
Infected with System Tool Virus


11 replies to this topic

#1 Swahed

  • Members
  • 6 posts

Posted 27 January 2011 - 07:15 PM

Hello BleepingComputer,
I have a problem which started on Saturday, January the 22nd. I had just finished playing Minecraft on my computer and was about to shut it down when a message appeared on the bottom right saying I was infected with something. I knew right away this was a virus just by looking at the icon, so I looked up how to get rid of it on the internet.
After reading some pages which had some good advice (or so I thought), I shut down my computer to restart it in safe mode with networking. I turned my computer back on and it wouldn't even start loading. It would instantly crash without enough time to press F8. I realized my flash drive plugged in to a USB port was causing my computer to crash, because it started fine after I removed the device. I used Malwarebytes' to scan my computer and then I was told to reset a hosts file using another program, which I don't think turned out successfully. After I had done this I restarted my computer normally and the System Tool Virus appeared to be gone. I used my computer for about two days (the computer was very slow and a win32 crash report would show up requiring me to restart my computer) until another warning appeared in the bottom right, this time from a different program. I used the same tactic to remove that and I haven't had another virus warning since then.
Every few hours, though, if I am on Firefox, a new tab opens randomly with a random address and Firefox blocks it as a site that is potentially dangerous. Today a tab opened that appeared to be Google, but the address was www.Google.com/webhp, which I knew was not right. I looked this up and found a BleepingComputer forum post with the same problem, and I followed the directions in that post ( http://www.bleepingcomputer.com/forums/topic309331.html ) and instructions 6 to 9 in this post ( http://www.bleepingcomputer.com/forums/topic34773.html ) to get some specs that I hope someone can look at and help me with my problem.

My computer is still running very slow and I use Advanced System Care Free and Malwarebytes' often to clean my computer.
I don't know if this matters, but my Minecraft also has stopped working with an error that says "could not create Java virtual machine". I looked this up and a forum post told me it may be the sign of a virus.

Thank you very much for any help,
Swahed


DDS


DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 17:49:01.04 on Thu 01/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2368 [GMT -6:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\LG Soft India\EasySetPackage\bin\EasySetPackage.exe
C:\Program Files\TRENDnet\TEW-641PC_TEW-643PI\WlanCU.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\easyse~1.lnk - c:\program files\lg soft india\easysetpackage\bin\EasySetPackage.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-641pc_tew-643pi\WlanCU.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278101893734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\inbqau2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TabRenamizer: {792BDDFE-2E7C-42ed-B18D-18154D2761BD} - %profile%\extensions\{792BDDFE-2E7C-42ed-B18D-18154D2761BD}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-9-30 47640]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2010-8-19 20480]
R3 LGDDCDevice;LGDDCDevice;c:\windows\system32\LGI2CDriver.sys [2010-7-10 16384]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-7-23 56992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WLSVC;WLSVC;c:\program files\trendnet\tew-641pc_tew-643pi\WLSVC.exe [2010-8-20 167936]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-7-2 1684736]
S3 LGII2CDevice;LGII2CDevice;c:\windows\system32\LGPII2CDriver.sys [2010-7-10 19456]
S3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2010-7-2 529440]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-01-27 22:50:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-27 22:50:32 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-01-25 05:26:28 -------- d-----w- c:\docume~1\user\applic~1\IObit
2011-01-25 05:26:27 -------- d-----w- c:\program files\IObit
2011-01-24 23:33:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-24 23:33:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-23 22:22:07 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{f9e62c23-33ff-4df4-af8f-063a4a9c875b}\mpengine.dll
2011-01-23 22:20:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-23 22:20:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-23 03:45:58 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2011-01-23 03:45:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-23 03:45:52 -------- d-----w- c:\program files\Malwarebytes
2011-01-23 02:15:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\oNoPc09100
2011-01-12 01:07:13 -------- d-----w- c:\program files\iPod
2011-01-12 01:07:10 -------- d-----w- c:\program files\iTunes
2011-01-06 23:11:50 -------- d-----w- c:\program files\GoogleSketchUp

==================== Find3M ====================

2011-01-27 22:50:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-15 02:20:45 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-15 02:20:45 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-15 02:20:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-12-15 02:20:44 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-17 05:41:00 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD64 rev.05.0 -> Harddisk0\DR0 -> \Device\Scsi\nvgts2

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ABF6555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8abfc7b0]; MOV EAX, [0x8abfc82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC18030]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000064[0x8AC95538]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AC50030]
\Driver\nvgts[0x8ACCE298] -> IRP_MJ_CREATE -> 0x8ABF6555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Scsi\nvgts2Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_WDC_WD64&Prod_01AALS-00J7B&Rev_05.0#4&1a3c904d&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 1250263726 (+7): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 17:50:14.93 ===============

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 January 2011 - 11:38 PM

Hello Swahed ,


Let's disable the main file manually so you can run some tools. Do you have access to a flash drive?

What I want you to look for is in Application Data (If using XP). There will be a folder, with a file in it of the same "name". This will appear random, but it has a pattern. Look for letters and numbers in this order: lower case, upper case, lower case, upper case, lower case, then 5 random numbers. For example:

Folder -----> pEeHl02508\pEeHl02508.exe <-----file inside

Delete the folder. Download the following tool:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Swahed.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
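Added example, not part of the original thread and not a BleepingComputer or ComboFix tool: a small Python scanner that applies the naming pattern tea describes (lower, upper, lower, upper, lower, then five digits, as in pEeHl02508) to a profile's Application Data folders and to DDS "Created Last 30" lines. Both logs on this page list `c:\docume~1\alluse~1\applic~1\oNoPc09100` (All Users\Application Data, not the per-user folder), and that name fits the pattern exactly, which is why the scanner checks both locations. The directory tree it builds is constructed in a temporary directory, the three sample log lines are copied from post #1, and all function names are my own.

```python
import re
import tempfile
from pathlib import Path

# Naming pattern from the reply: lower, upper, lower, upper, lower, then
# exactly five digits (e.g. pEeHl02508). Anchored, so ordinary vendor
# folders such as Malwarebytes or IObit never match.
ROGUE_NAME_RE = re.compile(r"^[a-z][A-Z][a-z][A-Z][a-z][0-9]{5}$")

# DDS "Created Last 30" line: date time size attrs path (path may contain spaces).
DDS_CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$"
)


def matches_rogue_pattern(name: str) -> bool:
    """True if a folder or file stem follows the lower/upper/lower/upper/lower + 5-digit pattern."""
    return ROGUE_NAME_RE.fullmatch(name) is not None


def find_rogue_candidates(app_data_dirs):
    """Look one level below each Application Data directory for folders whose
    name matches the pattern. Each hit records whether the folder also holds
    an .exe of the same name, the folder\\file layout the reply describes."""
    hits = []
    for base in app_data_dirs:
        base = Path(base)
        if not base.is_dir():
            continue
        for folder in base.iterdir():
            if folder.is_dir() and matches_rogue_pattern(folder.name):
                exe = folder / (folder.name + ".exe")
                hits.append((str(folder), exe.is_file()))
    return sorted(hits)


def flag_dds_created_lines(lines):
    """Return the paths from DDS 'Created Last 30' lines whose last path
    component matches the pattern, so a posted log can be screened before
    anyone touches the machine."""
    flagged = []
    for line in lines:
        m = DDS_CREATED_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1).strip()
        leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
        if matches_rogue_pattern(leaf):
            flagged.append(path)
    return flagged


# Three lines copied from the DDS log in post #1: two benign vendor folders
# and the All Users entry that fits the pattern.
SAMPLE_DDS_LINES = [
    "2011-01-23 03:45:52 -------- d-----w- c:\\program files\\Malwarebytes",
    "2011-01-23 02:15:04 -------- d-----w- c:\\docume~1\\alluse~1\\applic~1\\oNoPc09100",
    "2011-01-12 01:07:13 -------- d-----w- c:\\program files\\iPod",
]


def demo_scan():
    """Build a constructed profile tree in a temporary directory (no real
    system is touched) and run the scanner over both the per-user and the
    All Users Application Data folders. Returns hits relative to the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        user_appdata = root / "User" / "Application Data"
        all_users_appdata = root / "All Users" / "Application Data"
        for d in (user_appdata / "Malwarebytes",
                  user_appdata / "IObit",
                  all_users_appdata / "oNoPc09100"):
            d.mkdir(parents=True)
        # Constructed placeholder standing in for the rogue's executable.
        (all_users_appdata / "oNoPc09100" / "oNoPc09100.exe").write_bytes(b"placeholder")
        hits = find_rogue_candidates([user_appdata, all_users_appdata])
        return [(Path(p).relative_to(root).as_posix(), has_exe) for p, has_exe in hits]


if __name__ == "__main__":
    for path in flag_dds_created_lines(SAMPLE_DDS_LINES):
        print("DDS log: pattern match ->", path)
    for folder, has_exe in demo_scan():
        print("on disk:", folder, "(exe present)" if has_exe else "(no exe)")
```

The pattern is anchored at both ends, so a near miss such as a capital first letter or only four digits is rejected rather than producing noise; on a real XP profile you would pass the per-user and All Users `Application Data` paths to `find_rogue_candidates` instead of the constructed tree, and the DDS screening lets a helper spot the folder in the posted log before asking the poster to look for it.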

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 January 2011 - 12:03 AM

forum glitch....double post. <_<

Edited by teacup61, 28 January 2011 - 12:04 AM.


#4 Swahed

  • Topic Starter
  • Members
  • 6 posts

Posted 28 January 2011 - 12:48 AM

Thank you, Tea, for the fast response. I heard that since all of you are volunteers it could take a while for a response, but that was quick and I appreciate it.

I don't know if this is a problem or not but I didn't find the folder you were describing in my Application Data location. I made sure I had show hidden folders enabled as well and still I didn't find the folder.

I didn't know whether I needed to delete that in order to run ComboFix, but I decided to run it anyway; I will paste the results from the log below.

ComboFix 11-01-27.04 - User 01/27/2011 23:29:06.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2133 [GMT -6:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Application Data\Local
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\2.ddi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\3.ddi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\4.ddi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\5.ddi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\6.ddi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\da7z7hbgnwn8h.avi.ddr
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\drxmivytznca.avi.ddr
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\leobnpwpymua.avi.ddr
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\mvubsknxvlmht.avi.ddr
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\pvygegyhobik.avi.ddr
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2).ddp
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(3).ddp
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(4).ddp
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\da7z7hbgnwn8h.avi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\drxmivytznca.avi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\leobnpwpymua.avi.ddp
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\mvubsknxvlmht.avi
c:\documents and settings\User\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\pvygegyhobik.avi.ddp
c:\program files\Internet Explorer\SET6C9.tmp
c:\program files\Internet Explorer\SET6CE.tmp
c:\windows\system\VI30AUT.DLL

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-28 02:32 . 2011-01-28 02:32 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-01-28 02:32 . 2011-01-28 02:32 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-01-28 02:32 . 2011-01-28 02:32 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-01-28 02:32 . 2010-12-02 09:12 837224 ----a-w- c:\windows\system32\nvgenco32hda.dll
2011-01-28 02:32 . 2011-01-08 03:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-28 02:32 . 2011-01-08 03:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-28 02:32 . 2011-01-08 03:27 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-28 02:32 . 2011-01-08 03:27 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-28 01:07 . 2011-01-20 16:39 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EFB9F3D0-5B23-4536-A4FF-3C51F1BD0389}\mpengine.dll
2011-01-28 00:54 . 2011-01-28 00:55 -------- d-----w- c:\documents and settings\User\Application Data\.minecraft
2011-01-27 22:50 . 2011-01-27 22:50 -------- d-----w- c:\program files\Common Files\Java
2011-01-27 22:50 . 2011-01-27 22:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-27 22:50 . 2011-01-27 22:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-25 05:26 . 2011-01-25 05:26 -------- d-----w- c:\documents and settings\User\Application Data\IObit
2011-01-25 05:26 . 2011-01-25 05:26 -------- d-----w- c:\program files\IObit
2011-01-24 23:33 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-24 23:33 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-24 06:35 . 2011-01-24 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-01-24 06:35 . 2011-01-24 06:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-01-24 04:42 . 2011-01-24 04:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-01-23 22:20 . 2011-01-23 22:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-23 06:21 . 2011-01-23 06:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-23 03:45 . 2011-01-23 03:45 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-01-23 03:45 . 2011-01-23 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-23 03:45 . 2011-01-24 23:47 -------- d-----w- c:\program files\Malwarebytes
2011-01-23 02:15 . 2011-01-23 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\oNoPc09100
2011-01-12 01:07 . 2011-01-12 01:07 -------- d-----w- c:\program files\iPod
2011-01-12 01:07 . 2011-01-12 01:07 -------- d-----w- c:\program files\iTunes
2011-01-08 01:56 . 2011-01-08 01:56 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-08 01:56 . 2011-01-08 01:56 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-08 01:56 . 2011-01-08 01:56 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-08 01:56 . 2011-01-08 01:56 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-08 01:56 . 2011-01-08 01:56 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-08 01:56 . 2011-01-08 01:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 01:56 . 2011-01-08 01:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-06 23:11 . 2011-01-06 23:12 -------- d-----w- c:\program files\GoogleSketchUp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-27 22:50 . 2010-07-02 18:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-08 03:27 . 2009-08-05 23:50 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27 . 2009-08-05 23:50 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27 . 2009-08-05 23:50 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27 . 2009-08-05 23:50 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27 . 2009-08-05 23:50 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27 . 2009-07-08 01:07 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-01-08 03:27 . 2009-07-08 01:07 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2010-12-15 02:20 . 2010-10-01 00:47 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-15 02:20 . 2010-10-01 00:47 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-15 02:20 . 2010-10-01 00:47 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-15 02:20 . 2010-10-01 00:47 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2010-07-03 07:02 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-17 05:41 . 2010-11-17 05:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-11 23:10 . 2010-07-24 00:28 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2010-11-11 23:10 . 2010-07-24 00:28 100456 ----a-w- c:\windows\system32\drivers\nvhda32.sys
2010-11-10 04:33 . 2010-08-23 23:32 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-09 14:52 . 2008-04-14 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-11-06 00:26 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-05 03:03 . 2010-11-05 03:03 40960 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-11-05 03:03 . 2010-11-05 03:03 40960 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-11-03 12:25 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-03 136176]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-14 357384]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 3161608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EasySetPackage.lnk - c:\program files\LG Soft India\EasySetPackage\bin\EasySetPackage.exe [2010-7-10 159744]
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-641PC_TEW-643PI\WlanCU.exe [2010-8-20 368640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-15 02:20 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-06-08 12:52 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-23 23:05 143360 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-12-09 19:28 1226608 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-02-26 06:01 437160 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-04-13 16:09 49152 -c--a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-05-31 16:31 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\progra~1\WINDOW~4\MESSEN~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-01-08 01:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-08 01:56 111208 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-12-08 03:57 30208 -c----w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-08-14 06:08 18702336 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 22:24 1242448 ----a-w- c:\program files\Games\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Games\\Steam\\Steam.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\redshirtsrule\\half-life 2 deathmatch\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Games\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Games\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Tools\\CodecTweakTool.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\common\\company of heroes\\help.htm"=
"c:\\Program Files\\Games\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\redshirtsrule\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\redshirtsrule\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Games\\Steam\\steamapps\\redshirtsrule\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25565:TCP"= 25565:TCP:Minecraft
"25565:UDP"= 25565:UDP:Minecraft
"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/27/2010 1:47 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [5/31/2010 10:31 AM 12856]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [8/19/2010 11:18 PM 20480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/23/2010 6:28 PM 100456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-641PC_TEW-643PI\WLSVC.exe [8/20/2010 6:28 PM 167936]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/2/2010 12:13 PM 1684736]
S3 LGDDCDevice;LGDDCDevice;c:\windows\system32\LGI2CDriver.sys [7/10/2010 8:33 PM 16384]
S3 LGII2CDevice;LGII2CDevice;c:\windows\system32\LGPII2CDriver.sys [7/10/2010 8:33 PM 19456]
S3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [7/2/2010 12:23 PM 529440]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 6:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/2/2010 11:32 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1563985344-682003330-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-03 00:04]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1563985344-682003330-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-03 00:04]

2011-01-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\inbqau2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TabRenamizer: {792BDDFE-2E7C-42ed-B18D-18154D2761BD} - %profile%\extensions\{792BDDFE-2E7C-42ed-B18D-18154D2761BD}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-nwiz - nwiz.exe
AddRemove-GoldenEye: Source - c:\program files\Games\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-27 23:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD64 rev.05.0 -> Harddisk0\DR0 -> \Device\Scsi\nvgts2

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AC15555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac1b7b0]; MOV EAX, [0x8ac1b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC60030]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x8ACCC410]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AC53A38]
\Driver\nvgts[0x8AC60630] -> IRP_MJ_CREATE -> 0x8AC15555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Scsi\nvgts2Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_WDC_WD64&Prod_01AALS-00J7B&Rev_05.0#4&1a3c904d&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 1250263726 (+7): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2011-01-27 23:42:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-28 05:42

Pre-Run: 519,293,411,328 bytes free
Post-Run: 519,573,807,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - B02B1BB00E4A669B929C25C13E5BF0C9
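
Two parts of the log above carry the most weight for triage: the firewall GloballyOpenPorts exceptions and the Gmer "Stealth MBR" section ending in `sectors ... user != kernel` and the TDL3 warning. The following is an added example (not ComboFix's or Gmer's code) that parses those two sections into structured findings. It assumes the line formats are exactly as they appear in this log (other ComboFix versions may differ), and the sample text is constructed from the shape of the lines above.

```python
"""Triage helpers for a ComboFix-style report (added example, not ComboFix's or Gmer's code).

Assumptions: the firewall GloballyOpenPorts lines and the Gmer "Stealth MBR"
detector section look exactly as they do in the log above; other ComboFix
versions may format these differently.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, built from the shape of the log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25565:TCP"= 25565:TCP:Minecraft
"25565:UDP"= 25565:UDP:Minecraft

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
sectors 1250263726 (+7): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
"""


@dataclass
class OpenPort:
    port: int
    proto: str
    name: str
    status: Optional[str]  # "Enabled"/"Disabled" when the log states it, else None


@dataclass
class MbrFinding:
    sector: Optional[int] = None   # first sector where user-mode and kernel reads disagree
    extra_sectors: int = 0         # the "(+N)" count that follows it
    warning: Optional[str] = None  # rootkit family named in the detector's warning line


@dataclass
class Triage:
    open_ports: List[OpenPort]
    mbr: Optional[MbrFinding]

    def not_disabled_ports(self) -> List[OpenPort]:
        """Exceptions the log does not mark Disabled (status None is kept: verify it on the host)."""
        return [p for p in self.open_ports if p.status != "Disabled"]

    def mbr_suspicious(self) -> bool:
        """True when the detector saw a user/kernel disk-read mismatch or named a rootkit."""
        return self.mbr is not None and (self.mbr.sector is not None or self.mbr.warning is not None)


PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
SECTOR_RE = re.compile(r'^sectors (\d+) \(\+(\d+)\): user != kernel')
WARN_RE = re.compile(r'^Warning: possible (\S+) rootkit infection')


def parse_open_port(line: str) -> Optional[OpenPort]:
    """Parse one GloballyOpenPorts entry; returns None for any other line."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    port, proto, rest = m.groups()
    # Full form is "<scope>:<Enabled|Disabled>:<name>"; some entries carry only a name.
    parts = rest.split(":", 2)
    if len(parts) == 3 and parts[1] in ("Enabled", "Disabled"):
        return OpenPort(int(port), proto, parts[2], parts[1])
    return OpenPort(int(port), proto, rest, None)


def triage(log_text: str) -> Triage:
    """Walk the report once, collecting port exceptions and the MBR detector's verdict."""
    ports: List[OpenPort] = []
    mbr: Optional[MbrFinding] = None
    in_mbr = False
    for raw in log_text.splitlines():
        line = raw.strip()
        port = parse_open_port(line)
        if port:
            ports.append(port)
            continue
        if line.startswith("Stealth MBR rootkit"):
            in_mbr, mbr = True, MbrFinding()
            continue
        if not in_mbr:
            continue
        if line.startswith("*****"):  # divider closes the detector section
            in_mbr = False
            continue
        m = SECTOR_RE.match(line)
        if m:
            mbr.sector, mbr.extra_sectors = int(m.group(1)), int(m.group(2))
        w = WARN_RE.match(line)
        if w:
            mbr.warning = w.group(1)
    return Triage(ports, mbr)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for p in result.not_disabled_ports():
        print(f"open {p.port}/{p.proto}: {p.name} (status: {p.status or 'not stated'})")
    if result.mbr_suspicious():
        print(f"MBR: user/kernel mismatch at sector {result.mbr.sector} "
              f"(+{result.mbr.extra_sectors}), warning={result.mbr.warning}")
```

The point of keeping `status=None` entries (such as the 3389/TCP line, whose name is only a resource-string reference) in the "not disabled" list is that the log does not prove they are closed; the responder confirms the firewall state on the host rather than trusting the report. The MBR check is the one finding here that the file-based scans above do not surface: the detector read the disk from user mode and from the kernel and got different sectors, which is why the rest of the thread treats the machine as still infected.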

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:50 AM

Posted 28 January 2011 - 12:57 PM

Hi there,

You're welcome :)

Well, good. :thumbup2: SO many times nothing will run until at least the file is gone... The folder did show up in the log: c:\documents and settings\All Users\Application Data\oNoPc09100

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FOLDER::
c:\documents and settings\All Users\Application Data\oNoPc09100


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

How is it running now please?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 Swahed

Swahed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:50 AM

Posted 28 January 2011 - 02:10 PM

I posted that last reply late at night right before I was going to bed, so naturally I shut down my computer like I always do. When I woke up this morning and started my computer up it loaded fine and I typed in my password to log on. When the computer logged me on I could see my desktop background, but no taskbar or icons on my desktop. I thought maybe I should just wait a few minutes. No luck. I opened the Task Manager and went to New Task and typed in "explorer" to see if I could get the taskbar back; I could see the hourglass cursor for about 10 seconds, then nothing happened. I left it to see if maybe it just needed to load, but no, nothing happened. I typed in "SFC /scannow" but it requested my Windows disk, which I don't have. So after restarting my computer to see if it was a one-time thing, then restarting it again, I typed in "firefox" to reply to this.

I have no idea what happened and every time I restart my computer I am getting an error message after a few minutes that says "Generic Host Process for Win32 Services had encountered a problem and needs to close." I don't know if that means anything but sometimes after I dismiss the message nothing on my computer works, even when I click shut down my computer stays running.

Also, I can't open any file locations in the New Task function such as "c:\program files" etc.

This is extremely frustrating for me and it's probably beginning to get frustrating for you too so I apologize for all of these problems.

Thanks again

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:50 AM

Posted 28 January 2011 - 04:12 PM

Do you have the start button?

#8 Swahed

Swahed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:50 AM

Posted 28 January 2011 - 04:40 PM

No, there is nothing but my desktop background.

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:50 AM

Posted 28 January 2011 - 04:42 PM

How about in safe mode?

#10 Swahed

Swahed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:50 AM

Posted 28 January 2011 - 11:32 PM

Even in Safe Mode there is no taskbar, icons or start button. The Windows button doesn't open it either.

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:50 AM

Posted 29 January 2011 - 03:16 PM

Hello,

Let's get creative then......

Open Task Manager, browse to the dll cache, and explorer.exe, copy it, then browse to Windows and explorer.exe, rename it to explorer.old and paste the new one in. Then see if you can open explorer after. You may need to reboot for it to take effect. Not sure.

tea

#12 Swahed

Swahed
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:50 AM

Posted 30 January 2011 - 02:39 AM

This is just getting weirder and weirder. I logged on today expecting no taskbar or desktop, but for some reason it was there! I was confused, but I opened Firefox to check this forum as fast as I could anyway, thinking maybe my computer fixed itself? (fail, I know) As soon as I opened Firefox a new tab opened to the webpage "www.Google.com/webhp". I know this is a sign of an infection from another forum on this site.
Should I still try running ComboFix with that text file like you requested in a previous post, or should I wait and do something else first?

This is really confusing to me; I have no idea if it was ComboFix that messed with my explorer, a virus, or just a random glitch.

Thanks and sorry that this is so time consuming and annoying.


Edit: Upon restarting, the taskbar, start button and desktop are all gone again.

Also, I tried browsing for the dll cache in my system32 folder but I couldn't find it. I read on the internet that I need to have "show hidden operating system folders" enabled. I tried to enable it but I can't seem to access the "Tools" menu while using the browse function.

Edited by Swahed, 30 January 2011 - 01:41 PM.
