
Infected with Unknow malware/rootkit


  • This topic is locked
58 replies to this topic

#1 servy

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 17 November 2010 - 06:42 AM

Hello,

I am new to this forum and this is my first post. I am facing a problem because my AV, Malwarebytes, Spybot S&D, etc., cannot detect the problem at all. Following are the problems that I am facing.

1. My audio mutes and unmutes itself rapidly and randomly.

2. When watching something in Media Player Classic it toggles its mute button along with XP's mute system.

3. Mozilla Firefox opens up on its own. This problem happens even more when minimizing Counter-Strike 1.6.

4. When typing anything in Mozilla, it redirects to the homepage. This also happens sometimes.


I have tried experimenting with various processes, starting from user processes and going even to system processes. While doing this I noticed one thing. When I end the svchost.exe task (the one in the system field named netsvc or something similar) the problem disappears, but soon my system freezes (I know netsvc is a legitimate XP process and that's why it's necessary). My hypothesis is that there is something hiding in the .dll of that particular svchost that's causing the problem. Still, I don't want to do anything without an expert's consent.

Here is the DDS log


DDS (Ver_10-11-10.01) - NTFSx86
Run by Munna at 17:07:03.07 on Wed 11/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.103 [GMT 5.5:30]

AV: Kaspersky PURE *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky PURE *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtblfs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Munna\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
BHO: {0055c089-8582-441b-a0bf-17b458c2a3a8}: IDM Helper
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky pure\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky pure\avp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky pure\ie_banner_deny.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\docume~1\alluse~1\avp9\mzvkbd3.dll,c:\docume~1\alluse~1\avp9\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\munna\applic~1\mozilla\firefox\profiles\q43tyokt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.getdota.com/
FF - component: c:\documents and settings\munna\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\munna\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\munna\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\munna\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 750
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [2010-6-20 88632]
R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-12 28552]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [2010-6-20 39352]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2009-12-15 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2009-12-15 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [2009-12-15 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2009-12-15 36968]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-10-26 315408]
R2 AVP;Kaspersky PURE;c:\program files\kaspersky lab\kaspersky pure\avp.exe [2009-12-25 340456]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [2009-4-6 22432]
R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2010-7-10 14496]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
S3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [2007-5-3 55296]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys --> c:\windows\system32\drivers\vvftav.sys [?]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\zs211.sys --> c:\windows\system32\drivers\ZS211.sys [?]
S4 CSObjectsSrv;CryptoStorage control service;c:\program files\common files\infowatch\cryptostorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
S4 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2010-6-18 410976]
S4 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\munna\locals~1\temp\oes3ee.tmp --> c:\docume~1\munna\locals~1\temp\OES3EE.tmp [?]
S4 olopin;System Server;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\wpro_40_1123.sys --> c:\windows\system32\drivers\WPRO_40_1123.sys [?]

=============== Created Last 30 ================

2010-11-12 12:31:28 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-10 04:30:29 -------- d-----w- c:\program files\Fraps
2010-11-04 03:55:42 -------- d-----w- c:\docume~1\munna\applic~1\AnvSoft
2010-11-04 03:55:39 -------- d-----w- c:\program files\AnvSoft
2010-11-03 02:28:17 -------- d-----w- c:\program files\Total Video Converter
2010-11-01 17:04:42 188 ----a-w- c:\windows\system32\copy.bat
2010-10-31 04:59:09 -------- d-----w- c:\docume~1\munna\applic~1\mIRC
2010-10-26 13:23:47 162320 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
2010-10-26 13:23:46 -------- d--h--we c:\documents and settings\all users\AVP9
2010-10-26 13:23:36 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-10-26 13:23:36 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-10-26 13:21:01 -------- d-----w- c:\program files\common files\InfoWatch
2010-10-26 13:20:59 -------- d-----w- c:\program files\Kaspersky Lab
2010-10-26 13:18:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-10-25 05:56:44 724992 ----a-w- c:\windows\iun6002.exe
2010-10-24 06:21:30 -------- d-----w- c:\program files\Cisco TFTP Server
2010-10-23 11:02:54 -------- d-----w- C:\docsisConfig
2010-10-23 04:56:49 -------- d-----w- c:\program files\VultureWare DOCSIS Config Editor
2010-10-21 06:12:09 -------- d-----w- c:\program files\Motherboard Monitor 5
2010-10-21 05:02:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-21 05:02:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-20 16:36:40 -------- d-----w- c:\docume~1\munna\applic~1\Malwarebytes
2010-10-20 16:36:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 16:36:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-20 16:36:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 16:36:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-20 16:05:42 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2010-10-20 16:05:29 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-10-20 16:04:46 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-10-20 16:04:46 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-10-20 16:04:46 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-10-20 16:04:46 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-10-20 16:04:45 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-10-20 16:04:45 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-10-20 16:04:45 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-10-20 16:04:45 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-10-20 16:04:45 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-10-20 16:02:44 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-10-20 16:02:43 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-10-20 07:37:05 -------- d-----w- c:\program files\common files\DirectX

==================== Find3M ====================

2010-10-08 08:14:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-08 08:14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 17:08:05.79 ===============



Thank you.
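The DDS log above lists every non-default service and driver in a fixed line format (state, internal name, display name, image path, and either a date/size pair or `[?]` when DDS could not find the file). Reading that section by hand is where a helper usually spots the entry to ask about, so here is an added example, not part of the original post or of DDS itself, that parses those lines and applies three defender-side checks: an unknown service whose image is the shared `svchost.exe -k netsvcs` host (the real code of such a service is the DLL named in its `Parameters\ServiceDll` registry value, so that DLL is what needs checking), an image file DDS flagged as missing or unreadable, and an image living in a temp directory. The sample input is constructed from lines copied out of the log above; the check names and scoring are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the "SERVICES / DRIVERS" section of the
# DDS log in this thread, including two clean Kaspersky drivers for contrast.
SAMPLE_LINES = r"""
R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
S4 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\munna\locals~1\temp\oes3ee.tmp --> c:\docume~1\munna\locals~1\temp\OES3EE.tmp [?]
S4 olopin;System Server;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
"""

# "R"/"S" = running/stopped, digit = the service's Start value (0 boot .. 4 disabled).
LINE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Trailing "[date size]" or "[?]" (DDS could not stat the file).
META_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str          # image path / command line as DDS resolved it
    file_checked: bool  # False when DDS printed "[?]"
    findings: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mm = META_RE.match(m.group("rest"))
    if not mm:
        return None
    image = mm.group("image")
    # DDS prints "<registry value> --> <resolved path>" for \??\ style paths;
    # keep the resolved path on the right-hand side.
    if " --> " in image:
        image = image.split(" --> ", 1)[1]
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        image.strip(), mm.group("meta").strip() != "?")


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach review findings (this example's own heuristics) to one entry."""
    img = entry.image.lower()
    if re.search(r"svchost(\.exe)?\s+-k\s+netsvcs", img):
        entry.findings.append(
            "hosted in the shared netsvcs svchost group: the listed image is only the host; "
            "the service's code is the DLL in HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
            f"{entry.name}\\Parameters\\ServiceDll, which is what needs checking")
    if not entry.file_checked:
        entry.findings.append("DDS could not find or read the image file ([?])")
    if re.search(r"\\temp\\", img) or img.endswith(".tmp"):
        entry.findings.append("image lives in a temp directory or has a .tmp name")
    return entry


def triage(text: str) -> List[ServiceEntry]:
    """Return only the parsed entries that raised at least one finding."""
    flagged = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and assess(entry).findings:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.state} {e.name} ({e.display}) -> {e.image}")
        for f in e.findings:
            print("    -", f)
```

Run against the constructed sample, the two Kaspersky drivers pass silently and three entries are reported: the two Garena entries because their files are missing (one also sits in `%temp%` under a `.tmp` name), and `olopin`, the "System Server" service that is nothing but `svchost.exe -k netsvcs`, which is the entry that matches the poster's own observation about the netsvcs svchost instance.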


#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:06:56 PM

Posted 25 November 2010 - 12:29 AM

Hello, servy.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  • When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
    **Note: It is zipped into a .RAR file. If you do not have a .RAR extractor, you can get one for free here
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 servy

  • Topic Starter
  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 25 November 2010 - 12:10 PM

I have attached all the logs as you requested. I couldn't paste them here as they were too big and I got an error message.

When attaching gmer.txt I faced a "file too big" error, so I zipped it. If you face any problem due to that, then I apologize.

I did all the scans after disabling through DeFogger.

Thanks for replying. I was losing hope but you came to the rescue.

Thanks again.

Logfile of random's system information tool 1.08 (written by random/random)
Run by Munna at 2010-11-25 21:25:25
Microsoft Windows XP Professional Service Pack 3
System drive C: has 1 GB (9%) free of 15 GB
Total RAM: 511 MB (22% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:25:54 PM, on 11/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtblfs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Munna\Desktop\Downloads\RSIT.exe
C:\Program Files\trend micro\Munna.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://122.50.128.1
O15 - ESC Trusted IP range: http://122.50.128.1
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O20 - AppInit_DLLs: C:\DOCUME~1\ALLUSE~1\AVP9\mzvkbd3.dll,C:\DOCUME~1\ALLUSE~1\AVP9\kloehk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky PURE (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
O23 - Service: FortiClient Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7022 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\rundll32.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ievkbd.dll [2009-12-25 68112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-10-08 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E33CF602-D945-461A-83F0-819F76A199F8}]
FilterBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll [2009-12-25 268816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-10-08 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe [2009-12-25 340456]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IDMan"=C:\Program Files\Internet Download Manager\IDMan.exe [2009-09-09 3118512]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
C:\Program Files\Citrix\ICA Client\concentr.exe [2010-03-11 300400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-06-03 1144104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Munna\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-17 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe [2008-02-28 1828136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
? []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Driver Setup]
C:\WINDOWS\cndrive32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSODESNV7]
C:\WINDOWS\system32\msvmiode.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nc]
C:\WINDOWS\system32\nc.exe -vv -d -L -p 13425 -e cmd.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-04-28 570664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2008-05-16 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe [2005-04-28 589824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
???
? []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\smax4.exe [2004-03-26 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-04-01 1368064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe [2010-10-15 1242448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Munna^Start Menu^Programs^Startup^MagicDisc.lnk]
C:\PROGRA~1\MagicDisc\MagicDisc.exe [2009-02-23 576000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3
"rpcapd"=3
"ose"=3
"odserv"=3
"NMIndexingService"=3
"Microsoft Office Groove Audit Service"=3
"JavaQuickStarterService"=2
"idsvc"=3
"DfSdkS"=3
"Windows Hosts Controller"=2
"NrConnmags"=2
"CSObjectsSrv"=2
"TuneUp.Defrag"=3
"NVSvc"=2
"WmiApSrv"=3
"SoundMAX Agent Service (default)"=2
"FA_Scheduler"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\DOCUME~1\ALLUSE~1\AVP9\mzvkbd3.dll,C:\DOCUME~1\ALLUSE~1\AVP9\kloehk.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2009-12-25 219664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=60
"NoResolveTrack"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe:*:Enabled:Garena"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\WINDOWS\System32\25.scr"="C:\WINDOWS\System32\25.scr:*:C:\WINDOWS\system32\Jnstm.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Fortinet\FortiClient\FortiProxy.exe"="C:\Program Files\Fortinet\FortiClient\FortiProxy.exe:*:Enabled:FortiClient Proxy Service"
"C:\Program Files\Fortinet\FortiClient\ipsec.exe"="C:\Program Files\Fortinet\FortiClient\ipsec.exe:*:Enabled:FortiClient VPN Service"
"C:\Program Files\Fortinet\FortiClient\FortiWad.exe"="C:\Program Files\Fortinet\FortiClient\FortiWad.exe:*:Enabled:FortiClient Wan Optimization Service"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Documents and Settings\Munna\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Documents and Settings\Munna\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\TeamViewer\Version5\TeamViewer.exe"="C:\Program Files\TeamViewer\Version5\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application"
"C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe"="C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service"
"C:\Program Files\Steam\steamapps\waggs15\counter-strike\hl.exe"="C:\Program Files\Steam\steamapps\waggs15\counter-strike\hl.exe:*:Enabled:Counter-Strike"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\wmpvk2.exe"="C:\WINDOWS\system32\wmpvk2.exe:*:Enabled:LAN Router"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2010-11-25 21:25:26 ----D---- C:\Program Files\trend micro
2010-11-25 21:25:25 ----D---- C:\rsit
2010-11-24 17:46:30 ----SHD---- C:\found.000
2010-11-24 09:53:52 ----A---- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2010-11-24 09:53:51 ----D---- C:\Program Files\Hitman Pro 3.5
2010-11-24 09:51:04 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2010-11-22 14:58:07 ----AD---- C:\Kaspersky Rescue Disk 10.0
2010-11-20 13:56:04 ----D---- C:\Program Files\Sophos
2010-11-20 12:12:18 ----A---- C:\TDSSKiller.2.4.8.0_20.11.2010_12.12.18_log.txt
2010-11-12 18:01:28 ----A---- C:\WINDOWS\system32\drivers\pavboot.sys
2010-11-10 10:00:29 ----D---- C:\Program Files\Fraps
2010-11-04 09:25:42 ----D---- C:\Documents and Settings\Munna\Application Data\AnvSoft
2010-11-04 09:25:39 ----D---- C:\Program Files\AnvSoft
2010-11-03 07:58:17 ----D---- C:\Program Files\Total Video Converter
2010-11-01 22:34:42 ----A---- C:\WINDOWS\system32\copy.bat
2010-10-31 10:29:09 ----D---- C:\Documents and Settings\Munna\Application Data\mIRC
2010-10-26 18:51:01 ----D---- C:\Program Files\Common Files\InfoWatch
2010-10-26 18:50:59 ----D---- C:\Program Files\Kaspersky Lab
2010-10-26 18:50:14 ----A---- C:\WINDOWS\system32\drivers\klif.sys
2010-10-26 18:48:42 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

======List of files/folders modified in the last 1 months======

2010-11-25 21:25:26 ----RD---- C:\Program Files
2010-11-25 21:21:24 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2010-11-25 21:21:08 ----D---- C:\WINDOWS\Temp
2010-11-25 21:20:11 ----D---- C:\Documents and Settings\Munna\Application Data\DMCache
2010-11-25 15:45:50 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-11-25 14:39:45 ----D---- C:\WINDOWS\Minidump
2010-11-25 14:39:45 ----D---- C:\WINDOWS
2010-11-25 14:10:31 ----A---- C:\WINDOWS\NeroDigital.ini
2010-11-25 09:19:06 ----D---- C:\Program Files\Garena
2010-11-25 01:09:44 ----D---- C:\WINDOWS\system32\CatRoot2
2010-11-24 19:35:10 ----D---- C:\WINDOWS\Prefetch
2010-11-24 19:34:39 ----SHD---- C:\WINDOWS\Installer
2010-11-24 19:34:07 ----D---- C:\WINDOWS\system32
2010-11-24 18:50:48 ----D---- C:\Documents and Settings\Munna\Application Data\IDM
2010-11-24 17:31:59 ----D---- C:\Documents and Settings\Munna\Application Data\Skype
2010-11-24 17:02:40 ----D---- C:\Documents and Settings\Munna\Application Data\skypePM
2010-11-24 09:53:52 ----D---- C:\WINDOWS\system32\drivers
2010-11-23 15:55:37 ----A---- C:\WINDOWS\kaio.INI
2010-11-20 08:50:28 ----D---- C:\Documents and Settings\Munna\Application Data\uTorrent
2010-11-17 15:51:36 ----D---- C:\Program Files\Nmap
2010-11-13 05:59:46 ----SD---- C:\WINDOWS\Tasks
2010-11-12 21:24:47 ----D---- C:\Program Files\Steam
2010-11-12 18:01:04 ----HD---- C:\WINDOWS\inf
2010-11-12 17:08:40 ----A---- C:\WINDOWS\wininit.ini
2010-11-10 12:40:11 ----SH---- C:\boot.ini
2010-11-10 12:40:11 ----A---- C:\WINDOWS\win.ini
2010-11-10 12:40:11 ----A---- C:\WINDOWS\system.ini
2010-11-09 08:20:53 ----HD---- C:\Program Files\InstallShield Installation Information
2010-11-08 17:35:58 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-11-05 10:13:16 ----D---- C:\WINDOWS\Help
2010-11-04 17:48:08 ----D---- C:\Program Files\Cisco TFTP Server
2010-11-04 17:32:11 ----D---- C:\Program Files\VultureWare DOCSIS Config Editor
2010-11-04 17:32:01 ----RD---- C:\Program Files\Skype
2010-11-03 07:58:21 ----RSD---- C:\WINDOWS\Fonts
2010-11-02 09:16:33 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-11-02 08:57:40 ----SD---- C:\Documents and Settings\Munna\Application Data\Microsoft
2010-10-29 08:25:46 ----D---- C:\Program Files\Mozilla Firefox
2010-10-28 18:49:46 ----D---- C:\Program Files\Common Files\Adobe
2010-10-28 18:49:46 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-10-28 18:49:35 ----D---- C:\Program Files\Adobe
2010-10-26 18:51:01 ----D---- C:\Program Files\Common Files
2010-10-26 17:51:39 ----D---- C:\Program Files\WinPcap

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 CSCrySec;InfoWatch Encrypt Sector Library driver; C:\WINDOWS\system32\DRIVERS\CSCrySec.sys [2009-12-14 88632]
R0 gagp30kx;Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms; C:\WINDOWS\system32\DRIVERS\gagp30kx.sys [2008-04-14 46464]
R0 KLBG;Kaspersky Lab Boot Guard Driver; C:\WINDOWS\system32\DRIVERS\klbg.sys [2009-10-14 36880]
R0 pavboot;pavboot; C:\WINDOWS\system32\drivers\pavboot.sys [2009-06-30 28552]
R0 viamraid;viamraid; C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-04-28 60928]
R0 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2009-07-13 91904]
R1 AmdK8;AMD Athlon64 Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-05-08 35840]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver; C:\WINDOWS\system32\DRIVERS\CSVirtualDiskDrv.sys [2009-12-14 39352]
R1 ctxusbm;Citrix USB Monitor Driver; C:\WINDOWS\system32\DRIVERS\ctxusbm.sys [2009-10-05 65584]
R1 fortiapd;fortiapd; C:\WINDOWS\system32\drivers\fortiapd.sys [2009-12-15 13416]
R1 Fortips;Fortips; C:\WINDOWS\system32\drivers\fortips.sys [2009-12-15 98024]
R1 FortiRdr;FortiRdr; C:\WINDOWS\system32\drivers\FortiRdr.sys [2009-12-15 29928]
R1 FortiShield;FortiShield; C:\WINDOWS\system32\drivers\FortiShield.sys [2009-12-15 36968]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 kl1;Kl1; \??\C:\WINDOWS\system32\drivers\kl1.sys []
R1 KLIF;Kaspersky Lab Driver; C:\WINDOWS\system32\DRIVERS\klif.sys [2010-10-26 315408]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-04-08 116176]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 Fortidrv2;Fortinet Packet Filter Service; C:\WINDOWS\system32\DRIVERS\fortidrv.sys [2009-04-06 22432]
R3 ft_vnic;Fortinet network virtual adapter; C:\WINDOWS\system32\DRIVERS\ftvnic.sys [2009-02-16 14496]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2009-09-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT; C:\WINDOWS\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-15 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-16 6557408]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-04-27 381056]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-06-07 266880]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 GGSAFERDriver;GGSAFER Driver; \??\C:\Program Files\Garena\safedrv.sys []
S3 leafnets;Leaf Networks Adapter; C:\WINDOWS\system32\DRIVERS\leafnets.sys [2007-05-03 55296]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\162.tmp []
S3 MidiSyn;MidiSyn; C:\WINDOWS\system32\drivers\MidiSyn.sys [2002-09-22 235100]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2010-01-21 18048]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-12-30 22016]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2010-06-25 35088]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-12-30 7936]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2008-04-14 26112]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-12-30 7936]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 vvftav;vvftav; C:\WINDOWS\system32\drivers\vvftav.sys []
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2009-07-14 444136]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2009-07-13 132224]
S3 ZSMC30x;USB PC Camera Service ZSMC30x; C:\WINDOWS\System32\Drivers\ZS211.sys []
S4 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\Munna\LOCALS~1\Temp\OES3EE.tmp []
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-06-13 721904]
S4 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123); C:\WINDOWS\system32\drivers\WPRO_40_1123.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AVP;Kaspersky PURE; C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe [2009-12-25 340456]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 FA_Scheduler;FortiClient Service Scheduler; C:\Program Files\Fortinet\FortiClient\scheduler.exe [2009-12-15 53266]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S4 CSObjectsSrv;CryptoStorage control service; C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
S4 DfSdkS;Defragmentation-Service; C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-01-09 410976]
S4 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-10-08 153376]
S4 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-02-28 529704]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-16 159812]
S4 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S4 olopin;System Server; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2010-06-25 117264]
S4 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2010-01-26 652800]
S4 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe []
S4 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2010-06-13 306432]
S4 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.08 2010-11-25 21:25:57

======Uninstall list======

-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent-->"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_Plugin.exe -maintain plugin
Adobe Reader 9.4.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A94000000001}
Any Video Converter 3.1.0-->"C:\Program Files\AnvSoft\Any Video Converter\unins000.exe"
Ashampoo WinOptimizer 6.23-->"C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\unins000.exe"
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Citrix online plug-in - web-->C:\Documents and Settings\All Users\Application Data\Citrix\Citrix online plug-in - web\TrolleyExpress.exe /uninstall /cleanup
Citrix online plug-in (DV)-->MsiExec.exe /I{8144262B-25B4-44F6-8204-FCC8EF50179F}
Citrix online plug-in (HDX)-->MsiExec.exe /I{EA74A293-3FAC-4D1B-AE3A-3BD47FADDC20}
Citrix online plug-in (USB)-->MsiExec.exe /I{6F8EAC65-314D-4D86-9557-BC9312AACCB0}
Citrix online plug-in (Web)-->MsiExec.exe /I{023D64D7-E7B4-47C7-BE6E-B7C2E8960D08}
Counter-Strike 1.6-->d:\Counter-Strike 1.6\Uninstal.exe
Counter-Strike-->"C:\Program Files\Steam\steam.exe" steam://uninstall/10
DivX Setup-->C:\Documents and Settings\All Users\Application Data\DivX\Setup\DivXSetup.exe /uninstall /bundleGroupId divx.com
FortiClient Endpoint Security-->MsiExec.exe /I{34D6AD5A-C03D-45FF-AA8A-8B306E01B96D}
FreeFixer-->"C:\Program Files\FreeFixer\uninstall.exe"
Garena 2010-->C:\Program Files\Garena\uninst.exe
Google Talk Plugin-->MsiExec.exe /I{26B878A8-5704-3B64-BDBC-4F0EACA38121}
Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /uninstall
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB959252-v2)-->"C:\WINDOWS\$NtUninstallKB959252-v2$\spuninst\spuninst.exe"
Internet Download Manager-->C:\Program Files\Internet Download Manager\Uninstall.exe
Java DB 10.5.3.0-->MsiExec.exe /X{00BA866C-F2A2-4BB9-A308-3DFA695B6F7C}
Java™ 6 Update 21-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216021FF}
Java™ SE Development Kit 6 Update 21-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160210}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
Kaspersky PURE-->MsiExec.exe /I{1A59064A-12A9-469F-99F6-04BF118DBCFF}
Kaspersky PURE-->MsiExec.exe /I{1A59064A-12A9-469F-99F6-04BF118DBCFF}
Klikator-Garena 1.4.3-->C:\Program Files\Klikator-Garena\uninst.exe
K-Lite Mega Codec Pack 5.6.1-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9-->"C:\WINDOWS\$NtUninstallWdf01009$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0122-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.9-->"C:\WINDOWS\$NtUninstallWudf01009$\spuninst\spuninst.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Mozilla Firefox (3.6.12)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86_v2-->MsiExec.exe /I{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}
MSVC90_x86-->MsiExec.exe /I{AF111648-99A1-453E-81DD-80DBBF6DAD0D}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Nero 8-->MsiExec.exe /X{3C5F1B30-B10B-4579-86DD-D00F662E1033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Connectivity Solution-->MsiExec.exe /I{481C9A00-91AC-4065-870C-BD4E28186E5A}
Security Task Manager 1.7h-->C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953155)-->"C:\WINDOWS\$NtUninstallKB953155$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957579)-->"C:\WINDOWS\$NtUninstallKB957579$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Serials 2005-->MsiExec.exe /I{A31838F1-8E0D-4CA3-A40A-20825B92F125}
Simple Static IP-->"C:\WINDOWS\Simple Static IP\uninstall.exe" "/U:C:\Program Files\Simple Static IP\Uninstall\uninstall.xml"
Skype™ 4.2-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Sophos Anti-Rootkit 1.5.4-->C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeamViewer 5-->C:\Program Files\TeamViewer\Version5\uninstall.exe
TuneUp Utilities 2008-->MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VLC media player 1.1.0-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)-->C:\PROGRA~1\DIFX\B4723E9A0713E5B1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccsmcfd_A3B3916E5D8138F59EE218321B27B044D3B18294\pccsmcfd.inf
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPcap 4.1.2-->C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip 12.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}
Your Uninstaller! Version 6.3-->"C:\Program Files\Your Uninstaller\unins000.exe"

======Hosts File======

127.0.0.1 localhost
127.0.0.1 208.53.183.46
127.0.0.1 208.53.183.124
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com

======Security center information======

AV: Kaspersky PURE (outdated)
FW: Kaspersky PURE

======System event log======

Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0015F2C386CD. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 929
Source Name: Dhcp
Time Written: 20101110104339.000000+330
Event Type: warning
User:

Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0015F2C386CD. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 927
Source Name: Dhcp
Time Written: 20101110104329.000000+330
Event Type: warning
User:

Computer Name: HOME
Event Code: 1002
Message: The IP address lease 122.50.131.95 for the Network Card with network address 0015F2C386CD has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Record Number: 925
Source Name: Dhcp
Time Written: 20101110104307.000000+330
Event Type: error
User:

Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0015F2C386CD. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 920
Source Name: Dhcp
Time Written: 20101110095330.000000+330
Event Type: warning
User:

Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0015F2C386CD. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 918
Source Name: Dhcp
Time Written: 20101110074638.000000+330
Event Type: warning
User:

=====Application event log=====

Computer Name: HOME
Event Code: 1517
Message: Windows saved user HOME\Munna registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 31
Source Name: Userenv
Time Written: 20101111003919.000000+330
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME
Event Code: 0
Message:
Record Number: 19
Source Name: rshd
Time Written: 20101108130821.000000+330
Event Type: error
User:

Computer Name: HOME
Event Code: 0
Message:
Record Number: 18
Source Name: rshd
Time Written: 20101108130619.000000+330
Event Type: error
User:

Computer Name: HOME
Event Code: 8193
Message: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Record Number: 3
Source Name: VSS
Time Written: 20101107145402.000000+330
Event Type: error
User:

Computer Name: HOME
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line 44 of f:\xpsp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 2
Source Name: EventSystem
Time Written: 20101107145402.000000+330
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 10, AuthenticAMD
"PROCESSOR_REVISION"=040a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Attached files: log.txt (32.55KB), info.txt (17.98KB), gmer.zip (42.06KB)

Edited by aommaster, 25 November 2010 - 12:13 PM.
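The event-log sections of the RSIT log above share one record layout (Computer Name, Event Code, a Message that may run over several lines, Record Number, Source Name, Time Written, Event Type, User) and stamp times in WMI CIM_DATETIME form: yyyymmddHHMMSS.ffffff followed by the UTC offset in minutes, so the +330 here is UTC+5:30. The following Python is an added example, not part of the thread and not RSIT's own code: it parses such records into structured events, converts the timestamps to timezone-aware datetimes, and lists event sources that are absent from a reviewer-supplied baseline of expected providers. The two sample records are constructed in the posted layout, and the baseline set is an assumption for illustration; an unfamiliar source is a lead to identify (which package registered it), not a verdict.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the RSIT event-log layout (shape copied from the posted log).
SAMPLE_LOG = """\
Computer Name: HOME
Event Code: 1002
Message: The IP address lease 122.50.131.95 for the Network Card with network address 0015F2C386CD has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Record Number: 925
Source Name: Dhcp
Time Written: 20101110104307.000000+330
Event Type: error
User:

Computer Name: HOME
Event Code: 0
Message:
Record Number: 19
Source Name: rshd
Time Written: 20101108130821.000000+330
Event Type: error
User:
"""

FIELDS = ("Computer Name", "Event Code", "Message", "Record Number",
          "Source Name", "Time Written", "Event Type", "User")
FIELD_RE = re.compile(r"^(%s):\s?(.*)$" % "|".join(re.escape(f) for f in FIELDS))

# WMI CIM_DATETIME: yyyymmddHHMMSS.ffffff+UUU, UUU being the UTC offset in minutes.
WMI_DT_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def parse_wmi_datetime(value):
    """Convert a CIM_DATETIME string to a timezone-aware datetime."""
    m = WMI_DT_RE.match(value.strip())
    if not m:
        raise ValueError("not a CIM_DATETIME: %r" % value)
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    minutes = int(off) if sign == "+" else -int(off)
    tz = timezone(timedelta(minutes=minutes))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=tz)


def utc_iso(dt):
    """Same instant rendered in UTC, for lining up hosts in different zones."""
    return dt.astimezone(timezone.utc).isoformat()


def parse_events(text):
    """Split the text into records. A record starts at 'Computer Name:'; the
    Message field continues over following lines (blank ones included) until
    the next known field name appears at the start of a line."""
    events, current, field = [], None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if name == "Computer Name":
                current = {}
                events.append(current)
            if current is None:
                raise ValueError("field before first record: %r" % line)
            current[name] = value
            field = name
        elif current is not None and field == "Message":
            current["Message"] += "\n" + line
        # stray lines elsewhere (the blank separator after 'User:') are ignored
    for ev in events:
        ev["Message"] = ev.get("Message", "").strip()
        ev["Time"] = parse_wmi_datetime(ev["Time Written"])
    return events


def unexpected_sources(events, baseline):
    """Event sources not in the reviewer's baseline, in order of first appearance."""
    seen = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        src = ev["Source Name"]
        if src not in baseline and src not in seen:
            seen.append(src)
    return seen


# Assumed baseline of providers one expects on an XP box; adjust to the host.
BASELINE_SOURCES = {"Dhcp", "Userenv", "VSS", "EventSystem", "Service Control Manager"}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ev in events:
        print(utc_iso(ev["Time"]), ev["Source Name"], ev["Event Code"], ev["Message"][:40])
    print("not in baseline:", unexpected_sources(events, BASELINE_SOURCES))
```

The parser keys on field names at the start of a line, so a message body that itself begins with one of those names would be cut short; for logs of this shape that is an acceptable trade-off, and the record count and source names are what a responder checks first.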


#4 aommaster
Malware Response Team, 5,294 posts, Location: Dubai

Posted 25 November 2010 - 12:19 PM

Hello, servy.
P2P Program Warning!

µTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

 

I noticed you had Serials 2005 installed. Not only is warez illegal, but a large number of such downloads come bundled with malware that can potentially cause permanent damage to your operating system. I highly recommend you uninstall it.

We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press yes
  • Click on Tools
  • Click on Resident
  • Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  • Close/Exit Spybot Search and Destroy


NEXT:

We need to run MBRCheck
  • Please download MBRCheck from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click MBRCheck.exe to run
  • A report called MBRcheck will be on your desktop once the program is done
  • Please copy and paste that into your reply

In your next reply, please include the following:
  • MBRCheck Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 servy (Topic Starter)
Members, 29 posts

Posted 25 November 2010 - 10:37 PM

You are very quick at replying. Hats off to you, man!

I did know that using a P2P program is hazardous, but I didn't know that people can manipulate it to install/run malware on our computer. I use it on rare occasions. I do take some precautions by only downloading stuff from popular/trusted authors (oh, sorry, I meant crackers :P). OK, I won't use uTorrent until my PC gets treated by you.

I removed Serials 2005 and unchecked the 2 Spybot options as you told me.

MBRCheck.txt --

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000017d

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF8B65000 \WINDOWS\system32\KDCOM.DLL
0xF8A75000 \WINDOWS\system32\BOOTVID.dll
0xF8665000 klbg.sys
0xF8536000 ACPI.sys
0xF8B67000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8525000 pci.sys
0xF8511000 CSCrySec.sys
0xF8675000 isapnp.sys
0xF8B69000 viaide.sys
0xF88E5000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8685000 MountMgr.sys
0xF84F2000 ftdisk.sys
0xF8B6B000 dmload.sys
0xF84CC000 dmio.sys
0xF88ED000 PartMgr.sys
0xF88F5000 pavboot.sys
0xF8695000 VolSnap.sys
0xF84B4000 atapi.sys
0xF86A5000 viamraid.sys
0xF849C000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF86B5000 disk.sys
0xF86C5000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF847C000 fltmgr.sys
0xF8465000 KSecDD.sys
0xF844E000 WudfPf.sys
0xF83C1000 Ntfs.sys
0xF8394000 NDIS.sys
0xF837A000 Mup.sys
0xF86D5000 gagp30kx.sys
0xF7638000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF7624000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF88A5000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF88B5000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF88C5000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7601000 \SystemRoot\system32\DRIVERS\ks.sys
0xF898D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF75DD000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8995000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF88D5000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF8705000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0xF899D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF89A5000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF8B85000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xF8715000 \SystemRoot\system32\DRIVERS\serial.sys
0xF8B21000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF75C9000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7587000 \SystemRoot\system32\drivers\smwdm.sys
0xF7563000 \SystemRoot\system32\drivers\portcls.sys
0xF8725000 \SystemRoot\system32\drivers\drmk.sys
0xF7547000 \SystemRoot\system32\drivers\aeaudio.sys
0xF74E9000 \SystemRoot\system32\drivers\senfilt.sys
0xF89AD000 \SystemRoot\system32\DRIVERS\fetnd5.sys
0xF8735000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF8B25000 \SystemRoot\system32\DRIVERS\fortidrv.sys
0xF8B87000 \SystemRoot\system32\DRIVERS\ftvnic.sys
0xF8745000 \SystemRoot\system32\DRIVERS\klim5.sys
0xF8D8B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7D4B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8B29000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF74D2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7D3B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7D2B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF89B5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF74C1000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7D1B000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF89BD000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF89C5000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6C39000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7D0B000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF89CD000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6C1C000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xF8B89000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6BBE000 \SystemRoot\system32\DRIVERS\update.sys
0xF8B49000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7CFB000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7CEB000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8B8B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF89D5000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7CCB000 \SystemRoot\system32\drivers\FortiShield.sys
0xF59AF000 \SystemRoot\system32\DRIVERS\klif.sys
0xF8B8D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF5A3C000 \SystemRoot\System32\Drivers\Null.SYS
0xF8B8F000 \SystemRoot\System32\Drivers\Beep.SYS
0xF89E5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF89ED000 \SystemRoot\System32\drivers\vga.sys
0xF8B91000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8B93000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF89F5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF89FD000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8B05000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF5447000 \??\C:\WINDOWS\system32\drivers\kl1.sys
0xF5434000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF53B3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF538B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF5369000 \SystemRoot\System32\drivers\afd.sys
0xF7CBB000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF533E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF52CE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF8A05000 \SystemRoot\system32\drivers\FortiRdr.sys
0xF52B7000 \SystemRoot\system32\drivers\fortips.sys
0xF8B95000 \SystemRoot\system32\drivers\fortiapd.sys
0xF8765000 \SystemRoot\System32\Drivers\Fips.SYS
0xF5291000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF8775000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF8A0D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF5AAE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF8785000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF5AA6000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF51B5000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
0xF8A15000 \SystemRoot\system32\DRIVERS\CSVirtualDiskDrv.sys
0xF87C5000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF519D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8B97000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF59AB000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8A1D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8D48000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA6D0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB9FA3000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA190000 \SystemRoot\system32\drivers\sysaudio.sys
0xB9ED1000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8BAD000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB9D8F000 \SystemRoot\system32\DRIVERS\srv.sys
0xB9A2C000 \??\C:\DOCUME~1\Munna\LOCALS~1\Temp\pxtdipow.sys
0xB8BA3000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB8F24000 \??\C:\Program Files\Garena\safedrv.sys
0xF8C0F000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 26):
0 System Idle Process
4 System
2028 C:\WINDOWS\system32\smss.exe
196 csrss.exe
232 C:\WINDOWS\system32\winlogon.exe
264 C:\WINDOWS\system32\services.exe
292 C:\WINDOWS\system32\lsass.exe
480 C:\WINDOWS\system32\svchost.exe
608 svchost.exe
1076 C:\WINDOWS\system32\svchost.exe
1152 svchost.exe
1416 svchost.exe
1808 C:\WINDOWS\explorer.exe
2016 C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
192 C:\Program Files\Internet Download Manager\IDMan.exe
376 C:\WINDOWS\system32\ctfmon.exe
1036 C:\WINDOWS\system32\spoolsv.exe
1708 svchost.exe
1664 C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
528 C:\WINDOWS\system32\svchost.exe
3760 alg.exe
3492 C:\Program Files\Mozilla Firefox\firefox.exe
3996 C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtblfs.exe
1004 C:\Program Files\Mozilla Firefox\plugin-container.exe
1088 C:\WINDOWS\system32\msiexec.exe
2480 C:\Documents and Settings\Munna\Desktop\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000003`bff0ca00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000008`c005b000 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x0000000c`7ff5fc00 (NTFS)

PhysicalDrive0 Model Number: ST380013A, Rev: 8.01

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#6 aommaster
Malware Response Team, 5,294 posts, Location: Dubai

Posted 25 November 2010 - 11:31 PM

Hello, servy.
MBR seems fine. Let's run ComboFix now :)

We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please go here and download combofix from one of the locations listed
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper.


In your next reply, please include the following:
  • ComboFix.txt



#7 servy (Topic Starter)
Members, 29 posts

Posted 26 November 2010 - 01:12 AM

As you asked, here is the ComboFix log result:

ComboFix 10-11-25.01 - Munna 11/26/2010 11:23:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.114 [GMT 5.5:30]
Running from: c:\documents and settings\Munna\Desktop\ComboFix.exe
AV: Kaspersky PURE *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky PURE *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-25 15:55 . 2010-11-25 15:55 -------- d-----w- c:\program files\trend micro
2010-11-25 15:55 . 2010-11-25 15:55 -------- d-----w- C:\rsit
2010-11-24 12:16 . 2010-11-24 12:16 -------- d-----w- C:\found.000
2010-11-24 04:23 . 2010-11-24 04:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-24 04:23 . 2010-11-24 04:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-24 04:21 . 2010-11-24 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-11-22 09:28 . 2010-11-22 10:33 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-11-20 08:26 . 2010-11-20 08:26 -------- d-----w- c:\program files\Sophos
2010-11-12 12:31 . 2009-06-30 05:07 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-10 04:30 . 2010-11-10 07:17 -------- d-----w- c:\program files\Fraps
2010-11-06 06:07 . 2010-11-06 06:07 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 06:07 . 2010-11-06 06:07 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-11-04 03:55 . 2010-11-04 03:55 -------- d-----w- c:\documents and settings\Munna\Application Data\AnvSoft
2010-11-04 03:55 . 2010-11-04 03:55 -------- d-----w- c:\program files\AnvSoft
2010-11-03 02:28 . 2010-11-04 12:03 -------- d-----w- c:\program files\Total Video Converter
2010-11-01 17:04 . 2010-11-02 11:40 188 ----a-w- c:\windows\system32\copy.bat
2010-10-31 04:59 . 2010-11-01 09:42 -------- d-----w- c:\documents and settings\Munna\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-25 05:56 . 2010-10-25 05:56 724992 ----a-w- c:\windows\iun6002.exe
2010-10-08 08:14 . 2010-10-08 08:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-08 08:14 . 2010-10-08 08:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-10 18:31 . 2010-03-10 18:31 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-10 19:10 . 2010-03-10 19:10 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-10 18:32 . 2010-03-10 18:32 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-10 18:31 . 2010-03-10 18:31 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-10 18:31 . 2010-03-10 18:31 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-10 18:30 . 2010-03-10 18:30 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-10 18:31 . 2010-03-10 18:31 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-10 18:31 . 2010-03-10 18:31 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 08:19 . 2009-10-05 08:19 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-10 18:32 . 2010-03-10 18:32 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2009-12-25 11:12 129552 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE\shellex.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-09-09 3118512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE\avp.exe" [2009-12-25 340456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Munna^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Munna\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 17:37 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 23:17 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-03-10 18:51 300400 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-17 10:00 133104 ----atw- c:\documents and settings\Munna\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 19:17 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 12:37 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 11:14 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-04-28 11:44 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 08:31 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 08:31 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 08:31 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
2005-04-28 11:22 589824 ----a-r- c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2004-03-26 09:10 794624 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-04-01 05:22 1368064 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 10:01 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-10-15 04:52 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 06:14 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"DfSdkS"=3 (0x3)
"Windows Hosts Controller"=2 (0x2)
"NrConnmags"=2 (0x2)
"CSObjectsSrv"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"NVSvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"FA_Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\FortiWad.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Munna\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\steamapps\\waggs15\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7821:TCP"= 7821:TCP:*:Disabled:wgvzls
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"11187:TCP"= 11187:TCP:FD
"1013:TCP"= 1013:TCP:BS
"8472:TCP"= 8472:TCP:FD
"49456:TCP"= 49456:TCP:FD
"10701:TCP"= 10701:TCP:FD
"3264:TCP"= 3264:TCP:FD
"22244:TCP"= 22244:TCP:FD
"7939:TCP"= 7939:TCP:FD
"37696:TCP"= 37696:TCP:FD
"40183:TCP"= 40183:TCP:FD
"10321:TCP"= 10321:TCP:FD
"17303:TCP"= 17303:TCP:FD
"11351:TCP"= 11351:TCP:FD
"45981:TCP"= 45981:TCP:FD
"32809:TCP"= 32809:TCP:FD
"50920:TCP"= 50920:TCP:FD
"27667:TCP"= 27667:TCP:FD
"10522:TCP"= 10522:TCP:FD

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [6/20/2010 10:53 AM 88632]
R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/12/2010 6:01 PM 28552]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [6/20/2010 10:53 AM 39352]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 10:08 AM 65584]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [12/15/2009 11:41 AM 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [12/15/2009 11:41 AM 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [12/15/2009 11:41 AM 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [12/15/2009 11:41 AM 36968]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [4/6/2009 1:20 PM 22432]
R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [7/10/2010 2:20 PM 14496]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [5/3/2007 5:18 AM 55296]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\162.tmp --> c:\windows\system32\162.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 10:37 PM 35088]
S3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys --> c:\windows\system32\drivers\vvftav.sys [?]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\Drivers\ZS211.sys --> c:\windows\system32\Drivers\ZS211.sys [?]
S4 CSObjectsSrv;CryptoStorage control service;c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [12/21/2009 5:34 PM 743992]
S4 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [6/18/2010 12:17 AM 410976]
S4 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp --> c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp [?]
S4 olopin;System Server;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:30 PM 14336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2010 6:08 PM 721904]
S4 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\WPRO_40_1123.sys --> c:\windows\system32\drivers\WPRO_40_1123.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
olopin
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.getdota.com/
FF - component: c:\documents and settings\Munna\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Munna\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Munna\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Munna\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 750
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Microsoft Driver Setup - c:\windows\cndrive32.exe
MSConfigStartUp-MSODESNV7 - c:\windows\system32\msvmiode.exe
MSConfigStartUp-nc - c:\windows\system32\nc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-26 11:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\162.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):99,31,24,b2,64,5c,27,f5,63,dc,2b,be,20,38,fc,a7,43,db,a5,40,4a,
9c,12,46,eb,e7,c1,02,e1,2f,7d,14,bc,80,2b,aa,31,8a,14,49,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d3575dfb-f8dc-4018-9a04-b93c2a17e885}]
@Denied: (Full) (Everyone)
"Model"=dword:00000121
"Therad"=dword:00000018

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1516)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Internet Download Manager\idmmkb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Fortinet\FortiClient\scheduler.exe
c:\program files\Fortinet\FortiClient\FCDBLog.exe
c:\program files\Fortinet\FortiClient\fcappdb.exe
c:\program files\Fortinet\FortiClient\FortiProxy.exe
c:\program files\Fortinet\FortiClient\FortiTray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\progra~1\Fortinet\FORTIC~1\FORTIS~1.EXE
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-11-26 11:38:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-26 06:08

Pre-Run: 1,203,474,432 bytes free
Post-Run: 1,304,047,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1DF2D1EC153B42DFE9840742FDD795F4

#8 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 26 November 2010 - 08:18 AM

Hi!

I have a few questions, before we proceed:
  • Do you know what the following files are (i.e. whether you put them there yourself):
    c:\windows\iun6002.exe
    c:\windows\system32\copy.bat
  • Have you manually opened any ports to your system?
  • Are you experiencing the problems you mentioned in your first post?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 servy
  • Topic Starter

  • Members
  • 29 posts

Posted 26 November 2010 - 08:44 AM

Hello

1. Yes, I do know what copy.bat is, but I don't have any idea about the other one, "c:\windows\iun6002.exe". I made copy.bat to copy my netcat.exe to the system folder. I was just curious how backdoor programs worked, so I had to test with such a program. I was afraid of picking anything too dangerous, so I downloaded the safest program, "the Swiss army knife", netcat. I just followed some tutorials and made it. I don't think hackers would target it, would they? Anyway, netcat isn't working, but I forgot to delete it from the system folder. My bad!!

I don't know anything about iun6002.exe. I haven't kept that there.

2. Yes, I tried to make a backdoor on my own computer to test netcat. But when I end the process from Task Manager, the backdoor fails. So is it safe to say that netcat isn't causing any vulnerability?

3. Well, the audio problems seem to be fixed, but I got a new problem after running ComboFix. When playing CS 1.6, I used to get Firefox opening up on its own, but now Internet Explorer is opening on its own. I think ComboFix made Internet Explorer the default browser, so it is popping up instead of Firefox. Still, to confirm it I need to do more tests; I mean I have to play more CS 1.6. LOL.

#10 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 26 November 2010 - 08:54 AM

Hi!

Yes, ComboFix does reset file associations, which is why IE pops up instead of Firefox.

So now, as I understand it, you've attempted to create a backdoor by yourself on your system, which is why I'm seeing signs of a backdoor infection. I'd like to warn you that opening a backdoor on your system is a bad idea and that even after an attempted cleaning operation, your computer may still be vulnerable.

Take a look at some of the links below:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

I can close this backdoor if you'd like me to do so. Would you like me to do that? Are you experiencing any problems other than the browser window appearing while playing Counter Strike?



#11 servy
  • Topic Starter

  • Members
  • 29 posts

Posted 26 November 2010 - 10:11 AM

Hi

Yes, I did open the netcat backdoor, but that was in the past. Still, I would like it if you could look into my computer for any open backdoors.

I was thinking of formatting my PC, but then I thought, "what if the malware raises its ugly head again?" So I came to this forum to find out what malware caused my system to behave like this.

Other than Firefox popping up in CS 1.6, I get the problem of redirection to the Firefox home page. While I was typing this reply, it redirected once.

One more thing: my Kaspersky firewall detected a DoS.Generic.SYNFlood attack from 174.133.70.101. I traced the IP and it was from the US. Then I felt that just by tracing the IP I cannot prevent the attack, so I left it. I also got attacked from 1.1.1.1 with the same DoS.Generic.SYNFlood attack. Doesn't that mean my computer is attacking itself? Funny, huh. Any suggestions would be appreciated.

#12 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 26 November 2010 - 10:55 AM

Hello, servy.
Do these redirects only occur in Firefox? Does it redirect you to your homepage, or to some other site?

This script should take care of the backdoor that you had present on your system.
We need to run a Combofix script
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    File::
    c:\windows\iun6002.exe
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7821:TCP"=-
    "9999:TCP"=-
    "9991:TCP"=-
    "11187:TCP"=-
    "1013:TCP"=-
    "8472:TCP"=-
    "49456:TCP"=-
    "10701:TCP"=-
    "3264:TCP"=-
    "22244:TCP"=-
    "7939:TCP"=-
    "37696:TCP"=-
    "40183:TCP"=-
    "10321:TCP"=-
    "17303:TCP"=-
    "11351:TCP"=-
    "45981:TCP"=-
    "32809:TCP"=-
    "50920:TCP"=-
    "27667:TCP"=-
    "10522:TCP"=-
    
    Netsvc::
    olopin
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d3575dfb-f8dc-4018-9a04-b93c2a17e885}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Now, drag and drop CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

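The script above deletes every GloballyOpenPorts entry and drops `olopin` from the netsvcs group. As an added example that is not part of this thread, ComboFix or BleepingComputer, the Python below shows how those two decisions can be made mechanically from the ComboFix log text and how the matching CFScript fragment is built. Two checks drive it. Windows Firewall labels the exceptions it creates itself with a resource string (`@xpsp2res.dll,-22004` and the like), so port entries carrying opaque labels such as `FD`, `BS`, `PORT1` or `wgvzls` were added by a user or a program and are the ones to confirm with the machine's owner (the question put in reply #8). A service whose image is `svchost.exe -k netsvcs` but whose name is not in the default XP netsvcs membership, and which also appears under the `Svchost - NetSvcs` key, is an extra DLL being loaded into a legitimate service host, which fits what the first post describes. Services whose image is a Temp or `*.tmp` file are only flagged for review, since the fix in reply #12 left them alone. The XP netsvcs baseline and the acceptance of `UxTuneUp` (TuneUp Utilities) are assumptions of this example; the sample input is copied from the log posted above.

```python
"""Triage a ComboFix log excerpt the way the replies above do. Added example for
this thread, not ComboFix code. Assumed: XP_NETSVCS_BASELINE is the default XP SP3
netsvcs membership, and UxTuneUp (TuneUp Utilities) is a legitimate member here."""
import re

# Constructed input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7821:TCP"= 7821:TCP:*:Disabled:wgvzls
"9999:TCP"= 9999:TCP:PORT1
"11187:TCP"= 11187:TCP:FD
"1013:TCP"= 1013:TCP:BS

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\162.tmp --> c:\windows\system32\162.tmp [?]
S4 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp --> c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp [?]
S4 olopin;System Server;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:30 PM 14336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2010 6:08 PM 721904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
olopin
.
"""

# Windows labels the firewall exceptions it creates itself with a resource string
# such as @xpsp2res.dll,-22004; any other label was added by a user or a program.
SYSTEM_LABEL_RE = re.compile(r"@[\w.]+\.dll,-\d+")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.M)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$", re.M)
NETSVCS_RE = re.compile(r"Svchost - NetSvcs\n((?:[^\s.][^\n]*\n)+)")
PORTS_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"
XP_NETSVCS_BASELINE = {  # assumption: XP SP3 defaults plus UxTuneUp (TuneUp Utilities)
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule",
    "Seclogon", "SENS", "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks",
    "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "uploadmgr", "UxTuneUp"}
BASELINE_LC = {n.lower() for n in XP_NETSVCS_BASELINE}

def parse_open_ports(log):
    return [{"port": int(p), "proto": proto, "label": label}
            for p, proto, label in PORT_RE.findall(log)]

def _clean_image(raw):
    raw = raw.split(" --> ")[0]                    # drop ComboFix's resolved-path echo
    raw = re.sub(r"\s*\[[^\]]*\]\s*$", "", raw)    # drop trailing "[date size]" / "[?]"
    return re.sub(r"^\\\?\?\\", "", raw)           # drop the \??\ NT path prefix

def parse_services(log):
    return [{"start": s, "name": n, "display": d, "image": _clean_image(i)}
            for s, n, d, i in SERVICE_RE.findall(log)]

def parse_netsvcs(log):
    """Names under the 'Svchost - NetSvcs' header, up to the next blank or '.' line."""
    m = NETSVCS_RE.search(log)
    return m.group(1).split() if m else []

def suspicious_ports(ports):
    return [p for p in ports if not SYSTEM_LABEL_RE.search(p["label"])]

def hosted_by_netsvcs(svc):
    return "svchost.exe -k netsvcs" in svc["image"].lower()

def suspicious_services(services, netsvcs):
    """Service name -> reasons. Temp/*.tmp images are flagged for review only."""
    findings = {}
    for svc in services:
        img = svc["image"].lower()
        if hosted_by_netsvcs(svc) and svc["name"].lower() not in BASELINE_LC:
            findings.setdefault(svc["name"], []).append(
                "runs inside svchost -k netsvcs but is not a known netsvcs member")
        elif "\\temp\\" in img or img.endswith(".tmp"):
            findings.setdefault(svc["name"], []).append(
                "image is a Temp or *.tmp file: verify the vendor before acting")
    for name in netsvcs:
        if name.lower() not in BASELINE_LC:
            findings.setdefault(name, []).append("in the NetSvcs group but not in the baseline")
    return findings

def build_cfscript(ports_to_close, netsvcs_to_remove):
    """Registry::/Netsvc:: fragment in the form used in reply #12."""
    out = []
    if ports_to_close:
        out += ["Registry::", PORTS_KEY]
        out += ['"%d:%s"=-' % (p["port"], p["proto"]) for p in ports_to_close] + [""]
    if netsvcs_to_remove:
        out += ["Netsvc::"] + list(netsvcs_to_remove) + [""]
    return "\n".join(out)

def triage(log):
    ports = suspicious_ports(parse_open_ports(log))
    services, netsvcs = parse_services(log), parse_netsvcs(log)
    hosted = {s["name"] for s in services if hosted_by_netsvcs(s)}
    # Only a name that is both in the group and registered as an svchost-hosted
    # service outside the baseline (olopin here) goes into the Netsvc:: section.
    remove = [n for n in netsvcs if n in hosted and n.lower() not in BASELINE_LC]
    return {"ports": ports, "services": suspicious_services(services, netsvcs),
            "cfscript": build_cfscript(ports, remove)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, reasons in result["services"].items():
        print("%s: %s" % (name, "; ".join(reasons)))
    print(result["cfscript"])
```

Run it as-is against the embedded excerpt, or pass the text of a full ComboFix.txt to `triage()`; the `cfscript` value is the text that would go into CFScript.txt. The DLL that `olopin` actually loads is named by the ServiceDll value under that service's Parameters key, which ComboFix does not print in this section, so the script identifies the hijacked service host but not the library behind it.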


#13 servy
  • Topic Starter

  • Members
  • 29 posts

Posted 26 November 2010 - 11:34 AM

Hi

I don't know about other browsers, but I will test that soon. It only redirects me to the homepage. I don't know who made such a harmless yet annoying piece of malware.

One piece of bad news: all the problems are back in full force. I mean the audio problem reappeared (muting and unmuting), though it seems to happen only in CS, and Firefox popping up hasn't stopped either. The redirects are more frequent than before. While writing this reply I got 6-7 redirects.

Thanks for shutting those ports. Out of curiosity, I want to ask how you differentiated legitimate ports from illegitimate ones. I am thinking of applying to the malware response training program offered by BleepingComputer. Maybe someday I will acquire your knowledge of malware.

Here is the ComboFix log you asked for.



ComboFix 10-11-25.01 - Munna 11/26/2010 21:37:33.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.306 [GMT 5.5:30]
Running from: c:\documents and settings\Munna\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Munna\Desktop\CFScript.txt
AV: Kaspersky PURE *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky PURE *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\iun6002.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\iun6002.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-25 15:55 . 2010-11-25 15:55 -------- d-----w- c:\program files\trend micro
2010-11-25 15:55 . 2010-11-25 15:55 -------- d-----w- C:\rsit
2010-11-24 12:16 . 2010-11-24 12:16 -------- d-----w- C:\found.000
2010-11-24 04:23 . 2010-11-24 04:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-24 04:23 . 2010-11-24 04:23 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-24 04:21 . 2010-11-24 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-11-22 09:28 . 2010-11-22 10:33 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-11-20 08:26 . 2010-11-20 08:26 -------- d-----w- c:\program files\Sophos
2010-11-12 12:31 . 2009-06-30 05:07 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-10 04:30 . 2010-11-10 07:17 -------- d-----w- c:\program files\Fraps
2010-11-06 06:07 . 2010-11-06 06:07 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 06:07 . 2010-11-06 06:07 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-11-04 03:55 . 2010-11-04 03:55 -------- d-----w- c:\documents and settings\Munna\Application Data\AnvSoft
2010-11-04 03:55 . 2010-11-04 03:55 -------- d-----w- c:\program files\AnvSoft
2010-11-03 02:28 . 2010-11-04 12:03 -------- d-----w- c:\program files\Total Video Converter
2010-11-01 17:04 . 2010-11-02 11:40 188 ----a-w- c:\windows\system32\copy.bat
2010-10-31 04:59 . 2010-11-01 09:42 -------- d-----w- c:\documents and settings\Munna\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 08:14 . 2010-10-08 08:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-08 08:14 . 2010-10-08 08:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-10 18:31 . 2010-03-10 18:31 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-10 19:10 . 2010-03-10 19:10 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-10 18:32 . 2010-03-10 18:32 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-10 18:31 . 2010-03-10 18:31 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-10 18:31 . 2010-03-10 18:31 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-10 18:30 . 2010-03-10 18:30 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-10 18:31 . 2010-03-10 18:31 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-10 18:31 . 2010-03-10 18:31 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 08:19 . 2009-10-05 08:19 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-10 18:32 . 2010-03-10 18:32 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2009-12-25 11:12 129552 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE\shellex.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-09-09 3118512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE\avp.exe" [2009-12-25 340456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Munna^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Munna\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 17:37 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 23:17 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-03-10 18:51 300400 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-17 10:00 133104 ----atw- c:\documents and settings\Munna\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 19:17 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 12:37 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 11:14 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-04-28 11:44 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 08:31 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 08:31 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 08:31 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
2005-04-28 11:22 589824 ----a-r- c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2004-03-26 09:10 794624 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-04-01 05:22 1368064 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 10:01 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-10-15 04:52 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 06:14 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"DfSdkS"=3 (0x3)
"Windows Hosts Controller"=2 (0x2)
"NrConnmags"=2 (0x2)
"CSObjectsSrv"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"NVSvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"FA_Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\FortiWad.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Munna\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\steamapps\\waggs15\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [6/20/2010 10:53 AM 88632]
R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/12/2010 6:01 PM 28552]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [6/20/2010 10:53 AM 39352]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 10:08 AM 65584]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [12/15/2009 11:41 AM 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [12/15/2009 11:41 AM 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [12/15/2009 11:41 AM 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [12/15/2009 11:41 AM 36968]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [4/6/2009 1:20 PM 22432]
R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [7/10/2010 2:20 PM 14496]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [5/3/2007 5:18 AM 55296]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\162.tmp --> c:\windows\system32\162.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 10:37 PM 35088]
S3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys --> c:\windows\system32\drivers\vvftav.sys [?]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\Drivers\ZS211.sys --> c:\windows\system32\Drivers\ZS211.sys [?]
S4 CSObjectsSrv;CryptoStorage control service;c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [12/21/2009 5:34 PM 743992]
S4 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [6/18/2010 12:17 AM 410976]
S4 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp --> c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp [?]
S4 olopin;System Server;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:30 PM 14336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2010 6:08 PM 721904]
S4 WPRO_40_1123;WinPcap Packet Driver (WPRO_40_1123);c:\windows\system32\drivers\WPRO_40_1123.sys --> c:\windows\system32\drivers\WPRO_40_1123.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.getdota.com/
FF - component: c:\documents and settings\Munna\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Munna\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Munna\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Munna\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 750
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-26 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Munna\LOCALS~1\Temp\OES3EE.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\162.tmp"
.
Completion time: 2010-11-26 21:45:49
ComboFix-quarantined-files.txt 2010-11-26 16:15
ComboFix2.txt 2010-11-26 06:08

Pre-Run: 1,338,970,112 bytes free
Post-Run: 1,324,519,424 bytes free

- - End Of File - - 1900555EDBC8F73158F62C7CD4B68D45

Thanks for your assistance.

#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:06:56 PM

Posted 26 November 2010 - 11:41 AM

Hello, servy.
Those ports are globally open, which means all programs have access to them. Unless there's a specific reason a port should be opened, they should all be closed.

By the way, do you know what Garena is? Did you install it yourself?

We need to run a custom OTL scan.
  • Please download OTL
  • Save it to your desktop.
  • Please run OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav 
    %systemroot%\system32\drivers\*.sys /90
    
  • Click the Run Scan button
  • A report will open. Copy and Paste that report in your next reply.

In your next reply, please include the following:
  • OTL Log

Edited by aommaster, 26 November 2010 - 11:42 AM.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM.
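Added example, not part of the post above and not OTL's own code: a read-only PowerShell script that performs the checks the `netsvcs` and `%systemroot%\system32\drivers\*.sys /90` directives in the custom scan ask OTL for, so you can see what those lines are hunting for. It lists every member of the svchost `netsvcs` group with the DLL svchost would load for it, sweeps all services and drivers for the patterns already visible in the ComboFix log above (an ImagePath that is a `.tmp` file or runs out of a Temp folder, as with `MEMSWEEP2` and `GarenaPEngine`, or a ServiceDll that is no longer on disk), and lists drivers written in the last 90 days. The function names, the flagging rules and the "PowerShell 3 or later, run elevated" requirement are this example's own assumptions.

```powershell
# Added example, not from this thread or from OTL: a read-only audit of the
# svchost "netsvcs" group, of every service's ImagePath/ServiceDll, and of
# recently modified kernel drivers. Needs PowerShell 3+ and an elevated prompt.
# Function names and the flagging rules are this example's own choices.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn a raw ImagePath/ServiceDll value into an absolute file path:
# strip the \??\ NT prefix, expand %SystemRoot%-style variables, drop
# command-line arguments such as "-k netsvcs", and root bare
# "system32\drivers\foo.sys" values at %SystemRoot%.
function Resolve-ServicePath([string]$Raw) {
    if (-not $Raw) { return $null }
    $p = $Raw -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if     ($p -match '^"([^"]+)"')                  { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|dll|sys))(\s|$)') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# What OTL's "netsvcs" directive reports: each member of the netsvcs group,
# the DLL svchost would load for it, and whether that DLL is really there.
# A member with no service key at all is a harmless leftover (XP lists
# 6to4, Ias, Iprip ... by default); a member whose ServiceDll is missing
# or unsigned is the thing to look at.
function Get-NetSvcsAudit {
    foreach ($name in (Get-ItemProperty $SvchostKey).netsvcs) {
        $svc = Join-Path $ServicesKey $name
        if (-not (Test-Path $svc)) {
            [pscustomobject]@{ Service = $name; ServiceDll = $null; Exists = $false; Signature = $null; Note = 'no service key' }
            continue
        }
        $dll    = (Get-ItemProperty (Join-Path $svc 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
        $path   = Resolve-ServicePath $dll
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        # Catalog-signed OS files can report NotSigned on older Windows, so a
        # missing file is the strong signal; the signature is a secondary one.
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
        $note   = @()
        if ($dll -and -not $exists)        { $note += 'ServiceDll missing on disk' }
        if ($exists -and $sig -ne 'Valid') { $note += "signature $sig" }
        [pscustomobject]@{ Service = $name; ServiceDll = $path; Exists = $exists; Signature = $sig; Note = ($note -join '; ') }
    }
}

# Sweep every service and driver, not just the netsvcs group, and flag the
# patterns seen in the logs in this thread: an image or ServiceDll that no
# longer exists, an image that is a *.tmp file, or one that runs out of a
# Temp folder. Missing images are common leftovers of uninstalled software;
# the .tmp and Temp hits deserve a closer look.
function Get-SuspiciousServices {
    Get-ChildItem $ServicesKey | ForEach-Object {
        $svc   = Join-Path $ServicesKey $_.PSChildName
        $props = Get-ItemProperty $svc -ErrorAction SilentlyContinue
        $img   = Resolve-ServicePath $props.ImagePath
        $dll   = Resolve-ServicePath (Get-ItemProperty (Join-Path $svc 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
        $why   = @()
        if ($img -and $img -match '\.tmp$')                { $why += 'image is a .tmp file' }
        if ($img -and $img -match '\\Temp\\')              { $why += 'image runs from a Temp folder' }
        if ($img -and -not (Test-Path -LiteralPath $img))  { $why += 'image missing on disk' }
        if ($dll -and -not (Test-Path -LiteralPath $dll))  { $why += 'ServiceDll missing on disk' }
        if ($why) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img; ServiceDll = $dll; Why = ($why -join '; ') }
        }
    }
}

# What "%systemroot%\system32\drivers\*.sys /90" asks OTL for: kernel
# drivers written in the last N days, newest first, with signature status.
function Get-RecentDrivers([int]$Days = 90) {
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem (Join-Path $env:SystemRoot 'system32\drivers') -Filter *.sys |
        Where-Object { $_.LastWriteTime -ge $since } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Driver    = $_.Name
                Modified  = $_.LastWriteTime
                Size      = $_.Length
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

Get-NetSvcsAudit           | Format-Table -AutoSize
Get-SuspiciousServices     | Format-Table -AutoSize
Get-RecentDrivers -Days 90 | Format-Table -AutoSize
```

Read the three tables the same way the helper reads the OTL output: a `netsvcs` member whose ServiceDll is reported missing while its service still points at `svchost.exe -k netsvcs` is the pattern behind the "something hiding in the .dll of that svchost" suspicion, and a service whose image is a `.tmp` in a Temp folder should be explained (a known game anti-cheat or scanner driver) or removed. The script changes nothing; it only reads the registry and the file system.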


#15 servy

servy
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 26 November 2010 - 12:04 PM

Hi

I have installed Garena myself. It's freeware which lets me play Warcraft 3 DotA. I don't think there is any malware in it, but I do expect that hackers can manipulate it to breach my security. Still, I choose to let it stay there. If you have any tips that you can give, then please do so.


OTL log follows:

OTL logfile created on: 11/26/2010 10:27:56 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Munna\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 225.00 Mb Available Physical Memory | 44.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.00 Gb Total Space | 1.26 Gb Free Space | 8.38% Space Free | Partition Type: NTFS
Drive D: | 20.00 Gb Total Space | 0.72 Gb Free Space | 3.60% Space Free | Partition Type: NTFS
Drive E: | 15.00 Gb Total Space | 0.47 Gb Free Space | 3.13% Space Free | Partition Type: NTFS
Drive F: | 24.52 Gb Total Space | 0.81 Gb Free Space | 3.30% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Munna | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/24 09:47:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Munna\Desktop\OTL.exe
PRC - [2010/10/29 08:25:26 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/10/29 08:25:23 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
PRC - [2009/12/25 16:42:48 | 000,207,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtblfs.exe
PRC - [2009/09/09 20:06:54 | 003,118,512 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IDMan.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/11/24 09:47:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Munna\Desktop\OTL.exe
MOD - [2009/03/26 21:05:39 | 000,034,224 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\idmmkb.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\WUDFSvc.dll -- (WudfSvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\wbem\wmiapsrv.exe -- (WmiApSrv)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\pxeqog.dll -- (olopin)
SRV - [2010/06/25 22:37:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/06/13 17:36:21 | 000,306,432 | ---- | M] (TuneUp Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010/01/26 12:41:08 | 000,652,800 | ---- | M] (Nokia) [Disabled | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe -- (AVP)
SRV - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) [Disabled | Stopped] -- C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -- (CSObjectsSrv)
SRV - [2009/12/15 11:18:04 | 000,053,266 | ---- | M] (Fortinet Inc.) [Auto | Stopped] -- C:\Program Files\Fortinet\FortiClient\scheduler.exe -- (FA_Scheduler)
SRV - [2009/01/09 12:46:24 | 000,410,976 | ---- | M] (mst software GmbH, Germany) [Disabled | Stopped] -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe -- (DfSdkS)
SRV - [2007/12/20 10:41:56 | 000,029,440 | ---- | M] (TuneUp Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\ZS211.sys -- (ZSMC30x)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\WPRO_40_1123.sys -- (WPRO_40_1123) WinPcap Packet Driver (WPRO_40_1123)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\vvftav.sys -- (vvftav)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\162.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Garena\safedrv.sys -- (GGSAFERDriver)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\DOCUME~1\Munna\LOCALS~1\Temp\OES3EE.tmp -- (GarenaPEngine)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/10/26 18:50:14 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2010/06/25 22:37:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2010/06/13 18:08:23 | 000,721,904 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/01/21 14:53:16 | 000,018,048 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/12/30 11:30:56 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/12/30 11:30:48 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/12/30 11:30:48 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/12/15 11:41:54 | 000,036,968 | ---- | M] (Fortinet Inc) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\FortiShield.sys -- (FortiShield)
DRV - [2009/12/15 11:41:52 | 000,029,928 | ---- | M] (Fortinet Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FortiRdr.sys -- (FortiRdr)
DRV - [2009/12/15 11:41:50 | 000,098,024 | ---- | M] (Fortinet Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fortips.sys -- (Fortips)
DRV - [2009/12/15 11:41:42 | 000,013,416 | ---- | M] (Fortinet Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fortiapd.sys -- (fortiapd)
DRV - [2009/12/14 12:44:24 | 000,088,632 | ---- | M] (Infowatch) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CSCrySec.sys -- (CSCrySec)
DRV - [2009/12/14 12:44:24 | 000,039,352 | ---- | M] (Infowatch) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\CSVirtualDiskDrv.sys -- (CSVirtualDiskDrv)
DRV - [2009/10/14 20:18:34 | 000,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\klbg.sys -- (KLBG)
DRV - [2009/10/05 10:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2009/10/02 18:39:44 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 13:42:46 | 000,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 14:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/04/06 13:20:08 | 000,022,432 | ---- | M] (Fortinet Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fortidrv.sys -- (Fortidrv2)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009/02/16 14:23:26 | 000,014,496 | ---- | M] (Fortinet Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ftvnic.sys -- (ft_vnic)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/05/16 14:01:00 | 006,557,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/14 00:23:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/05/03 05:18:00 | 000,055,296 | ---- | M] (Leaf Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\leafnets.sys -- (leafnets)
DRV - [2004/08/15 00:26:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/05/08 10:21:44 | 000,035,840 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/04/27 23:19:56 | 000,381,056 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2002/09/22 00:23:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.getdota.com/"
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.7
FF - prefs.js..extensions.enabledItems: {40a1f5d7-afc2-498f-b264-02668d616ff6}:1.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.5.12s
FF - prefs.js..extensions.enabledItems: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}:1.4.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.192
FF - prefs.js..extensions.enabledItems: {038dc421-b19e-4711-a218-1fd10de9163b}:1.0.0.2


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/30 17:43:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/24 19:34:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky PURE\THBExt [2010/10/26 18:52:28 | 000,000,000 | ---D | M]

[2010/06/13 17:43:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Munna\Application Data\Mozilla\Extensions
[2010/11/26 21:56:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions
[2010/10/31 16:38:22 | 000,000,000 | ---D | M] (Add N Edit Cookies) -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions\{038dc421-b19e-4711-a218-1fd10de9163b}
[2010/06/15 23:40:58 | 000,000,000 | ---D | M] (Mega Manager Integration) -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions\{40a1f5d7-afc2-498f-b264-02668d616ff6}
[2010/11/12 15:24:50 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/10/11 10:02:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/11/18 08:08:27 | 000,000,000 | ---D | M] (FoxTab) -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
[2010/11/09 16:22:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions\SkipScreen@SkipScreen
[2010/11/18 08:08:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\extensions\staged-xpis
[2010/07/29 10:19:22 | 000,010,017 | ---- | M] () -- C:\Documents and Settings\Munna\Application Data\Mozilla\Firefox\Profiles\q43tyokt.default\searchplugins\mywebsearch.xml
[2010/11/26 21:56:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/08 13:45:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/26 18:53:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2010/03/11 00:01:02 | 000,124,272 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CCMSDK.dll
[2010/03/11 00:02:52 | 000,070,512 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2010/03/11 00:01:48 | 000,091,504 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2010/03/11 00:01:24 | 000,022,384 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2010/10/08 13:44:53 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/03/11 00:40:56 | 000,423,248 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2010/03/11 00:02:48 | 000,023,920 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2010/11/26 21:43:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKCU..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe (Tonec Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O15 - HKCU\..Trusted Ranges: Range1979 ([http] in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 202.138.96.2 203.98.96.5 202.62.224.5 202.138.103.100 202.56.250.6 202.62.224.2 202.56.250.5
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\AutorunsDisabled - No CLSID value found
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: UxTuneUp - C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software GmbH)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/11/26 21:45:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/11/26 11:22:11 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/26 11:18:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/26 11:18:13 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/26 11:18:13 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/26 11:18:13 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/26 11:18:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/26 11:17:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/11/25 21:25:26 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/11/25 21:25:25 | 000,000,000 | ---D | C] -- C:\rsit
[2010/11/24 17:46:30 | 000,000,000 | ---D | C] -- C:\found.000
[2010/11/24 09:53:51 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/11/24 09:51:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/11/24 09:46:55 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Munna\Desktop\OTL.exe
[2010/11/22 14:58:07 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2010/11/20 13:56:04 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/11/12 18:01:28 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/11/10 10:00:29 | 000,000,000 | ---D | C] -- C:\Program Files\Fraps
[2010/11/04 09:26:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Munna\My Documents\Any Video Converter
[2010/11/04 09:25:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Munna\Application Data\AnvSoft
[2010/11/04 09:25:39 | 000,000,000 | ---D | C] -- C:\Program Files\AnvSoft
[2010/11/03 08:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Munna\Desktop\psp
[2010/11/03 07:58:17 | 000,000,000 | ---D | C] -- C:\Program Files\Total Video Converter
[2010/10/31 10:29:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Munna\Application Data\mIRC

========== Files - Modified Within 30 Days ==========

[2010/11/26 21:43:36 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/26 16:43:43 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\Munna\Desktop\Proposed_Disb-Nov.10(2).xls
[2010/11/26 15:47:57 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/11/26 11:31:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/26 11:31:28 | 536,072,192 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/26 11:22:19 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/26 11:15:45 | 003,908,662 | R--- | M] () -- C:\Documents and Settings\Munna\Desktop\ComboFix.exe
[2010/11/25 01:04:10 | 000,050,688 | ---- | M] () -- C:\Documents and Settings\Munna\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/24 17:24:43 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/11/24 09:53:52 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/11/24 09:53:51 | 000,001,669 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/11/24 09:47:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Munna\Desktop\OTL.exe
[2010/11/23 15:55:37 | 000,000,032 | ---- | M] () -- C:\WINDOWS\kaio.INI
[2010/11/22 10:34:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/20 01:31:46 | 000,115,465 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/11/20 01:31:46 | 000,097,545 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/11/17 12:01:51 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Munna\defogger_reenable
[2010/11/17 10:11:48 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\Munna\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/11/15 19:46:21 | 000,283,136 | ---- | M] () -- C:\Documents and Settings\Munna\Desktop\Central Bank clerical ad -2010.doc
[2010/11/12 17:08:40 | 000,000,048 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/11/10 12:40:11 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/11/08 15:36:42 | 000,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/11/08 15:23:07 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Munna\Desktop\Mozilla Firefox.lnk
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/04 09:25:48 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Munna\Desktop\Any Video Converter.lnk
[2010/11/03 14:13:24 | 000,268,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/02 17:10:08 | 000,000,188 | ---- | M] () -- C:\WINDOWS\System32\copy.bat
[2010/11/02 09:16:33 | 000,430,826 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/02 09:16:33 | 000,067,424 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2010/11/26 16:19:09 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\Munna\Desktop\Proposed_Disb-Nov.10(2).xls
[2010/11/26 11:22:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/26 11:22:13 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/26 11:18:13 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/26 11:18:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/26 11:18:13 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/26 11:18:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/26 11:18:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/26 11:14:42 | 003,908,662 | R--- | C] () -- C:\Documents and Settings\Munna\Desktop\ComboFix.exe
[2010/11/24 09:53:52 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/11/24 09:53:51 | 000,001,669 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/11/17 12:01:42 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Munna\defogger_reenable
[2010/11/17 10:11:48 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\Munna\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/11/15 19:46:13 | 000,283,136 | ---- | C] () -- C:\Documents and Settings\Munna\Desktop\Central Bank clerical ad -2010.doc
[2010/11/08 15:23:07 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Munna\Desktop\Mozilla Firefox.lnk
[2010/11/04 09:25:48 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Munna\Desktop\Any Video Converter.lnk
[2010/11/01 22:34:42 | 000,000,188 | ---- | C] () -- C:\WINDOWS\System32\copy.bat
[2010/08/26 03:19:48 | 000,000,016 | ---- | C] () -- C:\WINDOWS\QH32.INI
[2010/07/20 08:50:53 | 000,000,032 | ---- | C] () -- C:\WINDOWS\kaio.INI
[2010/07/14 16:20:48 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/07/14 16:20:46 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2010/07/14 16:20:46 | 002,378,752 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2010/07/14 16:20:46 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/07/14 16:20:46 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/07/14 16:20:44 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/06/25 22:33:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2010/06/20 16:54:06 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/06/20 16:54:06 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2010/06/20 16:54:06 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/06/20 16:54:06 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/06/20 15:08:29 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/15 23:49:39 | 000,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2010/06/14 11:16:11 | 000,064,200 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/13 22:27:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/13 18:17:25 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/13 17:22:59 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/06/13 17:18:19 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2010/06/13 17:18:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\sensor.INI
[2010/06/13 17:18:13 | 000,003,699 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/06/13 17:18:10 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2010/06/13 17:13:56 | 000,050,688 | ---- | C] () -- C:\Documents and Settings\Munna\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/16 14:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 14:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 14:01:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 14:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/11/10 12:40:11 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/11/26 11:22:19 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/11/26 21:45:50 | 000,017,128 | ---- | M] () -- C:\ComboFix.txt
[2010/11/26 11:31:28 | 536,072,192 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/26 05:57:39 | 000,002,617 | ---- | M] () -- C:\install.log
[2010/06/13 17:08:05 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/13 17:08:05 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 17:30:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/06/19 19:45:38 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/11/26 11:31:27 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2010/11/20 12:13:34 | 000,040,026 | ---- | M] () -- C:\TDSSKiller.2.4.8.0_20.11.2010_12.12.18_log.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 05:41:54 | 000,380,445 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\expsrv.dll
[2008/04/14 05:42:02 | 001,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/06/13 22:25:12 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/06/13 22:25:12 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/06/13 22:25:12 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/11/24 09:53:52 | 000,016,968 | ---- | M] () -- C:\WINDOWS\system32\drivers\hitmanpro35.sys
[2010/10/26 18:50:14 | 000,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B3D74A13

< End of report >


Don't you want the extras.txt that OTL created? If you do then just tell me.

Thanks
