wins
2010-06-27 23:14:06 56832 ----a-w- c:\windows\system32\IYVU9_32.DLL
2010-06-27 23:14:06 143872 ----a-w- c:\windows\system32\IACENC.DLL
2010-06-27 22:01:12 0 d-----w- c:\program files\Womble Multimedia
2010-06-26 18:33:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-26 01:40:26 0 d-----w- c:\program files\The Adventure Company
2010-06-24 05:53:08 0 d-----w- C:\Ubisoft
2010-06-21 21:13:55 0 d-----w- c:\docume~1\chris\applic~1\NVIDIA
2010-06-21 20:47:23 0 d-----w- c:\program files\Venetica
2010-06-21 02:08:17 69 ----a-w- c:\windows\wininit.ini
2010-06-21 02:08:12 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-06-21 02:08:12 140800 ----a-w- c:\windows\system32\tm20dec.ax
2010-06-21 02:08:10 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2010-06-21 02:08:09 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-06-21 02:08:08 63488 ----a-w- c:\windows\system32\unam4ie.exe
2010-06-21 02:08:06 5672 ----a-w- c:\windows\system32\quartz.vxd
2010-06-21 02:08:06 194320 ----a-w- c:\windows\system32\qcut.dll
2010-06-21 02:08:06 11776 ----a-w- c:\windows\system32\mciqtz.drv
2010-06-21 02:08:06 10240 ----a-w- c:\windows\system32\vidx16.dll
2010-06-21 02:08:02 4608 ----a-r- c:\windows\system32\w95inf32.dll
2010-06-21 02:08:02 2272 ----a-r- c:\windows\system32\w95inf16.dll
2010-06-21 02:05:55 278581 ----a-w- c:\windows\system32\MSVCRT.1
2010-06-21 02:05:24 0 d-----w- c:\program files\Montparnasse Multimedia
2010-06-19 06:09:33 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-06-19 06:03:57 0 d-----w- c:\program files\Deus Ex - Invisible War
2010-06-19 03:56:47 0 d-----w- c:\program files\directx
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT46.tmp
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT45.tmp
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT44.tmp
2010-06-19 03:56:47 0 ----a-w- c:\windows\DXT43.tmp
2010-06-19 03:49:17 0 d-----w- C:\DeusEx
2010-06-19 03:19:14 0 d-----w- c:\docume~1\chris\applic~1\ScummVM
2010-06-19 03:17:44 0 d-----w- C:\KQ5
2010-06-19 03:16:07 0 d-----w- C:\SIERRA
2010-06-19 03:15:42 0 d-----w- C:\SamMaxCD
2010-06-19 03:15:31 0 d-----w- C:\loomcd
2010-06-19 03:15:10 0 d-----w- C:\Indiana Jones and the Fate of Atlantis
2010-06-19 03:14:41 0 d-----w- C:\K2
2010-06-19 03:14:33 0 d-----w- C:\K1
2010-06-17 20:35:50 54156 ---ha-w- c:\windows\QTFont.qfn
2010-06-17 20:35:50 1409 ----a-w- c:\windows\QTFont.for
2010-06-15 21:56:24 165376 ----a-w- c:\windows\system32\unrar.dll
2010-06-15 21:56:21 0 d-----w- c:\program files\K-Lite Codec Pack
2010-06-15 00:47:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-15 00:47:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-13 22:18:11 434688 ----a-w- c:\windows\system32\ss2uinst.exe
2010-06-13 22:16:24 0 d-----w- c:\program files\Kosmos
2010-06-12 20:17:56 388 ----a-w- c:\windows\system32\QuickTime.qtp
2010-06-12 20:17:53 0 d-----w- c:\windows\system32\QuickTime
2010-06-12 20:17:51 0 d-----w- c:\program files\QuickTime(2)
2010-06-09 18:05:20 0 d-----w- c:\program files\Deep Silver
2010-06-08 23:13:40 0 d-----w- c:\docume~1\chris\applic~1\nHancer
2010-06-08 23:13:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Caphyon
2010-06-08 23:13:22 0 d-----w- c:\program files\nHancer
2010-06-08 23:13:22 0 d-----w- c:\docume~1\alluse~1\applic~1\nHancer
2010-06-08 22:44:58 0 d-----w- C:\Anachronox
2010-06-08 22:11:56 0 d-----w- c:\program files\Vampire The Masquerade - Redemption
2010-06-08 20:53:59 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-06-08 20:53:59 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-06-08 20:49:24 0 d-----w- c:\program files\Aspyr
2010-06-06 20:56:21 0 d--h--w- c:\windows\PIF
2010-06-04 23:56:17 0 d-----w- c:\windows\system32\appmgmt
2010-06-04 01:02:15 0 d-----w- c:\program files\TatukGIS
2010-06-04 00:07:00 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

2010-06-06 21:08:33 286720 ------w- c:\windows\Setup1.exe
2010-05-25 20:20:26 73216 ------w- c:\windows\ST6UNST.EXE
2010-05-19 05:21:48 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-19 05:14:11 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-19 05:14:11 22328 ----a-w- c:\docume~1\chris\applic~1\PnkBstrK.sys
2010-05-19 05:13:58 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-19 05:13:54 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-05-19 05:13:54 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-06 00:07:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-05 23:45:45 286720 ----a-w- c:\windows\iun507.exe
2010-05-02 07:12:17 379256 ----a-w- c:\program files\UnGEXUSACAN.exe
2010-05-02 07:12:17 14 ----a-w- c:\program files\settings.cfg
2010-05-01 00:16:06 32 ----a-w- c:\docume~1\alluse~1\applic~1\ezsid.dat
2010-04-30 22:43:56 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-30 22:43:56 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-30 00:00:30 40960 ------w- c:\windows\system32\ChCfg.exe
2010-04-30 00:00:30 208896 ------w- c:\windows\alcupd.exe
2010-04-30 00:00:29 9319936 ----a-w- c:\windows\system32\RTLCPL.EXE
2010-04-30 00:00:29 77824 ----a-w- c:\windows\SOUNDMAN.EXE
2010-04-30 00:00:29 156672 ----a-w- c:\windows\system32\RTLCPAPI.dll
2010-04-30 00:00:29 139264 ------w- c:\windows\alcrmv.exe
2010-04-29 21:55:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-04 04:55:32 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-04 04:55:32 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 04:55:32 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-04 04:55:32 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 04:55:32 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 04:55:32 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 04:55:32 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 04:55:32 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 04:55:32 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 04:55:32 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 04:55:32 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 04:55:32 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 01:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 01:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 01:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 01:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 01:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll

============= FINISH: 22:29:07.06 ===============


GMER log...initial part....

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-01 22:33:57
Windows 5.1.2600 Service Pack 3
Running: xon2924f.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\uxtdrpod.sys


---- System - GMER 1.0.15 ----

SSDT B86CD876 ZwCreateKey
SSDT B86CD86C ZwCreateThread
SSDT B86CD87B ZwDeleteKey
SSDT B86CD885 ZwDeleteValueKey
SSDT B86CD88A ZwLoadKey
SSDT B86CD858 ZwOpenProcess
SSDT B86CD85D ZwOpenThread
SSDT B86CD894 ZwReplaceKey
SSDT B86CD88F ZwRestoreKey
SSDT B86CD880 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB723A380, 0x566445, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB4235300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8430300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[644] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[644] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1208] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\backup\Documents and Settings\Owner\My Documents\Game Design Resources\Dimitris Krokids Final Year Project\Max File\Project Max Final\Dimitris Krokids Final Year Project\Max File\Project Max Final\Program Files\Ubisoft\Crytek\Far Cry\MaxToSand\New Folder\sdk1.dds 2796344 bytes
File C:\backup\Documents and Settings\Owner\My Documents\Game Design Resources\Dimitris Krokids Final Year Project\Max File\Project Max Final\Dimitris Krokids Final Year Project\Max File\Project Max Final\Program Files\Ubisoft\Crytek\Far Cry\MaxToSand\New Folder\sdk2.dds 5592560 bytes
File C:\backup\Documents and Settings\Owner\My Documents\Game Design Resources\Dimitris Krokids Final Year Project\Max File\Project Max Final\Dimitris Krokids Final Year Project\Max File\Project Max Final\Program Files\Ubisoft\Crytek\Far Cry\Textures\glm\SHIPWRECK\basBasicHole_s.dds 87536 bytes
Will update when it is done....

The attach log attachment process failed; I will put it on my archive and post a link here...
Attach Log
http://www.filefront.com/16934593/Attach.zip/

Edited by CrisGer, 02 July 2010 - 12:01 AM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin
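As an added triage example for the GMER "User code sections" lines posted above (this is not code from the thread, from the helper, or from GMER itself), the Python script below parses hook lines of the form GMER prints, groups them per process, and separates JMP targets that GMER attributed to a named module (IEFRAME.dll in the log) from targets it could not attribute. The sample lines are a subset copied from the log above; the regular expression and the interpretation rules (a hook set identical in every process usually points at one system-wide agent such as an on-access scanner, while a hook present in a single process deserves a closer look) are assumptions of this example, not something the thread states.

```python
"""Triage helper for GMER "User code sections" lines.

Added example for this thread; it is not GMER's code and not part of the
original posts.  Each hook line has the shape

  .text <image>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owner> (<description>)]

GMER appends an owner path when it can attribute the JMP target to a loaded
module (IEFRAME.dll in the log above).  A target with no owner lands in memory
GMER could not attribute.  Such hooks are triage items, not verdicts: a hook
set that is identical in every process usually comes from one system-wide
agent (on-access scanners are a common source), while a hook that shows up in
a single process is the one worth a closer look.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)

IEFRAME = r"C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)"

# Sample input: a subset of the lines from the GMER log posted above.
SAMPLE_LOG = [
    "---- User code sections - GMER 1.0.15 ----",
    r".text C:\WINDOWS\Explorer.EXE[644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A",
    r".text C:\WINDOWS\Explorer.EXE[644] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A",
    r".text C:\WINDOWS\Explorer.EXE[644] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C",
    r".text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A",
    r".text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A",
    r".text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C",
    r".text C:\WINDOWS\System32\svchost.exe[1208] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FD000A",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3340] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 " + IEFRAME,
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 " + IEFRAME,
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3448] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 " + IEFRAME,
]


def parse_hook(line):
    """Return a dict for one hook line, or None for headers and other text."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["size"] = int(hook["size"])
    return hook


def group_by_process(lines):
    """Map (image path, pid) -> list of parsed hooks for that process."""
    groups = defaultdict(list)
    for line in lines:
        hook = parse_hook(line)
        if hook:
            groups[(hook["image"], hook["pid"])].append(hook)
    return dict(groups)


def hook_summary(lines):
    """Per process: total hooks, unattributed module!function names, attributed owners."""
    summary = {}
    for key, hooks in group_by_process(lines).items():
        summary[key] = {
            "total": len(hooks),
            "unattributed": sorted(f"{h['module']}!{h['func']}" for h in hooks if h["owner"] is None),
            "owners": sorted({h["owner"] for h in hooks if h["owner"]}),
        }
    return summary


def common_unattributed(lines):
    """Unattributed hooks present in every process (a system-wide pattern)."""
    sets = [set(s["unattributed"]) for s in hook_summary(lines).values()]
    return set.intersection(*sets) if sets else set()


def per_process_only(lines):
    """Unattributed hooks seen in exactly one process: the closer-look candidates."""
    seen = defaultdict(set)
    for key, s in hook_summary(lines).items():
        for name in s["unattributed"]:
            seen[name].add(key)
    return {name: sorted(keys) for name, keys in seen.items() if len(keys) == 1}


if __name__ == "__main__":
    for (image, pid), s in sorted(hook_summary(SAMPLE_LOG).items()):
        print(f"{image}[{pid}]: {s['total']} hooks; unattributed: {', '.join(s['unattributed']) or 'none'}")
    print("unattributed in every process:", sorted(common_unattributed(SAMPLE_LOG)))
    print("unattributed in one process only:", per_process_only(SAMPLE_LOG))
```

Run against the sample, the three ntdll hooks come out as common to Explorer, svchost and both IE instances, while ole32.dll!CoCreateInstance is unattributed only in svchost (in IEXPLORE.EXE the same export is hooked by IEFRAME.dll and is attributed). That split is the point of the script: it sorts the hook list into "probably one agent everywhere" and "check this one", which is what a helper would want before asking for a ComboFix log.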

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 03 July 2010 - 06:47 AM

Hello, CrisGer
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#5 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California

Posted 03 July 2010 - 05:05 PM

Hi Tom

Thank you for your help, it is much appreciated. I already had hidden files set to show.

I ran Combofix and will post the log... just want to note several things:

It took about 3 hours. I checked back and it was hung up on the blue window at the 50 file, so I checked Program Manager and the system was at 100 percent, Acrobat Acro32 was running and taking up resources and that svchost was up to a big number ... so I shut them both down and then Combofix finished up and did the log. I tried to go online to post it but got an internet connection missing notice, and also a notice that IE was not my default browser. So I ran the Windows diagnostic and it repaired my Winsock.

So some part of the scan process killed my connection to IE.... and started up Acro32, or it is a phoney program.... maybe. I disabled my antivirus but am turning it back on now.

UPDATE: AcroRd32 just started up again on its own and was up to over 200,00 k in the program manager.... I will delete Adobe Acrobat to see if that helps, but it may be a pirate program ..

UPDATE UPDATE... I remembered too late you said NOT to delete or change anything.. so I decided to return to the last restore point and do it all over, so I did. Restored, and reinstalled Combofix; this time it ran fast, and here below is the log:

ComboFix 10-07-03.01 - Chris 07/03/2010 17:41:45.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2591 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\Schraumber.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-01 04:06 . 2010-07-01 04:06 -------- d-----w- C:\lib
2010-06-30 11:54 . 2010-06-30 11:54 -------- d--h--w- c:\windows\system32\wins
2010-06-30 09:43 . 2010-06-30 09:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-06-28 18:06 . 2010-06-28 18:06 0 ----a-w- c:\windows\nsreg.dat
2010-06-27 23:14 . 1998-05-08 11:57 143872 ----a-w- c:\windows\system32\IACENC.DLL
2010-06-27 23:14 . 1997-06-14 09:56 56832 ----a-w- c:\windows\system32\IYVU9_32.DLL
2010-06-27 22:01 . 2010-06-27 22:01 -------- d-----w- c:\program files\Womble Multimedia
2010-06-26 18:33 . 2010-06-26 18:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-26 18:33 . 2010-07-03 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-26 01:40 . 2010-06-26 01:40 -------- d-----w- c:\program files\The Adventure Company
2010-06-24 05:53 . 2010-06-24 05:53 -------- d-----w- C:\Ubisoft
2010-06-21 21:13 . 2010-06-21 21:13 -------- d-----w- c:\documents and settings\Chris\Application Data\NVIDIA
2010-06-21 20:47 . 2010-06-22 06:28 -------- d-----w- c:\program files\Venetica
2010-06-21 20:26 . 2010-06-21 20:26 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Ahead
2010-06-21 02:08 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-06-21 02:08 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2010-06-21 02:08 . 2008-04-14 11:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-06-21 02:08 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2010-06-21 02:08 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2010-06-21 02:08 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll
2010-06-21 02:08 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2010-06-21 02:08 . 1999-04-15 19:10 4608 ----a-r- c:\windows\system32\w95inf32.dll
2010-06-21 02:08 . 1999-04-15 19:10 2272 ----a-r- c:\windows\system32\w95inf16.dll
2010-06-21 02:05 . 2010-06-21 02:05 -------- d-----w- c:\program files\Montparnasse Multimedia
2010-06-19 06:09 . 2010-06-19 06:09 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-06-19 06:03 . 2010-06-21 21:17 -------- d-----w- c:\program files\Deus Ex - Invisible War
2010-06-19 03:56 . 2010-06-19 03:56 -------- d-----w- c:\program files\directx
2010-06-19 03:49 . 2010-06-21 20:36 -------- d-----w- C:\DeusEx
2010-06-19 03:19 . 2010-06-19 03:19 -------- d-----w- c:\documents and settings\Chris\Application Data\ScummVM
2010-06-19 03:17 . 2010-06-19 03:17 -------- d-----w- C:\KQ5
2010-06-19 03:16 . 2010-06-19 03:16 -------- d-----w- C:\SIERRA
2010-06-19 03:15 . 2010-06-19 03:15 -------- d-----w- C:\SamMaxCD
2010-06-19 03:15 . 2010-06-19 03:15 -------- d-----w- C:\loomcd
2010-06-19 03:15 . 2010-06-19 03:15 -------- d-----w- C:\Indiana Jones and the Fate of Atlantis
2010-06-19 03:14 . 2010-06-19 03:14 -------- d-----w- C:\K2
2010-06-19 03:14 . 2010-06-19 03:14 -------- d-----w- C:\K1
2010-06-15 21:56 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-06-15 21:56 . 2010-06-15 21:56 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-06-15 21:47 . 2010-06-15 21:47 -------- d-----w- c:\documents and settings\Chris\Application Data\vlc
2010-06-15 00:47 . 2010-06-15 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-15 00:47 . 2010-06-15 01:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-13 22:18 . 2010-06-13 22:17 434688 ----a-w- c:\windows\system32\ss2uinst.exe
2010-06-13 22:16 . 2010-06-13 22:18 -------- d-----w- c:\program files\Kosmos
2010-06-12 20:17 . 2010-06-12 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-06-12 20:17 . 2010-06-13 01:38 -------- d-----w- c:\windows\system32\QuickTime
2010-06-12 20:17 . 2010-06-13 01:38 -------- d-----w- c:\program files\QuickTime(2)
2010-06-09 18:05 . 2010-06-15 14:01 -------- d-----w- c:\program files\Deep Silver
2010-06-08 23:13 . 2010-06-08 23:13 -------- d-----w- c:\documents and settings\Chris\Application Data\nHancer
2010-06-08 23:13 . 2010-06-08 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-06-08 23:13 . 2010-06-08 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Caphyon
2010-06-08 23:13 . 2010-06-08 23:12 1040198 ----a-w- c:\documents and settings\All Users\Application Data\Caphyon\Advanced Installer\{7D66915F-05FF-4F59-B2D3-AA2E58506F72}\nHancer32Setup.exe
2010-06-08 23:13 . 2010-06-08 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
2010-06-08 23:13 . 2010-06-08 23:13 -------- d-----w- c:\program files\nHancer
2010-06-08 22:44 . 2010-06-08 23:58 -------- d-----w- C:\Anachronox
2010-06-08 22:11 . 2010-06-10 00:19 -------- d-----w- c:\program files\Vampire The Masquerade - Redemption
2010-06-08 20:53 . 2010-06-08 20:53 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-06-08 20:53 . 2010-06-08 20:53 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-06-08 20:49 . 2010-06-08 20:49 -------- d-----w- c:\program files\Aspyr
2010-06-06 20:56 . 2010-06-06 20:56 -------- d--h--w- c:\windows\PIF
2010-06-04 01:02 . 2010-06-04 01:02 -------- d-----w- c:\program files\TatukGIS
2010-06-04 00:07 . 2010-06-04 00:12 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 23:35 . 2010-05-01 00:11 -------- d-----w- c:\documents and settings\Chris\Application Data\Skype
2010-07-03 23:15 . 2010-05-01 01:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-03 23:13 . 2010-05-01 00:16 -------- d-----w- c:\documents and settings\Chris\Application Data\skypePM
2010-07-01 07:44 . 2010-04-30 00:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 03:58 . 2010-05-01 03:20 -------- d-----w- c:\program files\Uru Live
2010-06-29 16:47 . 2010-06-29 22:27 170756 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-26 19:15 . 2010-05-01 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-06-25 05:47 . 2010-05-01 06:23 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-25 05:47 . 2010-05-01 06:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-24 07:25 . 2010-05-01 01:34 -------- d-----w- c:\program files\Bethesda Softworks
2010-06-24 06:11 . 2010-05-19 04:51 -------- d-----w- c:\program files\Ubisoft
2010-06-23 20:39 . 2010-05-01 01:12 -------- d-----w- c:\program files\Microsoft Games
2010-06-19 03:56 . 2010-06-19 03:56 0 ----a-w- c:\windows\DXT46.tmp
2010-06-19 03:56 . 2010-06-19 03:56 0 ----a-w- c:\windows\DXT45.tmp
2010-06-19 03:56 . 2010-06-19 03:56 0 ----a-w- c:\windows\DXT44.tmp
2010-06-19 03:56 . 2010-06-19 03:56 0 ----a-w- c:\windows\DXT43.tmp
2010-06-19 03:20 . 2010-05-01 03:20 -------- d-----w- c:\program files\ScummVM
2010-06-15 21:45 . 2010-05-24 11:19 -------- d-----w- c:\program files\VideoLAN
2010-06-15 14:01 . 2010-05-19 04:59 -------- d-----w- c:\program files\Electronic Arts
2010-06-06 21:08 . 2010-05-01 02:34 286720 ------w- c:\windows\Setup1.exe
2010-06-04 23:40 . 2010-05-31 05:07 -------- d-----w- c:\program files\Activision
2010-05-31 21:32 . 2010-04-30 22:55 -------- d-----w- c:\documents and settings\Chris\Application Data\GetRightToGo
2010-05-30 19:09 . 2010-05-27 17:43 -------- d-----w- c:\program files\openrails
2010-05-29 05:41 . 2010-05-29 05:41 -------- d-----w- c:\documents and settings\Chris\Application Data\ORTS
2010-05-29 05:19 . 2010-05-01 02:34 -------- d-----w- c:\program files\ConBuilder
2010-05-28 18:39 . 2010-05-01 02:34 -------- d-----w- c:\program files\Route_Riter
2010-05-27 17:44 . 2010-05-27 17:44 -------- d-----w- c:\documents and settings\Chris\Application Data\Open Rails
2010-05-27 17:43 . 2010-05-27 17:43 -------- d-----w- c:\program files\Microsoft XNA
2010-05-25 20:20 . 2010-05-25 20:20 -------- d-----w- c:\program files\SwitchlistGenerator
2010-05-25 20:20 . 2010-05-01 02:34 73216 ------w- c:\windows\ST6UNST.EXE
2010-05-24 10:36 . 2010-05-01 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-24 10:19 . 2010-04-30 23:27 70792 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 04:33 . 2010-05-24 04:16 4 ----a-w- C:\timeStmp.tmp
2010-05-24 04:18 . 2010-05-24 04:18 -------- d-----w- c:\program files\Interactive Strip
2010-05-23 22:35 . 2010-05-23 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\GameTap Web Player
2010-05-23 22:33 . 2010-05-23 22:33 -------- d-----w- c:\program files\GameTap Web Player
2010-05-22 01:49 . 2010-05-01 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 07:17 . 2010-05-20 07:17 128 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\fusioncache.dat
2010-05-19 05:21 . 2010-05-19 05:21 -------- d--h--r- c:\documents and settings\Chris\Application Data\SecuROM
2010-05-19 05:21 . 2010-05-01 22:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-19 05:14 . 2010-05-19 05:14 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-19 05:14 . 2010-05-19 05:14 22328 ----a-w- c:\documents and settings\Chris\Application Data\PnkBstrK.sys
2010-05-19 05:14 . 2010-05-19 05:14 22328 ----a-w- c:\documents and settings\Chris\Application Data\PnkBstrK.sys
2010-05-19 05:13 . 2010-05-19 05:13 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-19 05:13 . 2010-05-19 05:13 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-05-19 05:13 . 2010-05-19 05:13 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-18 02:55 . 2010-05-18 00:59 -------- d-----w- c:\program files\EGOSOFT
2010-05-15 23:07 . 2010-05-15 23:07 -------- d-----w- c:\program files\VMLaunch
2010-05-10 23:21 . 2010-05-10 23:21 -------- d-----w- c:\program files\Common Files\DAZ
2010-05-07 06:35 . 2010-05-07 06:35 -------- d-----w- c:\documents and settings\Chris\Application Data\AdobeUM
2010-05-06 00:09 . 2010-05-06 00:09 -------- d-----w- c:\program files\Common Files\Java
2010-05-06 00:07 . 2010-05-03 06:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 00:07 . 2010-05-06 00:07 -------- d-----w- c:\program files\Java
2010-05-05 23:46 . 2010-05-05 23:46 -------- d-----w- c:\program files\JavaSoft
2010-05-05 23:46 . 2010-05-05 23:45 -------- d-----w- c:\program files\Sky!_Conductor_2
2010-05-05 23:46 . 2010-05-05 23:46 -------- d-----w- c:\program files\Common Files\Sky!_Conductor_Files
2010-05-05 23:45 . 2010-05-01 02:30 286720 ----a-w- c:\windows\iun507.exe
2010-05-05 07:43 . 2010-05-05 07:43 -------- d-----w- c:\program files\UnH Solutions
2010-05-05 07:20 . 2010-05-05 07:20 -------- d-----w- c:\documents and settings\Chris\Application Data\Ahead
2010-05-03 06:28 . 2010-05-03 06:28 503808 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72016277-n\msvcp71.dll
2010-05-03 06:28 . 2010-05-03 06:28 499712 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72016277-n\jmc.dll
2010-05-03 06:28 . 2010-05-03 06:28 348160 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72016277-n\msvcr71.dll
2010-05-03 06:28 . 2010-05-03 06:28 61440 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b2f7c14-n\decora-sse.dll
2010-05-03 06:28 . 2010-05-03 06:28 12800 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b2f7c14-n\decora-d3d.dll
2010-05-02 19:45 . 2010-05-02 19:45 161888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-02 07:12 . 2010-05-02 07:12 14 ----a-w- c:\program files\settings.cfg
2010-05-02 07:12 . 2010-05-02 06:55 379256 ----a-w- c:\program files\UnGEXUSACAN.exe
2010-05-01 00:16 . 2010-05-01 00:16 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2010-04-30 22:43 . 2010-04-30 22:43 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-30 22:43 . 2010-04-30 22:43 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-30 14:41 . 2010-04-29 21:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-30 00:00 . 2010-04-30 00:12 40960 ------w- c:\windows\system32\ChCfg.exe
2010-04-30 00:00 . 2010-04-30 00:12 208896 ------w- c:\windows\alcupd.exe
2010-04-30 00:00 . 2010-04-30 00:12 77824 ----a-w- c:\windows\SOUNDMAN.EXE
2010-04-30 00:00 . 2010-04-30 00:12 156672 ----a-w- c:\windows\system32\RTLCPAPI.dll
2010-04-30 00:00 . 2010-04-30 00:12 9319936 ----a-w- c:\windows\system32\RTLCPL.EXE
2010-04-30 00:00 . 2010-04-30 00:12 139264 ------w- c:\windows\alcrmv.exe
2010-04-30 00:00 . 2010-04-30 00:12 2297664 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-04-29 21:55 . 2010-04-29 21:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-29 21:39 . 2010-05-01 02:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2010-05-01 02:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2010-04-30 77824]
"nwiz"="nwiz.exe" [BU]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-4-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"d:\\backup\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\VMLaunch\BuddyVM.sys [12/3/2004 8:12 PM 15872]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/30/2010 6:43 PM 135336]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/30/2010 4:44 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: gametap.com
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Darkness Within: In Pursuit of Loath Nolder Demo_is1 - c:\program files\Darkness Within Demo\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 17:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-03 17:52:36
ComboFix-quarantined-files.txt 2010-07-03 23:52
ComboFix2.txt 2010-07-03 21:48

Pre-Run: 39,519,793,152 bytes free
Post-Run: 39,493,877,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2A6E2CF9F133F06C7F285964D580F388


Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:58 PM

Posted 05 July 2010 - 04:40 PM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
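The /md5start ... /md5stop block in the OTL custom scan above hashes a fixed list of system DLLs and storage drivers (atapi.sys, iaStor.sys, nvstor.sys and so on) because some kernel rootkits of that period patched one of those drivers in place instead of dropping a new file, so the only visible trace is a changed hash. The script below is an added example, not part of this thread and not OTL's own code; it performs the same check by hand. It assumes, as a baseline source the thread does not mention, that the pristine copies Windows File Protection keeps in %SystemRoot%\system32\dllcache on Windows XP are intact, and it uses MD5 only because that is the digest OTL reports. The demo builds a throwaway directory tree with constructed sample files, so it runs on any OS without touching a real system directory.

```python
"""Hash the files from OTL's /md5start list and compare them with a baseline copy.

Added example. Assumption: on Windows XP the Windows File Protection cache,
%SystemRoot%\\system32\\dllcache, holds unmodified twins of many system files,
so a driver patched in place (e.g. atapi.sys) hashes differently from its twin.
The demo() function uses constructed sample bytes, not real driver images.
"""
import hashlib
import os
import tempfile

# Subset of the filenames from the OTL custom scan in the post above.
WATCHED = ["atapi.sys", "iaStor.sys", "nvstor.sys",
           "eventlog.dll", "scecli.dll", "netlogon.dll"]


def md5_of(path, chunk=65536):
    """MD5 hex digest of a file, read in chunks so a 10 MB driver is not slurped at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_file(name, search_dirs):
    """First existing path for name under search_dirs (system32, then drivers), else None."""
    for d in search_dirs:
        p = os.path.join(d, name)
        if os.path.isfile(p):
            return p
    return None


def compare_with_baseline(live_dirs, baseline_dir, names=WATCHED):
    """Classify each watched name as match / modified / no_baseline / missing.

    live_dirs:    directories holding the active copies (system32, system32\\drivers)
    baseline_dir: directory holding reference copies (dllcache, or files from clean media)
    Returns {name: (status, live_md5, baseline_md5)}.
    """
    report = {}
    for name in names:
        live = find_file(name, live_dirs)
        ref = os.path.join(baseline_dir, name)
        if live is None:
            # Not installed on this box; normal for most entries in the OTL list,
            # which covers many vendors' storage drivers.
            report[name] = ("missing", None, None)
        elif not os.path.isfile(ref):
            # Present but nothing to compare against; needs a hash from clean media.
            report[name] = ("no_baseline", md5_of(live), None)
        else:
            a, b = md5_of(live), md5_of(ref)
            report[name] = ("match" if a == b else "modified", a, b)
    return report


def demo():
    """Build a constructed XP-like tree and run the comparison. Returns {name: status}."""
    root = tempfile.mkdtemp(prefix="otl_md5_")
    sys32 = os.path.join(root, "system32")
    drivers = os.path.join(sys32, "drivers")
    dllcache = os.path.join(sys32, "dllcache")
    os.makedirs(drivers)
    os.makedirs(dllcache)

    # Constructed sample contents; a real driver would be a PE image.
    clean_driver = b"MZ\x90\x00 constructed stand-in for a clean atapi.sys"
    patched_driver = clean_driver + b"\xe9\x00\x10\x00\x00 constructed inline patch"
    clean_dll = b"MZ\x90\x00 constructed stand-in for eventlog.dll"
    files = {
        os.path.join(drivers, "atapi.sys"): patched_driver,   # live copy tampered
        os.path.join(dllcache, "atapi.sys"): clean_driver,    # cached twin intact
        os.path.join(sys32, "eventlog.dll"): clean_dll,       # identical in both places
        os.path.join(dllcache, "eventlog.dll"): clean_dll,
        os.path.join(sys32, "scecli.dll"): b"MZ\x90\x00 constructed scecli.dll, no cached twin",
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)

    report = compare_with_baseline([sys32, drivers], dllcache)
    return {name: status for name, (status, _, _) in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

Two caveats a practitioner would apply before acting on a "modified" result. A mismatch is also what you see after a legitimate hotfix that updated the live file but not the dllcache copy, so check the file's version resource and signature before calling it tampered. More importantly, a kernel rootkit that hooks disk I/O can serve the clean image to any user-mode reader, including this script, which is why hashes taken from the running system are less trustworthy than ones taken from offline media or via the locked-file handling that OTL and ComboFix's catchme component attempt.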

#7 CrisGer (Topic Starter)

Posted 05 July 2010 - 05:17 PM

Hi there
I sent you a PM yesterday. Bad news. I shut down my computer after that last ComboFix run yesterday evening, and when I tried to start it up again it went into the reboot cycle without starting. I could not get Safe Mode to start, or the restore to the last good config setting.

I do have the Recovery Console installed as per your instructions, but I don't know what codes to enter to restore.

I have of course my Windows DVD disk, and I am ready to follow any instructions using the Recovery Console, but I don't know what to do. I saw the list of commands you get when you enter Help, but I have no idea how to proceed.

I would like to continue with the cleaning if possible. But if I can't, I can ask my tech who made this computer to try to save the system for me.

Can I restore using the console we installed as part of the ComboFix install?

One thing I noted when I was using the computer yesterday after the ComboFix runs: that pirate shard kept throwing dropper trojans at me, maybe about 30 times Avira caught and quarantined them. And then at one point I got what looked like an official Windows system box pop up and tell me that it had disabled some parts of Explorer to protect my system.

Help, if you can, please. Currently I can't get into the computer and I can't do the Malwarebytes step. I am on an older backup computer and standing by.

If you can give me a list of instructions I can print out, I can take it to the other computer and try to restore. I wish I had done a system restore when I got that notice about Explorer, but I did not realize it meant my boot-up files might have been zapped.


#8 CrisGer (Topic Starter)

Posted 08 July 2010 - 11:13 AM

I am going to see if my tech can get my system accessible again so I can return here to finish the cleaning if needed. I realize you guys are very busy, and I will do what I can to fix what I can at my end.



#9 schrauber

Posted 10 July 2010 - 07:39 AM

Hi,

Sorry for the delay.

Please give me a short update about the situation.
regards,
schrauber


#10 CrisGer (Topic Starter)

Posted 10 July 2010 - 12:33 PM

No problem about the delay. I got my tech to fix the boot-up files; he was able to restore them, so I have access to the computer, but I have to wait for him to bring me the cable for the monitor. He and I are both engrossed in the Tour de France and the World Cup, so I will perform those last two scans and post and report as soon as possible. Thanks again for the help. I so much appreciate it.

#11 CrisGer (Topic Starter)

Posted 10 July 2010 - 05:20 PM

OK, I am back on and something is now blocking me from doing any downloads or even running the online scan; I get this fake message:

Quote:
    The requested lookup key was not found in any active activation context

I can't access the help function to go to a restore point; it just won't open.

I ran Malware again and found 11 trojans and it deleted them all.

There is a browser redirect active now. I can't update my IE to version 8; it reverted to 6. I can't download anything from any link. And I can't go to any site unless I use the cached version. I found old versions of HijackThis and ComboFix and was able to run scans with them both, if that will help. But I don't know what to do at this point. I still can't get the Help function of the Start menu to let me into the restore point setup so I can go to an older restore point that allows me to use the browser normally.

LATEST UPDATE: SAT EVENING

I was able to run OTL; here are the logs. By the way, I have found copies of ComboFix, HijackThis, SmitfraudFix and OTL on this system we can use if any of them will help in the cleaning. Otherwise I will have to get copies downloaded on disk to transfer here for any work.

OTL Logs

OTL logfile created on: 7/10/2010 8:53:38 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 65.21 Gb Free Space | 21.88% Space Free | Partition Type: NTFS
Drive D: | 279.47 Gb Total Space | 116.19 Gb Free Space | 41.58% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 465.65 Gb Total Space | 193.38 Gb Free Space | 41.53% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ATHLON
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/10 20:45:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
PRC - [2010/04/29 18:00:29 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/18 19:17:48 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2007/07/27 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/27 06:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe


========== Modules (SafeList) ==========

MOD - [2010/07/10 20:45:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
MOD - [2010/03/18 19:17:48 | 000,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2007/07/27 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/07/27 06:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iphlpapi.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/30 16:44:12 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/06/08 14:53:59 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/06/08 14:53:59 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/06/07 17:57:00 | 010,531,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/04/29 18:00:28 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2010/03/23 20:38:56 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap Web Player\bin\release\X4HSX32.sys -- (X4HSX32)
DRV - [2010/03/18 20:50:12 | 000,189,528 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2010/03/18 20:50:04 | 000,162,904 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2010/03/18 20:49:56 | 000,798,808 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2010/03/18 20:45:42 | 000,092,760 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2010/03/18 20:45:28 | 000,157,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2010/03/18 20:45:20 | 000,014,424 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2010/03/18 20:45:12 | 000,127,576 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2010/03/18 20:40:48 | 000,347,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2010/03/18 20:40:40 | 000,528,472 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2010/03/18 20:40:32 | 000,511,064 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/04/14 00:45:54 | 000,295,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\427416V.sys -- (427416V)
DRV - [2007/07/27 06:00:00 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2005/05/17 17:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/04/06 03:22:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 03:22:28 | 000,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2004/12/03 20:12:44 | 000,015,872 | ---- | M] (Interlex Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMLaunch\BuddyVM.sys -- ({09BB444F-B2E2-4009-BAF2-7B727681223E})
DRV - [2004/08/14 02:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/07/10 17:47:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/09 07:24:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: gametap.com ([]* in Trusted sites)
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab (Reg Error: Key error.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} http://archives.gametap.com/static/cab_headless/GameTa

Edited by CrisGer, 10 July 2010 - 10:14 PM.
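The PRC/MOD/SRV/DRV lines in the OTL log above have a fixed layout, and the first thing a helper does with them is pick out the entries with an empty publisher field, entries whose file is missing, and kernel drivers loading from somewhere other than system32\drivers. The Python below is an added example written for this page; it is not OTL's own code and not something posted in the thread. The sample lines are copied from the log above, while the rule names and wording are mine. The rules are triage heuristics, not verdicts: Avira's own avgio.sys and the GameTap Web Player driver trip the "outside the drivers directory" rule just as a rogue driver would, which is exactly why a person still reviews the list.

```python
"""Added example: parse OTL PRC/MOD/SRV/DRV lines and apply simple triage rules."""
import re
from dataclasses import dataclass
from typing import Optional

# OTL line shapes seen in this thread:
#   DRV - [date | size | attrs | M] (Company) [Kernel | Auto | Running] -- path -- (Name) description
#   DRV - File not found [Kernel | On_Demand | Stopped] -- path -- (Name)
#   PRC - [date | size | attrs | M] (Company) -- path
HEADER = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:\[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\)|(?P<missing>File not found))"
    r"(?: \[(?P<flags>[^\]]*)\])?"
    r" -- (?P<rest>.+)$"
)
NAME_TAIL = re.compile(r"^\((?P<name>[^)]+)\)\s*(?P<desc>.*)$")
DRIVER_DIR = "\\windows\\system32\\drivers\\"   # where Windows keeps its own kernel drivers


@dataclass
class Entry:
    kind: str
    company: str
    path: str
    name: str
    start: str          # Boot / System / Auto / On_Demand; '' for PRC and MOD lines
    state: str          # Running / Stopped; '' for PRC and MOD lines
    size: Optional[int]
    missing: bool


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a PRC/MOD/SRV/DRV line, None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    path, _, tail = m.group("rest").partition(" -- ")
    name = path.rsplit("\\", 1)[-1]           # PRC/MOD lines carry no service name
    t = NAME_TAIL.match(tail)
    if t:
        name = t.group("name")
    size = None
    if m.group("stamp"):
        parts = [p.strip() for p in m.group("stamp").split("|")]
        digits = parts[1].replace(",", "") if len(parts) > 1 else ""
        size = int(digits) if digits.isdigit() else None
    start = state = ""
    if m.group("flags"):
        flags = [p.strip() for p in m.group("flags").split("|")]
        if len(flags) >= 2:
            start, state = flags[-2], flags[-1]
    return Entry(m.group("kind"), (m.group("company") or "").strip(), path.strip(),
                 name, start, state, size, bool(m.group("missing")))


def triage(entries) -> dict:
    """Map name -> reasons a helper would look twice. Heuristics, not verdicts."""
    findings, seen_paths = {}, {}
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("file not found: orphaned service registration")
        elif not e.company:
            reasons.append("no publisher in version info")
            if e.kind in ("SRV", "DRV") and e.start in ("Boot", "System", "Auto"):
                reasons.append(f"auto-start ({e.start}) without publisher")
        if e.kind == "DRV" and not e.missing and DRIVER_DIR not in e.path.lower():
            reasons.append("kernel driver loaded from outside system32\\drivers")
        key = e.path.lower()                  # NTFS is case-insensitive: one file, two registrations
        if key in seen_paths and seen_paths[key] != e.path:
            reasons.append(f"second registration of the same file: {seen_paths[key]}")
        seen_paths.setdefault(key, e.path)
        if reasons:
            findings[e.name] = reasons
    return findings


def triage_text(text: str) -> dict:
    return triage([e for e in map(parse_line, text.splitlines()) if e])


# Sample input: a subset of lines copied from the OTL log in this thread.
SAMPLE = r"""
PRC - [2010/07/10 20:45:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/06/08 14:53:59 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/06/07 17:57:00 | 010,531,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/04/29 18:00:28 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2010/03/23 20:38:56 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap Web Player\bin\release\X4HSX32.sys -- (X4HSX32)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2004/08/14 02:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
"""

FINDINGS = triage_text(SAMPLE)

if __name__ == "__main__":
    for name, reasons in FINDINGS.items():
        print(name, "->", "; ".join(reasons))
```

Run it against a whole OTL log and the output is the short list a helper would actually look up by hash or publisher; the entries with a known publisher, a present file and a system32\drivers path drop out, which is most of the Creative and NVIDIA noise above.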


#12 CrisGer (Topic Starter)

Posted 10 July 2010 - 10:17 PM

I was able to do the OTL logs finally. Here they are; sorry for the double post, but the redirect is trying to stop me from posting. I hope this goes through.

OTL logfile created on: 7/10/2010 8:53:38 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 65.21 Gb Free Space | 21.88% Space Free | Partition Type: NTFS
Drive D: | 279.47 Gb Total Space | 116.19 Gb Free Space | 41.58% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 465.65 Gb Total Space | 193.38 Gb Free Space | 41.53% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ATHLON
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/10 20:45:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
PRC - [2010/04/29 18:00:29 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/18 19:17:48 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2007/07/27 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/27 06:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe


========== Modules (SafeList) ==========

MOD - [2010/07/10 20:45:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
MOD - [2010/03/18 19:17:48 | 000,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2007/07/27 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/07/27 06:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iphlpapi.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/30 16:44:12 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/06/08 14:53:59 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/06/08 14:53:59 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/06/07 17:57:00 | 010,531,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/04/29 18:00:28 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2010/03/23 20:38:56 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap Web Player\bin\release\X4HSX32.sys -- (X4HSX32)
DRV - [2010/03/18 20:50:12 | 000,189,528 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2010/03/18 20:50:04 | 000,162,904 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2010/03/18 20:49:56 | 000,798,808 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2010/03/18 20:45:42 | 000,092,760 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2010/03/18 20:45:28 | 000,157,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2010/03/18 20:45:20 | 000,014,424 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2010/03/18 20:45:12 | 000,127,576 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2010/03/18 20:40:48 | 000,347,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2010/03/18 20:40:40 | 000,528,472 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2010/03/18 20:40:32 | 000,511,064 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/04/14 00:45:54 | 000,295,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\427416V.sys -- (427416V)
DRV - [2007/07/27 06:00:00 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2005/05/17 17:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/04/06 03:22:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 03:22:28 | 000,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2004/12/03 20:12:44 | 000,015,872 | ---- | M] (Interlex Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMLaunch\BuddyVM.sys -- ({09BB444F-B2E2-4009-BAF2-7B727681223E})
DRV - [2004/08/14 02:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/07/10 17:47:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/09 07:24:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: gametap.com ([]* in Trusted sites)
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab (Reg Error: Key error.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} http://archives.gametap.com/static/cab_hea...apWebPlayer.cab (GameTap Player)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.3.1/jinstall-...indows-i586.cab (Java Plug-in 1.3.1)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [url=http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab]http://java.sun.co

Edited by CrisGer, 10 July 2010 - 11:12 PM.
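The O6/O7 lines in the log above carry two AutoRun policy values that are easy to misread on their own: NoDriveTypeAutoRun = 323 (0x143) and NoDriveAutoRun = 67108863 (0x3FFFFFF). The first is a bitmask over GetDriveType() results (bit n disables AutoRun for drive type n), the second a bitmask over drive letters (bit 0 is A:, bit 25 is Z:), and AutoRun is suppressed when either mask blocks the drive. Decoded, 323 still leaves removable, fixed, network and CD-ROM drives enabled, but 0x3FFFFFF then blocks every letter, so AutoRun is effectively off on this machine regardless of the first value. The Python below is an added example, not part of the thread; the treatment of bit 8 (0x100, which I treat as undocumented) and the assumption that HKLM and HKCU are evaluated the same way (they hold identical numbers here, so precedence does not change the outcome) are mine.

```python
"""Added example: decode the Explorer AutoRun policy values from the O6/O7 lines."""

# GetDriveType() result codes. NoDriveTypeAutoRun bit n disables AutoRun for drive type n;
# 0x80 is documented as a second 'unknown type' bit, 0x100 is not documented (assumption).
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED",
    4: "DRIVE_REMOTE",
    5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK",
    7: "unknown type (0x80)",
}
MEDIA_TYPES = (2, 3, 4, 5)   # the types on which AutoRun-borne malware actually arrives


def blocked_drive_types(no_drive_type_autorun: int) -> list:
    """Names of the drive types whose AutoRun the NoDriveTypeAutoRun mask disables."""
    return [DRIVE_TYPES.get(bit, f"bit{bit} (undocumented)")
            for bit in range(no_drive_type_autorun.bit_length())
            if no_drive_type_autorun >> bit & 1]


def blocked_drive_letters(no_drive_autorun: int) -> str:
    """Drive letters the NoDriveAutoRun mask disables (bit 0 = A:, bit 25 = Z:)."""
    return "".join(chr(ord("A") + i) for i in range(26) if no_drive_autorun >> i & 1)


def autorun_allowed(letter: str, drive_type: int,
                    no_drive_type_autorun: int, no_drive_autorun: int) -> bool:
    """AutoRun fires only when neither the per-type nor the per-letter mask blocks the drive."""
    idx = ord(letter.upper()) - ord("A")
    if not 0 <= idx < 26 or drive_type not in DRIVE_TYPES:
        raise ValueError(f"bad drive {letter!r} / type {drive_type}")
    type_blocked = bool(no_drive_type_autorun >> drive_type & 1)
    letter_blocked = bool(no_drive_autorun >> idx & 1)
    return not (type_blocked or letter_blocked)


def summarize(no_drive_type_autorun: int, no_drive_autorun: int):
    """(blocked types, blocked letters, is AutoRun effectively off for all media drives?)"""
    types = blocked_drive_types(no_drive_type_autorun)
    letters = blocked_drive_letters(no_drive_autorun)
    all_media_blocked = all(no_drive_type_autorun >> t & 1 for t in MEDIA_TYPES)
    return types, letters, len(letters) == 26 or all_media_blocked


# Values from the O6/O7 lines above. HKLM and HKCU hold the same numbers, so hive precedence
# (assumption: HKLM wins when they differ) does not change the answer on this machine.
NO_DRIVE_TYPE_AUTORUN = 323        # 0x143
NO_DRIVE_AUTORUN = 67108863        # 0x3FFFFFF

if __name__ == "__main__":
    types, letters, off = summarize(NO_DRIVE_TYPE_AUTORUN, NO_DRIVE_AUTORUN)
    print("types blocked  :", types)
    print("letters blocked:", letters or "(none)")
    print("AutoRun effectively off:", off)
```

The practical point is that the per-type mask alone would have read as a permissive setting, and only reading both keys together gives the real answer; the same decode applied to a machine with NoDriveAutoRun = 0 and NoDriveTypeAutoRun = 323 would report AutoRun live on removable and CD-ROM media.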


#13 CrisGer (Topic Starter)

Posted 11 July 2010 - 12:00 AM

I am sorry to post again. I am struggling to get this data to you; the infected computer is fighting every effort I make to post here and to share the logs. I had to go back to the old computer and use Firefox to post this. I apologize for not following protocol; I am not trying to bump, just get the info to you. I will have to post the OTL log first and then go back for the Extras.

Here is the complete log; it would not post in the previous reply.

UPDATE: 1:07 Sunday morning. I finally was able to download and install Firefox so I can use the net, get to this site, and download and upload again. My IE got reverted to 6 and then corrupted, I think, so for now I can continue the cleaning. I am running ESET now.

OTL logfile created on: 7/10/2010 8:53:38 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 65.21 Gb Free Space | 21.88% Space Free | Partition Type: NTFS
Drive D: | 279.47 Gb Total Space | 116.19 Gb Free Space | 41.58% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 465.65 Gb Total Space | 193.38 Gb Free Space | 41.53% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ATHLON
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/10 20:45:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
PRC - [2010/04/29 18:00:29 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/18 19:17:48 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2007/07/27 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/27 06:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe


========== Modules (SafeList) ==========

MOD - [2010/07/10 20:45:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
MOD - [2010/03/18 19:17:48 | 000,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2007/07/27 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/07/27 06:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iphlpapi.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/30 16:44:12 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/02/12 10:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/06/08 14:53:59 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/06/08 14:53:59 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/06/07 17:57:00 | 010,531,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/04/29 18:00:28 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2010/03/23 20:38:56 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap Web Player\bin\release\X4HSX32.sys -- (X4HSX32)
DRV - [2010/03/18 20:50:12 | 000,189,528 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2010/03/18 20:50:04 | 000,162,904 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2010/03/18 20:49:56 | 000,798,808 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2010/03/18 20:45:42 | 000,092,760 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2010/03/18 20:45:28 | 000,157,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2010/03/18 20:45:20 | 000,014,424 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2010/03/18 20:45:12 | 000,127,576 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2010/03/18 20:40:48 | 000,347,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2010/03/18 20:40:40 | 000,528,472 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2010/03/18 20:40:32 | 000,511,064 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/04/14 00:45:54 | 000,295,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\427416V.sys -- (427416V)
DRV - [2007/07/27 06:00:00 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2005/05/17 17:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/04/06 03:22:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 03:22:28 | 000,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2004/12/03 20:12:44 | 000,015,872 | ---- | M] (Interlex Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMLaunch\BuddyVM.sys -- ({09BB444F-B2E2-4009-BAF2-7B727681223E})
DRV - [2004/08/14 02:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/07/10 17:47:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/09 07:24:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: gametap.com ([]* in Trusted sites)
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab (Reg Error: Key error.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} http://archives.gametap.com/static/cab_hea...apWebPlayer.cab (GameTap Player)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.3.1/jinstall-...indows-i586.cab (Java Plug-in 1.3.1)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Prairie Wind.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Prairie Wind.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/08 15:06:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/25 11:35:25 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/06/10 12:11:08 | 000,000,000 | ---D | M] - D:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2009/01/29 17:26:14 | 000,000,000 | ---D | M] - G:\autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/10 20:45:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/10 20:45:14 | 000,574,976 | ---- |

UPDATE SUNDAY MORNING:
Tom, just to update and catch up: I was able to run the OTL scan, but the online scanner keeps shutting down my system about 10% of the way through the scan; it has done that three times. I will try again. I ran ComboFix again just in case and it deleted two files, one of which was an instance of Explorer. I have a stable IE8 restored, and Firefox to back it up, so I can download and do things online again. I will wait to hear from you about the next step. One part of ComboFix shuts down with an error, the part called Perv; it has done that twice, before the scan is done. I could not find a full log, but here is what I could find, which I think is the latest ComboFix log:

ComboFix 10-07-10.01 - Chris 07/11/2010 2:53.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2536 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\explorer(2).exe
c:\windows\system32\linkinfo(2).dll

.
((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SoundMan"="SOUNDMAN.EXE" [2010-04-30 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-07 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-07 13902440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2007-07-27 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-4-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"d:\\backup\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=


R1 427416V;427416V;c:\windows\system32\drivers\427416V.sys [2008-04-14 295168]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2010-03-19 99416]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-04-30 79360]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2010-03-19 555096]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2010-03-19 100952]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2010-03-19 100952]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2010-03-19 566360]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\VMLaunch\BuddyVM.sys [2004-12-04 15872]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2010-03-19 99416]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2010-03-19 555096]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2010-03-19 566360]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: gametap.com
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\z4bp4e8o.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 03:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-11 03:14:56
ComboFix-quarantined-files.txt 2010-07-11 09:14
ComboFix2.txt 2010-07-11 00:49
ComboFix3.txt 2010-07-09 13:27
ComboFix4.txt 2010-07-03 23:52
ComboFix5.txt 2010-07-11 03:18

Pre-Run: 68,457,332,736 bytes free
Post-Run: 68,425,576,448 bytes free

- - End Of File - - 7B3EA2C3ED7370052780248C86B8DCE3

This is what I found in the ESET log file so far:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=69da846c8c01304a990447453a20eb63
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-10 10:05:24
# local_time=2010-07-10 04:05:24 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 36939177 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114437
# found=0
# cleaned=0
# scan_time=3041
esets_scanner_update returned -1 esets_gle=53251
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
ESETSmartInstaller@High as downloader log:
all ok

But every time I try to run ESET it gets to just about 10% and then CTDs with a blue screen and reboots the system. It is scanning through my documents when this happens.

Sunday Afternoon ....

As soon as I started up IE8 and left it on, even with Avira activated and the Windows firewall, that same spam svchost threw five more trojans into my system, including a fake antivirus that tried to stop me from using restore points or any program.

I cleaned with Malwarebytes and ran ComboFix again, but again the sub-program for ComboFix stopped, and there was a notice at the end saying "Not Enough Main memory to complete sort". Logs attached.


Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/11/2010 1:07:11 PM
mbam-log-2010-07-11 (13-07-11).txt

Scan type: Quick scan
Objects scanned: 123893
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vxljoank (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vxljoank (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\emcfjacqy\jopufwotssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\xNet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KU6VJEUZ\n002106201r0409R1dde26cbXc34dc094Y8f746b2dZ0100f080316P000500070[1] (Trojan.Downloader) -> Quarantined and deleted successfully.

ComboFix 10-07-10.01 - Chris 07/11/2010 13:14:33.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2639 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_09.11.27 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SoundMan"="SOUNDMAN.EXE" [2010-04-30 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-07 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-07 13902440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2007-07-27 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-4-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"d:\\backup\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=


R1 427416V;427416V;c:\windows\system32\drivers\427416V.sys [2008-04-14 295168]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2010-03-19 99416]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-04-30 79360]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2010-03-19 555096]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2010-03-19 100952]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2010-03-19 100952]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2010-03-19 566360]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\VMLaunch\BuddyVM.sys [2004-12-04 15872]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2010-03-19 99416]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2010-03-19 555096]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2010-03-19 566360]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: gametap.com
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\z4bp4e8o.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 13:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2400)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-11 13:35:21
ComboFix-quarantined-files.txt 2010-07-11 19:35
ComboFix2.txt 2010-07-11 09:14
ComboFix3.txt 2010-07-11 00:49
ComboFix4.txt 2010-07-09 13:27
ComboFix5.txt 2010-07-11 13:09

Pre-Run: 68,445,712,384 bytes free
Post-Run: 68,500,688,896 bytes free

- - End Of File - - 5B164644847563193B77CD36109D7994


Edited by CrisGer, 11 July 2010 - 03:06 PM.


#14 schrauber

schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 July 2010 - 05:13 PM

Hi,

Lets check something:



Download MBRCheck.exe to your desktop
XP users > double click on MBRCheck.exe to run it
Vista and Windows 7 users > right click on MBRCheck.exe and select Run as Administrator
It will show a black screen with some data on it
Click on the black C:\ in the upper left hand corner of the black screen
Choose Edit > Select All > Press Enter to copy the data to your clip board
Press Enter again to close MBRCheck
Now open up notepad or wordpad and paste the data in (press Control+V)

Post the results in your reply
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
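schrauber's step above asks for MBRCheck's output. The script below is an added example, written for this page and not MBRCheck's code or anything from the thread; it shows what an MBR-integrity check actually looks at so the pasted output can be read with some understanding: the 0x55AA signature at the end of sector 0, the four 16-byte partition entries, the NT disk signature, and a hash of the 440-byte boot-code area compared against a caller-supplied allowlist. The 512-byte sector it runs on is constructed inline, the allowlist is hypothetical (derived from that sample), and `read_sector0` assumes the Windows `\\.\PhysicalDrive0` device path and an elevated prompt; it is not called in the demo so the file runs anywhere.

```python
"""Inspect a raw 512-byte MBR: boot signature, partition table, boot-code hash.

Added example, not MBRCheck. The known-good hash set is supplied by the caller;
the one used in the demo is hypothetical and taken from the constructed sample.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440             # code area; bytes 440-443 hold the NT disk signature
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR

# Enough partition type IDs to label the NTFS and FAT32 volumes seen in the logs.
PARTITION_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown/other"),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split a sector-0 image into boot code hash, disk signature and used partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    boot_code = sector[:BOOT_CODE_LEN]
    (disk_signature,) = struct.unpack("<I", sector[440:444])
    entries = [
        parse_partition_entry(sector[PARTITION_TABLE_OFFSET + i * ENTRY_SIZE:
                                     PARTITION_TABLE_OFFSET + (i + 1) * ENTRY_SIZE])
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": [e for e in entries if e["type"] != 0],   # type 0 = unused slot
    }


def check_mbr(sector: bytes, known_good_hashes: set) -> dict:
    """Flag what a bootkit typically alters: the boot code and the active-partition flags."""
    info = parse_mbr(sector)
    warnings = []
    if info["boot_code_sha256"] not in known_good_hashes:
        warnings.append("boot code hash is not in the known-good allowlist")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"expected exactly one active partition, found {len(bootable)}")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            warnings.append("partition entry with zero start or length")
    info["warnings"] = warnings
    return info


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the real MBR (Windows device path assumed; needs an elevated prompt)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: stub boot code, one active NTFS partition, one data partition."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_signature = struct.pack("<I", 0x1234ABCD)
    reserved = b"\x00\x00"
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 156_296_322)
    part2 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 156_296_385, 156_296_385)
    empty = b"\x00" * ENTRY_SIZE
    sector = code + disk_signature + reserved + part1 + part2 + empty + empty + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = {parse_mbr(sample)["boot_code_sha256"]}   # hypothetical allowlist
    for label, allowlist in (("trusted", baseline), ("unknown", set())):
        result = check_mbr(sample, allowlist)
        print(label, hex(result["disk_signature"]), result["warnings"])
        for p in result["partitions"]:
            print("  ", "*" if p["bootable"] else " ", p["type_name"], p["lba_start"], p["sectors"])
```

The useful output is the boot-code hash: a clean Windows XP MBR hashes to one of a handful of known values, so an unrecognised hash on a machine that keeps re-infecting after ComboFix and MBAM cleanups is the signal to look for a bootkit rather than another dropped executable. Replace `build_sample_mbr()` with `read_sector0()` on the affected machine to run it for real.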

#15 CrisGer

CrisGer
  • Topic Starter
  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California

Posted 16 July 2010 - 11:14 AM

OK, thanks Tom.
I did manage to get things cleaned up a bit since my last post. I could not complete an ESET online scan, so I installed their free demo of their complete protection suite, thinking it would have a functional scanner, and it did; five hours later I was able to complete a scan. It found some stuff. I was also able to fully update a functional SP3 install with all the security patches, and I think all of that helped get that pirate svchost. I had to switch to my older computer, which I am posting from now, to do some work, but I will switch back and run that scanner you have given me to try and report the results ASAP. Thanks for the continued help, this has been a tough one :)
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin



