
Infected with Alureon.H Virus


  • This topic is locked
23 replies to this topic

#1 Shkaler

  • Members
  • 12 posts

Posted 21 September 2010 - 11:19 AM

Hello and thanks for the help!

I use Windows Security Essentials as an Anti Virus program. There were a couple of other bugs that came up in a report, but this program seemed to have dealt with them easily enough. This Alureon virus refused to die though. (W.S.E. is good, right?)

I've noticed that when browsing the internet there are periods where every link I click takes me to a website named "Find.com" or something similar. My capability to browse usually returns shortly, then the cycle continues. This is followed by my internet cutting out and me being forced to restart my wireless adapter in order to restore internet.

Aside from that I...haven't noticed any other damaging effects.

I read and followed the guide on how to get ready for help. I have also enabled Email Notification.

Attached are my DDS report and GMER log the guide requested I post.

*********************************************************************************************************************************


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 20:12:28.74 on 19/09/2010
Internet Explorer: 7.0.6000.16982
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.2.1033.18.3326.2323 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andrew\Desktop\Virus Stuff\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Steam] "c:\steam\Steam.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [UnlockerAssistant] "c:\users\andrew\desktop\anti virus and maintenance\unlocker\UnlockerAssistant.exe"
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
dRun: [Ajoqeyamol] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\KBDANO.dll",Startup
dRun: [ASH24SXZ9S] c:\windows\temp\Ybp.exe
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 93.188.162.81,93.188.161.221

================= FIREFOX ===================

FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\3h1b3cha.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\3h1b3cha.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 MpKsl68505e3c;MpKsl68505e3c;c:\programdata\microsoft\microsoft antimalware\definition updates\{cea82f36-28fb-4ca1-a12d-b2ca59bfda32}\MpKsl68505e3c.sys [2010-9-19 28752]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-8-4 176128]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-4 6096384]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-4 214016]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-9-16 16472]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]

=============== Created Last 30 ================

2010-09-19 17:40:43 0 d-----w- c:\windows\pss
2010-09-19 05:00:11 664576 ----a-w- C:\hotfix.exe
2010-09-19 04:19:19 0 d-----w- c:\users\andrew\appdata\roaming\Mount&Blade Warband
2010-09-17 15:49:11 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-09-17 15:49:08 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-09-16 23:18:09 0 d-----w- c:\programdata\Stardock
2010-09-16 23:17:05 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-09-16 23:17:05 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2010-09-16 23:17:04 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-09-16 23:17:04 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-09-16 23:17:04 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-09-16 23:17:03 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-09-16 23:17:03 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-09-16 23:17:01 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-09-16 23:17:01 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-09-16 23:16:58 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-09-16 22:55:04 0 d-----w- c:\program files\Stardock Entertainment
2010-09-16 16:28:42 0 d-----w- c:\users\andrew\appdata\roaming\The Creative Assembly
2010-09-16 16:24:22 0 d-----w- c:\program files\PeerBlock
2010-09-16 07:05:59 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2010-09-16 07:04:56 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-09-15 03:31:45 0 d-----w- c:\program files\SS2
2010-09-15 03:31:26 327168 ----a-w- c:\windows\IsUninst.exe
2010-09-15 03:19:25 0 d-----w- c:\program files\DAEMON Tools Toolbar
2010-09-15 03:19:22 0 d-----w- c:\program files\DAEMON Tools Lite
2010-09-12 05:15:08 0 d-----w- c:\users\andrew\Tracing
2010-09-12 05:09:08 0 d-----w- c:\program files\Microsoft
2010-09-12 05:08:51 0 d-----w- c:\program files\Windows Live SkyDrive
2010-09-12 05:08:12 0 d-----w- c:\windows\PCHEALTH
2010-09-09 02:41:13 229888 ----a-w- c:\windows\system32\msshsq.dll
2010-09-07 03:30:26 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-09-07 03:30:20 944184 ----a-w- c:\windows\system32\winload.exe
2010-09-07 03:30:20 620088 ----a-w- c:\windows\system32\ci.dll
2010-09-07 03:30:20 371712 ----a-w- c:\windows\system32\srcore.dll
2010-09-07 03:30:20 313856 ----a-w- c:\windows\system32\rstrui.exe
2010-09-07 03:30:20 19000 ----a-w- c:\windows\system32\kd1394.dll
2010-09-07 03:30:19 40960 ----a-w- c:\windows\system32\srclient.dll
2010-09-07 03:30:19 16384 ----a-w- c:\windows\system32\srdelayed.exe
2010-09-07 03:29:53 268800 ----a-w- c:\windows\system32\es.dll
2010-09-06 08:01:57 4152184 ----a-w- c:\windows\system32\wgaer_m.exe
2010-09-06 08:01:57 1303 ----a-w- c:\windows\system32\WGAScanner.xml
2010-09-06 06:02:52 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-09-06 06:02:51 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-09-06 06:02:50 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-09-06 06:02:50 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-06 06:02:50 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2010-09-06 06:02:50 11264 ----a-w- c:\windows\system32\icardres.dll
2010-09-06 06:02:49 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-09-06 06:02:46 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-06 06:01:48 65536 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-09-06 06:01:48 36044800 ----a-w- c:\windows\ocsetup_install_NetFx3.etl
2010-09-06 06:01:48 196608 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-09-06 05:57:32 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-09-06 05:57:30 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-09-06 05:57:29 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-06 05:57:22 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-09-06 05:57:19 83968 ----a-w- c:\windows\system32\mscories.dll
2010-09-06 05:55:52 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-09-06 05:55:49 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-09-06 05:55:49 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-09-06 05:53:26 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2010-09-06 05:53:26 502272 ----a-w- c:\windows\system32\wlansvc.dll
2010-09-06 05:53:26 47104 ----a-w- c:\windows\system32\wlanapi.dll
2010-09-06 05:53:26 297984 ----a-w- c:\windows\system32\wlansec.dll
2010-09-06 05:53:26 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2010-09-06 05:53:26 1657350 ----a-w- c:\windows\system32\wlan.tmf
2010-09-06 05:53:26 12876 ----a-w- c:\windows\system32\wbem\wlan.mof
2010-09-06 05:53:26 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2010-09-06 05:52:38 216576 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-06 05:52:32 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-09-06 05:52:30 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-09-06 05:52:30 1686528 ----a-w- c:\windows\system32\gameux.dll
2010-09-06 05:51:39 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-09-06 05:51:39 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2010-09-06 05:51:39 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2010-09-06 05:51:39 272896 ----a-w- c:\windows\system32\polstore.dll
2010-09-06 05:51:33 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-09-06 05:51:33 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2010-09-06 05:51:32 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2010-09-06 05:51:32 549888 ----a-w- c:\windows\system32\rpcss.dll
2010-09-06 05:51:32 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2010-09-06 05:51:32 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2010-09-06 05:51:31 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2010-09-06 05:51:08 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-06 05:49:51 337408 ----a-w- c:\windows\system32\intl.cpl
2010-09-06 05:48:36 98816 ----a-w- c:\windows\system32\mfps.dll
2010-09-06 05:47:53 8704 ----a-w- c:\windows\system32\hcrstco.dll
2010-09-06 05:46:50 1645568 ----a-w- c:\windows\system32\connect.dll
2010-09-06 05:45:27 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-09-06 05:43:20 25600 ----a-w- c:\windows\system32\amxread.dll
2010-09-06 05:43:20 14848 ----a-w- c:\windows\system32\apilogen.dll
2010-09-06 05:42:48 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-09-06 05:42:02 351232 ----a-w- c:\windows\system32\SLUI.exe
2010-09-06 05:42:02 2605568 ----a-w- c:\windows\system32\SLsvc.exe
2010-09-06 05:42:02 223232 ----a-w- c:\windows\system32\SLC.dll
2010-09-06 05:42:01 57856 ----a-w- c:\windows\system32\SLUINotify.dll
2010-09-06 05:42:01 566784 ----a-w- c:\windows\system32\SLCommDlg.dll
2010-09-06 05:42:01 39936 ----a-w- c:\windows\system32\slcinst.dll
2010-09-06 05:42:01 33280 ----a-w- c:\windows\system32\slwmi.dll
2010-09-06 05:42:01 268288 ----a-w- c:\windows\system32\mcbuilder.exe
2010-09-06 05:42:01 186368 ----a-w- c:\windows\system32\SLLUA.exe
2010-09-06 05:41:09 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 05:34:21 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2010-09-06 05:34:19 94720 ----a-w- c:\windows\system32\logagent.exe
2010-09-06 05:33:28 494592 ----a-w- c:\windows\system32\kerberos.dll
2010-09-06 05:33:28 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-09-06 05:33:27 72704 ----a-w- c:\windows\system32\secur32.dll
2010-09-06 05:33:27 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-09-06 05:33:27 272384 ----a-w- c:\windows\system32\schannel.dll
2010-09-06 05:33:27 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2010-09-06 05:33:26 7680 ----a-w- c:\windows\system32\lsass.exe
2010-09-06 05:31:25 45112 ----a-w- c:\windows\system32\drivers\pciidex.sys
2010-09-06 05:31:25 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-09-06 05:31:25 211000 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-09-06 05:31:25 15928 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-09-06 05:31:25 154624 ----a-w- c:\windows\system32\drivers\nwifi.sys
2010-09-06 05:31:25 109624 ----a-w- c:\windows\system32\drivers\ataport.sys
2010-09-06 05:31:23 414208 ----a-w- c:\windows\system32\msscp.dll
2010-09-06 05:30:58 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-09-06 05:30:56 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-09-06 05:30:56 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-09-06 05:30:12 696832 ----a-w- c:\windows\system32\localspl.dll
2010-09-06 05:29:50 11776 ----a-w- c:\windows\system32\sbunattend.exe
2010-09-06 05:29:40 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2010-09-06 05:29:40 30208 ----a-w- c:\windows\system32\xolehlp.dll
2010-09-06 05:28:36 441856 ----a-w- c:\windows\system32\win32spl.dll
2010-09-06 05:28:36 37376 ----a-w- c:\windows\system32\printcom.dll
2010-09-06 05:28:15 428032 ----a-w- c:\windows\system32\EncDec.dll
2010-09-06 05:28:15 292352 ----a-w- c:\windows\system32\psisdecd.dll
2010-09-06 05:28:15 217088 ----a-w- c:\windows\system32\psisrndr.ax
2010-09-06 05:28:14 80896 ----a-w- c:\windows\system32\MSNP.ax
2010-09-06 05:28:14 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2010-09-06 05:28:14 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2010-09-06 05:28:14 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2010-09-06 05:27:01 24064 ----a-w- c:\windows\system32\netcfg.exe
2010-09-06 05:26:39 974336 ----a-w- c:\windows\system32\crypt32.dll
2010-09-06 05:26:00 712192 ----a-w- c:\windows\system32\WindowsCodecs.dll
2010-09-06 05:26:00 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2010-09-06 05:26:00 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2010-09-06 05:25:59 0 d-----w- c:\users\andrew\appdata\roaming\Canneverbe Limited
2010-09-06 05:25:57 0 d-----w- c:\programdata\Canneverbe Limited
2010-09-06 05:22:18 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2010-09-06 05:21:09 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-09-06 05:19:59 0 d-----w- c:\users\andrew\appdata\roaming\DAEMON Tools Lite
2010-09-06 05:19:56 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-09-06 05:19:31 232960 ----a-w- c:\windows\system32\rastls.dll
2010-09-06 05:19:30 274432 ----a-w- c:\windows\system32\raschap.dll
2010-09-06 05:19:16 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-09-06 05:19:15 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-09-06 05:19:15 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-09-06 05:19:15 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-09-06 05:19:15 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-09-06 05:19:15 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-09-06 05:19:15 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-09-06 05:19:15 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-09-06 05:19:15 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-09-06 05:19:15 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-09-06 05:18:40 750080 ----a-w- c:\windows\system32\qmgr.dll
2010-09-06 05:18:33 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-09-06 05:17:50 2031104 ----a-w- c:\windows\system32\win32k.sys
2010-09-06 05:05:30 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-06 05:03:58 0 d-----w- c:\program files\common files\Windows Live
2010-09-06 05:02:25 0 d-----w- c:\program files\uTorrent
2010-09-06 05:02:09 0 d-----w- c:\users\andrew\appdata\roaming\uTorrent
2010-09-06 05:01:25 0 d-----w- c:\program files\common files\Steam
2010-09-06 05:01:24 0 d-----w- C:\Steam
2010-09-06 04:58:58 0 d-----w- c:\program files\PDF- XChange Viewer
2010-09-06 04:58:02 0 d-----w- c:\program files\Microsoft Security Essentials
2010-09-06 04:57:51 0 d-----w- c:\program files\Revo Uninstaller
2010-09-06 04:55:44 0 d-----w- c:\programdata\Sun
2010-09-06 04:55:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-06 04:51:09 311296 ----a-w- c:\windows\system32\unregmp2.exe
2010-09-06 04:51:08 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-06 04:51:08 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-09-06 04:51:08 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-09-06 04:51:08 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-09-06 04:48:56 171136 --sha-r- C:\grldr
2010-09-06 04:39:26 0 d-----w- c:\users\andrew\appdata\roaming\Auslogics
2010-09-06 04:37:24 0 ----a-w- c:\windows\ativpsrm.bin
2010-09-06 04:35:54 0 d-----w- c:\program files\Auslogics Disk Defrag
2010-09-06 04:35:13 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-09-06 04:32:59 0 d-----w- c:\program files\CCleaner
2010-09-06 04:25:52 97792 ----a-w- c:\windows\system32\cabview.dll
2010-09-06 04:25:42 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-09-06 04:22:08 458752 ----a-w- c:\windows\SPInstall.etl
2010-09-06 04:21:53 0 d-sh--w- c:\windows\Installer
2010-09-06 04:18:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-09-06 04:18:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-09-06 04:18:05 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-09-06 01:54:53 0 d-----w- c:\windows\Panther
2010-09-06 01:54:44 8192 --s-a-r- C:\BOOTSECT.BAK
2010-09-06 01:54:43 443912 --sha-r- C:\bootmgr
2010-09-06 01:54:43 0 d-sh--w- C:\Boot

==================== Find3M ====================

2010-09-18 04:47:48 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-09-18 04:47:48 51200 ----a-w- c:\windows\inf\infpub.dat
2010-09-15 03:57:40 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-09-15 03:57:40 2272 ----a-w- c:\windows\system32\w95inf16.dll
2010-09-07 03:57:17 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-09-07 03:57:16 86016 ----a-w- c:\windows\inf\infstor.dat
2010-09-06 08:04:41 174 --sha-w- c:\program files\desktop.ini
2010-09-06 04:19:29 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-08-04 09:21:44 6096384 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-08-04 08:55:02 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-08-04 08:54:52 519680 ----a-w- c:\windows\system32\aticfx32.dll
2010-08-04 08:52:06 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-08-04 08:51:38 380928 ----a-w- c:\windows\system32\atieclxx.exe
2010-08-04 08:51:12 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2010-08-04 08:50:08 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-08-04 08:49:52 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-08-04 08:49:50 15845888 ----a-w- c:\windows\system32\atioglxx.dll
2010-08-04 08:49:42 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-08-04 08:49:36 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-08-04 08:49:28 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-08-04 08:46:34 3899392 ----a-w- c:\windows\system32\atidxx32.dll
2010-08-04 08:28:28 4021760 ----a-w- c:\windows\system32\atiumdag.dll
2010-08-04 08:26:02 46080 ----a-w- c:\windows\system32\aticalrt.dll
2010-08-04 08:25:52 44032 ----a-w- c:\windows\system32\aticalcl.dll
2010-08-04 08:24:36 4341248 ----a-w- c:\windows\system32\aticaldd.dll
2010-08-04 08:23:44 65536 ----a-w- c:\windows\system32\coinst.dll
2010-08-04 08:21:40 3324416 ----a-w- c:\windows\system32\atiumdva.dll
2010-08-04 08:16:08 241664 ----a-w- c:\windows\system32\atiadlxx.dll
2010-08-04 08:15:56 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-08-04 08:15:50 16896 ----a-w- c:\windows\system32\atigktxx.dll
2010-08-04 08:15:30 214016 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-08-04 08:15:04 30208 ----a-w- c:\windows\system32\atiuxpag.dll
2010-08-04 08:14:50 27648 ----a-w- c:\windows\system32\atiu9pag.dll
2010-08-04 08:14:28 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-08-04 08:14:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-08-04 08:09:24 52736 ----a-w- c:\windows\system32\atimpc32.dll
2010-08-04 08:09:24 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2010-07-22 04:34:26 61518 --sh--w- c:\windows\DpiSca.exe
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:13:16.18 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-19 20:42:24
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uwliqpob.sys


---- System - GMER 1.0.15 ----

INT 0x72 ? 84550BF8
INT 0x82 ? 84550BF8
INT 0x83 ? 85DF4BF8
INT 0x92 ? 84550BF8
INT 0x92 ? 84550BF8
INT 0x92 ? 84550BF8
INT 0x93 ? 85DF4BF8
INT 0xA3 ? 85DF4BF8
INT 0xB3 ? 85DF4BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe 81C8CC59 1 Byte [06]
.text ntkrnlpa.exe 81C9138E 18 Bytes [E0, 25, 7F, FF, FF, FF, 0F, ...]
.text ntkrnlpa.exe 81C913A6 1 Byte [00]
.text ntkrnlpa.exe 81C91BB8 1 Byte [90]
PAGELK ntkrnlpa.exe 81EBF201 22 Bytes [8B, 02, 8D, 3C, 06, B9, 80, ...]
PAGELK ...
? System32\Drivers\spxc.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\drivers\ndis.sys entry point in ".rsrc" section [0x81BF9014]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F1E1000, 0x331A84, 0xE8000020]
.text USBPORT.SYS!DllUnload 8E87DFEB 5 Bytes JMP 85DF41D8
.text a4hj1lfg.SYS 8ED95000 22 Bytes [1A, 72, FA, 81, 04, 71, FA, ...]
.text a4hj1lfg.SYS 8ED95017 181 Bytes [00, 99, 07, 24, 80, A4, 05, ...]
.text a4hj1lfg.SYS 8ED950CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text a4hj1lfg.SYS 8ED950DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text a4hj1lfg.SYS 8ED950E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 77AAFD74 5 Bytes JMP 0028000A
.text C:\Windows\system32\svchost.exe[1264] ntdll.dll!NtWriteVirtualMemory 77AB06F4 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[1264] ntdll.dll!KiUserExceptionDispatcher 77AB0E88 5 Bytes JMP 0026000A
.text C:\Windows\system32\svchost.exe[1264] ole32.dll!CoCreateInstance 7795DD8F 5 Bytes JMP 0053000A
.text C:\Windows\system32\svchost.exe[1264] USER32.dll!GetCursorPos 7669C664 5 Bytes JMP 0148000A
.text C:\Windows\Explorer.EXE[1676] ntdll.dll!NtProtectVirtualMemory 77AAFD74 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[1676] ntdll.dll!NtWriteVirtualMemory 77AB06F4 5 Bytes JMP 007F000A
.text C:\Windows\Explorer.EXE[1676] ntdll.dll!KiUserExceptionDispatcher 77AB0E88 5 Bytes JMP 007C000A
.text C:\Windows\Explorer.EXE[1676] SHELL32.dll!SHFileOperationW 76B58B3D 5 Bytes JMP 10001102 C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerHook.dll
.text C:\Windows\explorer.exe[1828] ntdll.dll!NtProtectVirtualMemory 77AAFD74 5 Bytes JMP 008F000A
.text C:\Windows\explorer.exe[1828] ntdll.dll!NtWriteVirtualMemory 77AB06F4 5 Bytes JMP 0090000A
.text C:\Windows\explorer.exe[1828] ntdll.dll!KiUserExceptionDispatcher 77AB0E88 5 Bytes JMP 008E000A
.text C:\Windows\explorer.exe[1828] SHELL32.dll!SHFileOperationW 76B58B3D 5 Bytes JMP 10001102 C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerHook.dll
.text C:\Program Files\PeerBlock\peerblock.exe[2624] kernel32.dll!SetUnhandledExceptionFilter 7763D177 5 Bytes JMP 0043F0C0 C:\Program Files\PeerBlock\peerblock.exe (PeerBlock/PeerBlock, LLC)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] ntdll.dll!LdrLoadDll 77A7EB00 5 Bytes JMP 013913F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] ntdll.dll!NtProtectVirtualMemory 77AAFD74 5 Bytes JMP 0080000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] ntdll.dll!NtWriteVirtualMemory 77AB06F4 5 Bytes JMP 0081000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] ntdll.dll!KiUserExceptionDispatcher 77AB0E88 5 Bytes JMP 002F000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84EEA1F8
Device \FileSystem\fastfat \FatCdrom 870471F8
Device \Driver\netbt \Device\NetBT_Tcpip_{E03CE7EB-1007-4CE9-8BF6-295308E39B9F} 8699A500
Device \Driver\volmgr \Device\VolMgrControl 84EE71F8
Device \Driver\PCI_PNP4135 \Device\00000043 spxc.sys
Device \Driver\usbohci \Device\USBPDO-0 85DFA1F8
Device \Driver\usbohci \Device\USBPDO-1 85DFA1F8
Device \Driver\usbohci \Device\USBPDO-2 85DFA1F8
Device \Driver\usbohci \Device\USBPDO-3 85DFA1F8
Device \Driver\usbohci \Device\USBPDO-4 85DFA1F8
Device \Driver\usbehci \Device\USBPDO-5 85E743D0
Device \Driver\sptd \Device\3259670141 spxc.sys
Device \Driver\volmgr \Device\HarddiskVolume1 84EE71F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 85CAE500
Device \Driver\cdrom \Device\CdRom1 85CAE500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84EE91F8
Device \Driver\atapi \Device\Ide\IdePort0 84EE91F8
Device \Driver\atapi \Device\Ide\IdePort1 84EE91F8
Device \Driver\atapi \Device\Ide\IdePort2 84EE91F8
Device \Driver\atapi \Device\Ide\IdePort3 84EE91F8
Device \Driver\netbt \Device\NetBT_Tcpip_{5FC68593-FE15-4D56-97DC-063685F56039} 8699A500
Device \Driver\netbt \Device\NetBt_Wins_Export 8699A500
Device \Driver\Smb \Device\NetbiosSmb 869B4500
Device \Driver\iScsiPrt \Device\RaidPort0 85DFE1F8
Device \Driver\usbohci \Device\USBFDO-0 85DFA1F8
Device \Driver\usbohci \Device\USBFDO-1 85DFA1F8
Device \Driver\usbohci \Device\USBFDO-2 85DFA1F8
Device \Driver\usbohci \Device\USBFDO-3 85DFA1F8
Device \Driver\usbohci \Device\USBFDO-4 85DFA1F8
Device \Driver\usbehci \Device\USBFDO-5 85E743D0
Device \Driver\a4hj1lfg \Device\Scsi\a4hj1lfg1Port5Path0Target0Lun0 85E7A1F8
Device \Driver\a4hj1lfg \Device\Scsi\a4hj1lfg1 85E7A1F8
Device \FileSystem\fastfat \Fat 870471F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 8708E1F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 84FD1EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8C 0x76 0x88 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9D 0x74 0x04 0x8D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xED 0x90 0x84 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8C 0x76 0x88 0xF9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9D 0x74 0x04 0x8D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xED 0x90 0x84 0x42 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\ndis.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Edited by SifuMike, 26 September 2010 - 02:07 PM.
added GMER log
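The GMER log above is the part of this post that actually shows the rootkit: user-mode hooks in svchost.exe and Explorer whose JMP targets are followed by no module path, the `Device -> \Driver\atapi \Device\Harddisk0\DR0` line marking a redirected disk device object, and the "suspicious modification" verdicts on atapi.sys and ndis.sys. The following is an added example, not part of the thread and not GMER's own code, that turns those observations into explicit triage rules over the log's own lines. Rule names, severities and the regular expressions are assumptions made for this example. Two caveats are built in: a hook that GMER attributes to a named module (Unlocker, PeerBlock, Firefox hooking itself) is reported as informational rather than suspicious, and the `spxc.sys` / random-named `.SYS` entries are rated low, since the registry section of the same log ties `sptd` to the DAEMON Tools Lite install and such disc-emulation drivers routinely produce GMER noise that has to be correlated rather than assumed malicious.

```python
"""Triage rules for a GMER rootkit-scan log in the format posted at the top of
this thread.  Added example: not part of the thread and not GMER's own code.
Rule names, severities and the regular expressions are assumptions made for
this example; the sample lines are copied from the log above."""
import re

# User-mode inline hook inside a process, e.g.
#   .text C:\Windows\system32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 77AAFD74 5 Bytes JMP 0028000A
# When GMER prints a module path after the JMP target, a loaded DLL owns the
# hook; when nothing follows, the target lies in memory no module accounts for.
USER_HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-F]+)(?:\s+(?P<module>.+))?$")
# Kernel-mode inline hook of an exported driver routine
KERNEL_HOOK = re.compile(
    r"^\.text\s+(?P<func>\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]+)$")
# Raw code bytes dumped from a driver's .text section (no symbol available)
SECTION_DUMP = re.compile(r"^\.text\s+(?P<driver>\S+\.SYS)\s+[0-9A-F]+\s+\d+ Bytes\s+\[",
                          re.IGNORECASE)
# Device object whose driver dispatch was redirected (GMER's "->" marker)
DEVICE_REDIR = re.compile(r"^Device -> (?P<driver>\S+) (?P<device>\S+) (?P<target>[0-9A-F]+)$")
FILE_MOD = re.compile(r"^File (?P<path>.+?) suspicious modification$")
# Driver registered in the kernel whose image is not on disk under that name
MISSING_DRV = re.compile(r"^\? (?P<path>\S+) The system cannot find the path specified")


def triage_gmer_line(line):
    """Return (severity, rule, detail) for a notable line, or None."""
    line = line.rstrip()
    m = USER_HOOK.match(line)
    if m:
        if m.group("module") is None:
            return ("high", "unbacked-usermode-hook",
                    f'{m.group("proc")} {m.group("func")} -> {m.group("target")}')
        return ("info", "module-backed-hook",
                f'{m.group("proc")} {m.group("func")} -> {m.group("module")}')
    m = DEVICE_REDIR.match(line)
    if m:
        return ("high", "device-object-redirected",
                f'{m.group("driver")} {m.group("device")} -> {m.group("target")}')
    m = FILE_MOD.match(line)
    if m:
        return ("high", "driver-file-modified", m.group("path"))
    m = KERNEL_HOOK.match(line)
    if m:
        return ("medium", "kernel-inline-hook", f'{m.group("func")} -> {m.group("target")}')
    m = SECTION_DUMP.match(line)
    if m:
        # Random-looking driver names need correlation (disc emulators create them too)
        return ("low", "unnamed-driver-code", m.group("driver"))
    m = MISSING_DRV.match(line)
    if m:
        return ("low", "driver-image-missing", m.group("path"))
    return None


def triage_gmer_log(text):
    """All notable lines of a log, in file order."""
    return [h for h in (triage_gmer_line(ln) for ln in text.splitlines()) if h]


SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def highest_severity(hits):
    return max((h[0] for h in hits), key=SEVERITY_RANK.get, default=None)


# Sample copied from the GMER log in post #1 (subset of its lines)
SAMPLE_GMER = r"""
? System32\Drivers\spxc.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8E87DFEB 5 Bytes JMP 85DF41D8
.text a4hj1lfg.SYS 8ED95000 22 Bytes [1A, 72, FA, 81, 04, 71, FA, ...]
.text C:\Windows\system32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 77AAFD74 5 Bytes JMP 0028000A
.text C:\Windows\Explorer.EXE[1676] SHELL32.dll!SHFileOperationW 76B58B3D 5 Bytes JMP 10001102 C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerHook.dll
Device \Driver\atapi \Device\Ide\IdePort0 84EE91F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 84FD1EC5
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    for sev, rule, detail in triage_gmer_log(SAMPLE_GMER):
        print(f"[{sev:6}] {rule}: {detail}")
    print("overall:", highest_severity(triage_gmer_log(SAMPLE_GMER)))
```

Run as a script it lists the seven notable lines of the sample and reports an overall severity of `high`; the ordinary `Device \Driver\atapi \Device\Ide\IdePort0` line produces nothing, which is the point of keying on GMER's `->` marker rather than on the driver name.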




#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 26 September 2010 - 01:57 PM

Hello Shkaler,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

************

Download CKScanner from here

Save it to your desktop. <=== IMPORTANT

Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify that the file is saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


************


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

************

I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.


A new version of HijackThis has been released, Trend Micro HijackThis v2.0.4

Please download and install the new version of Hijackthis
Make sure you downloaded the EXECUTABLE version rather than the INSTALLER version.

Please post a fresh Hijackthis log.

Edited by SifuMike, 26 September 2010 - 02:04 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Shkaler

Shkaler
  • Topic Starter

  • Members
  • 12 posts

Posted 28 September 2010 - 11:15 AM

Hello SifuMike!

Thanks so much for helping me out. I really appreciate it!

*****************************************************
This is the Security Check Log

Results of screen317's Security Check version 0.99.5
Windows Vista (UAC is disabled!)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Adobe Flash Player 10.1.82.76
Mozilla Firefox (3.6.10) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Andrew Desktop Anti Virus and Maintenance Unlocker\UnlockerAssistant.exe
Andrew Desktop Virus Stuff SecurityCheck.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
***********************************************

This is the CKScanner Log

CKScanner - Additional Security Risks - These are not necessarily bad
c:\steam\steamapps\common\empire total war\data\ui\campaign ui\pips\military-crackdown-repression.tga
c:\steam\steamapps\common\sid meier's civilization iv beyond the sword\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\shadow_wall_2_cracked.dds
c:\steam\steamapps\common\sid meier's civilization iv beyond the sword\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\wall_2_cracked.nif
c:\steam\steamapps\common\sid meier's civilization iv beyond the sword\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\wall_2_cracked_diff.dds
scanner sequence 3.CA.11
----- EOF -----
************************************************

This is Malwarebytes' Anti-Malware

Trying to run Malwarebytes' Anti-Malware causes my computer to go to a blue screen. I tried this a couple times but it was too fast for me to write down what it said. There were two different screen errors; the first one said something about IRAQ_Less_then_greater or something similar.

************************************************

MSCONFIG

I put a check beside all my MSCONFIG startup programs.

************************************************

This is the HijackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:11:12 AM, on 28/09/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\shell.exe
C:\Users\Andrew\AppData\Roaming\Microsoft\svchost.exe
C:\Users\Andrew\AppData\Local\Temp\dwm.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Steam\Steam.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Windows\System32\rundll32.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Andrew\Desktop\Virus Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Andrew\AppData\Local\Temp\dwm.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "c:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [ssttrrsys] rundll32.exe "byyvut.dll",s
O4 - HKLM\..\Run: [svchost] C:\Users\Andrew\AppData\Roaming\Microsoft\svchost.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [wvtstrsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ASH24SXZ9S] C:\Windows\TEMP\Ybq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ljkjjhsys] rundll32.exe "byyvut.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SMH2B46TDP] C:\Windows\TEMP\Ybv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ASH24SXZ9S] C:\Windows\TEMP\Ybq.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe -update activex (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FC68593-FE15-4D56-97DC-063685F56039}: NameServer = 93.188.162.87,93.188.161.227
O17 - HKLM\System\CCS\Services\Tcpip\..\{E03CE7EB-1007-4CE9-8BF6-295308E39B9F}: NameServer = 93.188.162.87,93.188.161.227
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.87,93.188.161.227
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.87,93.188.161.227
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6065 bytes




#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 September 2010 - 05:37 PM

Hello Shkaler,

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

QUOTE
How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Please boot into Safe Mode, select Hijackthis and click "Scan." Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
F3 - REG:win.ini: load=C:\Users\Andrew\AppData\Local\Temp\dwm.exe
O4 - HKLM\..\Run: [ssttrrsys] rundll32.exe "byyvut.dll",s
O4 - HKCU\..\Run: [wvtstrsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-18\..\Run: [ASH24SXZ9S] C:\Windows\TEMP\Ybq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ljkjjhsys] rundll32.exe "byyvut.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SMH2B46TDP] C:\Windows\TEMP\Ybv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ASH24SXZ9S] C:\Windows\TEMP\Ybq.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FC68593-FE15-4D56-97DC-063685F56039}: NameServer = 93.188.162.87,93.188.161.227
O17 - HKLM\System\CCS\Services\Tcpip\..\{E03CE7EB-1007-4CE9-8BF6-295308E39B9F}: NameServer = 93.188.162.87,93.188.161.227
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.87,93.188.161.227
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.87,93.188.161.227


Close all browsers and other windows except for HijackThis, and click "Fix checked"

*************

Make sure Firefox and Internet Explorer browsers are closed before running OTM.

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  2. Double click the OTM.exe icon on your desktop.
  3. Paste the following code under the (Paste Instructions for Items to be Moved) area. Do not include the word "Code".
    CODE
    :files
    C:\Users\Andrew\AppData\Local\Temp\dwm.exe
    C:\Windows\system32\byyvut.dll
    C:\Windows\TEMP\Ybq.exe
    C:\Windows\TEMP\Ybv.exe
    :commands
    [EmptyTemp]
    [Reboot]
  4. Click the large (MoveIT!) button.
  5. Copy/Paste the contents under the (Results) line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

*************

Reboot your computer,

Now see if you can update and run Malwarebytes.
If so, then post the Malwarebytes log. If not, then let me know.


Post a new Hijackthis log, OTM log, Malwarebytes log and tell me how your computer is running.
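The "Fix checked" list in the post above is a manual triage of the HijackThis log from post #3: a browser proxy pointing at 127.0.0.1, a win.ini `load=` entry, `rundll32.exe "byyvut.dll",s` autoruns that load a DLL by bare name, executables launched from `C:\Windows\TEMP`, and O17 NameServer values that replace the machine's resolvers. The following is an added example, not part of the thread and not HijackThis' own code, that encodes those same judgements as explicit rules so the flagged entries can be picked out of an HJT log mechanically and benign entries (Steam, Security Essentials, the hosts-file line) pass through. The rule names, the public-resolver allow-list and the set of system binary names are assumptions made for this example; private and loopback resolvers are treated as expected because a home router normally supplies one. It also flags a case the fix list already covers implicitly: a binary named `svchost.exe` running from a user profile rather than from `%SystemRoot%\System32`. The sample lines are copied from the logs in this thread.

```python
"""Triage rules for HijackThis (HJT) log lines.  Added example: not part of
the thread and not HijackThis' own code.  It turns the reasoning behind the
"Fix checked" list in the post above into explicit checks.  Rule names, the
resolver allow-list and the set of impersonated system binaries are
assumptions made for this example; sample lines are copied from the logs in
this thread."""
import ipaddress
import re

# Public resolvers the machine is allowed to use (assumption for the example).
# Private and loopback addresses (home router, ISP CPE) are treated as expected.
ALLOWED_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
# Names that only belong under %SystemRoot% or %SystemRoot%\System32
SYSTEM_BINARIES = {"svchost.exe", "dwm.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32\\)?[^\\]+$", re.IGNORECASE)
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"\s]+\.exe)', re.IGNORECASE)
# rundll32 given a DLL name with no directory: the loader's search path decides
BARE_DLL = re.compile(r'^rundll32\.exe\s+"?[^\\"]+\.dll"?', re.IGNORECASE)


def _expected_resolver(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or ip in ALLOWED_PUBLIC_RESOLVERS


def triage_line(line):
    """Return a list of (rule, detail) findings for one HJT log line."""
    findings = []
    line = line.strip()
    kind = line.split(" - ", 1)[0]

    if kind == "O17":
        # DNS servers written into the Tcpip parameters; any resolver outside
        # the expected set sends every name lookup somewhere else
        m = re.search(r"NameServer = (.+)$", line)
        for ip in (m.group(1).split(",") if m else []):
            ip = ip.strip()
            if not _expected_resolver(ip):
                findings.append(("dns-hijack", f"unexpected resolver {ip}"))

    elif kind == "R1" and "ProxyServer" in line:
        # A proxy on 127.0.0.1 routes the browser through a local process,
        # which matches the link redirection described in post #1
        m = re.search(r"=\s*(?:http=)?([\d.]+):(\d+)", line)
        if m and m.group(1) == "127.0.0.1":
            findings.append(("local-proxy", f"browser proxied through localhost:{m.group(2)}"))

    elif kind == "O4":
        # Autorun entries: drop the "[name]" prefix and trailing "(User '...')"
        m = re.search(r"\]\s*(.*?)(?:\s+\(User '[^']*'\))?$", line)
        cmd = m.group(1) if m else ""
        if BARE_DLL.match(cmd):
            findings.append(("rundll32-bare-dll", cmd))
        if TEMP_DIR.search(cmd):
            findings.append(("autorun-from-temp", cmd))
        p = EXE_PATH.search(cmd)
        if p:
            path = p.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARIES and not WINDOWS_DIR.match(path):
                findings.append(("system-name-outside-windows", path))

    elif kind == "F3" and "load=" in line:
        # win.ini "load=" is a legacy autostart that should be empty on Vista
        findings.append(("winini-load", line.split("load=", 1)[1]))

    return findings


def triage_log(text):
    """Map each flagged line to its findings; lines with none are omitted."""
    out = {}
    for ln in text.splitlines():
        f = triage_line(ln)
        if f:
            out[ln.strip()] = f
    return out


# Sample copied from the HijackThis logs in this thread (subset of lines)
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
F3 - REG:win.ini: load=C:\Users\Andrew\AppData\Local\Temp\dwm.exe
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [ssttrrsys] rundll32.exe "byyvut.dll",s
O4 - HKLM\..\Run: [svchost] C:\Users\Andrew\AppData\Roaming\Microsoft\svchost.exe
O4 - HKCU\..\Run: [Steam] "C:\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [ASH24SXZ9S] C:\Windows\TEMP\Ybq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ljkjjhsys] rundll32.exe "byyvut.dll",s (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.87,93.188.161.227
"""

if __name__ == "__main__":
    for entry, found in triage_log(SAMPLE_HJT).items():
        for rule, detail in found:
            print(f"{rule:28} {detail}")
```

Of the ten sample lines, seven produce findings and the three benign ones produce none. The O17 rule is deliberately an allow-list rather than a block-list: a new rogue resolver address is as easy to spot as the two on this page, whereas a block-list of known-bad ranges would be stale the moment the operators moved.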

#5 Shkaler

Shkaler
  • Topic Starter

  • Members
  • 12 posts

Posted 29 September 2010 - 07:16 PM

Hi SifuMike!

I did what you asked me to do this morning but I didn't get around to posting it before I had to go to work. I'm going to give you a more recent log.

I ran OTM when it finally managed to work (explained below) and then ran HijackThis.

************************
Windows Defender and Malwarebytes

Windows Defender won't let me access it and crashes with a blue screen. I got an error I could write down quickly this time. "PAGE_FAULT_IN_UNPAGED_AREA"
Malwarebytes still won't load and, when clicked a couple times, gives me a blue screen with no error message.

************************
HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:51:03 PM, on 29/09/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Users\Andrew\Desktop\Virus Stuff\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "c:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [xxvwtrsys] rundll32.exe "byyvut.dll",s
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [OTM] "C:\Users\Andrew\Desktop\Virus Stuff\OTM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [hggdbxsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Ajoqeyamol] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ajoqeyamol] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll",Startup (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4582 bytes

************************
OTM
Running the code you gave me makes my desktop and all programs disappear and I'm unable to do anything besides Ctrl+Alt+Del and then restart. It did this to me several times but for some reason it worked and finally completed the process. It's posted below.


All processes killed
========== FILES ==========
File/Folder C:\Users\Andrew\AppData\Local\Temp\dwm.exe not found.
DllUnregisterServer procedure not found in C:\Windows\system32\byyvut.dll
C:\Windows\system32\byyvut.dll moved successfully.
File/Folder C:\Windows\TEMP\Ybq.exe not found.
File/Folder C:\Windows\TEMP\Ybv.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 8294317 bytes
->Temporary Internet Files folder emptied: 1522566 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 44872140 bytes
->Flash cache emptied: 30189 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2259194420 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21187523 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 13240211 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 20194 bytes
RecycleBin emptied: 215736242 bytes

Total Files Cleaned = 2,445.00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 09292010_164029



#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 September 2010 - 08:53 PM

Hi Shkaler,

You posted a Hijackthis log run from the Safe mode with network support, and it does not show all the processes when run that way.


Please post a Hijackthis log run from the Normal Mode.


#7 Shkaler

Shkaler
  • Topic Starter

  • Members
  • 12 posts

Posted 29 September 2010 - 09:14 PM

Sorry!




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:14:01 PM, on 29/09/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Steam\Steam.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Windows\System32\rundll32.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Explorer.exe
C:\Users\Andrew\Desktop\Virus Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "c:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [xxvwtrsys] rundll32.exe "byyvut.dll",s
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [hggdbxsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Ajoqeyamol] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ajoqeyamol] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll",Startup (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5038 bytes


#8 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 September 2010 - 09:50 PM

Hello Shkaler,

Looks better, but still some items to remove.

Uninstall Windows Defender. We can reinstall it when we're done with malware removal.

QUOTE
How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Please boot into Safe Mode, select Hijackthis and click "Scan." Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
O4 - HKLM\..\Run: [xxvwtrsys] rundll32.exe "byyvut.dll",s
O4 - HKCU\..\Run: [hggdbxsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-18\..\Run: [Ajoqeyamol] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ajoqeyamol] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll",Startup (User 'Default user')


Close all browsers and other windows except for HijackThis, and click "Fix checked"

Reboot your computer.

*************

Make sure Firefox and Internet Explorer browsers are closed before running OTM.
  1. Double click the OTM.exe icon on your desktop.
  2. Paste the following code under the (Paste Instructions for Items to be Moved) area. Do not include the word "Code".
    CODE
    :files
    C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll
    :commands
    [EmptyTemp]
    [Reboot]
  3. Click the large (MoveIT!) button.
  4. Copy/Paste the contents under the (Results) line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

*************

Reboot your computer.

Now see if you can update and run Malwarebytes.
If so, then post the Malwarebytes log.


Post a new Hijackthis log, OTM log, Malwarebytes log and tell me how your computer is running.

Edited by SifuMike, 29 September 2010 - 10:06 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

#9 Shkaler
  • Topic Starter
  • Members
  • 12 posts

Posted 01 October 2010 - 11:42 AM

Gotta post this quick before work!

**************************
OTM

All processes killed
========== FILES ==========
DllUnregisterServer procedure not found in C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll
C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew
->Temp folder emptied: 504478 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 45251746 bytes
->Flash cache emptied: 1043 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 505574920 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 597414 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 5181 bytes

Total Files Cleaned = 526.00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 10012010_092811

Files moved on Reboot...

Registry entries deleted on Reboot...

*************************************

HijackThis


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:42:39 AM, on 01/10/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Steam\Steam.exe
C:\Program Files\PeerBlock\peerblock.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Andrew\Desktop\Virus Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "c:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [efcbxusys] rundll32.exe "byyvut.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [iihiffsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [xxvtuusys] rundll32.exe "byyvut.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [xxvtuusys] rundll32.exe "byyvut.dll",s (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4786 bytes
************************
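
As an added example (not a tool from this thread, from BleepingComputer, or from the HijackThis project), the script below applies the same reasoning SifuMike used when he picked the entries to fix: a Run value that launches rundll32 with a bare DLL name or with a DLL under a profile directory, a browser proxy pointing at 127.0.0.1, and an orphaned BHO. It also compares the 29 September and 1 October scans keyed on the command rather than on the Run value name, which is what makes the renamed entries (xxvwtrsys to efcbxusys, and so on) show up as the same payload coming back. The sample log lines are constructed by abridging the two logs posted above; the heuristics, regexes and function names are this example's own assumptions.

```python
"""Flag suspicious HijackThis (HJT) log entries and compare two scans.

Added example for this thread, not a BleepingComputer or HijackThis tool.
Sample lines are constructed by abridging the logs posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: abridged 29 Sep scan (the entries marked for "Fix checked")
HJT_LOG_A = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [xxvwtrsys] rundll32.exe "byyvut.dll",s
O4 - HKCU\..\Run: [hggdbxsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-18\..\Run: [Ajoqeyamol] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\KBDANO.dll",Startup (User 'SYSTEM')
"""

# Constructed sample: abridged 1 Oct scan, after the HJT fix and the OTM run
HJT_LOG_B = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [efcbxusys] rundll32.exe "byyvut.dll",s
O4 - HKCU\..\Run: [iihiffsys] rundll32.exe "byyvut.dll",s
O4 - HKUS\S-1-5-18\..\Run: [xxvtuusys] rundll32.exe "byyvut.dll",s (User 'SYSTEM')
"""

# HJT line shapes used here (assumed from the logs above, not an official grammar)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .* - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^(?:\S*\\)?rundll32(?:\.exe)?\s+"?([^",]+)"?,', re.IGNORECASE)
# Directories an ordinary user (or malware running as one) can write to
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|temp|users\\[^\\]+)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    line: str
    reason: str


def analyze(log: str) -> list[Finding]:
    """Return review-worthy entries; bare-name rundll32 loads include some
    legitimate entries, so findings are for review, not automatic removal."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := R1_PROXY_RE.match(line)):
            if re.search(r"127\.0\.0\.1|localhost", m["proxy"], re.IGNORECASE):
                findings.append(Finding("high", line,
                    "browser proxy points at this machine; a local process relays all web traffic"))
        elif (m := O2_RE.match(line)):
            if m["path"].lower() == "(no file)":
                findings.append(Finding("low", line, "BHO registration whose DLL is gone (orphan)"))
        elif (m := O4_RE.match(line)):
            r = RUNDLL_RE.match(m["cmd"])
            if not r:
                continue
            dll = r.group(1)
            if "\\" not in dll:
                findings.append(Finding("high", line,
                    f"rundll32 loads '{dll}' by bare name via the DLL search order, not a fixed path"))
            elif USER_WRITABLE_RE.search(dll):
                findings.append(Finding("high", line,
                    f"rundll32 loads '{dll}' from a user-writable profile directory"))
    return findings


def _norm_cmd(cmd: str) -> str:
    """Drop HJT's trailing (User '...') tag and case so commands compare equal."""
    return re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip().lower()


def run_entries(log: str) -> dict[str, set[str]]:
    """Map normalised Run command -> set of Run value names that launch it."""
    out: dict[str, set[str]] = {}
    for line in log.splitlines():
        if (m := O4_RE.match(line.strip())):
            out.setdefault(_norm_cmd(m["cmd"]), set()).add(m["name"])
    return out


def persistence_diff(log_a: str, log_b: str) -> tuple[list[str], list[str], list[str]]:
    """Compare two scans by command: (removed, survived, survived under new names)."""
    a, b = run_entries(log_a), run_entries(log_b)
    removed = sorted(set(a) - set(b))
    survived = sorted(set(a) & set(b))
    renamed = sorted(c for c in survived if a[c] != b[c])
    return removed, survived, renamed


if __name__ == "__main__":
    for label, log in (("29 Sep", HJT_LOG_A), ("01 Oct", HJT_LOG_B)):
        print(f"== {label} ==")
        for f in analyze(log):
            print(f"[{f.severity}] {f.reason}\n    {f.line}")
    removed, survived, renamed = persistence_diff(HJT_LOG_A, HJT_LOG_B)
    print("removed:", removed)
    print("came back under new Run names:", renamed)
```

Running it on the two constructed samples reports the KBDANO.dll entry as removed (OTM moved the file) and the `rundll32.exe "byyvut.dll",s` command as surviving under three fresh value names, which is the signal for "the infection is reinstalling itself" that a by-name comparison of the two logs would miss.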

#10 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 October 2010 - 11:49 AM

Hi Shkaler,

Looks like the infection is reinstalling itself.

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Microsoft Security Essentials and Windows Defender before running ComboFix, as they will prevent it from running.

To disable Microsoft Security Essentials:
Open the application (click the icon in the task-bar, find it from the start menu or navigate to C:\Program Files\Microsoft Security Essentials\msseces.exe)
From the control panel, go to the ‘Settings’ tab
Un-tick the ‘Turn on real-time protection’ checkbox and Microsoft Security Essentials is now disabled

To disable Windows Defender Real-time Protection:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. The log will be saved as C:\ComboFix.txt

Edited by SifuMike, 01 October 2010 - 11:51 AM.


#11 Shkaler
  • Topic Starter
  • Members
  • 12 posts

Posted 02 October 2010 - 05:34 PM

Phew, that was quite a ride...
I was in the middle of a scan with Combofix when the power went out for a second.
I turned my computer back on only to find out some....very important file in explorer couldn't be found. The result was me having no desktop. I went through the Task Manager to get to my system restore point to hopefully put everything back in its proper place.
Then I ran Combofix (I hope it's ok running it a second time if I used a system restore point O_O)

I saved the Combofix log to the desktop and restarted the computer only to find out the log was empty. It was not empty when I saved it >_>

Is there some way to get another log or something? Can I run combofix again? (I know you said not to but I don't know what else to do)

#12 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 October 2010 - 05:39 PM

If there is no log then it did not complete.

Follow the directions and run ComboFix again.
Disable your Microsoft Security Essentials and Windows Defender before running ComboFix, as they will prevent it from running.

Edited by SifuMike, 02 October 2010 - 09:29 PM.


#13 Shkaler
  • Topic Starter
  • Members
  • 12 posts

Posted 04 October 2010 - 11:45 AM

ok! got it!

I'm sorry this is taking so long. Working sucks >_>

********************************************

ComboFix 10-10-03.03 - Andrew 04/10/2010 9:22.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.2.1033.18.3326.2402 [GMT -7:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-09-04 to 2010-10-04 )))))))))))))))))))))))))))))))
.

2010-10-04 16:31 . 2010-10-04 16:31 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F143EE06-B46A-4051-A5C0-DA8B272DF629}\MpKsl50e0817e.sys
2010-10-04 16:29 . 2010-10-04 16:33 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2010-10-04 16:29 . 2010-10-04 16:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-10-04 16:29 . 2010-10-04 16:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-04 16:16 . 2010-10-04 16:17 -------- d-----w- C:\32788R22FWJFW
2010-10-02 16:29 . 2010-10-02 16:29 -------- d-----w- c:\users\Andrew\AppData\Local\VirtualStore
2010-10-02 05:38 . 2010-10-02 16:11 -------- d-----w- c:\users\Andrew\AppData\Local\Temp(65)
2010-10-01 23:12 . 2010-10-01 23:12 680 ----a-w- c:\users\Andrew\AppData\Local\d3d9caps.dat
2010-09-30 00:12 . 2010-09-30 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-29 16:01 . 2010-09-29 16:01 -------- d-----w- C:\_OTM
2010-09-29 15:17 . 2010-09-29 15:17 120 ----a-w- c:\users\Andrew\AppData\Local\Qqewameteqariwit.dat
2010-09-29 15:17 . 2010-09-29 15:17 0 ----a-w- c:\users\Andrew\AppData\Local\Lzijakezakoboxag.bin
2010-09-28 16:18 . 2010-09-28 16:18 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2010-09-28 15:47 . 2010-09-28 15:47 -------- d-----w- c:\programdata\Malwarebytes
2010-09-27 04:14 . 2010-09-27 04:14 -------- d-----w- c:\users\Andrew\AppData\Roaming\ATI
2010-09-27 04:14 . 2010-09-27 04:14 -------- d-----w- c:\users\Andrew\AppData\Local\ATI
2010-09-27 04:14 . 2010-09-27 04:14 -------- d-----w- c:\programdata\ATI
2010-09-26 00:47 . 2010-09-26 00:49 -------- d-----w- c:\program files\ATI
2010-09-26 00:46 . 2010-09-26 00:49 -------- d-----w- c:\program files\ATI Technologies
2010-09-26 00:35 . 2010-09-26 00:35 -------- d-----w- c:\users\Andrew\AppData\Local\My Games
2010-09-25 06:14 . 2010-09-25 06:14 -------- d-----w- c:\users\Andrew\AppData\Local\Mozilla(64)
2010-09-25 01:24 . 2010-10-02 16:30 25592 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-24 22:22 . 2010-09-25 07:32 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-19 04:19 . 2010-09-24 02:19 -------- d-----w- c:\users\Andrew\AppData\Roaming\Mount&Blade Warband
2010-09-17 15:49 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-09-17 15:49 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-09-17 15:48 . 2010-10-02 16:27 -------- d-----w- c:\program files\Mount&Blade Warband
2010-09-16 23:18 . 2010-09-16 23:18 -------- d-----w- c:\programdata\Stardock
2010-09-16 23:17 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-09-16 23:17 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2010-09-16 23:17 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-09-16 23:17 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-09-16 23:17 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-09-16 23:17 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-09-16 23:17 . 2009-03-16 21:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-09-16 23:17 . 2008-10-15 13:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-09-16 23:17 . 2008-10-15 13:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-09-16 23:16 . 2008-10-15 13:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-09-16 22:55 . 2010-10-02 16:27 -------- d-----w- c:\program files\Stardock Entertainment
2010-09-16 22:12 . 2010-10-02 16:27 -------- d-----w- c:\program files\Mount.and.Blade.Warband-SKIDROW
2010-09-16 16:30 . 2010-10-02 16:27 -------- d-----w- C:\Elemental.War.of.Magic
2010-09-16 16:28 . 2010-09-16 16:28 -------- d-----w- c:\users\Andrew\AppData\Roaming\The Creative Assembly
2010-09-16 16:24 . 2010-10-02 05:18 -------- d-----w- c:\program files\PeerBlock
2010-09-16 07:05 . 2008-05-30 21:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2010-09-16 07:04 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-09-15 04:16 . 2010-09-15 04:16 -------- d-----w- c:\windows\Sun
2010-09-15 03:57 . 2010-09-15 05:20 285 ----a-w- c:\windows\EReg072.dat
2010-09-15 03:57 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-09-15 03:57 . 1998-09-02 08:28 155408 ----a-w- c:\windows\system32\LMRT.dll
2010-09-15 03:57 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2010-09-15 03:57 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2010-09-15 03:57 . 1998-08-20 10:38 217984 ----a-w- c:\windows\system32\strmdll.dll
2010-09-15 03:57 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll
2010-09-15 03:57 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2010-09-15 03:57 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2010-09-15 03:57 . 2010-09-15 03:57 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-09-15 03:57 . 2010-09-15 03:57 2272 ----a-w- c:\windows\system32\w95inf16.dll
2010-09-15 03:31 . 2010-09-15 05:21 -------- d-----w- c:\program files\SS2
2010-09-15 03:31 . 1998-10-03 02:00 327168 ----a-w- c:\windows\IsUninst.exe
2010-09-15 03:19 . 2010-09-15 03:19 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-09-15 03:19 . 2010-09-15 03:19 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-09-12 05:15 . 2010-09-29 00:49 -------- d-----w- c:\users\Andrew\Tracing
2010-09-12 05:09 . 2010-09-12 05:09 -------- d-----w- c:\program files\Microsoft
2010-09-12 05:08 . 2010-09-12 05:08 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-09-12 05:08 . 2010-09-12 05:10 -------- d-----w- c:\program files\Windows Live
2010-09-12 05:08 . 2010-09-12 05:08 -------- d-----w- c:\windows\PCHEALTH
2010-09-09 02:41 . 2006-12-20 06:03 229888 ----a-w- c:\windows\system32\msshsq.dll
2010-09-07 03:30 . 2009-08-24 12:47 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-09-07 03:30 . 2008-02-29 06:51 19000 ----a-w- c:\windows\system32\kd1394.dll
2010-09-07 03:30 . 2008-02-29 06:39 371712 ----a-w- c:\windows\system32\srcore.dll
2010-09-07 03:30 . 2008-02-29 06:38 313856 ----a-w- c:\windows\system32\rstrui.exe
2010-09-07 03:30 . 2008-02-19 05:10 620088 ----a-w- c:\windows\system32\ci.dll
2010-09-07 03:30 . 2008-02-14 23:19 944184 ----a-w- c:\windows\system32\winload.exe
2010-09-07 03:30 . 2008-02-29 06:39 40960 ----a-w- c:\windows\system32\srclient.dll
2010-09-07 03:30 . 2008-02-29 06:38 16384 ----a-w- c:\windows\system32\srdelayed.exe
2010-09-07 03:29 . 2008-04-19 08:13 268800 ----a-w- c:\windows\system32\es.dll
2010-09-06 08:01 . 2010-09-06 06:14 4152184 ----a-w- c:\windows\system32\wgaer_m.exe
2010-09-06 06:02 . 2008-06-20 01:17 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-09-06 06:02 . 2008-06-20 01:18 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-09-06 06:02 . 2008-06-20 01:18 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-06 06:02 . 2008-06-20 01:17 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-09-06 06:02 . 2008-06-20 01:17 11264 ----a-w- c:\windows\system32\icardres.dll
2010-09-06 06:02 . 2008-06-20 01:18 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-09-06 06:02 . 2008-06-20 01:18 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-06 05:57 . 2008-07-27 18:00 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-09-06 05:57 . 2008-07-27 18:00 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-09-06 05:57 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-06 05:57 . 2008-07-27 18:00 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-09-06 05:57 . 2008-07-27 18:00 83968 ----a-w- c:\windows\system32\mscories.dll
2010-09-06 05:55 . 2010-02-20 23:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-09-06 05:55 . 2010-02-20 23:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-09-06 05:55 . 2010-02-20 21:30 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-09-06 05:53 . 2009-07-11 19:32 502272 ----a-w- c:\windows\system32\wlansvc.dll
2010-09-06 05:53 . 2009-07-11 19:32 297984 ----a-w- c:\windows\system32\wlansec.dll
2010-09-06 05:53 . 2009-07-11 19:32 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2010-09-06 05:53 . 2009-07-11 19:32 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2010-09-06 05:53 . 2009-07-11 19:32 47104 ----a-w- c:\windows\system32\wlanapi.dll
2010-09-06 05:53 . 2009-07-11 19:26 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2010-09-06 05:52 . 2009-09-10 17:38 216576 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-06 05:52 . 2009-08-28 23:31 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-09-06 05:52 . 2009-08-29 03:41 1686528 ----a-w- c:\windows\system32\gameux.dll
2010-09-06 05:52 . 2009-08-29 03:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-09-06 05:51 . 2008-06-19 03:25 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-09-06 05:51 . 2008-06-19 03:25 272896 ----a-w- c:\windows\system32\polstore.dll
2010-09-06 05:51 . 2008-06-19 03:25 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2010-09-06 05:51 . 2008-06-19 03:25 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2010-09-06 05:51 . 2009-03-03 04:20 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2010-09-06 05:51 . 2009-03-03 04:16 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-09-06 05:51 . 2009-03-03 04:20 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2010-09-06 05:51 . 2009-03-03 04:19 549888 ----a-w- c:\windows\system32\rpcss.dll
2010-09-06 05:51 . 2009-03-03 02:40 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2010-09-06 05:51 . 2009-03-03 01:59 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2010-09-06 05:51 . 2009-03-03 04:19 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2010-09-06 05:51 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-06 05:49 . 2007-06-29 02:22 10240 ----a-w- c:\windows\system32\MUILanguageCleanup.dll
2010-09-06 05:47 . 2007-08-31 02:16 8704 ----a-w- c:\windows\system32\hcrstco.dll
2010-09-06 05:46 . 2008-10-21 05:16 1645568 ----a-w- c:\windows\system32\connect.dll
2010-09-06 05:45 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-09-06 05:43 . 2009-03-17 03:16 14848 ----a-w- c:\windows\system32\apilogen.dll
2010-09-06 05:43 . 2009-03-17 03:16 25600 ----a-w- c:\windows\system32\amxread.dll
2010-09-06 05:42 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-09-06 05:42 . 2007-06-21 02:15 223232 ----a-w- c:\windows\system32\SLC.dll
2010-09-06 05:42 . 2007-06-21 02:12 351232 ----a-w- c:\windows\system32\SLUI.exe
2010-09-06 05:42 . 2007-06-21 02:12 2605568 ----a-w- c:\windows\system32\SLsvc.exe
2010-09-06 05:42 . 2007-06-21 02:15 57856 ----a-w- c:\windows\system32\SLUINotify.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 16:12 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstrng.dat
2010-10-04 16:12 . 2006-11-02 10:25 51200 ----a-w- c:\windows\Inf\infpub.dat
2010-10-02 16:27 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-09-07 03:57 . 2006-11-02 10:25 665600 ----a-w- c:\windows\Inf\drvindex.dat
2010-09-07 03:57 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstor.dat
2010-09-07 03:00 . 2010-09-06 05:19 -------- d-----w- c:\users\Andrew\AppData\Roaming\DAEMON Tools Lite
2010-09-06 08:02 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-09-06 08:01 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-09-06 05:25 . 2010-09-06 05:25 -------- d-----w- c:\users\Andrew\AppData\Roaming\Canneverbe Limited
2010-09-06 05:25 . 2010-09-06 05:25 -------- d-----w- c:\programdata\Canneverbe Limited
2010-09-06 05:20 . 2010-09-06 05:19 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-09-06 04:19 . 2010-09-06 04:19 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-09-06 04:19 . 2010-09-06 04:19 44768 ----a-w- c:\windows\system32\wups2.dll
2010-09-06 04:19 . 2010-09-06 04:19 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-09-06 04:19 . 2010-09-06 04:19 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-08-04 09:21 . 2010-08-04 09:21 6096384 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-08-04 08:55 . 2010-08-04 08:55 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-08-04 08:54 . 2010-08-04 08:54 519680 ----a-w- c:\windows\system32\aticfx32.dll
2010-08-04 08:52 . 2010-08-04 08:52 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-08-04 08:51 . 2010-08-04 08:51 380928 ----a-w- c:\windows\system32\atieclxx.exe
2010-08-04 08:51 . 2010-08-04 08:51 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2010-08-04 08:50 . 2010-08-04 08:50 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-08-04 08:49 . 2010-08-04 08:49 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-08-04 08:49 . 2010-08-04 08:49 15845888 ----a-w- c:\windows\system32\atioglxx.dll
2010-08-04 08:49 . 2010-08-04 08:49 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-08-04 08:49 . 2010-08-04 08:49 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-08-04 08:49 . 2010-08-04 08:49 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-08-04 08:46 . 2010-08-04 08:46 3899392 ----a-w- c:\windows\system32\atidxx32.dll
2010-08-04 08:28 . 2010-08-04 08:28 4021760 ----a-w- c:\windows\system32\atiumdag.dll
2010-08-04 08:26 . 2010-08-04 08:26 46080 ----a-w- c:\windows\system32\aticalrt.dll
2010-08-04 08:25 . 2010-08-04 08:25 44032 ----a-w- c:\windows\system32\aticalcl.dll
2010-08-04 08:24 . 2010-08-04 08:24 4341248 ----a-w- c:\windows\system32\aticaldd.dll
2010-08-04 08:23 . 2010-08-04 08:23 65536 ----a-w- c:\windows\system32\coinst.dll
2010-08-04 08:21 . 2010-08-04 08:21 3324416 ----a-w- c:\windows\system32\atiumdva.dll
2010-08-04 08:16 . 2010-08-04 08:16 241664 ----a-w- c:\windows\system32\atiadlxx.dll
2010-08-04 08:15 . 2010-08-04 08:15 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-08-04 08:15 . 2010-08-04 08:15 16896 ----a-w- c:\windows\system32\atigktxx.dll
2010-08-04 08:15 . 2010-08-04 08:15 214016 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-08-04 08:15 . 2010-08-04 08:15 30208 ----a-w- c:\windows\system32\atiuxpag.dll
2010-08-04 08:14 . 2010-08-04 08:14 27648 ----a-w- c:\windows\system32\atiu9pag.dll
2010-08-04 08:14 . 2010-08-04 08:14 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-08-04 08:14 . 2010-08-04 08:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-08-04 08:09 . 2010-08-04 08:09 52736 ----a-w- c:\windows\system32\atimpc32.dll
2010-08-04 08:09 . 2010-08-04 08:09 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2010-07-22 04:34 . 2010-07-22 04:34 61518 --sh--w- c:\windows\DpiSca.exe
2010-07-22 01:21 . 2010-07-22 01:21 40490118 --sh--w- c:\windows\mb_warband_upgrade_1100_to_1113.exe
.

------- Sigcheck -------

[-] 2006-11-02 09:51 . 9C538DC585D1F9BF915A73E7583D08AA . 500840 . . [------] . . c:\windows\System32\drivers\ndis.sys
[-] 2006-11-02 09:51 . 9C538DC585D1F9BF915A73E7583D08AA . 500840 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6000.16386_none_a59069cb1f23fc44\ndis.sys


c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-12-16 1232896]
"Steam"="c:\steam\Steam.exe" [2010-09-06 1242448]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1529432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"UnlockerAssistant"="c:\users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-09-06 691696]
S1 MpKsl50e0817e;MpKsl50e0817e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F143EE06-B46A-4051-A5C0-DA8B272DF629}\MpKsl50e0817e.sys [2010-10-04 28752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-04 176128]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-04 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-04 214016]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPKSL50E0817E

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-18 c:\windows\Tasks\At1.job
- c:\windows\DpiSca.exe [2010-07-22 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3h1b3cha.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3h1b3cha.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8514CEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x825e4d1f
\Driver\ACPI -> acpi.sys @ 0x802329d6
\Driver\atapi -> ataport.SYS @ 0x807e69c6
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-10-04 09:37:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-04 16:37
ComboFix2.txt 2010-10-02 18:22

Pre-Run: 76,105,338,880 bytes free
Post-Run: 76,077,674,496 bytes free

- - End Of File - - B73E1722F10C39263FD1F36A751B0936

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 October 2010 - 12:11 PM

Hi Shkaler

From the log I can see you ran ComboFix two times. Why did you do that?

I need to see the ComboFix.txt from the first run.

Please copy/paste the log from the first run, located at C:\Qoobox\combofixX.txt where X is a number.
Please post the log with the highest number.

In your case it will be called ComboFix2.txt

Edited by SifuMike, 04 October 2010 - 02:01 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Shkaler

Shkaler
  • Topic Starter

  • Members
  • 12 posts

Posted 05 October 2010 - 01:07 AM

SifuMike. I ran Combofix 2 times because you told me to...

I said the first time I ran it the log didn't save where I told it to save. It was empty.

I ran it the second time when you told me to.

When I saved the log to the desktop the first time, it was empty. I guess the log I'm about to post is the first combofix I ran. I guess it didn't save where I told it to.
************************************************


ComboFix 10-10-01.07 - Andrew 02/10/2010 10:20:30.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.2.1033.18.3326.2441 [GMT -7:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Andrew\AppData\Local\{ED3AD6A3-8CBA-4AA1-85F8-A8839159A7BD}
c:\users\Andrew\AppData\Local\{ED3AD6A3-8CBA-4AA1-85F8-A8839159A7BD}\chrome\content\overlay.xul
c:\users\Andrew\AppData\Local\{ED3AD6A3-8CBA-4AA1-85F8-A8839159A7BD}\install.rdf
c:\windows\System32\config\systemprofile\AppData\Local\{3F39F7D5-9E40-4377-B885-D6E756CCE505}
c:\windows\System32\config\systemprofile\AppData\Local\{3F39F7D5-9E40-4377-B885-D6E756CCE505}\chrome.manifest
c:\windows\System32\config\systemprofile\AppData\Local\{3F39F7D5-9E40-4377-B885-D6E756CCE505}\chrome\content\_cfg.js
c:\windows\System32\config\systemprofile\AppData\Local\{3F39F7D5-9E40-4377-B885-D6E756CCE505}\chrome\content\overlay.xul
c:\windows\System32\config\systemprofile\AppData\Local\{3F39F7D5-9E40-4377-B885-D6E756CCE505}\install.rdf
.
---- Previous Run -------
.
c:\users\Public\Documents\Server\admin.txt
c:\users\Public\Documents\Server\server.dat
c:\windows\system32\byyvut.dll
c:\windows\system32\config\systemprofile\AppData\Local\ewepubitukix.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.

2010-10-02 16:36 . 2010-10-02 16:37 -------- d-----w- C:\32788R22FWJFW
2010-10-02 16:29 . 2010-10-02 16:29 -------- d-----w- c:\users\Andrew\AppData\Local\VirtualStore
2010-10-02 05:38 . 2010-10-02 16:11 -------- d-----w- c:\users\Andrew\AppData\Local\Temp(65)
2010-10-01 23:12 . 2010-10-01 23:12 680 ----a-w- c:\users\Andrew\AppData\Local\d3d9caps.dat
2010-09-30 00:12 . 2010-09-30 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-29 16:01 . 2010-09-29 16:01 -------- d-----w- C:\_OTM
2010-09-29 15:17 . 2010-09-29 15:17 120 ----a-w- c:\users\Andrew\AppData\Local\Qqewameteqariwit.dat
2010-09-29 15:17 . 2010-09-29 15:17 0 ----a-w- c:\users\Andrew\AppData\Local\Lzijakezakoboxag.bin
2010-09-28 16:18 . 2010-09-28 16:18 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2010-09-28 15:47 . 2010-09-28 15:47 -------- d-----w- c:\programdata\Malwarebytes
2010-09-27 23:26 . 2010-09-27 23:26 168960 ----a-w- c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\shell.exe
2010-09-27 04:14 . 2010-09-27 04:14 -------- d-----w- c:\users\Andrew\AppData\Roaming\ATI
2010-09-27 04:14 . 2010-09-27 04:14 -------- d-----w- c:\users\Andrew\AppData\Local\ATI
2010-09-27 04:14 . 2010-09-27 04:14 -------- d-----w- c:\programdata\ATI
2010-09-26 05:04 . 2010-09-29 05:01 77312 ----a-w- c:\windows\system32\config\systemprofile\AppData\Roaming\espc32.exe
2010-09-26 00:47 . 2010-09-26 00:49 -------- d-----w- c:\program files\ATI
2010-09-26 00:46 . 2010-09-26 00:49 -------- d-----w- c:\program files\ATI Technologies
2010-09-26 00:35 . 2010-09-26 00:35 -------- d-----w- c:\users\Andrew\AppData\Local\My Games
2010-09-25 06:14 . 2010-09-25 06:14 -------- d-----w- c:\users\Andrew\AppData\Local\Mozilla(64)
2010-09-25 05:01 . 2010-09-25 05:01 77312 ----a-w- c:\windows\system32\config\systemprofile\AppData\Roaming\caer.exe
2010-09-25 01:24 . 2010-10-02 16:30 25592 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-24 22:22 . 2010-09-25 07:32 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-22 05:00 . 2010-09-29 05:03 120 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Qqewameteqariwit.dat
2010-09-22 05:00 . 2010-09-29 05:03 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Lzijakezakoboxag.bin
2010-09-19 04:19 . 2010-09-24 02:19 -------- d-----w- c:\users\Andrew\AppData\Roaming\Mount&Blade Warband
2010-09-17 15:49 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-09-17 15:49 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-09-17 15:48 . 2010-10-02 16:27 -------- d-----w- c:\program files\Mount&Blade Warband
2010-09-16 23:18 . 2010-09-16 23:18 -------- d-----w- c:\programdata\Stardock
2010-09-16 23:17 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-09-16 23:17 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2010-09-16 23:17 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-09-16 23:17 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-09-16 23:17 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-09-16 23:17 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-09-16 23:17 . 2009-03-16 21:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-09-16 23:17 . 2008-10-15 13:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-09-16 23:17 . 2008-10-15 13:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-09-16 23:16 . 2008-10-15 13:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-09-16 22:55 . 2010-10-02 16:27 -------- d-----w- c:\program files\Stardock Entertainment
2010-09-16 22:12 . 2010-10-02 16:27 -------- d-----w- c:\program files\Mount.and.Blade.Warband-SKIDROW
2010-09-16 16:30 . 2010-10-02 16:27 -------- d-----w- C:\Elemental.War.of.Magic
2010-09-16 16:28 . 2010-09-16 16:28 -------- d-----w- c:\users\Andrew\AppData\Roaming\The Creative Assembly
2010-09-16 16:24 . 2010-10-02 05:18 -------- d-----w- c:\program files\PeerBlock
2010-09-16 07:05 . 2008-05-30 21:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2010-09-16 07:04 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-09-15 04:16 . 2010-09-15 04:16 -------- d-----w- c:\windows\Sun
2010-09-15 03:57 . 2010-09-15 05:20 285 ----a-w- c:\windows\EReg072.dat
2010-09-15 03:57 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-09-15 03:57 . 1998-09-02 08:28 155408 ----a-w- c:\windows\system32\LMRT.dll
2010-09-15 03:57 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2010-09-15 03:57 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2010-09-15 03:57 . 1998-08-20 10:38 217984 ----a-w- c:\windows\system32\strmdll.dll
2010-09-15 03:57 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll
2010-09-15 03:57 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2010-09-15 03:57 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2010-09-15 03:57 . 2010-09-15 03:57 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-09-15 03:57 . 2010-09-15 03:57 2272 ----a-w- c:\windows\system32\w95inf16.dll
2010-09-15 03:31 . 2010-09-15 05:21 -------- d-----w- c:\program files\SS2
2010-09-15 03:31 . 1998-10-03 02:00 327168 ----a-w- c:\windows\IsUninst.exe
2010-09-15 03:19 . 2010-09-15 03:19 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-09-15 03:19 . 2010-09-15 03:19 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-09-12 05:15 . 2010-09-29 00:49 -------- d-----w- c:\users\Andrew\Tracing
2010-09-12 05:09 . 2010-09-12 05:09 -------- d-----w- c:\program files\Microsoft
2010-09-12 05:08 . 2010-09-12 05:08 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-09-12 05:08 . 2010-09-12 05:10 -------- d-----w- c:\program files\Windows Live
2010-09-12 05:08 . 2010-09-12 05:08 -------- d-----w- c:\windows\PCHEALTH
2010-09-09 02:41 . 2006-12-20 06:03 229888 ----a-w- c:\windows\system32\msshsq.dll
2010-09-07 03:30 . 2009-08-24 12:47 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-09-07 03:30 . 2008-02-29 06:51 19000 ----a-w- c:\windows\system32\kd1394.dll
2010-09-07 03:30 . 2008-02-29 06:39 371712 ----a-w- c:\windows\system32\srcore.dll
2010-09-07 03:30 . 2008-02-29 06:38 313856 ----a-w- c:\windows\system32\rstrui.exe
2010-09-07 03:30 . 2008-02-19 05:10 620088 ----a-w- c:\windows\system32\ci.dll
2010-09-07 03:30 . 2008-02-14 23:19 944184 ----a-w- c:\windows\system32\winload.exe
2010-09-07 03:30 . 2008-02-29 06:39 40960 ----a-w- c:\windows\system32\srclient.dll
2010-09-07 03:30 . 2008-02-29 06:38 16384 ----a-w- c:\windows\system32\srdelayed.exe
2010-09-07 03:29 . 2008-04-19 08:13 268800 ----a-w- c:\windows\system32\es.dll
2010-09-06 08:01 . 2010-09-06 06:14 4152184 ----a-w- c:\windows\system32\wgaer_m.exe
2010-09-06 06:02 . 2008-06-20 01:17 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-09-06 06:02 . 2008-06-20 01:18 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-09-06 06:02 . 2008-06-20 01:18 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-06 06:02 . 2008-06-20 01:17 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-09-06 06:02 . 2008-06-20 01:17 11264 ----a-w- c:\windows\system32\icardres.dll
2010-09-06 06:02 . 2008-06-20 01:18 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-09-06 06:02 . 2008-06-20 01:18 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-06 05:57 . 2008-07-27 18:00 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-09-06 05:57 . 2008-07-27 18:00 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-09-06 05:57 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-06 05:57 . 2008-07-27 18:00 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-09-06 05:57 . 2008-07-27 18:00 83968 ----a-w- c:\windows\system32\mscories.dll
2010-09-06 05:55 . 2010-02-20 23:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-09-06 05:55 . 2010-02-20 23:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-09-06 05:55 . 2010-02-20 21:30 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-09-06 05:53 . 2009-07-11 19:32 502272 ----a-w- c:\windows\system32\wlansvc.dll
2010-09-06 05:53 . 2009-07-11 19:32 297984 ----a-w- c:\windows\system32\wlansec.dll
2010-09-06 05:53 . 2009-07-11 19:32 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2010-09-06 05:53 . 2009-07-11 19:32 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2010-09-06 05:53 . 2009-07-11 19:32 47104 ----a-w- c:\windows\system32\wlanapi.dll
2010-09-06 05:53 . 2009-07-11 19:26 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2010-09-06 05:52 . 2009-09-10 17:38 216576 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-06 05:52 . 2009-08-28 23:31 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-09-06 05:52 . 2009-08-29 03:41 1686528 ----a-w- c:\windows\system32\gameux.dll
2010-09-06 05:52 . 2009-08-29 03:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-09-06 05:51 . 2008-06-19 03:25 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-09-06 05:51 . 2008-06-19 03:25 272896 ----a-w- c:\windows\system32\polstore.dll
2010-09-06 05:51 . 2008-06-19 03:25 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2010-09-06 05:51 . 2008-06-19 03:25 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2010-09-06 05:51 . 2009-03-03 04:20 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2010-09-06 05:51 . 2009-03-03 04:16 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-09-06 05:51 . 2009-03-03 04:20 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2010-09-06 05:51 . 2009-03-03 04:19 549888 ----a-w- c:\windows\system32\rpcss.dll
2010-09-06 05:51 . 2009-03-03 02:40 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2010-09-06 05:51 . 2009-03-03 01:59 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2010-09-06 05:51 . 2009-03-03 04:19 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2010-09-06 05:51 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-06 05:49 . 2007-06-29 02:22 10240 ----a-w- c:\windows\system32\MUILanguageCleanup.dll
2010-09-06 05:47 . 2007-08-31 02:16 8704 ----a-w- c:\windows\system32\hcrstco.dll
2010-09-06 05:46 . 2008-10-21 05:16 1645568 ----a-w- c:\windows\system32\connect.dll
2010-09-06 05:45 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-09-06 05:43 . 2009-03-17 03:16 14848 ----a-w- c:\windows\system32\apilogen.dll
2010-09-06 05:43 . 2009-03-17 03:16 25600 ----a-w- c:\windows\system32\amxread.dll
2010-09-06 05:42 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-09-06 05:42 . 2007-06-21 02:15 223232 ----a-w- c:\windows\system32\SLC.dll
2010-09-06 05:42 . 2007-06-21 02:12 351232 ----a-w- c:\windows\system32\SLUI.exe
2010-09-06 05:42 . 2007-06-21 02:12 2605568 ----a-w- c:\windows\system32\SLsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 16:27 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-09-18 04:47 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstrng.dat
2010-09-18 04:47 . 2006-11-02 10:25 51200 ----a-w- c:\windows\Inf\infpub.dat
2010-09-07 03:57 . 2006-11-02 10:25 665600 ----a-w- c:\windows\Inf\drvindex.dat
2010-09-07 03:57 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstor.dat
2010-09-07 03:00 . 2010-09-06 05:19 -------- d-----w- c:\users\Andrew\AppData\Roaming\DAEMON Tools Lite
2010-09-06 08:02 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-09-06 08:01 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-09-06 05:25 . 2010-09-06 05:25 -------- d-----w- c:\users\Andrew\AppData\Roaming\Canneverbe Limited
2010-09-06 05:25 . 2010-09-06 05:25 -------- d-----w- c:\programdata\Canneverbe Limited
2010-09-06 05:20 . 2010-09-06 05:19 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-09-06 04:19 . 2010-09-06 04:19 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-09-06 04:19 . 2010-09-06 04:19 44768 ----a-w- c:\windows\system32\wups2.dll
2010-09-06 04:19 . 2010-09-06 04:19 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-09-06 04:19 . 2010-09-06 04:19 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-09-06 04:17 . 2006-11-02 13:00 1356 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2010-08-04 09:21 . 2010-08-04 09:21 6096384 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-08-04 08:55 . 2010-08-04 08:55 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-08-04 08:54 . 2010-08-04 08:54 519680 ----a-w- c:\windows\system32\aticfx32.dll
2010-08-04 08:52 . 2010-08-04 08:52 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-08-04 08:51 . 2010-08-04 08:51 380928 ----a-w- c:\windows\system32\atieclxx.exe
2010-08-04 08:51 . 2010-08-04 08:51 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2010-08-04 08:50 . 2010-08-04 08:50 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-08-04 08:49 . 2010-08-04 08:49 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-08-04 08:49 . 2010-08-04 08:49 15845888 ----a-w- c:\windows\system32\atioglxx.dll
2010-08-04 08:49 . 2010-08-04 08:49 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-08-04 08:49 . 2010-08-04 08:49 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-08-04 08:49 . 2010-08-04 08:49 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-08-04 08:46 . 2010-08-04 08:46 3899392 ----a-w- c:\windows\system32\atidxx32.dll
2010-08-04 08:28 . 2010-08-04 08:28 4021760 ----a-w- c:\windows\system32\atiumdag.dll
2010-08-04 08:26 . 2010-08-04 08:26 46080 ----a-w- c:\windows\system32\aticalrt.dll
2010-08-04 08:25 . 2010-08-04 08:25 44032 ----a-w- c:\windows\system32\aticalcl.dll
2010-08-04 08:24 . 2010-08-04 08:24 4341248 ----a-w- c:\windows\system32\aticaldd.dll
2010-08-04 08:23 . 2010-08-04 08:23 65536 ----a-w- c:\windows\system32\coinst.dll
2010-08-04 08:21 . 2010-08-04 08:21 3324416 ----a-w- c:\windows\system32\atiumdva.dll
2010-08-04 08:16 . 2010-08-04 08:16 241664 ----a-w- c:\windows\system32\atiadlxx.dll
2010-08-04 08:15 . 2010-08-04 08:15 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-08-04 08:15 . 2010-08-04 08:15 16896 ----a-w- c:\windows\system32\atigktxx.dll
2010-08-04 08:15 . 2010-08-04 08:15 214016 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-08-04 08:15 . 2010-08-04 08:15 30208 ----a-w- c:\windows\system32\atiuxpag.dll
2010-08-04 08:14 . 2010-08-04 08:14 27648 ----a-w- c:\windows\system32\atiu9pag.dll
2010-08-04 08:14 . 2010-08-04 08:14 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-08-04 08:14 . 2010-08-04 08:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-08-04 08:09 . 2010-08-04 08:09 52736 ----a-w- c:\windows\system32\atimpc32.dll
2010-08-04 08:09 . 2010-08-04 08:09 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2010-07-22 04:34 . 2010-07-22 04:34 61518 --sh--w- c:\windows\DpiSca.exe
2010-07-22 01:21 . 2010-07-22 01:21 40490118 --sh--w- c:\windows\mb_warband_upgrade_1100_to_1113.exe
.

------- Sigcheck -------

[-] 2006-11-02 09:51 . 9C538DC585D1F9BF915A73E7583D08AA . 500840 . . [------] . . c:\windows\System32\drivers\ndis.sys
[-] 2006-11-02 09:51 . C683BC091A8A7F64B410B34F63B1928F . 500840 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6000.16386_none_a59069cb1f23fc44\ndis.sys


c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-12-16 1232896]
"Steam"="c:\steam\Steam.exe" [2010-09-06 1242448]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1529432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-01-17 1006264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"UnlockerAssistant"="c:\users\Andrew\Desktop\Anti Virus and Maintenance\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-09-06 691696]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-04 176128]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-04 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-04 214016]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-18 c:\windows\Tasks\At1.job
- c:\windows\DpiSca.exe [2010-07-22 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3h1b3cha.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\3h1b3cha.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-02 11:21
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8514EEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x825e4d1f
\Driver\ACPI -> acpi.sys @ 0x802329d6
\Driver\atapi -> ataport.SYS @ 0x807e69c6
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
.
**************************************************************************
.
Completion time: 2010-10-02 11:22:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-02 18:22

Pre-Run: 77,154,074,624 bytes free
Post-Run: 76,261,859,328 bytes free

- - End Of File - - C086DDC06D4535B8DDB5EC981DD6C467

Edited by Shkaler, 05 October 2010 - 11:10 AM.