
I think I have a Rootkit


  • This topic is locked
26 replies to this topic

#1 ranget

Posted 24 March 2011 - 07:42 PM

IDK, I'm just extremely annoyed.

I just know my computer has malware or something and it's not being detected by scanners.

What logs should I collect?

I did a clean-up before and gringo helped me.

But I still have no privacy.

Please help, I don't know what to do.

I tried BlackLight and found nothing.

Edited by ranget, 24 March 2011 - 07:52 PM.

A big thanks to Didier Stevens

Sorry for not being around

 



#2 ranget


Posted 24 March 2011 - 08:57 PM

Sysinternals TCP endpoints





Sysinternals process monitor




Please, I need help. I'm 100% sure that I have a RAT of some sort that is undetected.

I found a book on rootkits but it's 1000 pages.
I have no time to read it.

Please, I need help.

I got infected by the same man before, about a year ago.
He infected me, as far as I know, about three times.

The signs of the rootkit:
"Three times he modified my computer policy and blocked my Virtual University site."
I was using Kaspersky the first time;
the second time I was using Norton 360.

When it happened those three times I formatted my C drive and
reinstalled Windows.

But it keeps happening.

I deleted all my connections to this man,

but I keep getting weird things on my computer,
like:

When I try to write an article the program crashes,

or something like that; weird stuff happening.

I look at his Facebook page and
he is leaving me notices and hints about what I'm doing on the computer.

"Like I was talking with amazed and bobbie flenkman
about getting my DMV license."

He posted on his Facebook page:

"I'm at the DMV getting my license."

The thing that I don't understand:
I always use updated software
and I always use a firewall and security programs and anti-spyware.

How did I get infected???

Please help me.

If I can't disinfect my computer, how do I reinstall a new Windows
and be sure that it won't get infected again?



DDS log attached





DDS log 2

2011-03-01 14:51:27 -------- d-----w- C:\Users\Home\AppData\Local\{26146F75-CB4D-437D-BE10-AB9A8AF9172E}
2011-02-28 15:43:52 -------- d-----w- C:\Users\Home\AppData\Local\{5D476E78-D5A7-4C6B-BEE0-5DEA00B6524F}
2011-02-28 14:11:01 -------- d-----w- C:\Users\Home\AppData\Local\{BBDEFAFC-6F52-4099-8AB6-A55A5E8DF28D}
2011-02-27 20:58:34 -------- d-----w- C:\Users\Home\AppData\Local\{7F3E59DD-F115-471B-8585-D006F72B3153}
2011-02-27 16:05:03 -------- d-----w- C:\Windows\AxInstSV
2011-02-27 14:06:40 388096 ----a-r- C:\Users\Home\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-27 14:06:40 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-02-27 13:09:21 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-27 12:06:36 521448 ----a-w- C:\Windows\System32\deployJava1.dll
2011-02-27 10:33:01 -------- d-----w- C:\Windows\System32\appmgmt
2011-02-27 08:28:30 -------- d-----w- C:\Users\Home\AppData\Local\{F6ED02C6-9ACA-4468-A2C6-ADC692D0C6F5}
2011-02-23 09:08:06 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-02-23 09:08:06 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-02-23 09:08:05 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-02-23 09:08:04 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
.
==================== Find3M ====================
.
.
============= FINISH: 5:22:09.61 ===============



GMER log

Didn't find anything,
but I couldn't run all the settings, just some
of them actually.

Edited by ranget, 24 March 2011 - 10:51 PM.



#3 ranget

Posted 25 March 2011 - 06:38 AM

Those are the new logs I did today.


Ask anything and I'll do it.


Edited by ranget, 25 March 2011 - 06:39 AM.



#4 myrti

Posted 31 March 2011 - 07:03 AM

Hi,

GMER doesn't run on a 64-bit OS, that's normal. Rootkits also don't run on 64-bit, so we're good.

Please run a new scan with OTL:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    hlp.dat
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 ranget

Posted 31 March 2011 - 08:44 AM

I followed the instructions,

and OTL generated one report.

I couldn't post its content in the reply because it's too long to post,

and too big to attach as an attachment (364 kB),
so here is a compressed .rar version and a pastebin.


Sorry, I had to compress it before the upload.



http://pastebin.com/G7Ve4hSb


Thanks for the help.

Edited by ranget, 31 March 2011 - 08:53 AM.


#6 myrti

Posted 31 March 2011 - 10:50 AM

Hi,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Windows\SysWOW64\drivers\gt680x.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Can you tell me what is in this folder: C:\Users\Home\AppData\Local\{26976E5F-ECD0-4512-99D6-BC1778265F79}

Did you set up proxies in Firefox?

regards myrti



#7 ranget

Posted 31 March 2011 - 02:41 PM

Thanks for the reply.

This is the scan result:

http://virusscan.jotti.org/en/scanresult/b3d4bc1cba96eac457ec21898a50e1e05c455c4f

http://www.virustotal.com/file-scan/report.html?id=f2b791eb0ca7a64d2057cece086b0203d9f42d68f09e2a3d76cbdd6ad91c0798-1301599865


and I didn't find anything in this directory:
C:\Users\Home\AppData\Local\{26976E5F-ECD0-4512-99D6-BC1778265F79}


As for the proxy,
well, there is this proxy:

38.121.78.74:443


but it wasn't being used (activated) when I did the scan.



Thanks for the help again.



#8 myrti

Posted 31 March 2011 - 03:14 PM

Hi,

there's a second proxy:
#FF - prefs.js..network.proxy.backup.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.backup.ssl_port: 9051

Did you set up that proxy too?

Please run OTL again and use the following settings:
  • Check Scan All Users.
  • For Processes choose none.
  • For Modules choose none.
  • For Services choose none.
  • For Drivers choose none.
  • For Standard Registry choose none.
  • For Extra Registry choose none.
  • For Files Created Within choose none.
  • For Files Modified Within choose none.
  • Under Custom Scans/Fixes paste:
    C:\Users\Home\AppData\Local\{7F3E59DD-F115-471B-8585-D006F72B3153} /s
    
  • Finally hit Run Scan and wait for the log to open.
  • Please post the content of the log into your next reply.

regards myrti

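A small triage script, added here as an example and not part of the thread or of OTL, that parses the raw user_pref lines of a Firefox prefs.js (the lines OTL summarises as "FF - prefs.js..network.proxy.*") and reports where each configured proxy points, so a proxy on a public address stands out from a loopback listener such as the 127.0.0.1:9051 entry. The sample prefs are constructed to mirror the two proxies discussed above; the network.proxy.type codes are taken from Firefox's documented values, and "active" only means the entry sits in a manual, non-backup slot, not a full model of Firefox's proxy selection.

```python
import ipaddress
import re

# Constructed sample prefs.js content mirroring the two proxies in this thread.
SAMPLE_PREFS = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.ssl", "38.121.78.74");
user_pref("network.proxy.ssl_port", 443);
user_pref("network.proxy.backup.ssl", "127.0.0.1");
user_pref("network.proxy.backup.ssl_port", 9051);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.proxy.share_proxy_settings", false);
'''

# user_pref("key", "string");  or  user_pref("key", 123);  or  user_pref("key", true);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|([^)]+))\);')
PROXY_TYPES = {0: "direct", 1: "manual", 2: "pac", 4: "wpad", 5: "system"}
PROXY_KEY_RE = re.compile(r"network\.proxy\.(backup\.)?(http|ssl|socks|ftp)")


def parse_prefs(text):
    """Return {pref name: value} with ints and booleans converted."""
    prefs = {}
    for match in PREF_RE.finditer(text):
        key, string_value, raw = match.groups()
        if string_value is not None:
            prefs[key] = string_value
        else:
            raw = raw.strip()
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw == "true"
    return prefs


def classify_host(host):
    """loopback / private / public for IP literals, 'hostname' otherwise."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def proxy_findings(prefs):
    """List every proxy host/port pair with its address class and whether it
    is in an active manual slot (backup.* keys are remembered, not applied)."""
    mode = PROXY_TYPES.get(prefs.get("network.proxy.type", 5), "unknown")
    findings = []
    for key, host in prefs.items():
        match = PROXY_KEY_RE.fullmatch(key)
        if not match or not host:
            continue
        findings.append({
            "scheme": match.group(2),
            "host": host,
            "port": prefs.get(key + "_port", 0),
            "kind": classify_host(host),
            "active": mode == "manual" and match.group(1) is None,
        })
    return findings


if __name__ == "__main__":
    for f in proxy_findings(parse_prefs(SAMPLE_PREFS)):
        flag = "REVIEW" if f["kind"] == "public" and f["active"] else "info"
        print(f"[{flag}] {f['scheme']} -> {f['host']}:{f['port']} ({f['kind']}, active={f['active']})")
```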


#9 ranget

Posted 31 March 2011 - 04:40 PM

Maybe it's the Tor proxy, I'm not sure.



This is the scan you requested:


OTL logfile created on: 31/03/2011 11:40:00 ã - Run 5
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Home\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00002801 | Country: Syria | Language: ARS | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 51.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 135.13 Gb Total Space | 91.81 Gb Free Space | 67.94% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 33.97 Gb Free Space | 34.79% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 609.99 Gb Free Space | 65.48% Space Free | Partition Type: NTFS

Computer Name: HOME-PC | User Name: Home | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Custom Scans ==========


< C:\Users\Home\AppData\Local\{7F3E59DD-F115-471B-8585-D006F72B3153} /s >

< End of report >




Thanks

Edited by ranget, 31 March 2011 - 04:40 PM.



#10 myrti

Posted 31 March 2011 - 05:42 PM

Hi,

please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#11 ranget

Posted 31 March 2011 - 06:08 PM

I did what you asked for.


Thanks for the help.



#12 myrti

Posted 31 March 2011 - 06:17 PM

Hi,

please run this script with ComboFix:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
c:\users\Home\AppData\Local\{C4B52021-AC7E-4480-A9E2-D8B63CEE4F47}
c:\users\Home\AppData\Local\{7797FF26-28A5-4159-A5BC-AE9DBFFF2E38}
c:\users\Home\AppData\Local\{2769B35D-CB1A-434D-879B-5944748381BC}
c:\users\Home\AppData\Local\{BB37373B-1CC4-4847-B233-2735F02D45B5}
c:\users\Home\AppData\Local\{B9170254-C767-4215-8BE7-D8B3CE3CD9CF}
c:\users\Home\AppData\Local\{795F4FF9-5270-4838-AC15-F32FFB1CE6B1}
c:\users\Home\AppData\Local\{BA072EF6-2A4C-42F7-945A-2042CA9B1BA0}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti



#13 ranget

Posted 31 March 2011 - 06:33 PM

Hi, I did what you asked for.

This is the file.



#14 myrti

Posted 31 March 2011 - 06:48 PM

Hi,

do you have an idea what could be creating those folders? One got created this morning at 8am.

regards myrti



#15 ranget

Posted 31 March 2011 - 07:02 PM

I don't know :huh:


But if you want, I can boot from

XP on disc,

but you need to guide me through it.

Thanks for the help.

Edited by ranget, 31 March 2011 - 07:10 PM.
