
HELP! malware hell has descended and is preventing avast things and TDSS killer from loading drivers/services!


This topic is locked
13 replies to this topic

#1 ZT-repairseek

Posted 30 August 2012 - 11:50 PM

Okay. Vista Home Premium SP2 32-bit, no OS disc, not armed to try to dig up the semi-hidden partition that's supposed to be a recovery disc.

Enjoying some downtime, playing an MMO, alt-tabbed out to check some chat stuff. Someone linked some odd article at Siliconera, and I made the mistake of clicking. Moments later, the game's anti-hack thing had a conniption, as various crap popped up either wanting to happen or crashing.

So I kill that page, kill the browser, break out MBAM. It finds some stuff: the aforementioned Rootkit.0Access and Trojan.Phex.ThaGen6. I kill those with it and reboot as it wants... suddenly Windows is dragging on getting fully up and running. And then when avast's tray icon popped up it was red X time. So I check, and the avast service isn't running. So I click to start it. Several times. And then I go to services.msc and go to start it. I get error 1068: the dependency service or group failed to start.

I run ESET's online scanner. It finds "a Sirefef variant". I tell it to kill that. Still no luck. I go to run aswMBR: initialization error C0000001 - driver not loaded, access is denied. I try to run TDSSKiller; it tells me there's a new version, I get that, and find that TDSSKiller can't load its driver either. I just ran MBAM again and got another Rootkit.0Access. Wouldn't be surprised to see another Sirefef if I were to rerun ESET.

I opened up Autoruns and found a whole (censored)load of stuff coming up "file not found" even though I can find it in Windows Explorer.
So now I'm panicking, because work WILL come up soon enough and as usual I can't be without a working computer for that. I've no way to back things up for nuke & pave or I'd just do that.

So here we go: HJT, DDS, OTL logs. No GMER, because of all the definitely-harmless stuff that'll bloat the scan time that I can't keep it from looking through anyway, but if someone says it's absolutely necessary I'll have to bite the bullet. Another 12+ hours down the tubes in that case. Ugh...
And I've Defogger'd already too, no worry on that. For speed searching when reviewing these logs I'm going to do the #name thing.

I'm disconnecting the network cable in between checks of this, but since the last reboot was when stuff went bonkers I'm going to avoid that until necessary, due to the efforts to fix this all.



~~~~~~~~~~~~~~~~~~~#HJT~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:34:06 AM, on 8/31/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19272)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\Tools\OTL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Windows\system32\mmc.exe
C:\Tools\HJT\whatisthismadness.exe

O1 - Hosts: ::1 localhost #[IPv6]
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\FreeDownloadManager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\ZT01\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: PacketiX VPN Client Task Tray.lnk = C:\Program Files\PacketiXVPNClient\vpncmgr.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\FreeDownloadManager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\FreeDownloadManager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\FreeDownloadManager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\FreeDownloadManager\dllink.htm
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {145C073F-9098-41CA-81E1-295D17CDFD55} (TTS Launcher Class) - https://ta.mk-style.com/weblauncher/common/CnCGameLauncher.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2010.05.24.cab
O16 - DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} (Game Starter Control) - https://gash.gamania.co.jp/acxauth/cab/2.0.1/lcjggame.cab
O16 - DPF: {E2729F99-A050-4F4D-AE9F-7492C5532F49} (HgTAgent2 Extension Class) - http://down.hangame.co.jp/jp/dist/hgtagent2/hgtagent2.cab
O16 - DPF: {E4BC6F2E-E1BB-4F76-A400-87FF46653A8E} (LovClientLoader.Loader) - http://lov.ujj.co.jp/mypage/activex/LovClientLoader.CAB
O16 - DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} (PubPlugin Class) - http://down.hangame.co.jp/jp/purple/launcher/PubPlugin.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Avast5\AvastSvc.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\Hamachi\hamachi-2.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\PacketiXVPNClient\vpnclient.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio.exe (file missing)

--
End of file - 4396 bytes


~~~~~~~~~~~~~~~~~~~~~#DDS~~~~~~~~~~~~~~~~~~~~~


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19272 BrowserJavaVersion: 10.7.2
Run by ZT01 at 0:34:56 on 2012-08-31
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Explorer.exe
C:\Tools\OTL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\$Recycle.Bin\S-1-5-18\$19fa7abdb0eb45aef740e424f8a9805d\U
C:\Windows\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=hxxp:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp32&d=1208&m=et1161-03
uInternet Settings,ProxyOverride = <local>
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\freedownloadmanager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\zt01\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avast] "c:\program files\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\packet~1.lnk - c:\program files\packetixvpnclient\vpncmgr.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\freedownloadmanager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\freedownloadmanager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\freedownloadmanager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\freedownloadmanager\dllink.htm
DPF: {145C073F-9098-41CA-81E1-295D17CDFD55} - hxxps://ta.mk-style.com/weblauncher/common/CnCGameLauncher.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2010.05.24.cab
DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} - hxxps://gash.gamania.co.jp/acxauth/cab/2.0.1/lcjggame.cab
DPF: {E2729F99-A050-4F4D-AE9F-7492C5532F49} - hxxp://down.hangame.co.jp/jp/dist/hgtagent2/hgtagent2.cab
DPF: {E4BC6F2E-E1BB-4F76-A400-87FF46653A8E} - hxxp://lov.ujj.co.jp/mypage/activex/LovClientLoader.CAB
DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} - hxxp://down.hangame.co.jp/jp/purple/launcher/PubPlugin.cab
TCP: Interfaces\{7FC568D2-FC5A-447B-B854-ACECCEF5A807} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{C723B582-89C9-46B3-BED0-D6447C13A797} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-8-9 721000]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-8-9 353688]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-8-9 21256]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-8-9 57656]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast5\AvastSvc.exe [2012-8-9 44808]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\hamachi\hamachi-2.exe [2012-2-28 1373576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 vpnclient;PacketiX VPN Client;c:\program files\packetixvpnclient\vpnclient.exe [2008-5-15 2478080]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-31 04:30:51 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 04:15:07 54016 ----a-w- c:\windows\system32\drivers\ljgkc.sys
2012-08-31 02:17:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-20 21:01:08 -------- d-----w- c:\users\zt01\appdata\local\Google
2012-08-12 16:56:00 -------- d-----w- c:\program files\CCleaner
2012-08-09 20:06:37 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-09 20:06:37 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-09 20:06:29 41224 ----a-w- c:\windows\avastSS.scr
2012-08-09 20:06:17 -------- d-----w- c:\programdata\AVAST Software
2012-08-08 23:28:12 -------- d-----w- C:\_OTL
2012-08-08 23:05:18 -------- d-----w- c:\users\zt01\appdata\local\realtech_VR
2012-08-08 23:04:11 -------- d-----w- c:\programdata\realtech VR
2012-08-08 23:04:04 -------- d-----w- c:\program files\OpenGL Extensions Viewer 4.0
2012-08-08 15:05:06 -------- d-----w- c:\users\zt01\appdata\local\temp
2012-08-08 15:04:03 -------- d-sh--w- C:\$RECYCLE.BIN
.
==================== Find3M ====================
.
2012-08-31 04:30:43 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-31 04:30:43 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-23 14:45:24 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-23 14:45:24 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-09 21:53:56 81408 ----a-w- c:\windows\apppatch\ntleam1.dll
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
.
============= FINISH: 0:35:17.59 ===============



~~~~~~~~~~~~~~~~~~~~#OTL~~~~~~~~~~~~~~~~~~~~~~~~~


OTL logfile created on: 8/31/2012 12:16:11 AM - Run 3
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Tools
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19272)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.91 Gb Available Physical Memory | 66.43% Memory free
5.98 Gb Paging File | 5.14 Gb Available in Paging File | 85.86% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.09 Gb Total Space | 118.74 Gb Free Space | 41.22% Space Free | Partition Type: NTFS

Computer Name: NEBULUS01 | User Name: ZT01 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe (NVIDIA Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Winamp\winamp.exe (Nullsoft)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_vgm.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_psf.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_vio2sf.dll ()
MOD - C:\Program Files\FreeDownloadManager\iefdm2.dll ()
MOD - C:\Program Files\Winamp\Plugins\unrar.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_adlib.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_gsf.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_NotSoFatso.dll ()
MOD - C:\Program Files\Winamp\Plugins\gen_ml.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_nsv.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_wm.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_mp3.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_midi.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_vorbis.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_mod.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_cdda.dll ()
MOD - C:\Program Files\Winamp\Plugins\out_ds.dll ()
MOD - C:\Program Files\Winamp\Plugins\out_wave.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_wave.dll ()
MOD - C:\Program Files\Winamp\Plugins\read_file.dll ()
MOD - C:\Program Files\Winamp\Plugins\in_ym.dll ()
MOD - C:\Program Files\Winamp\Plugins\out_wm.dll ()


========== Win32 Services (SafeList) ==========

SRV - (ef4d161549ad96cf) -- C:\Windows\System32\drivers\ef4d161549ad96cf.sys ()
SRV - (avast! Antivirus) -- C:\Program Files\Avast5\AvastSvc.exe (AVAST Software)
SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (Hamachi2Svc) -- C:\Program Files\Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (SbieSvc) -- C:\Program Files\Sandboxie\SbieSvc.exe (SANDBOXIE L.T.D)
SRV - (vpnclient) -- C:\Program Files\PacketiXVPNClient\vpnclient.exe (SoftEther Corporation)
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe ()


========== Driver Services (SafeList) ==========

DRV - (XDva398) -- C:\Windows\system32\XDva398.sys File not found
DRV - (XDva397) -- C:\Windows\system32\XDva397.sys File not found
DRV - (XDva393) -- C:\Windows\system32\XDva393.sys File not found
DRV - (XDva392) -- C:\Windows\system32\XDva392.sys File not found
DRV - (XDva391) -- C:\Windows\system32\XDva391.sys File not found
DRV - (XDva387) -- C:\Windows\system32\XDva387.sys File not found
DRV - (XDva385) -- C:\Windows\system32\XDva385.sys File not found
DRV - (XDva383) -- C:\Windows\system32\XDva383.sys File not found
DRV - (XDva370) -- C:\Windows\system32\XDva370.sys File not found
DRV - (XDva285) -- C:\Windows\system32\XDva285.sys File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (EagleXNt) -- C:\Windows\system32\drivers\EagleXNt.sys File not found
DRV - (EagleNT) -- C:\Windows\system32\drivers\EagleNT.sys File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (AWEAlloc) -- system32\DRIVERS\awealloc.sys File not found
DRV - (bsuqwdc) -- C:\Windows\System32\drivers\ljgkc.sys ()
DRV - (ef4d161549ad96cf) -- C:\Windows\System32\drivers\ef4d161549ad96cf.sys ()
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (AswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (Neo_VPN) -- C:\Windows\System32\drivers\Neo_0092.sys (SoftEther Corporation)
DRV - (SbieDrv) -- C:\Program Files\Sandboxie\SbieDrv.sys (SANDBOXIE L.T.D)
DRV - (WinRing0_1_2_0) -- C:\Program Files\GameBooster3\Driver\WinRing0.sys (OpenLibSys.org)
DRV - (BazisVirtualCDBus) -- C:\Windows\System32\drivers\BazisVirtualCDBus.sys (SysProgs.org)
DRV - (NVNET) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (nvstor32) -- C:\Windows\System32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp32&d=1208&m=et1161-03
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@gamepot.co.jp/GamepotEXeEnvCtrl;version=1: C:\Program Files\Gamepot\GPEXE\\npGPEXE.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@ogplanet.com/npOGPPlugin: C:\Windows\system32\npOGPPlugin.dll (OGPlanet)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\ZT01\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\ZT01\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\ZT01\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)



========== Chrome ==========

CHR - homepage: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.79\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.79\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.79\pdf.dll
CHR - plugin: Gamepot Execution Environment (Enabled) = C:\Program Files\Gamepot\GPEXE\\npGPEXE.dll
CHR - plugin: Java™ Platform SE 7 U5 (Enabled) = C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\system32\npDeployJava1.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\ZT01\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Google Update (Enabled) = C:\Users\ZT01\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: OGPlanet Game Plugin (Enabled) = C:\Windows\system32\npOGPPlugin.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/08/18 02:09:34 | 000,600,511 | ---- | M]) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost #[IPv6]
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 abcstats.com
O1 - Hosts: 127.0.0.1 a.abv.bg
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 ca.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 csh.actiondesk.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 16124 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\FreeDownloadManager\iefdm2.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\FreeDownloadManager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\FreeDownloadManager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\FreeDownloadManager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\FreeDownloadManager\dllink.htm ()
O16 - DPF: {145C073F-9098-41CA-81E1-295D17CDFD55} https://ta.mk-style.com/weblauncher/common/CnCGameLauncher.cab (TTS Launcher Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2010.05.24.cab (MabinogiWebAvatarRenderer Class)
O16 - DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} https://gash.gamania.co.jp/acxauth/cab/2.0.1/lcjggame.cab (Game Starter Control)
O16 - DPF: {E2729F99-A050-4F4D-AE9F-7492C5532F49} http://down.hangame.co.jp/jp/dist/hgtagent2/hgtagent2.cab (HgTAgent2 Extension Class)
O16 - DPF: {E4BC6F2E-E1BB-4F76-A400-87FF46653A8E} http://lov.ujj.co.jp/mypage/activex/LovClientLoader.CAB (LovClientLoader.Loader)
O16 - DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} http://down.hangame.co.jp/jp/purple/launcher/PubPlugin.cab (PubPlugin Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7FC568D2-FC5A-447B-B854-ACECCEF5A807}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C723B582-89C9-46B3-BED0-D6447C13A797}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Wallpaper\Rena-TR.bmp
O24 - Desktop BackupWallPaper: C:\Wallpaper\Rena-TR.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/30 22:17:34 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/08/20 17:02:08 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/08/20 17:01:08 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Local\Google
[2012/08/12 12:56:00 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/08/09 16:06:37 | 000,721,000 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/08/09 16:06:37 | 000,353,688 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/08/09 16:06:37 | 000,057,656 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/08/09 16:06:37 | 000,035,928 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2012/08/09 16:06:37 | 000,021,256 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/08/09 16:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/08/09 16:06:29 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012/08/09 16:06:29 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/08/09 16:06:17 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/08/08 19:28:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/08/08 19:05:18 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Local\realtech_VR
[2012/08/08 19:04:11 | 000,000,000 | ---D | C] -- C:\ProgramData\realtech VR
[2012/08/08 19:04:04 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OpenGL Extensions Viewer 4.0
[2012/08/08 19:04:04 | 000,000,000 | ---D | C] -- C:\Program Files\OpenGL Extensions Viewer 4.0
[2012/08/08 11:05:06 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/08/08 11:05:06 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Local\temp
[2012/08/08 11:04:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

========== Files - Modified Within 30 Days ==========

[2012/08/31 00:15:07 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\ljgkc.sys
[2012/08/31 00:11:04 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000UA.job
[2012/08/30 23:39:42 | 000,631,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/30 23:39:42 | 000,118,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/30 23:33:35 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/30 23:33:35 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/30 23:33:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/30 23:29:37 | 000,000,000 | ---- | M] () -- C:\Users\ZT01\defogger_reenable
[2012/08/30 21:46:25 | 000,072,832 | ---- | M] () -- C:\Windows\System32\drivers\ef4d161549ad96cf.sys
[2012/08/30 17:11:01 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000Core.job
[2012/08/30 16:29:45 | 000,000,095 | ---- | M] () -- C:\Windows\winamp.ini
[2012/08/27 12:59:51 | 000,008,412 | ---- | M] () -- C:\SRTJ.clt
[2012/08/18 02:09:34 | 000,600,511 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS
[2012/08/16 19:10:07 | 000,001,445 | ---- | M] () -- C:\Users\ZT01\.recently-used.xbel
[2012/08/09 16:23:11 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/08/07 16:34:50 | 000,000,534 | ---- | M] () -- C:\Users\ZT01\Documents\My Sharing Folders.lnk
[2012/08/02 18:08:28 | 000,002,347 | ---- | M] () -- C:\Users\Public\Desktop\Jasc Paint Shop Pro 9.lnk
[2012/08/02 18:08:18 | 000,001,825 | ---- | M] () -- C:\pspbrwse.jbf

========== Files Created - No Company Name ==========

[2012/08/31 00:15:07 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\ljgkc.sys
[2012/08/30 23:29:37 | 000,000,000 | ---- | C] () -- C:\Users\ZT01\defogger_reenable
[2012/08/30 21:46:25 | 000,072,832 | ---- | C] () -- C:\Windows\System32\drivers\ef4d161549ad96cf.sys
[2012/08/20 17:01:09 | 000,000,904 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000UA.job
[2012/08/20 17:01:08 | 000,000,852 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000Core.job
[2012/08/16 19:10:07 | 000,001,445 | ---- | C] () -- C:\Users\ZT01\.recently-used.xbel
[2012/08/02 18:08:18 | 000,001,825 | ---- | C] () -- C:\pspbrwse.jbf
[2012/06/29 13:50:03 | 003,602,816 | ---- | C] () -- C:\Windows\System32\ntkrnlpa.exe
[2012/06/29 13:50:02 | 002,045,440 | ---- | C] () -- C:\Windows\System32\win32k.sys
[2012/06/28 01:16:30 | 000,000,029 | ---- | C] () -- C:\Windows\Index.ini
[2012/06/19 00:10:11 | 000,000,004 | ---- | C] () -- C:\Windows\storedt.ini
[2012/06/01 15:58:53 | 000,068,972 | ---- | C] () -- C:\Windows\System32\nglide_uninst.exe
[2012/05/08 21:53:14 | 001,294,336 | ---- | C] () -- C:\Windows\System32\glide3x.dll
[2012/04/27 09:56:18 | 000,053,248 | ---- | C] () -- C:\Windows\System32\nglide_config.exe
[2012/04/26 11:00:05 | 006,948,203 | ---- | C] () -- C:\Program Files\Avant Browser.zip
[2012/04/02 17:49:21 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2012/03/04 15:08:57 | 000,000,000 | ---- | C] () -- C:\Windows\System32\cid_store.dat
[2012/03/03 20:20:52 | 000,220,220 | ---- | C] () -- C:\Users\ZT01\AppData\Roaming\Fenrir Inc.zip
[2012/02/27 18:53:19 | 130,591,970 | ---- | C] () -- C:\Users\ZT01\AppData\Roaming\.minecraft.zip
[2011/05/23 16:18:49 | 000,002,488 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2011/05/15 14:48:39 | 000,040,960 | ---- | C] () -- C:\Windows\DelPiv.exe
[2011/04/04 19:40:06 | 000,000,054 | ---- | C] () -- C:\Windows\JascCmdFile.INI
[2011/03/16 20:38:55 | 000,128,080 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/02/20 17:51:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/02/20 17:51:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/02/20 17:51:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/02/20 17:51:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/02/20 17:51:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/02/01 23:15:52 | 000,000,056 | ---- | C] () -- C:\Windows\kgt2k.INI
[2011/02/01 21:27:26 | 000,062,208 | ---- | C] () -- C:\Windows\iun1401.exe
[2011/02/01 20:48:40 | 000,000,126 | ---- | C] () -- C:\Windows\wininit.ini
[2011/02/01 20:45:06 | 000,000,393 | ---- | C] () -- C:\Windows\SIERRA.INI
[2011/02/01 20:43:43 | 000,086,528 | ---- | C] () -- C:\Windows\bnetunin.exe
[2011/02/01 20:43:43 | 000,061,440 | ---- | C] () -- C:\Windows\diabunin.exe
[2011/02/01 20:29:04 | 000,000,095 | ---- | C] () -- C:\Windows\winamp.ini
[2011/01/31 21:07:50 | 000,050,664 | ---- | C] () -- C:\Windows\System32\PSHED.DLL
[2011/01/31 21:07:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/01/31 21:07:23 | 000,019,944 | ---- | C] () -- C:\Windows\System32\kdusb.dll
[2011/01/31 21:07:23 | 000,017,896 | ---- | C] () -- C:\Windows\System32\kd1394.dll
[2011/01/31 21:07:23 | 000,017,384 | ---- | C] () -- C:\Windows\System32\kdcom.dll
[2011/01/31 21:07:22 | 000,438,744 | ---- | C] () -- C:\Windows\System32\mcupdate_GenuineIntel.dll
[2011/01/31 21:07:18 | 000,986,600 | ---- | C] () -- C:\Windows\System32\winload.exe
[2011/01/31 21:07:17 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/31 21:07:17 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2012/08/28 23:30:11 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\.minecraft
[2012/01/01 02:29:52 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\AnnkakeSpa
[2012/03/03 20:05:35 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Avant Downloader
[2011/03/02 15:30:49 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Canneverbe Limited
[2012/08/30 18:44:05 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Dropbox
[2011/02/05 17:59:07 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\FALCOM
[2011/02/28 15:53:26 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Fenrir & Co
[2011/10/03 18:11:12 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\fltk.org
[2011/02/01 19:43:22 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Foxit Software
[2012/08/18 11:01:44 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Free Download Manager
[2012/07/17 19:30:55 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\GPEXE
[2011/11/27 20:24:07 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\HgTAgent
[2012/05/31 18:43:47 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\ImgBurn
[2012/05/30 03:36:56 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\InfraRecorder
[2011/05/21 14:07:18 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Jasc
[2011/02/01 21:11:31 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Leadertech
[2011/12/07 15:12:53 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\MoreTerra
[2011/02/01 01:34:30 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\NoteTab Light
[2011/02/02 02:21:57 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\NoteTab Pro
[2012/06/19 14:54:06 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\runic games
[2012/06/14 13:04:36 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\SEGA
[2011/02/05 18:32:59 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Softplicity
[2012/06/19 01:38:10 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\uTorrent
[2012/08/30 23:32:45 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >


let's bypass gripes about bittorrent stuff, we've all heard it before and I think my last blowup over the subject was probably widely seen by the helper staff. no reason to step on that landmine again.

please help me out with this. I'm no happier about bothering you folks again so soon than you are to hear from me again so soon, I'm sure. the sooner we can fix this without catastrophic data loss the better. T_T

Edited by ZT-repairseek, 31 August 2012 - 12:42 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:24 PM

Posted 02 September 2012 - 10:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs for my review.

#3 ZT-repairseek

ZT-repairseek
  • Topic Starter

  • Members
  • 177 posts
  • Local time:05:24 PM

Posted 02 September 2012 - 03:40 PM

thank you for your prompt assistance, nasdaq. as commanded, I have run the requested programs, and shall now provide the associated logfiles.

~~~~~~~~~~~~~~~~~~~~~#Combofix~~~~~~~~~~~~~~~~~~~~


ComboFix 12-09-01.01 - ZT01 2/2012 Sun 16:02:53.4.2 - x86
Running from: c:\tools\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-18\$19fa7abdb0eb45aef740e424f8a9805d\@
c:\$recycle.bin\S-1-5-18\$19fa7abdb0eb45aef740e424f8a9805d\n
c:\$recycle.bin\S-1-5-18\$19fa7abdb0eb45aef740e424f8a9805d\U\00000001.@
c:\$recycle.bin\S-1-5-18\$19fa7abdb0eb45aef740e424f8a9805d\U\80000000.@
c:\$recycle.bin\S-1-5-21-3266769259-3880101330-600960622-1000\$19fa7abdb0eb45aef740e424f8a9805d\@
c:\$recycle.bin\S-1-5-21-3266769259-3880101330-600960622-1000\$19fa7abdb0eb45aef740e424f8a9805d\n
c:\windows\system32\drivers\ef4d161549ad96cf.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ef4d161549ad96cf
-------\Service_ef4d161549ad96cf
.
.
((((((((((((((((((((((((( Files Created from 2012-08-02 to 2012-09-02 )))))))))))))))))))))))))))))))
.
.
2012-09-02 20:08 . 2012-09-02 20:10 -------- d-----w- c:\users\ZT01\AppData\Local\temp
2012-09-02 20:08 . 2012-09-02 20:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-02 20:08 . 2012-09-02 20:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-31 04:31 . 2012-08-31 04:31 -------- d-----w- c:\program files\Common Files\Java
2012-08-31 04:30 . 2012-08-31 04:30 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 02:17 . 2012-08-31 02:17 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-20 21:01 . 2012-08-20 21:01 -------- d-----w- c:\users\ZT01\AppData\Local\Google
2012-08-12 16:56 . 2012-08-29 05:07 -------- d-----w- c:\program files\CCleaner
2012-08-09 20:06 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-09 20:06 . 2012-07-03 16:21 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-09 20:06 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-09 20:06 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-09 20:06 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-09 20:06 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-08-09 20:06 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-09 20:06 . 2012-08-09 20:06 -------- d-----w- c:\programdata\AVAST Software
2012-08-08 23:28 . 2012-08-08 23:28 -------- d-----w- C:\_OTL
2012-08-08 23:05 . 2012-08-08 23:05 -------- d-----w- c:\users\ZT01\AppData\Local\realtech_VR
2012-08-08 23:04 . 2012-08-08 23:04 -------- d-----w- c:\programdata\realtech VR
2012-08-08 23:04 . 2012-08-08 23:04 -------- d-----w- c:\program files\OpenGL Extensions Viewer 4.0
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 04:30 . 2012-03-03 22:49 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-31 04:30 . 2011-03-07 22:43 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-23 14:45 . 2012-04-02 14:47 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-23 14:45 . 2011-06-08 00:27 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-09 21:53 . 2012-08-09 21:53 81408 ----a-w- c:\windows\apppatch\ntleam1.dll
2012-07-15 22:05 . 2012-07-15 22:05 40960 ----a-r- c:\users\ZT01\AppData\Roaming\Microsoft\Installer\{57464BB0-495D-42BD-B409-E8DB7E24AADE}\NewShortcut1_57464BB0495D42BDB409E8DB7E24AADE.exe
2012-07-03 17:46 . 2011-02-01 01:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"avast"="c:\program files\Avast5\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PacketiX VPN Client Task Tray.lnk - c:\program files\PacketiXVPNClient\vpncmgr.exe [2008-5-15 2682880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3266769259-3880101330-600960622-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000Core.job
- c:\users\ZT01\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-20 21:01]
.
2012-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000UA.job
- c:\users\ZT01\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-20 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=hxxp:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp32&d=1208&m=et1161-03
uInternet Settings,ProxyOverride = <local>
IE: Download all with Free Download Manager - file://c:\program files\FreeDownloadManager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\FreeDownloadManager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\FreeDownloadManager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\FreeDownloadManager\dllink.htm
DPF: {145C073F-9098-41CA-81E1-295D17CDFD55} - hxxps://ta.mk-style.com/weblauncher/common/CnCGameLauncher.cab
DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} - hxxps://gash.gamania.co.jp/acxauth/cab/2.0.1/lcjggame.cab
DPF: {E2729F99-A050-4F4D-AE9F-7492C5532F49} - hxxp://down.hangame.co.jp/jp/dist/hgtagent2/hgtagent2.cab
DPF: {E4BC6F2E-E1BB-4F76-A400-87FF46653A8E} - hxxp://lov.ujj.co.jp/mypage/activex/LovClientLoader.CAB
DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} - hxxp://down.hangame.co.jp/jp/purple/launcher/PubPlugin.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-02 16:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3266769259-3880101330-600960622-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*8*瑢ck\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3266769259-3880101330-600960622-1000\Software\「0ラ0・ア0・キ0・・ *ヲ0」0カ0・ノ0g0ubU0・_0・・ォ0・ *「0ラ0・ア0・キ0・・]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\MOSS\W*i*n*d*o*w*s*Hr菇b!\{6A36DFA4-83F5-FC67-DDB2-0AD22AB03E71}]
"DesktopFolder"="c:\\Users\\Public\\Desktop\\"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3208)
c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\program files\Avast5\AvastSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-09-02 16:17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-02 20:17
ComboFix2.txt 2012-08-08 15:05
ComboFix3.txt 2011-02-21 23:11
ComboFix4.txt 2011-02-20 21:57
.
Pre-Run: 127,472,914,432 bytes free
Post-Run: 127,205,105,664 bytes free
.
- - End Of File - - E7F264B2A75FFBE5A2D39F7BD21013E6



~~~~~~~~~~~~~~~~~~~#Security Check~~~~~~~~~~~~~~~~~~~


Results of screen317's Security Check version 0.99.43
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
JavaFX 2.1.1
Java 7 Update 7
Java version out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Avast5 AvastUI.exe
Avast5 AvastSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````


~~~~~~~~~~~~~~~#AdwCleaner~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v2.000 - Logfile created 09/02/2012 at 16:25:02
# Updated 30/08/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : ZT01 - NEBULUS01
# Boot Mode : Normal
# Running from : C:\Tools\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.19272

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.89

File : C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [759 octets] - [02/09/2012 16:25:02]

########## EOF - C:\AdwCleaner[R1].txt - [818 octets] ##########



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a cursory inspection with Autoruns reveals the "file not found" entries to have reduced to
A: a pile of XDva###.sys things that I've been seeing right along on this machine, through multiple cleanups, and
B:
1) an entry for AWEalloc.sys
2) a piece of combofix (catchme.sys) I assume comes and goes as part of the cleaning process
3) ipinip.sys (IP in IP tunnel driver)
4) mbr.sys which was in a temp folder
5) two IPX traffic drivers, one for filtering and one for forwarding
6) EagleNT.sys and EagleXNt.sys
and 7) rdpclip

other than the combofix one I don't know what these are, and while their presence is not something that settles well, I will not remove them unless informed it is safe to do so.
this remains a massive change from what I saw before making my initial post on this round of "evil things that sneak through the realtime web shield on avast", so I shall suppose we are making good progress. that said, it seems combofix didn't like something about the mvp hosts file and ate it; that's easy enough to resolve once we're done, anyway.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:24 PM

Posted 03 September 2012 - 07:50 AM

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

I'm not seeing the Service/Driver section on the ComboFix log.
I hope you did not modify the log.

This is listed in the OTL log. I need more information before we continue.

DRV - (bsuqwdc) -- C:\Windows\System32\drivers\ljgkc.sys


>>> Run Jotti's malware scan: Please copy this line (in bold):
C:\Windows\System32\drivers\ljgkc.sys
  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link".
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste this Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

===

If found to be bad remove it with ComboFix.

Open notepad and copy/paste the text in the quote box below into it:

File::
C:\Windows\System32\drivers\ljgkc.sys

Driver::
bsuqwdc


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what issues persist.
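The triage nasdaq applies here (a driver file with no company name, created the night of the infection, loaded by a service whose name has nothing to do with the file, alongside a hidden+system folder literally named %APPDATA% inside System32) can be run mechanically over OTL-style log lines. The Python below is an added example, not OTL's or the helper's own code; it assumes the line format seen in the posted log, a constructed report time, and one constructed aswSnx DRV line as a benign control.

```python
"""Triage helper for OTL-style log lines (added example, not OTL's own code).

It flags three things in the entries above: a .sys file in the drivers folder
with no company name created shortly before the log was taken, a hidden+system
folder in System32 whose name is an environment-variable literal, and a DRV
entry whose service loads one of the flagged driver files.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the OTL log posted above plus the DRV
# line nasdaq quoted. The aswSnx DRV line is added here as a benign control.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
DRV - (bsuqwdc) -- C:\\Windows\\System32\\drivers\\ljgkc.sys
DRV - (aswSnx) -- C:\\Windows\\System32\\drivers\\aswSnx.sys
[2012/08/30 22:17:34 | 000,000,000 | -HSD | C] -- C:\\Windows\\System32\\%APPDATA%
[2012/08/09 16:06:37 | 000,721,000 | ---- | C] (AVAST Software) -- C:\\Windows\\System32\\drivers\\aswSnx.sys
[2012/08/31 00:15:07 | 000,054,016 | ---- | C] () -- C:\\Windows\\System32\\drivers\\ljgkc.sys
[2012/08/30 21:46:25 | 000,072,832 | ---- | C] () -- C:\\Windows\\System32\\drivers\\ef4d161549ad96cf.sys
[2012/06/29 13:50:03 | 003,602,816 | ---- | C] () -- C:\\Windows\\System32\\ntkrnlpa.exe
[2012/08/08 11:04:03 | 000,000,000 | -HSD | C] -- C:\\$RECYCLE.BIN
"""

# Assumed time the OTL log was taken (the post was edited at 12:42 AM, 31 Aug).
REPORT_TIME = datetime(2012, 8, 31, 0, 30)

# [date time | size | attrs | C/M] (company) -- path ; the company part is
# absent for directories and printed as "()" for files with no version info.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
DRV_RE = re.compile(r"^DRV - \((?P<service>[^)]+)\) -- (?P<path>.+)$")
ENV_NAME_RE = re.compile(r"^%[a-z_]+%$")


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str              # e.g. "-HSD": hidden, system, directory
    company: Optional[str]  # None when OTL printed no "(...)" at all
    path: str


def parse_file_entry(line: str) -> Optional[Entry]:
    """Parse one OTL file/folder line; return None for any other line."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attr"),
        company=m.group("company"),
        path=m.group("path"),
    )


def triage(log_text: str, report_time: datetime, window_days: int = 7) -> List[str]:
    """Return human-readable findings for the lines that deserve a closer look."""
    findings: List[str] = []
    flagged_drivers: Dict[str, Entry] = {}
    drv_entries: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = DRV_RE.match(raw.strip())
        if m:
            drv_entries.append((m.group("service"), m.group("path")))
            continue
        entry = parse_file_entry(raw)
        if entry is None:
            continue
        lower = entry.path.lower()
        name = lower.rsplit("\\", 1)[-1]
        # Driver file, no company name, created within the window before the
        # log (future-dated files are kept too; clock skew is common).
        if (name.endswith(".sys") and "\\drivers\\" in lower and not entry.company
                and report_time - entry.timestamp <= timedelta(days=window_days)):
            flagged_drivers[lower] = entry
            findings.append(f"recent driver with no company name: {entry.path} "
                            f"(created {entry.timestamp:%Y-%m-%d %H:%M})")
        # Hidden+system directory literally named like %APPDATA% inside System32.
        if (all(c in entry.attrs for c in "HSD") and ENV_NAME_RE.match(name)
                and "\\system32\\" in lower):
            findings.append(f"hidden+system folder named like an environment variable: {entry.path}")
    # Tie DRV lines to the flagged files: an odd service name alone proves
    # nothing, but a service that loads a flagged driver is what to remove.
    for service, path in drv_entries:
        if path.lower() in flagged_drivers:
            findings.append(f"service '{service}' loads flagged driver {path}")
    return findings


def triage_sample() -> List[str]:
    return triage(SAMPLE_LOG, REPORT_TIME)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```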

#5 ZT-repairseek

ZT-repairseek
  • Topic Starter

  • Members
  • 177 posts
  • Local time:05:24 PM

Posted 03 September 2012 - 10:17 AM

well.
here we go with the adw log:

# AdwCleaner v2.000 - Logfile created 09/03/2012 at 10:59:32
# Updated 30/08/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : ZT01 - NEBULUS01
# Boot Mode : Normal
# Running from : C:\Tools\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.19272

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Google Chrome v21.0.1180.89

File : C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [886 octets] - [02/09/2012 16:25:02]
AdwCleaner[S1].txt - [1239 octets] - [03/09/2012 10:59:32]

########## EOF - C:\AdwCleaner[S1].txt - [1299 octets] ##########



and no, I don't mess with the contents of log files. that defeats their purpose, doesn't it?

as for the file you wanted me to feed through jotti's, it apparently has stopped existing. both pasting the line into the file open dialog and putting the filename into the search field in windows explorer come up with nothing. (nothing, in the open dialog's case, means "file not found", just to be clear) either it's hidden itself well or combofix ate it, I guess. shall I make a new OTL log now and see if it's in there again?

dunno what you'd prefer to do about that missing log sect- wait. looking back at my posted log I see a section with that heading, containing only:

-------\Legacy_ef4d161549ad96cf
-------\Service_ef4d161549ad96cf

should there be more to it?

and I forgot to mention in my previous post that as of combofix being run, avast looks like it's working again, so if desired it should be possible now to fire off scans with it, aswmbr, and possibly tdss killer, as well. (haven't poked it yet, simply noticed that avast isn't failing to load its stuff) *glances at the avast UI* also it seems there's now a program update for it. when we're done I'll have to tend to that. *nod*

Edited by ZT-repairseek, 03 September 2012 - 10:20 AM.


#6 nasdaq (Malware Response Team, 38,753 posts, Location: Montreal, QC. Canada)

Posted 03 September 2012 - 01:00 PM

and no, I don't mess with the contents of log files. that defeats their purpose, doesn't it?

The drivers and other running programs would normally be listed under this section of the ComboFix log.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
===

Run ComboFix with my last script instructions.
Post the log.

You might as well run these tools now and post the logs if you can.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

Let me know what problem persists.

#7 ZT-repairseek (Topic Starter, Members, 177 posts)

Posted 03 September 2012 - 02:11 PM

you did say "services/devices" and there is a heading such as that in that log; point of confusion. *edit* though looking back over it I see both headings in the older log.

anyway. TDSS killer came up clean, so it didn't give an option to save a log. first time I went to run aswmbr I hit a driver IRQL BSOD, but upon the computer finishing with dragging its heels getting back to windows, I retried and no explosion occurred.

combofix did the "hey I have a new version..." thing when I ran it, so I updated along the way. I note that this log doesn't have the section marked "Drivers/Services" but has the "reg loading points" section you were looking for.

~~~~~~~~~~~~~~~~~~~~~~~~~~#ComboFix~~~~~~~~~~~~~~~~~~~~~~~~~~~



ComboFix 12-09-03.07 - ZT01 3/2012 Mon 14:25:06.5.2 - x86
Running from: c:\tools\ComboFix.exe
Command switches used :: c:\tools\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\System32\drivers\ljgkc.sys"
.
.
((((((((((((((((((((((((( Files Created from 2012-08-03 to 2012-09-03 )))))))))))))))))))))))))))))))
.
.
2012-09-03 18:31 . 2012-09-03 18:31 -------- d-----w- c:\users\ZT01\AppData\Local\temp
2012-09-03 18:31 . 2012-09-03 18:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-03 18:31 . 2012-09-03 18:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-31 04:31 . 2012-08-31 04:31 -------- d-----w- c:\program files\Common Files\Java
2012-08-31 04:30 . 2012-08-31 04:30 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 02:17 . 2012-08-31 02:17 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-20 21:01 . 2012-08-20 21:01 -------- d-----w- c:\users\ZT01\AppData\Local\Google
2012-08-12 16:56 . 2012-08-29 05:07 -------- d-----w- c:\program files\CCleaner
2012-08-09 20:06 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-09 20:06 . 2012-07-03 16:21 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-09 20:06 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-09 20:06 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-09 20:06 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-09 20:06 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-08-09 20:06 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-09 20:06 . 2012-08-09 20:06 -------- d-----w- c:\programdata\AVAST Software
2012-08-08 23:28 . 2012-08-08 23:28 -------- d-----w- C:\_OTL
2012-08-08 23:05 . 2012-08-08 23:05 -------- d-----w- c:\users\ZT01\AppData\Local\realtech_VR
2012-08-08 23:04 . 2012-08-08 23:04 -------- d-----w- c:\programdata\realtech VR
2012-08-08 23:04 . 2012-08-08 23:04 -------- d-----w- c:\program files\OpenGL Extensions Viewer 4.0
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 04:30 . 2012-03-03 22:49 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-31 04:30 . 2011-03-07 22:43 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-23 14:45 . 2012-04-02 14:47 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-23 14:45 . 2011-06-08 00:27 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-09 21:53 . 2012-08-09 21:53 81408 ----a-w- c:\windows\apppatch\ntleam1.dll
2012-07-15 22:05 . 2012-07-15 22:05 40960 ----a-r- c:\users\ZT01\AppData\Roaming\Microsoft\Installer\{57464BB0-495D-42BD-B409-E8DB7E24AADE}\NewShortcut1_57464BB0495D42BDB409E8DB7E24AADE.exe
2012-07-03 17:46 . 2011-02-01 01:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"avast"="c:\program files\Avast5\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PacketiX VPN Client Task Tray.lnk - c:\program files\PacketiXVPNClient\vpncmgr.exe [2008-5-15 2682880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3266769259-3880101330-600960622-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000Core.job
- c:\users\ZT01\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-20 21:01]
.
2012-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000UA.job
- c:\users\ZT01\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-20 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=hxxp:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp32&d=1208&m=et1161-03
uInternet Settings,ProxyOverride = <local>
IE: Download all with Free Download Manager - file://c:\program files\FreeDownloadManager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\FreeDownloadManager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\FreeDownloadManager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\FreeDownloadManager\dllink.htm
DPF: {145C073F-9098-41CA-81E1-295D17CDFD55} - hxxps://ta.mk-style.com/weblauncher/common/CnCGameLauncher.cab
DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} - hxxps://gash.gamania.co.jp/acxauth/cab/2.0.1/lcjggame.cab
DPF: {E2729F99-A050-4F4D-AE9F-7492C5532F49} - hxxp://down.hangame.co.jp/jp/dist/hgtagent2/hgtagent2.cab
DPF: {E4BC6F2E-E1BB-4F76-A400-87FF46653A8E} - hxxp://lov.ujj.co.jp/mypage/activex/LovClientLoader.CAB
DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} - hxxp://down.hangame.co.jp/jp/purple/launcher/PubPlugin.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-03 14:31
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3266769259-3880101330-600960622-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*8*瑢ck\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3266769259-3880101330-600960622-1000\Software\「0ラ0・ア0・キ0・・ *ヲ0」0カ0・ノ0g0ubU0・_0・・ォ0・ *「0ラ0・ア0・キ0・・]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\MOSS\W*i*n*d*o*w*s*Hr菇b!\{6A36DFA4-83F5-FC67-DDB2-0AD22AB03E71}]
"DesktopFolder"="c:\\Users\\Public\\Desktop\\"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4632)
c:\users\ZT01\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2012-09-03 14:33:56
ComboFix-quarantined-files.txt 2012-09-03 18:33
ComboFix2.txt 2012-09-02 20:17
ComboFix3.txt 2012-08-08 15:05
ComboFix4.txt 2011-02-21 23:11
ComboFix5.txt 2012-09-03 18:23
.
Pre-Run: 127,307,685,888 bytes free
Post-Run: 127,287,660,544 bytes free
.
- - End Of File - - 7BE29BD125C0BF6B9E9FBA909CF359E8



~~~~~~~~~~~~~~~~~~~~~#aswmbr~~~~~~~~~~~~~~~~~~~~~~


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-03 14:42:40
-----------------------------
14:42:40.556 OS Version: Windows 6.0.6002 Service Pack 2
14:42:40.556 Number of processors: 2 586 0x6B02
14:42:40.556 ComputerName: NEBULUS01 UserName: ZT01
14:42:41.758 Initialize success
14:42:41.867 AVAST engine defs: 12090300
14:42:45.595 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005f
14:42:45.595 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 6
14:42:45.626 Disk 0 MBR read successfully
14:42:45.626 Disk 0 MBR scan
14:42:45.658 Disk 0 unknown MBR code
14:42:45.689 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10240 MB offset 2048
14:42:45.751 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 295003 MB offset 20973568
14:42:45.751 Disk 0 scanning sectors +625140400
14:42:45.876 Disk 0 scanning C:\Windows\system32\drivers
14:43:03.598 Service scanning
14:43:18.964 Modules scanning
14:43:30.835 Disk 0 trace - called modules:
14:43:30.866 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
14:43:30.866 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8681dac8]
14:43:30.866 3 CLASSPNP.SYS[8a79d8b3] -> nt!IofCallDriver -> [0x850b24f0]
14:43:30.882 5 acpi.sys[8060f6bc] -> nt!IofCallDriver -> \Device\0000005f[0x85a38620]
14:43:31.865 AVAST engine scan C:\Windows
14:43:39.056 AVAST engine scan C:\Windows\system32
14:46:18.878 AVAST engine scan C:\Windows\system32\drivers
14:47:01.934 AVAST engine scan C:\Users\ZT01
14:51:32.891 AVAST engine scan C:\ProgramData
14:52:00.690 Scan finished successfully
14:53:24.446 Disk 0 MBR has been saved successfully to "C:\Tools\MBR.dat"
14:53:24.462 The log file has been saved successfully to "C:\Tools\aswMBR9312.txt"



I'm going to reboot again now, and see how long things take to get moving. the overt symptoms I had noticed originally (avast and such being prevented from working, windows' sounds vanishing{though not the sounds of other software, I discovered from testing}) went away the first time we used combofix. but if I've learned anything in my various trips here, it's that there's often stuff that hides better than that, so your expertise is needed and appreciated.

by the by, I'd like some word about those autoruns entries once we've gotten everything else squared away; neatness and such.


***post reboot edit***
ended up doing two reboots; the first one dragged more than the second both shutting down and getting back up. while I don't remember the icons blanking as though the cache was being rebuilt before, that may simply be forgetfulness. up to you I guess to determine if it's yea or nay on that being normalcy.

*late night edit*
for some reason an instance of svchost spikes cpu usage when I unplug or replug the network cable at present; I don't remember if that was normal either. maybe I'm just being paranoid on this one...

Edited by ZT-repairseek, 04 September 2012 - 01:16 AM.


#8 nasdaq (Malware Response Team, 38,753 posts, Location: Montreal, QC. Canada)

Posted 04 September 2012 - 07:43 AM

Your ComboFix log is clean.

a cursory inspection with Autoruns reveals the "file not found" entries to have reduced to
A: a pile of XDva###.sys things that I've been seeing right along on this machine, through multiple cleanups, and
B:
1) an entry for AWEalloc.sys
2) a piece of combofix (catchme.sys) I assume comes and goes as part of the cleaning process
3) ipinip.sys (IP in IP tunnel driver)
4) mbr.sys which was in a temp folder
5) two IPX traffic drivers, one for filtering and one for forwarding
6) EagleNT.sys and EagleXNt.sys
and 7) rdpclip


The drivers that are whitelisted are not shown in the ComboFix log. They are in the OTL log even if the drivers have been deleted from the computer.


XDva###.sys: all good, they are from Wiselogic Co., Ltd.
catchme.sys: correct, used by ComboFix.
ipinip.sys: good, from Microsoft.
mbr.sys: used by ComboFix or an MBR (Master Boot Record) tool.
two IPX traffic drivers: Have you been trying to use the IPX protocol for gaming by chance? They are required and called by NwlnkFwd when required.
EagleNT.sys and EagleXNt.sys: good, from AhnLab.
rdpclip: required by Vista. See this link http://www.file.net/process/rdpclip.exe.html
===

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Let me know what issues remain with this computer.

#9 ZT-repairseek (Topic Starter, Members, 177 posts)

Posted 04 September 2012 - 10:28 AM

since those driver entries are all marked "file not found", thus my concerns; bad sign? things safe to clean up? etc.

and uuurgh. where is this malware crap coming from. more threats this time in eset though combofix and TDSS killer were clean... I've done nothing that would involve risking more infections since making my initial post in this thread, as that would be counterproductive, so...

ESET has found the following:

html/iframe.b.gen.virus
a variant of win32/rootkit.kryptik.oh trojan
a variant of win32/rootkit.kryptik.oh trojan
a variant of win32/kryptik.alef trojan
a variant of win32/sirefef.fa trojan
a variant of win32/kryptik.alef trojan

and then seems to have stalled after 00:51:35. I'm going to hit stop and rerun the scan, in hopes of it not stalling.

*edit* when I hit stop, the results thing lists the status as "finished" rather than something like "interrupted by user". thinking I should re-run it, because I think it normally says something about being done? the last file it was on was C:\VC_RED.msi, which three seconds of searching reveals to be a legit microsoft thing; if it's going in alphabetical order then the only further files in root would be vcredist.bmp which I assume is related to that, and "wlcount.txt" which contains only a 7. also, it seems I forgot to uncheck 'remove found threats' so it did its own cleaning job. crap. hope that's not a problem.

buuuut now I'm SLIGHTLY less panicked because the threats found were in Qoobox\quarantine, with the exception of the HTML one, suggesting they're things that another tool (was it combofix that uses qoobox as its quarantine/work area?) had already caught. still not calmed down though. here's the actual exported text file:


C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$19fa7abdb0eb45aef740e424f8a9805d\n.vir a variant of Win32/Kryptik.ALEF trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$19fa7abdb0eb45aef740e424f8a9805d\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-3266769259-3880101330-600960622-1000\$19fa7abdb0eb45aef740e424f8a9805d\n.vir a variant of Win32/Kryptik.ALEF trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\ef4d161549ad96cf.sys.vir a variant of Win32/Rootkit.Kryptik.OH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_ef4d161549ad96cf_.sys.zip a variant of Win32/Rootkit.Kryptik.OH trojan deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A1370UI3\mx_nan_a[1].txt HTML/Iframe.B.Gen virus deleted - quarantined


I think I'll wait for your approval on what to do though, to exit/rerun eset, go delete its quarantined things, or what. you're the one with the knowledge on this stuff, after all.

Edited by ZT-repairseek, 04 September 2012 - 10:40 AM.


#10 nasdaq (Malware Response Team, 38,753 posts, Location: Montreal, QC. Canada)

Posted 04 September 2012 - 01:00 PM

An inline frame is used to embed another document within the current HTML document.


I think that it's a false positive.
The Quarantined folder for ComboFix will be deleted when we remove the tool.
Wait for now.

===

Let's see if we can remove the empty drivers with the new OTL version.

  • Download the latest version of OTL to your desktop.

Run OTL - Double-click OTL.exe to start it.

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - (XDva398) -- C:\Windows\system32\XDva398.sys File not found
    DRV - (XDva397) -- C:\Windows\system32\XDva397.sys File not found
    DRV - (XDva393) -- C:\Windows\system32\XDva393.sys File not found
    DRV - (XDva392) -- C:\Windows\system32\XDva392.sys File not found
    DRV - (XDva391) -- C:\Windows\system32\XDva391.sys File not found
    DRV - (XDva387) -- C:\Windows\system32\XDva387.sys File not found
    DRV - (XDva385) -- C:\Windows\system32\XDva385.sys File not found
    DRV - (XDva383) -- C:\Windows\system32\XDva383.sys File not found
    DRV - (XDva370) -- C:\Windows\system32\XDva370.sys File not found
    DRV - (XDva285) -- C:\Windows\system32\XDva285.sys File not found
    DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
    DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
    DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
    DRV - (EagleXNt) -- C:\Windows\system32\drivers\EagleXNt.sys File not found
    DRV - (EagleNT) -- C:\Windows\system32\drivers\EagleNT.sys File not found
    DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
    DRV - (AWEAlloc) -- system32\DRIVERS\awealloc.sys File not found
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Please let me know of the difficulties with this computer.
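A small parser for the OTL driver lines used in this thread, added here as an example and not code from the thread, from OTL, or from any of the tools nasdaq uses: it separates the "File not found" orphans (the entries the :OTL fix above removes) from drivers that are present on disk but carry no company name, such as the bsuqwdc / ljgkc.sys entry earlier in the thread, which are the ones worth a Jotti or VirusTotal check before anything is deleted. The sample log is constructed from lines that appear in this thread; the function names are my own.

```python
"""Triage the 'DRV -' lines of an OTL log (added example, not OTL's own code).

OTL prints one line per registered driver service:
    DRV - (ServiceName) -- <image path> (<Company>)
and, when the image is gone but the service key remains:
    DRV - (ServiceName) -- <image path> File not found
Orphans can go into an ':OTL' fix; a driver whose file exists but has no
company name deserves a hash check (Jotti / VirusTotal) rather than deletion.
"""
import re
from typing import List, NamedTuple, Optional

_DRV_RE = re.compile(r"^DRV - \((?P<name>[^)]+)\) -- (?P<rest>.+)$")
_PATH_COMPANY_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^)]*)\)$")
_MISSING = " File not found"


class DriverEntry(NamedTuple):
    raw: str        # the OTL line exactly as logged (reused in :OTL fixes)
    name: str       # service name, e.g. "aswSnx"
    path: str       # image path as OTL printed it
    company: str    # "" when OTL printed "()" or no company at all
    missing: bool   # True for "File not found" entries


def parse_drv_line(line: str) -> Optional[DriverEntry]:
    """Parse one OTL driver line; return None for any other kind of line."""
    line = line.strip()
    m = _DRV_RE.match(line)
    if not m:
        return None
    name, rest = m.group("name"), m.group("rest")
    if rest.endswith(_MISSING):
        return DriverEntry(line, name, rest[: -len(_MISSING)], "", True)
    m2 = _PATH_COMPANY_RE.match(rest)
    if not m2:
        # No trailing "(Company)" at all: treat as unknown publisher.
        return DriverEntry(line, name, rest, "", False)
    return DriverEntry(line, name, m2.group("path"), m2.group("company"), False)


def parse_otl_drivers(log_text: str) -> List[DriverEntry]:
    """Collect every driver entry from a full OTL log (other sections ignored)."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_drv_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def orphans(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Service keys whose driver file no longer exists."""
    return [e for e in entries if e.missing]


def needs_review(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Drivers that are present on disk but carry no company name."""
    return [e for e in entries if not e.missing and e.company == ""]


def build_otl_fix(entries: List[DriverEntry]) -> str:
    """Build the text to paste into OTL's Custom Scans/Fixes box.

    OTL accepts the orphan lines verbatim under an ':OTL' header, which is
    the form used in this thread; present-but-unsigned drivers are
    deliberately left out so they can be checked first.
    """
    lines = [":OTL"] + [e.raw for e in orphans(entries)]
    return "\n".join(lines) + "\n"


# Constructed sample: lines taken from the OTL logs in this thread, plus the
# bsuqwdc / ljgkc.sys entry that was flagged for a Jotti check.
SAMPLE_OTL = r"""
========== Driver Services (SafeList) ==========

DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (bsuqwdc) -- C:\Windows\System32\drivers\ljgkc.sys ()
DRV - (WinRing0_1_2_0) -- C:\Program Files\GameBooster3\Driver\WinRing0.sys (OpenLibSys.org)
DRV - (XDva398) -- C:\Windows\system32\XDva398.sys File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
"""

if __name__ == "__main__":
    found = parse_otl_drivers(SAMPLE_OTL)
    for e in needs_review(found):
        print(f"review (no company): {e.name} -> {e.path}")
    print(build_otl_fix(found), end="")
```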

#11 ZT-repairseek (Topic Starter, Members, 177 posts)

Posted 04 September 2012 - 01:47 PM

the entries are now gone from autoruns' scan, barring the rdpclip one, but I -think- that being as it is, is a result of an intentionally disabled service anyway.

~~~~~~~~~~~~~~~~~#OTL~~~~~~~~~~~~~~~~~~~~

OTL logfile created on: 9/4/2012 2:28:36 PM - Run 4
OTL by OldTimer - Version 3.2.60.0 Folder = C:\Tools
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19272)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 77.28% Memory free
5.95 Gb Paging File | 5.38 Gb Available in Paging File | 90.35% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.09 Gb Total Space | 116.87 Gb Free Space | 40.57% Space Free | Partition Type: NTFS

Computer Name: NEBULUS01 | User Name: ZT01 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe (NVIDIA Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\Avast5\AvastSvc.exe (AVAST Software)
SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (Hamachi2Svc) -- C:\Program Files\Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (SbieSvc) -- C:\Program Files\Sandboxie\SbieSvc.exe (SANDBOXIE L.T.D)
SRV - (vpnclient) -- C:\Program Files\PacketiXVPNClient\vpnclient.exe (SoftEther Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe ()


========== Driver Services (SafeList) ==========

DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (AswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (Neo_VPN) -- C:\Windows\System32\drivers\Neo_0092.sys (SoftEther Corporation)
DRV - (SbieDrv) -- C:\Program Files\Sandboxie\SbieDrv.sys (SANDBOXIE L.T.D)
DRV - (WinRing0_1_2_0) -- C:\Program Files\GameBooster3\Driver\WinRing0.sys (OpenLibSys.org)
DRV - (BazisVirtualCDBus) -- C:\Windows\System32\drivers\BazisVirtualCDBus.sys (SysProgs.org)
DRV - (NVNET) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (nvstor32) -- C:\Windows\System32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp32&d=1208&m=et1161-03
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@gamepot.co.jp/GamepotEXeEnvCtrl;version=1: C:\Program Files\Gamepot\GPEXE\\npGPEXE.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@ogplanet.com/npOGPPlugin: C:\Windows\system32\npOGPPlugin.dll (OGPlanet)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\ZT01\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\ZT01\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\ZT01\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)



========== Chrome ==========

CHR - homepage: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1307304502&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.79\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\ZT01\AppData\Local\Google\Chrome\Application\21.0.1180.89\pdf.dll
CHR - plugin: Gamepot Execution Environment (Enabled) = C:\Program Files\Gamepot\GPEXE\\npGPEXE.dll
CHR - plugin: Java™ Platform SE 7 U5 (Enabled) = C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\system32\npDeployJava1.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\ZT01\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Google Update (Enabled) = C:\Users\ZT01\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: OGPlanet Game Plugin (Enabled) = C:\Windows\system32\npOGPPlugin.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\ZT01\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/08/18 02:09:34 | 000,600,511 | ---- | M]) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost #[IPv6]
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 abcstats.com
O1 - Hosts: 127.0.0.1 a.abv.bg
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 ca.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 csh.actiondesk.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 16124 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\FreeDownloadManager\iefdm2.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\FreeDownloadManager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\FreeDownloadManager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\FreeDownloadManager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\FreeDownloadManager\dllink.htm ()
O16 - DPF: {145C073F-9098-41CA-81E1-295D17CDFD55} https://ta.mk-style.com/weblauncher/common/CnCGameLauncher.cab (TTS Launcher Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2010.05.24.cab (MabinogiWebAvatarRenderer Class)
O16 - DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} https://gash.gamania.co.jp/acxauth/cab/2.0.1/lcjggame.cab (Game Starter Control)
O16 - DPF: {E2729F99-A050-4F4D-AE9F-7492C5532F49} http://down.hangame.co.jp/jp/dist/hgtagent2/hgtagent2.cab (HgTAgent2 Extension Class)
O16 - DPF: {E4BC6F2E-E1BB-4F76-A400-87FF46653A8E} http://lov.ujj.co.jp/mypage/activex/LovClientLoader.CAB (LovClientLoader.Loader)
O16 - DPF: {F8160836-0C11-4CA4-AD87-944542C7BCBD} http://down.hangame.co.jp/jp/purple/launcher/PubPlugin.cab (PubPlugin Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7FC568D2-FC5A-447B-B854-ACECCEF5A807}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C723B582-89C9-46B3-BED0-D6447C13A797}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Wallpaper\Rena-TR.bmp
O24 - Desktop BackupWallPaper: C:\Wallpaper\Rena-TR.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/03 14:33:58 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/09/03 14:33:58 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Local\temp
[2012/09/03 14:33:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/09/03 14:23:32 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/08/31 00:31:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/08/30 22:17:34 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/08/20 17:02:08 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/08/20 17:01:08 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Local\Google
[2012/08/12 12:56:00 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/08/09 16:06:37 | 000,721,000 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/08/09 16:06:37 | 000,353,688 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/08/09 16:06:37 | 000,057,656 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/08/09 16:06:37 | 000,035,928 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2012/08/09 16:06:37 | 000,021,256 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/08/09 16:06:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/08/09 16:06:29 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012/08/09 16:06:29 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/08/09 16:06:17 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/08/08 19:28:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/08/08 19:05:18 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Local\realtech_VR
[2012/08/08 19:04:11 | 000,000,000 | ---D | C] -- C:\ProgramData\realtech VR
[2012/08/08 19:04:04 | 000,000,000 | ---D | C] -- C:\Users\ZT01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OpenGL Extensions Viewer 4.0
[2012/08/08 19:04:04 | 000,000,000 | ---D | C] -- C:\Program Files\OpenGL Extensions Viewer 4.0

========== Files - Modified Within 30 Days ==========

[2012/09/04 14:33:37 | 000,631,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/09/04 14:33:37 | 000,118,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/09/04 14:26:49 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/04 14:26:48 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/04 14:26:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/04 14:11:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000UA.job
[2012/09/03 17:11:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000Core.job
[2012/09/03 14:39:19 | 295,959,852 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/09/03 13:05:34 | 000,000,095 | ---- | M] () -- C:\Windows\winamp.ini
[2012/09/02 17:39:16 | 000,002,347 | ---- | M] () -- C:\Users\Public\Desktop\Jasc Paint Shop Pro 9.lnk
[2012/09/02 16:10:06 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS.MVP
[2012/08/30 23:29:37 | 000,000,000 | ---- | M] () -- C:\Users\ZT01\defogger_reenable
[2012/08/27 12:59:51 | 000,008,412 | ---- | M] () -- C:\SRTJ.clt
[2012/08/18 02:09:34 | 000,600,511 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS
[2012/08/16 19:10:07 | 000,001,445 | ---- | M] () -- C:\Users\ZT01\.recently-used.xbel
[2012/08/09 16:23:11 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/08/07 16:34:50 | 000,000,534 | ---- | M] () -- C:\Users\ZT01\Documents\My Sharing Folders.lnk

========== Files Created - No Company Name ==========

[2012/09/03 14:39:19 | 295,959,852 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/08/30 23:29:37 | 000,000,000 | ---- | C] () -- C:\Users\ZT01\defogger_reenable
[2012/08/20 17:01:09 | 000,000,904 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000UA.job
[2012/08/20 17:01:08 | 000,000,852 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3266769259-3880101330-600960622-1000Core.job
[2012/08/16 19:10:07 | 000,001,445 | ---- | C] () -- C:\Users\ZT01\.recently-used.xbel
[2012/06/28 01:16:30 | 000,000,029 | ---- | C] () -- C:\Windows\Index.ini
[2012/06/19 00:10:11 | 000,000,004 | ---- | C] () -- C:\Windows\storedt.ini
[2012/06/01 15:58:53 | 000,068,972 | ---- | C] () -- C:\Windows\System32\nglide_uninst.exe
[2012/05/08 21:53:14 | 001,294,336 | ---- | C] () -- C:\Windows\System32\glide3x.dll
[2012/04/27 09:56:18 | 000,053,248 | ---- | C] () -- C:\Windows\System32\nglide_config.exe
[2012/04/26 11:00:05 | 006,948,203 | ---- | C] () -- C:\Program Files\Avant Browser.zip
[2012/04/02 17:49:21 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2012/03/04 15:08:57 | 000,000,000 | ---- | C] () -- C:\Windows\System32\cid_store.dat
[2012/03/03 20:20:52 | 000,220,220 | ---- | C] () -- C:\Users\ZT01\AppData\Roaming\Fenrir Inc.zip
[2012/02/27 18:53:19 | 130,591,970 | ---- | C] () -- C:\Users\ZT01\AppData\Roaming\.minecraft.zip
[2011/05/23 16:18:49 | 000,002,488 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2011/05/15 14:48:39 | 000,040,960 | ---- | C] () -- C:\Windows\DelPiv.exe
[2011/04/04 19:40:06 | 000,000,054 | ---- | C] () -- C:\Windows\JascCmdFile.INI
[2011/03/16 20:38:55 | 000,128,080 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/02/20 17:51:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/02/20 17:51:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/02/20 17:51:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/02/20 17:51:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/02/20 17:51:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/02/01 23:15:52 | 000,000,056 | ---- | C] () -- C:\Windows\kgt2k.INI
[2011/02/01 21:27:26 | 000,062,208 | ---- | C] () -- C:\Windows\iun1401.exe
[2011/02/01 20:48:40 | 000,000,126 | ---- | C] () -- C:\Windows\wininit.ini
[2011/02/01 20:45:06 | 000,000,393 | ---- | C] () -- C:\Windows\SIERRA.INI
[2011/02/01 20:43:43 | 000,086,528 | ---- | C] () -- C:\Windows\bnetunin.exe
[2011/02/01 20:43:43 | 000,061,440 | ---- | C] () -- C:\Windows\diabunin.exe
[2011/02/01 20:29:04 | 000,000,095 | ---- | C] () -- C:\Windows\winamp.ini
[2011/01/31 21:07:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/01/31 21:07:17 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/31 21:07:17 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2012/08/28 23:30:11 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\.minecraft
[2012/01/01 02:29:52 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\AnnkakeSpa
[2012/03/03 20:05:35 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Avant Downloader
[2011/03/02 15:30:49 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Canneverbe Limited
[2012/08/30 18:44:05 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Dropbox
[2011/02/05 17:59:07 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\FALCOM
[2011/02/28 15:53:26 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Fenrir & Co
[2011/10/03 18:11:12 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\fltk.org
[2011/02/01 19:43:22 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Foxit Software
[2012/08/18 11:01:44 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Free Download Manager
[2012/07/17 19:30:55 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\GPEXE
[2011/11/27 20:24:07 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\HgTAgent
[2012/05/31 18:43:47 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\ImgBurn
[2012/05/30 03:36:56 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\InfraRecorder
[2011/05/21 14:07:18 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Jasc
[2011/02/01 21:11:31 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Leadertech
[2011/12/07 15:12:53 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\MoreTerra
[2011/02/01 01:34:30 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\NoteTab Light
[2011/02/02 02:21:57 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\NoteTab Pro
[2012/06/19 14:54:06 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\runic games
[2012/06/14 13:04:36 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\SEGA
[2011/02/05 18:32:59 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\Softplicity
[2012/06/19 01:38:10 | 000,000,000 | ---D | M] -- C:\Users\ZT01\AppData\Roaming\uTorrent
[2012/09/04 14:25:55 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >


I've attached the log from the fix, just in case. I also had ESET clean up after itself before the reboot, since that seems to be the standard procedure; apologies if I screwed up there.
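The OTL report above is long, and the items that matter for this kind of cleanup are easy to miss by eye: the EnableLUA = 0 policy (UAC switched off), the hidden+system directory created on 2012/08/30 whose name is the literal, unexpanded string %APPDATA% under System32, and the alternate data stream at the end. The following Python script is an added example, not part of the original post and not OTL's own code; it reads lines in the shape seen in this log and ranks such items. The regular expression for OTL's bracketed file entries is inferred from the lines on this page, the attribute-flag positions (hidden, system, directory) are read from the "-HSD" style field as it appears here, and the allowlist of Windows-owned hidden+system directories is an assumption to extend per machine. The sample lines are constructed copies of entries from the log, standing in for a saved report.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the OTL lines above (registry "O" lines, bracketed
# file/folder entries, and an alternate-data-stream line); it stands in for a saved log.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O32 - HKLM CDRom: AutoRun - 1
[2012/09/03 14:33:58 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/09/03 14:33:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/08/30 22:17:34 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/08/09 16:06:37 | 000,721,000 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:5C321E34
"""

# Shape of an OTL file/folder entry, inferred from the log:
#   [timestamp | size | attrs | C/M] (company) -- path
# attrs is four flag positions; H, S and D in positions 2-4 are read as hidden, system, directory.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# A literal, unexpanded %NAME% used as a path component on disk.
ENV_NAME_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")
# Hidden+system directories Windows keeps itself (assumed allowlist; extend for your build).
KNOWN_HS_DIRS = {r"c:\$recycle.bin", r"c:\system volume information", r"c:\recycler"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


def _file_findings(m: re.Match, line: str) -> list:
    attrs, path = m["attrs"], m["path"].strip()
    hidden, system, directory = attrs[1] == "H", attrs[2] == "S", attrs[3] == "D"
    out = []
    if ENV_NAME_RE.search(path):
        out.append(Finding("high", line, "literal unexpanded environment-variable name as an on-disk path component"))
    if hidden and system and directory and path.lower() not in KNOWN_HS_DIRS:
        out.append(Finding("medium", line, "hidden+system directory outside the known Windows set"))
    return out


def triage(log_text: str) -> list:
    """Return findings for an OTL-style log, highest severity first (stable within a level)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            findings.extend(_file_findings(m, line))
        elif line.startswith("O6 ") and line.endswith("EnableLUA = 0"):
            findings.append(Finding("high", line, "UAC disabled by policy (EnableLUA = 0)"))
        elif line.startswith("O32 ") and line.endswith("AutoRun - 1"):
            findings.append(Finding("low", line, "CD-ROM AutoRun enabled"))
        elif line.startswith("@Alternate Data Stream"):
            findings.append(Finding("low", line, "alternate data stream present; often benign, confirm its contents"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample, C:\$RECYCLE.BIN is hidden+system but sits in the allowlist, so it produces nothing, while the %APPDATA% directory is reported twice (once for the unexpanded name, once as an unexpected hidden+system directory). The point of the ranking is only to decide what to look at first; none of these lines proves an infection on its own, and the ADS and AutoRun items in particular are routinely benign.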

#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 September 2012 - 07:09 AM

All good.

Time for some housekeeping.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run, copy/paste the following text into the Run box, and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#13 ZT-repairseek

ZT-repairseek
  • Topic Starter

  • Members
  • 177 posts

Posted 05 September 2012 - 09:08 AM

Generally, prevention is my standard focus. When things slip past the mix of the MVP hosts file, avast's shields, and SpywareBlaster, that's when I start worrying. And when it's like what kicked off this thread... yeah, panic.

Still kinda wondering why disconnecting/reconnecting the LAN cable now causes a CPU spike, but then again it might have done so before and I simply fail to remember it happening; sometimes behaviours like that (ones you don't see often because they're related to things you don't normally do often) escape my memory. *shrug*

Also, that link doesn't want to work. Either something in the URL hiccuped or the hosts file is stepping on its toes. Eh.

Thank you very much for your help. If anything seems to have exploded that shouldn't have, I'll post back to this thread, but with any luck/providence that won't happen. Likewise if the MBAM/avast scans I'm about to fire off turn up anything panic-worthy.

But again, thanks for your help.


*edit*

Ended up having to visit one of my email inboxes before avast was done with a quick scan, and I didn't stop the browser from hitting MSN's front page when I logged out. Avast found crud in the temporary internet files, but got them as expected; having CCleaner nuke temporary internet files should assure that's all covered. *does so* I'm associating that with MSN's page simply because the names on various bits of it were things that are obviously MSN "headlines". If anything starts getting out of whack though, a new post will happen.

Edited by ZT-repairseek, 05 September 2012 - 11:09 AM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 September 2012 - 12:40 PM

still kinda wondering why now disconnecting/reconnecting the LAN cable causes a CPU spike

It might just be that avast is sensing new drivers being used and checking whether they're malware.
My Norton does that when I open logs. I sense the heat from the desktop computer for a few seconds.

The topic will be open for 5 more days. If you need to return please do.



