Mysterious, stubborn malware


  • This topic is locked
18 replies to this topic

#1 Krahn (Members, 33 posts)

Posted 17 October 2010 - 04:51 AM

I've gone through the steps as requested. I activated my firewall and used DeFogger successfully. However, running DDS opens a Notepad file filled with strange characters and does nothing else. Also, the GMER scan causes the computer to freeze or restart.

My symptoms are that I'm getting popups to run a virus scan by Malware Doctor, a fake program. More importantly, I can only boot into Safe Mode because my keyboard is completely unresponsive in Normal Mode, so I cannot enter the Windows XP password. Any help or advice would be great, thank you!

#2 rigacci (Fiorentino, Members, 2,604 posts)

Posted 17 October 2010 - 07:23 AM

Hello and welcome to the forum.

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you continue to need our help, please follow my directions, as I have posted below.
  • Please include a clear description of the problems you're having.
  • Please also refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please be patient while I analyze your logs, as you post them.
  • Note also that all of my fixes are checked by higher level forum members before posting.
  • After 5 days if your topic is not replied to, I will assume it has been abandoned and will close it.
You say you are unable to boot into Normal Mode but can only boot into Safe Mode. Can you boot into Safe Mode with Networking?

If you are unable to boot into Safe Mode with Networking, you will have to download the following files to another computer and transfer them to the sick computer using a flash drive, or burn them to a CD (my preferred method).

If you can boot into Safe Mode with Networking, please do so and then attempt to perform the following:


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next please download DDS from either of these links

DDS.com
DDS.scr
and save it to your Desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, two DDS text files will be produced: DDS.txt and Attach.txt
  • Save both text files to your Desktop.

Please Copy/Paste both files into your next post. Please do not attach the Attach.txt log.

Now please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in Safe Mode.
-- If GMER crashes or keeps resulting in BSODs, UNCHECK Devices on the right side before scanning.

Once I have these logs, I will be able to better determine what your problem is.

Thank you.

DR



#3 Krahn (Topic Starter, Members, 33 posts)

Posted 17 October 2010 - 12:17 PM

I managed to get the DDS thing to work, and I already did the DeFogger thing. However, I tried the GMER thing multiple times and it always forced my PC to reset halfway through. I tried doing it in Safe Mode with/without Devices checked and nothing. I feel sort of now like the virus itself may be gone, but the keyboard still doesn't work in Normal Mode so I can't log in, and Safe Mode goes verrrrrry slow comparatively.

Regardless, here are the logs requested. Thank you very much for taking the time to look at these and help me out!

DDS LOG:


DDS (Ver_10-10-10.03) - NTFSx86 NETWORK
Run by Administrator at 9:19:36.64 on Sun 10/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2695 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.KONDESKTOP\Desktop\dds.com

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uWinlogon: Shell=c:\documents and settings\administrator.kondesktop\application data\hotfix.exe
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: San Jose Sharks Toolbar: {1c35e912-ebf4-4b63-9bd2-dee65d1220a9} - c:\program files\san jose sharks toolbar\Toolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Nkehaxuve] rundll32.exe "c:\windows\kbdadine.dll",Startup
uRun: [uPc+MV0NddaGuo] rundll32.exe c:\windows\system32\vu0pp1c.dll, SystemServer
uRun: [HNUGRFOXRstc] c:\docume~1\admini~1.kon\locals~1\temp\yqbgz.exe
uRun: [MKfPc] c:\windows\win32.exe
uRun: [HNUGRFOXRouqc] c:\docume~1\admini~1.kon\locals~1\temp\iexplarer.exe
uRun: [MKayc] c:\windows\csrss.exe
uRun: [MKeuf] c:\windows\spoolsv.exe
uRun: [MKcZ] c:\windows\mdm.exe
uRun: [HNUGRFOXRrse] c:\docume~1\admini~1.kon\locals~1\temp\svchost.exe
uRun: [exe.exe] c:\docume~1\admini~1.kon\locals~1\temp\exe.exe
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [aencxwrosm.tmp] "c:\docume~1\kostya\locals~1\temp\aencxwrosm.tmp"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [combofix] "c:\combofix\cf31340.cfxxe" /c "c:\combofix\C.bat"
mRunOnce: [combofix] "c:\combofix\cf31340.cfxxe" /c "c:\combofix\C.bat"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {49783ED4-258D-4f9f-BE11-137C18D3E543} - c:\poker\titan poker\casino.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-29 64288]
R3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\drivers\ma311n51.sys [2006-12-29 54784]
S0 kcomaxxw;kcomaxxw;c:\windows\system32\drivers\kcomaxxw.sys [2010-10-15 0]
S0 lcofoq;lcofoq;c:\windows\system32\drivers\hrdfepd.sys --> c:\windows\system32\drivers\hrdfepd.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-11-8 12672]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S2 HWiNFO32;HWiNFO32 Kernel Driver;e:\program files\hwinfo32\HWiNFO32.SYS [2007-1-1 7040]
S2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-2-10 2560]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-10 1691480]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-3-8 42512]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-6-24 223128]
S4 mple7docserver;Maya 7 PLE Documentation Server;e:\program files\alias\maya 7.0 personal learning edition\docs\wrapper.exe [2004-7-16 126976]
S4 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]

=============== Created Last 30 ================

2010-10-17 01:06:56 -------- dc----w- C:\ComboFix
2010-10-16 18:24:39 227 -c--a-w- c:\docume~1\admini~1.kon\applic~1\37330.bat
2010-10-16 18:24:36 -------- dc----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-16 18:15:08 -------- dc----w- c:\docume~1\admini~1.kon\applic~1\Malwarebytes
2010-10-16 18:14:18 -------- dcsh--w- c:\documents and settings\administrator.kondesktop\PrivacIE
2010-10-16 05:16:12 0 ----a-w- c:\windows\system32\drivers\kcomaxxw.sys
2010-10-10 17:38:46 359016 ----a-w- c:\windows\vncutil.exe
2010-10-10 17:38:45 53864 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-10-10 17:38:45 129640 ----a-w- c:\windows\RtkAudioService.exe
2010-10-10 17:38:43 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-10-10 17:38:40 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-10-10 01:23:24 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-10-10 01:23:24 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-10-09 23:55:57 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-09 23:55:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-07 14:55:12 -------- d-----w- c:\program files\Steam
2010-09-23 21:42:24 95672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-20 18:27:57 -------- dc----w- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2010-09-20 18:27:57 -------- d-----w- c:\program files\AIM Toolbar
2010-09-20 18:22:58 -------- d-----w- c:\program files\common files\Software Update Utility
2010-09-20 18:22:50 -------- dc----w- c:\docume~1\alluse~1\applic~1\AIM
2010-09-20 18:22:32 -------- d-----w- c:\program files\AIM

==================== Find3M ====================

2010-10-17 10:09:10 825 --sha-w- c:\windows\system32\mmf.sys
2010-10-09 22:27:25 825 --sha-w- c:\windows\system32\mmf(2)(3).sys
2010-08-10 12:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 12:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-28 10:27:58 84584 ----a-w- c:\windows\SOUNDMAN.EXE
2010-07-28 10:27:58 1833576 ----a-w- c:\windows\SkyTel.exe
2010-07-28 10:27:48 9721960 ----a-w- c:\windows\RTLCPL.EXE
2010-07-28 10:27:48 891496 ----a-w- c:\windows\system32\RTSndMgr.CPL
2010-07-28 10:27:48 1489512 ----a-w- c:\windows\RtlUpd.exe
2010-07-28 10:27:24 19557480 ----a-w- c:\windows\RTHDCPL.EXE
2010-07-28 10:27:12 285288 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2010-07-28 10:27:12 2180712 ----a-w- c:\windows\MicCal.exe
2010-07-28 10:27:02 64104 ----a-w- c:\windows\ALCMTR.EXE
2010-07-28 10:27:02 2815592 ----a-w- c:\windows\ALCWZRD.EXE
2010-07-27 05:54:00 1251944 ----a-w- c:\windows\RtlExUpd.dll

============= FINISH: 9:21:07.92 ===============





ATTACH LOG


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/29/2006 9:58:55 AM
System Uptime: 10/17/2010 9:15:23 AM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-M55PLUS-S3G
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket M2 | 2210/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 68.728 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 151 GiB total, 105.512 GiB free.
F: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_02641458&REV_A3\3&2411E6FE&0&51
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_02641458&REV_A3\3&2411E6FE&0&51
Service:

Class GUID:
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_E0001458&REV_A3\3&2411E6FE&0&A0
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_E0001458&REV_A3\3&2411E6FE&0&A0
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Torrent
2Wire Wireless Client
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Premiere Elements 8.0
Adobe Premiere Pro
Adobe Reader 8.2.5
Adobe Shockwave Player
Advanced SystemCare 3
Age of Empires III
AIM 7
AIM Toolbar
Alarm 2.0.1
Alias DirectConnect 2.0
Animation GIF Wizard 1.20
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AT&T Yahoo! High Speed Internet Home Networking Installer
Athlon 64 Processor Driver
ATI Catalyst Install Manager
ATI Catalyst Registration
AutoCAD 2009 - English
Autodesk DWF Viewer
AVS DVD Player version 2.4
Azureus Vuze
BearFlix
BearShare
Bonjour
Browser Mouse
Call of Duty Modern Warfare 2
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
CDBurnerXP
CDisplay 1.8
Collab
Comical 0.8
ConvertXtoDVD 3.0.0.1
CopySafe Plugin
COWON Media Center - jetAudio Basic
CPUID CPU-Z 1.52.2
Crysis WARHEAD®
DAEMON Tools Toolbar
Deus Ex
DiskAid 4.1
DivX Converter
DivX Setup
Download Updater (AOL LLC)
DoylesRoom
Dual-Core Optimizer
EA Download Manager
Eastside Hockey Manager v1.16
EPSON Printer Software
Fallout
Fallout2
ffdshow (remove only)
Final Fantasy VII - Ultima Edition
FinalBurner Free v2.2.0.132
FL Studio 6
Full Tilt Poker
GBA Emu + PokeRoms (remove only)
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GraphCalc v4.0.1
Guitar Pro 5.0
High Definition Audio Driver Package - KB888111
Holdem Manager
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HWiNFO32 Version 1.71
InterActual Player
iPhone Tool Kits 2.3.5
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 17
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Left 4 Dead 2
Logitech Touch Mouse Server 1.0
LucasArts' Grim Fandango
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Magic ISO Maker v5.5 (build 0261)
MagicDisc 2.7.97
Malwarebytes' Anti-Malware
Maple 12
MathGV 4
MATLAB 6.5
Maya 7.0
Maya 7.0 Personal Learning Edition
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft GIF Animator
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.0.15)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
NVIDIA Drivers
NVIDIA PhysX
Oblivion mod manager 1.1.12
OLYMPUS Master 2
PartyPoker
Peggle Deluxe
Pharaoh
PhotoNow! 1.0
Plants vs. Zombies
PokerStars
PowerDirector
PowerISO
Project64 1.6
QuickTime
RAR Key Demo
RAR Password Cracker 4.12
RealPlayer
Realtek High Definition Audio Driver
San Jose Sharks Toolbar
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sentinel System Driver
Sid Meier's Civilization 4
Sid Meier's Pirates!
Skype Toolbars
Skype 4.2
SmartSound Quicktracks for Premiere Elements 8.0
SmartSound Quicktracks Plugin
SopCast 2.0.1
Star Wars® Knights of the Old Republic® II: The Sith Lords™
Steam
StreamTorrent 1.0
SUPERAntiSpyware
System Requirements Lab
Tansee iPhone Copy 3.0.0.0
Tansee iPhone Transfer SMS
The Lord of the Rings FREE Trial
Tipard iPhone Transfer
Titan Poker
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Uplink
VBA (2627.01)
VC80CRTRedist - 8.0.50727.4053
Veetle TV 0.9.17
VeohTV BETA
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.2
Warcraft II BNE
WebFldrs XP
WinDjView 1.0.3
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
WinZip
Wipeer version 0.76
Wolfram Mathematica 7 (M-WIN-L 7.0.0 1148351)
Wolfram Notebook Indexer 2.0
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.2 final uninstall

==== Event Viewer Messages From Past Week ========

10/17/2010 7:13:41 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {E367E1A1-E917-11D0-AF5F-00A02448799A}
10/17/2010 1:38:40 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
10/16/2010 6:50:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/16/2010 6:08:16 PM, error: SRService [104] - The System Restore initialization process failed.
10/16/2010 12:52:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/16/2010 1:02:04 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/10/2010 8:58:37 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
10/10/2010 8:58:13 AM, error: DCOM [10000] - Unable to start a DCOM Server: {554F6051-79D4-11D4-B067-009027BA5F81}. The error: "%2" Happened while starting this command: c:\matlab6p5\bin\win32\matlab.exe /Automation -Embedding

==== End Of File ===========================
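
The DDS log above already shows how this machine is held: the Winlogon Shell is replaced with hotfix.exe under Application Data, several uRun entries launch from the user's temp directory or use system binary names (csrss.exe, spoolsv.exe, svchost.exe) outside system32, the NoFolderOptions and DisableRegistryTools policies are set, and a boot-start driver (kcomaxxw.sys) is listed with size 0. As an added example for readers of this thread (not part of any post here, and not code from the DDS tool), the Python script below applies exactly those checks to a handful of lines copied from the log. The rule names, the severities, the SYSTEM32_ONLY and LOCKOUT_POLICIES lists and the sample subset are this example's own assumptions:

```python
"""Triage of DDS log lines for the persistence patterns visible in this thread.

Added example; not from any post in this thread and not DDS code. Rule names,
severities and the SYSTEM32_ONLY / LOCKOUT_POLICIES lists are assumptions of
this example; SAMPLE_DDS is a subset of lines copied from the DDS log above.
"""
import ntpath
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    severity: str  # "high" = act on it; "review" = look before acting
    rule: str
    line: str


# Binaries that live only under \windows\system32 on XP; the same name in
# another directory (c:\windows\csrss.exe) is a masquerade.
SYSTEM32_ONLY = {"csrss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe",
                 "lsass.exe", "services.exe", "ctfmon.exe"}
# Policies malware sets to keep the user away from its own cleanup tools.
LOCKOUT_POLICIES = ("DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr")

RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[[^\]]*\]\s*(?P<cmd>.+)$")
SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+[^;]+;[^;]*;(?P<rest>.+)$")
WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*Shell=(?P<val>.+)$", re.I)


def first_path(cmd: str) -> str:
    """Return, lower-cased, the file an autorun command actually loads."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        # rundll32.exe "<dll>",<entry>   or   rundll32.exe <dll>, <entry>
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
        return rest.split(",", 1)[0].strip().strip('"').lower()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    return cmd.split()[0].lower()


def check_autorun(path: str) -> Optional[Tuple[str, str]]:
    """First matching rule for an autorun target, or None if it looks ordinary."""
    directory, name = ntpath.dirname(path), ntpath.basename(path)
    if "\\temp\\" in path:
        return "high", "autorun launched from a temp directory"
    if name in SYSTEM32_ONLY and directory != r"c:\windows\system32":
        return "high", "system binary name outside system32 (masquerade)"
    if directory == r"c:\windows" and name != "explorer.exe":
        return "review", "file dropped directly under the Windows directory"
    return None


def check_line(line: str) -> Optional[Finding]:
    """Apply the Winlogon, policy, service and autorun rules to one DDS line."""
    m = WINLOGON_RE.match(line)
    if m and ntpath.basename(m.group("val").strip().lower()) != "explorer.exe":
        return Finding("high", "Winlogon Shell replaced", line)
    if line.startswith(("uPolicies-", "mPolicies-")):
        for pol in LOCKOUT_POLICIES:
            if re.search(rf"\b{pol}\s*=\s*1\b", line):
                return Finding("high", f"{pol} set: user locked out of cleanup tools", line)
    m = SVC_RE.match(line)
    if m:
        # DDS appends "[date size]" for a file it found, or "[?]" for a missing one.
        meta = re.search(r"\[([^\]]*)\]\s*$", m.group("rest"))
        tokens = meta.group(1).split() if meta else []
        if tokens == ["?"]:
            return Finding("review", "service binary missing on disk", line)
        if tokens and tokens[-1] == "0" and m.group("start") in ("R0", "S0", "R1", "S1"):
            return Finding("high", "zero-byte boot-start driver file", line)
    m = RUN_RE.match(line)
    if m:
        hit = check_autorun(first_path(m.group("cmd")))
        if hit:
            return Finding(hit[0], hit[1], line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over a DDS log and keep every hit, in log order."""
    return [f for f in (check_line(raw.strip()) for raw in lines) if f]


# Sample input: lines copied from the DDS log in this thread (benign ones included).
SAMPLE_DDS = r"""
uWinlogon: Shell=c:\documents and settings\administrator.kondesktop\application data\hotfix.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Nkehaxuve] rundll32.exe "c:\windows\kbdadine.dll",Startup
uRun: [uPc+MV0NddaGuo] rundll32.exe c:\windows\system32\vu0pp1c.dll, SystemServer
uRun: [HNUGRFOXRstc] c:\docume~1\admini~1.kon\locals~1\temp\yqbgz.exe
uRun: [MKfPc] c:\windows\win32.exe
uRun: [MKayc] c:\windows\csrss.exe
uRun: [MKeuf] c:\windows\spoolsv.exe
uRun: [HNUGRFOXRrse] c:\docume~1\admini~1.kon\locals~1\temp\svchost.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-29 64288]
S0 kcomaxxw;kcomaxxw;c:\windows\system32\drivers\kcomaxxw.sys [2010-10-15 0]
S0 lcofoq;lcofoq;c:\windows\system32\drivers\hrdfepd.sys --> c:\windows\system32\drivers\hrdfepd.sys [?]
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
```

On the sample above the script reports eight "high" findings and three "review" findings; the benign ctfmon.exe, iTunesHelper.exe, RTHDCPL.EXE and Lbd.sys lines are not flagged. The rules are deliberately narrow: the rundll32 entry loading vu0pp1c.dll from system32 is not caught, because a random-looking file name alone is not a safe rule, and a "[?]" service entry can also be a legitimately uninstalled product (SABKUTIL in the same log), which is why it is only "review". The helper's next step in the thread, ComboFix, is what actually confirms and repairs what the triage points at.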


#4 rigacci (Fiorentino, Members, 2,604 posts)

Posted 18 October 2010 - 08:15 AM

I see you are using some P2P programs. Not exactly the best idea unless you are sure you can trust the downloads.

The most current version of Limewire 5.5.6 is reported to include the Ask Toolbar. Otherwise the latest version may be clean (Older and newer versions may not be). Chances are junk was bundled with this product even if you paid for it. If you are going to use p2p file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

If you use P2P software, make sure you are careful about what you open and what P2P program you install. Malware is all over the P2P networks and the programs often come bundled with Adware and Spyware.

Further readings of interest in regards to the p2p "issue" are: http://pcpitstop.com/spycheck/p2p.asp and this:
http://pcpitstop.com/spycheck/badtorrent.asp

You didn't say whether you were able to do Safe Mode with Networking so the same would go for the following instructions.

Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix to your Desktop

Or save it to another computer and transfer it to the sick one via a Flash Drive or CD.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable Security Programs

Double click on ComboFix.exe & follow the prompts, including the install of the Recovery Console.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Thanks.

DR


#5 Krahn (Topic Starter, Members, 33 posts)

Posted 18 October 2010 - 09:55 AM

Thanks again for all the support!

My current symptoms, after running ComboFix, seem to be all gone. I don't notice any popups yet and my keyboard functionality seems to be fully back in normal mode (BTW yes, I can always use Safe Mode w/ Networking). Combofix ran successfully and the log will be pasted below. Please note that it displayed a message before restarting that kbdhid.sys was infected at C:\WINDOWS\system32\DRIVERS\kbdhid.sys and that I should write that down.

Here is the ComboFix log:

ComboFix 10-10-17.04 - Kostya 10/18/2010 7:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2676 [GMT -7:00]
Running from: c:\documents and settings\Kostya\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kostya\.COMMgr
c:\documents and settings\Kostya\Application Data\inst.exe
c:\documents and settings\Kostya\ffmpeg.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\driVERs\kcomaxxw.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\ymante~1
c:\windows\ystem~1

c:\windows\system32\drivers\kcomaxxw.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\windows\system32\DRIVERS\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF
-------\Legacy_kcomaxxw
-------\Service_kcomaxxw


((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-18 14:29 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-10-18 14:29 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-16 18:24 . 2010-10-16 18:24 227 -c--a-w- c:\documents and settings\Administrator.KONDESKTOP\Application Data\37330.bat
2010-10-16 18:24 . 2010-10-16 20:57 -------- dc----w- c:\documents and settings\All Users\Application Data\Update
2010-10-16 18:15 . 2010-10-16 18:15 -------- dc----w- c:\documents and settings\Administrator.KONDESKTOP\Application Data\Malwarebytes
2010-10-16 18:14 . 2010-10-16 18:14 -------- dcsh--w- c:\documents and settings\Administrator.KONDESKTOP\PrivacIE
2010-10-10 17:38 . 2010-07-28 10:27 359016 ----a-w- c:\windows\vncutil.exe
2010-10-10 17:38 . 2010-07-28 10:27 53864 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-10-10 17:38 . 2010-07-28 10:27 129640 ----a-w- c:\windows\RtkAudioService.exe
2010-10-10 17:38 . 2009-11-17 23:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-10-10 17:38 . 2009-11-17 23:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-10-10 01:23 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-10-10 01:23 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-10-09 23:55 . 2010-10-09 23:55 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-07 14:55 . 2010-10-18 14:44 -------- d-----w- c:\program files\Steam
2010-10-03 17:10 . 2010-10-03 17:12 -------- d-----w- c:\documents and settings\Kostya\Application Data\.minecraft
2010-09-23 21:42 . 2010-09-23 21:42 95672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-21 23:02 . 2010-09-21 23:02 -------- d-----w- c:\documents and settings\Kostya\Local Settings\Application Data\AIM Toolbar
2010-09-20 18:27 . 2010-09-20 18:27 -------- d-----w- c:\program files\AIM Toolbar
2010-09-20 18:27 . 2010-09-20 18:27 -------- dc----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2010-09-20 18:22 . 2010-09-20 18:22 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-09-20 18:22 . 2010-10-02 04:37 -------- d-----w- c:\documents and settings\Kostya\Local Settings\Application Data\AIM
2010-09-20 18:22 . 2010-09-20 18:22 -------- dc----w- c:\documents and settings\All Users\Application Data\AIM
2010-09-20 18:22 . 2010-09-20 18:22 -------- d-----w- c:\program files\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1C35E912-EBF4-4B63-9BD2-DEE65D1220A9}"= "c:\program files\San Jose Sharks Toolbar\Toolbar.dll" [2009-04-19 1276416]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{1c35e912-ebf4-4b63-9bd2-dee65d1220a9}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E7283C21-C8E6-4B59-8DB8-32C3FA72ADA8}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1C35E912-EBF4-4B63-9BD2-DEE65D1220A9}"= "c:\program files\San Jose Sharks Toolbar\Toolbar.dll" [2009-04-19 1276416]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{1c35e912-ebf4-4b63-9bd2-dee65d1220a9}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E7283C21-C8E6-4B59-8DB8-32C3FA72ADA8}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-17 289584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-03 68856]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]
"Steam"="c:\program files\steam\steam.exe" [2010-10-07 1242448]
"Google Update"="c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-28 19557480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kostya^Start Menu^Programs^Startup^Logitech Touch Mouse Server.lnk]
path=c:\documents and settings\Kostya\Start Menu\Programs\Startup\Logitech Touch Mouse Server.lnk
backup=c:\windows\pss\Logitech Touch Mouse Server.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kostya^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Kostya\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAHeadless]
2009-09-18 11:24 615808 ----a-w- c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-04-29 17:55 3338240 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-07 17:41 133104 ----atw- c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 22:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2007-09-04 22:52 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- e:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-09-02 22:15 13351304 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2010-07-28 10:27 1833576 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-10-07 14:55 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-05-03 05:18 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-01-12 20:06 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-03-17 04:31 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 17:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WiPeer]
2009-11-18 00:52 2025984 ----a-w- c:\program files\Wipeer\wipeer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMSAccessU"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"StarWindService"=2 (0x2)
"RichVideo"=2 (0x2)
"PnkBstrA"=2 (0x2)
"mple7docserver"=2 (0x2)
"MDM"=2 (0x2)
"maya70docserver"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\BearFlix\\bearflix.exe"=
"e:\\PowerDirector 6\\PowerDirector\\PDR.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\San Jose Sharks Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\San Jose Sharks Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2010 1:22 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 HWiNFO32;HWiNFO32 Kernel Driver;e:\program files\HWiNFO32\HWiNFO32.SYS [1/1/2007 3:42 AM 7040]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 5:00 AM 14336]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2/10/2009 11:00 AM 2560]
R3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\drivers\ma311n51.sys [12/29/2006 12:27 PM 54784]
S0 lcofoq;lcofoq;c:\windows\system32\drivers\hrdfepd.sys --> c:\windows\system32\drivers\hrdfepd.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:58 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/10/2010 10:38 AM 1691480]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [6/24/2008 8:49 PM 223128]
S4 mple7docserver;Maya 7 PLE Documentation Server;e:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [7/16/2004 11:26 PM 126976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/24/2008 8:42 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2010-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:58]

2010-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:58]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1035525444-839522115-1003Core.job
- c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 17:41]

2010-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1035525444-839522115-1003UA.job
- c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 17:41]

2010-10-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hfboards.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kostya\Application Data\Mozilla\Firefox\Profiles\v88nwv6a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20100920182257062&tb_oid=20-09-2010&tb_mrud=20-09-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hfboards.com
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Kostya\Application Data\Mozilla\Firefox\Profiles\v88nwv6a.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - plugin: e:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rfixsetup7070010000mod.exe - c:\documents and settings\Kostya\Application Data\5E686C88E15389E0E9238E6B4E83B7D9\rfixsetup7070010000mod.exe
SafeBoot-klmdb.sys
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
AddRemove-BearShare - e:\progra~1\BEARSH~1\\UNWISE.EXE
AddRemove-Call of Duty Modern Warfare 2_is1 - e:\program files\Activision\Modern Warfare 2\unins000.exe
AddRemove-Cucusoft iPhone Tool Kits_is1 - c:\program files\Cucusoft\iPhone Tool Kits\unins000.exe
AddRemove-Final Fantasy VII - c:\program files\Final Fantasy VII\Uninst.isu
AddRemove-LucasArts' Grim Fandango - c:\program files\LucasArts\Grim\DeIsL1.isu
AddRemove-Pharaoh - c:\sierra\Pharaoh\Uninst.isu
AddRemove-Plants vs. Zombies - c:\program files\PopCap Games\Plants vs. Zombies\PopUninstall.exe
AddRemove-Steam - c:\progra~1\Steam\UNWISE.EXE
AddRemove-Uplink - c:\program files\Uplink\Uninst.isu


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1035525444-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6f,c6,e4,84,56,92,e0,2e,8f,f3,a6,ac,2d,14,41,44,7b,e8,5f,8c,73,b7,ac,
9f,36,3f,f8,3c,ad,55,33,3f,cc,f6,3a,75,8e,eb,a4,91,3c,5a,b4,20,73,90,0c,57,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1644491937-1035525444-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f8,de,28,21,55,8b,0f,6a,e1,1d,b9,87,ff,82,6d,35,7f,08,e8,ad,76,
be,31,82,91,ea,ac,7e,16,c7,bf,09,97,bf,70,05,24,ab,90,8f,fe,e5,da,37,cf,73,\
"rkeysecu"=hex:4f,b7,ca,a0,21,06,d0,f4,2e,fa,da,5f,98,03,2e,5b

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,04,7d,73,7b,41,5e,94,
fd
"2"=hex:d7,7a,ea,31,a0,f7,22,dd,b6,43,6f,32,07,8b,4a,0a,e2,6f,a8,1b,53,71,0d,
78,d5,ad,68,1b,c8,4a,9b,03
"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,aa,6b,6f,c8,5d,d1,dd,
70,c8,0c,a2,71,14,a4,b5,05,7d,2c,84,8d,ff,2b,de,6d,f8,f2,70,94,19,43,ce,bd,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]
"1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,
42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14
"2"=hex:47,6d,e8,b1,c6,c5,94,c0
"3"=hex:64,c7,55,02,87,bc,11,16,b5,fd,db,c8,d8,5b,89,d8,ec,97,b0,77,06,da,cb,
d9,39,94,14,a9,16,f1,da,00,7d,0b,7e,ac,0e,be,99,e3,3a,e3,c8,99,6a,61,20,a1,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,
42,0c,3f,30,d4,d3,b8,cd,35,61,5a,c0,6c,22,7e,83,13,6e,44,91,28,69,cc,01,dd
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,
63,a0,2f,06,c2,a3,e9,62,70,d1,3e,e6,57,b7,98,40,c9,e4,cc,88,e6,39,d6,95,f5,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:59,c8,db,4e,44,81,2c,dd
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||w*]
"91A14B995DF7C0B42ABAA16065968F3A"="e:\\Program Files\\Alias22\\Maya7.0\\presets\\Ashli\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-18 07:51:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-18 14:51

Pre-Run: 74,093,518,848 bytes free
Post-Run: 74,845,384,704 bytes free

- - End Of File - - 1684A7535F539A9E727881B1FA0E91FF


#6 rigacci


Posted 18 October 2010 - 03:08 PM

Good to hear. :)

Let me look through this log and get back to you. There is still some more to do.


DR

#7 Krahn


Posted 18 October 2010 - 03:16 PM

Absolutely, thanks again for the help!

#8 rigacci


Posted 20 October 2010 - 05:50 AM

OK, please do the following:

1. Open Notepad and copy/paste the text in the codebox below into it:


http://www.bleepingcomputer.com/forums/topic354223.html/page__gopid__1977839  
  
Collect::
c:\documents and settings\Administrator.KONDESKTOP\Application Data\37330.bat
c:\windows\system32\drivers\hrdfepd.sys
c:\windows\system32\drivers\kcomaxxw.sys

Driver::
lcofoq

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components] 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

After you copy/paste into Notepad, make sure the following line is all continuous, on one line. With the new format of the forum, for some reason it is separating it into 2 lines. Check that there are no spaces on the line as well. It seems to want to put a space between Installer\ and UserData, which throws it to the next line.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components]



2. Save the above as CFScript.txt on your Desktop.

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix.exe again.

Posted Image

4. During this run ComboFix will collect and automatically upload some sample files.
You will see it say ComboFix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • C:\ComboFix.txt


==============

Note::
If ComboFix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.
In the box marked Link to topic where this file was requested: Copy/Paste this address:
http://www.bleepingcomputer.com/forums/topic354223.html/page__gopid__1977839

Thanks.



DR

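The helper read the ComboFix log by eye to arrive at the Collect:: and Driver:: lines above. As an added example, not part of the thread or of ComboFix, the script below applies the same three triage rules to a constructed excerpt in ComboFix's log layout (values copied from the log posted earlier): a file ComboFix flagged as infected but could not replace, a registered driver whose file is missing and whose name does not match the service, and a script file created under Application Data. The filtering heuristics are my own assumptions, not ComboFix logic.

```python
"""Triage a ComboFix log into the Collect::/Driver:: sections of a CFScript.

Added example for this thread; the heuristics are assumptions, not ComboFix's.
"""
import re
from typing import Dict

# Constructed excerpt in ComboFix's layout; values copied from the log posted
# in this thread, not captured from a live run.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\kcomaxxw.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\windows\system32\DRIVERS\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p

2010-10-16 18:24 . 2010-10-16 18:24 227 -c--a-w- c:\documents and settings\Administrator.KONDESKTOP\Application Data\37330.bat
2010-10-16 18:15 . 2010-10-16 18:15 -------- dc----w- c:\documents and settings\Administrator.KONDESKTOP\Application Data\Malwarebytes
2010-10-10 17:38 . 2010-07-28 10:27 359016 ----a-w- c:\windows\vncutil.exe

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2010 1:22 AM 64288]
S0 lcofoq;lcofoq;c:\windows\system32\drivers\hrdfepd.sys --> c:\windows\system32\drivers\hrdfepd.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/24/2008 8:42 PM 721904]
"""

# "<path> . . . is infected!! . . . Failed to find a valid replacement."
UNREPLACEABLE_RE = re.compile(
    r"^(?P<path>.+?) \. \. \. is infected!!.*Failed to find a valid replacement", re.M)

# "R0 name;display;path [date size]"  or  "S0 name;display;path --> path [?]"
# The "--> ... [?]" form is how ComboFix reports a registered service whose
# file is not on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<missing>.+?) \[\?\]| \[[^\]]+\])$", re.M)

# "created . modified size attrs path" lines from the Files Created section
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$", re.M)

SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")


def triage(log: str) -> Dict[str, list]:
    """Return the findings a helper would act on, grouped by kind."""
    unreplaceable = [m.group("path") for m in UNREPLACEABLE_RE.finditer(log)]

    suspect_drivers = []
    for m in SERVICE_RE.finditer(log):
        if not m.group("missing"):
            continue  # file present on disk; ComboFix printed its date and size
        path = m.group("missing").lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        # Heuristic (assumption): a driver registered under system32\drivers
        # whose file is gone and whose file name differs from the service name,
        # the pattern behind "S0 lcofoq ... hrdfepd.sys" in the thread.
        if "\\system32\\drivers\\" in path and stem != m.group("name").lower():
            suspect_drivers.append({"name": m.group("name"), "path": m.group("missing")})

    suspect_files = []
    for m in FILE_RE.finditer(log):
        path = m.group("path")
        if m.group("attrs").startswith("d"):
            continue  # directory entry, not a file
        # Heuristic (assumption): script files dropped under Application Data.
        if path.lower().endswith(SCRIPT_EXTS) and "\\application data\\" in path.lower():
            suspect_files.append(path)

    return {"unreplaceable": unreplaceable,
            "suspect_drivers": suspect_drivers,
            "suspect_files": suspect_files}


def build_cfscript(findings: Dict[str, list]) -> str:
    """Render findings as the Collect:: and Driver:: sections of a CFScript."""
    collect = sorted(set(findings["suspect_files"]
                         + [d["path"] for d in findings["suspect_drivers"]]
                         + findings["unreplaceable"]), key=str.lower)
    drivers = [d["name"] for d in findings["suspect_drivers"]]
    out = ["Collect::", *collect, ""]
    if drivers:
        out += ["Driver::", *drivers, ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run on the excerpt it reproduces the three Collect:: paths and the single Driver:: entry the helper posted; the RegLock:: section is a judgement call on the locked-keys listing and is not derived here.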

#9 Krahn


Posted 20 October 2010 - 07:55 PM

I followed your instructions. Here is the log requested.

ComboFix 10-10-20.01 - Kostya 10/20/2010 15:38:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2031 [GMT -7:00]
Running from: c:\documents and settings\Kostya\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kostya\Desktop\CFScript.txt

file zipped: c:\documents and settings\Administrator.KONDESKTOP\Application Data\37330.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Kostya\LOCALS~1\Temp\ext64399.dll
c:\documents and settings\Administrator.KONDESKTOP\Application Data\37330.bat
c:\documents and settings\Kostya\Local Settings\temp\ext64399.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_lcofoq


((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
.

2010-10-18 14:29 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-10-18 14:29 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-16 18:24 . 2010-10-16 20:57 -------- dc----w- c:\documents and settings\All Users\Application Data\Update
2010-10-16 18:15 . 2010-10-16 18:15 -------- dc----w- c:\documents and settings\Administrator.KONDESKTOP\Application Data\Malwarebytes
2010-10-16 18:14 . 2010-10-16 18:14 -------- dcsh--w- c:\documents and settings\Administrator.KONDESKTOP\PrivacIE
2010-10-10 17:38 . 2010-07-28 10:27 359016 ----a-w- c:\windows\vncutil.exe
2010-10-10 17:38 . 2010-07-28 10:27 53864 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-10-10 17:38 . 2010-07-28 10:27 129640 ----a-w- c:\windows\RtkAudioService.exe
2010-10-10 17:38 . 2009-11-17 23:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-10-10 17:38 . 2009-11-17 23:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-10-10 01:23 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-10-10 01:23 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-10-09 23:55 . 2010-10-09 23:55 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-07 14:55 . 2010-10-20 22:46 -------- d-----w- c:\program files\Steam
2010-10-03 17:10 . 2010-10-03 17:12 -------- d-----w- c:\documents and settings\Kostya\Application Data\.minecraft
2010-09-23 21:42 . 2010-09-23 21:42 95672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-21 23:02 . 2010-09-21 23:02 -------- d-----w- c:\documents and settings\Kostya\Local Settings\Application Data\AIM Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1C35E912-EBF4-4B63-9BD2-DEE65D1220A9}"= "c:\program files\San Jose Sharks Toolbar\Toolbar.dll" [2009-04-19 1276416]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{1c35e912-ebf4-4b63-9bd2-dee65d1220a9}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E7283C21-C8E6-4B59-8DB8-32C3FA72ADA8}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1C35E912-EBF4-4B63-9BD2-DEE65D1220A9}"= "c:\program files\San Jose Sharks Toolbar\Toolbar.dll" [2009-04-19 1276416]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{1c35e912-ebf4-4b63-9bd2-dee65d1220a9}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E7283C21-C8E6-4B59-8DB8-32C3FA72ADA8}]
[HKEY_CLASSES_ROOT\FCTB000059881.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-17 289584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-03 68856]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]
"Steam"="c:\program files\steam\steam.exe" [2010-10-07 1242448]
"Google Update"="c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-28 19557480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kostya^Start Menu^Programs^Startup^Logitech Touch Mouse Server.lnk]
path=c:\documents and settings\Kostya\Start Menu\Programs\Startup\Logitech Touch Mouse Server.lnk
backup=c:\windows\pss\Logitech Touch Mouse Server.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kostya^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Kostya\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAHeadless]
2009-09-18 11:24 615808 ----a-w- c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-04-29 17:55 3338240 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-07 17:41 133104 ----atw- c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 22:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2007-09-04 22:52 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- e:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-09-02 22:15 13351304 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2010-07-28 10:27 1833576 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-10-07 14:55 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-05-03 05:18 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-01-12 20:06 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-03-17 04:31 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 17:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WiPeer]
2009-11-18 00:52 2025984 ----a-w- c:\program files\Wipeer\wipeer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMSAccessU"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"StarWindService"=2 (0x2)
"RichVideo"=2 (0x2)
"PnkBstrA"=2 (0x2)
"mple7docserver"=2 (0x2)
"MDM"=2 (0x2)
"maya70docserver"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\BearFlix\\bearflix.exe"=
"e:\\PowerDirector 6\\PowerDirector\\PDR.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\San Jose Sharks Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\San Jose Sharks Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2010 1:22 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 HWiNFO32;HWiNFO32 Kernel Driver;e:\program files\HWiNFO32\HWiNFO32.SYS [1/1/2007 3:42 AM 7040]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 5:00 AM 14336]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2/10/2009 11:00 AM 2560]
R3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\drivers\ma311n51.sys [12/29/2006 12:27 PM 54784]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:58 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/10/2010 10:38 AM 1691480]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [6/24/2008 8:49 PM 223128]
S4 mple7docserver;Maya 7 PLE Documentation Server;e:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [7/16/2004 11:26 PM 126976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/24/2008 8:42 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2010-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:58]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:58]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1035525444-839522115-1003Core.job
- c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 17:41]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1035525444-839522115-1003UA.job
- c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 17:41]

2010-10-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hfboards.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kostya\Application Data\Mozilla\Firefox\Profiles\v88nwv6a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20100920182257062&tb_oid=20-09-2010&tb_mrud=20-09-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hfboards.com
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Kostya\Application Data\Mozilla\Firefox\Profiles\v88nwv6a.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Kostya\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - plugin: e:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1035525444-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6f,c6,e4,84,56,92,e0,2e,8f,f3,a6,ac,2d,14,41,44,7b,e8,5f,8c,73,b7,ac,
9f,36,3f,f8,3c,ad,55,33,3f,cc,f6,3a,75,8e,eb,a4,91,3c,5a,b4,20,73,90,0c,57,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1644491937-1035525444-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f8,de,28,21,55,8b,0f,6a,e1,1d,b9,87,ff,82,6d,35,7f,08,e8,ad,76,
be,31,82,91,ea,ac,7e,16,c7,bf,09,97,bf,70,05,24,ab,90,8f,fe,e5,da,37,cf,73,\
"rkeysecu"=hex:4f,b7,ca,a0,21,06,d0,f4,2e,fa,da,5f,98,03,2e,5b

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||w*]
"91A14B995DF7C0B42ABAA16065968F3A"="e:\\Program Files\\Alias22\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2010-10-20 15:54:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-20 22:54
ComboFix2.txt 2010-10-18 14:51

Pre-Run: 74,249,592,832 bytes free
Post-Run: 74,636,914,688 bytes free

- - End Of File - - B7C9140ADF030799305147B3CC43FD7B
Upload was successful

#10 rigacci


Posted 20 October 2010 - 09:08 PM

Great. :thumbup2:

I will let you know how the uploads look ASAP.

DR

#11 Krahn


Posted 20 October 2010 - 09:24 PM

There's no rush whatsoever. I really appreciate your help on this matter :)

#12 rigacci


Posted 21 October 2010 - 12:49 PM

Let's make sure you are clean.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • This page should check your installed version and determine if you need an update.
  • Look for "JDK 6 Update 22 (JDK or JRE)" (may not be necessary if it does it automatically).
  • Click the "Download JRE".
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Next Launch Malwarebytes' Anti-Malware
  • Click on the Update tab and allow MBAM to update.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


And then next please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Accept button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Settings button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Save button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.




Thanks.

DR

#13 Krahn


Posted 22 October 2010 - 12:59 AM

Thank you so much for taking the time to help me. The logs are pasted below.

MBAM Scan Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4905

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/21/2010 1:46:48 PM
mbam-log-2010-10-21 (13-46-48).txt

Scan type: Quick scan
Objects scanned: 160048
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky Online Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 21, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 21, 2010 17:43:52
Records in database: 4184827
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 263428
Threats found: 8
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 06:07:14


File name / Threat / Threats count
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\10\6f8474a-4791f8ec Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\10\6f8474a-4791f8ec Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\10\6f8474a-4791f8ec Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-44a995af Infected: Exploit.Java.Agent.du 1
C:\Documents and Settings\Kostya\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@APPDIR@\DBControlPanel.exe Infected: Backdoor.Win32.Poison.awex 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\kbdhid.sys.vir_ Infected: Virus.Win32.TDSS.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0000006.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0003116.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0003183.exe Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0003185.exe Infected: Trojan.Win32.Patched.kl 1

Selected area has been scanned.

#14 rigacci


    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 22 October 2010 - 07:41 PM

I need to tell you that one or more of the identified infections on your computer was a backdoor trojan.

It has been removed but because of the type of infection it is best to know its capabilities.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please change all passwords where applicable, and it would also be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been killed, because of its backdoor functionality, your PC could have been compromised and technically there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


So now, to continue, I would like you to manually delete the following files:

C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\10\6f8474a-4791f8ec
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-44a995af
C:\Documents and Settings\Kostya\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@APPDIR@\DBControlPanel.exe

Then please tell me how your computer is running and whether you are experiencing any abnormalities.

Thanks.

DR


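The Kaspersky report above lists 13 infected objects, but rigacci asked for only three files to be deleted by hand. The reason is where each hit lives: copies under C:\Qoobox (the quarantine folder ComboFix creates, with the .vir extension) and under System Volume Information (System Restore snapshots) are already inert, while files still in their original location need action. The script below is an added example, not something from the thread or from Kaspersky; it parses the report's "File name / Threat / Threats count" lines (copied from the post above), sorts each hit into one of those three buckets, and cross-checks the parsed hits against the report's own statistics block. The bucket rules are my assumption, modelled on the helper's handling of this report.

```python
"""Triage a Kaspersky Online Scanner 7.0 report: which hits still need action?

Added example. Classification rules are an assumption modelled on how the
helper in this thread treated the report: quarantine and restore-point copies
are already inert, files in their original location get deleted manually.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Lines copied from the Kaspersky Online Scanner report posted in this thread.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 263428
Threats found: 8
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 06:07:14


File name / Threat / Threats count
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\10\6f8474a-4791f8ec Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\10\6f8474a-4791f8ec Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\10\6f8474a-4791f8ec Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Documents and Settings\Kostya\Application Data\Sun\Java\Deployment\cache\6.0\61\384ba27d-44a995af Infected: Exploit.Java.Agent.du 1
C:\Documents and Settings\Kostya\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@APPDIR@\DBControlPanel.exe Infected: Backdoor.Win32.Poison.awex 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\kbdhid.sys.vir_ Infected: Virus.Win32.TDSS.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0000006.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0003116.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0003183.exe Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{81B89485-726B-4DF2-8060-EEA4DCA325DB}\RP1\A0003185.exe Infected: Trojan.Win32.Patched.kl 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>". Paths contain
# spaces, so the path group is non-greedy up to the literal " Infected: ".
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^(Threats found|Infected objects found): (\d+)$")


@dataclass(frozen=True)
class Hit:
    path: str
    threat: str
    count: int
    category: str  # "live", "quarantined" or "restore_point"


def classify(path: str) -> str:
    """Assumed rule: only files still in their original location need action."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantined"    # ComboFix quarantine copy (.vir), already inert
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # System Restore snapshot, cleared by purging restore points
    return "live"               # original location on disk: needs manual deletion


def parse_report(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["threat"], int(m["count"]), classify(m["path"])))
    return hits


def parse_stats(text: str) -> dict[str, int]:
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def triage(text: str) -> dict[str, list[Hit]]:
    groups: dict[str, list[Hit]] = {"live": [], "quarantined": [], "restore_point": []}
    for h in parse_report(text):
        groups[h.category].append(h)
    return groups


def live_paths(text: str) -> list[str]:
    """Unique on-disk paths that still need manual action, in report order."""
    seen: list[str] = []
    for h in parse_report(text):
        if h.category == "live" and h.path not in seen:
            seen.append(h.path)
    return seen


def threat_summary(text: str) -> Counter:
    """How many objects each detection name was found in."""
    return Counter(h.threat for h in parse_report(text))


def consistency_check(text: str) -> bool:
    """Parsed hits must agree with the report's own statistics block: object
    count equals 'Infected objects found', distinct names equal 'Threats found'."""
    hits, stats = parse_report(text), parse_stats(text)
    return (len(hits) == stats.get("Infected objects found")
            and len({h.threat for h in hits}) == stats.get("Threats found"))


if __name__ == "__main__":
    for cat, hits in triage(SAMPLE_REPORT).items():
        print(f"{cat}: {len(hits)} hit(s)")
    print("needs manual action:")
    for p in live_paths(SAMPLE_REPORT):
        print("  ", p)
```

Run on this report it yields exactly the three paths in rigacci's deletion list (the first Java cache entry is reported three times under different detection names, so paths are de-duplicated), four quarantined copies and four restore-point copies, and the 8 distinct names and 13 objects line up with the statistics block. One detail worth noticing in the quarantined bucket: kbdhid.sys is the Windows keyboard HID class driver, so a TDSS-infected copy of it is consistent with the unresponsive keyboard described in the first post.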
#15 Krahn

  • Topic Starter

  • Members
  • 33 posts

Posted 22 October 2010 - 08:13 PM

I've deleted the files without a problem. My computer SEEMS to be running fine. I haven't noticed anything out of the ordinary. However, the way this virus first originated is still strange to me. I'm very careful, for the most part, as I've gone through this before. I was simply on my computer, having not downloaded anything for at least an hour, and then popups started occurring.

If you feel I should format and reinstall, then I will certainly do so.