Jump to content

Malwarebytes

Brother's computer is infected again MBAM doesn't work and the browser gets redirected

- - - - -
Started by Havenw, Jan 18 2009 06:10 PM

13 replies to this topic

#1
Havenw
Posted 18 January 2009 - 06:10 PM

    New Member

  • Members
  • Pip
  • 11 posts
This is probably a continuation of my last issue: http://www.malwareby...?showtopic=9690


I got that straightened out but had to go off for a week and didn't get a chance to do any of the protection stuff for my brother's computer.


I come back and he's got stuff on it again.


He can't go to websites like malwarebytes or anything like that (it gets redirected)


Malwarebytes itself hangs when you start it (no indication that it's doing anything beyond the process being in the list). Spybot does the same thing.



So...he's got the nasty stuff on there.


Hijack this still works.

Something called ViewMgr.exe (which he believes is used to make his dual monitors work) crashes when you start windows.



Anyway, here's the Hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:07 PM, on 1/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://pegasusauth04...bwiz/s/stub.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8007 bytes

#2
sjb007
Posted 18 January 2009 - 06:56 PM

    Advanced Member

  • Experts
  • PipPipPip
  • 117 posts
  • Gender:Male
  • Location:UK
Hi there

Please note - During this fix we will be entering into safe mode. Please print out these instructions as your internet connection will not be available to you during this period. You may also copy and paste the fix into a text file and save it in an easy accessable location for reference.

Download SDFix by AndyManchesta and save it to your desktop.
alternate download.

Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix)

Reboot your computer in SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file in your next reply

Now lets try scanning with MBAM once again...

Please update and generate a fresh MBAM log for me
  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post the MBAM log back along with a fresh HJT log, and the log from SDFix
Patience is a Virtue
Member of ASAP & UNITE

#3
Havenw
Posted 18 January 2009 - 08:52 PM

    New Member

  • Members
  • Pip
  • 11 posts
Ok. I ran SDFix in safe mode. It found and fixed some stuff. It rebooted the computer and ran again on reboot, then it made a report. It also made it possible to run MBAM again.

Here's the SDfix report:


SDFix: Version 1.240
Run by bwaters on Sun 01/18/2009 at 02:41 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\svchost.exe - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSStkdv.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll
Could Not Remove C:\WINDOWS\system32\TDSSnrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSScfum.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 15:27:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\bwaters\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Steam\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\steamapps\\14meggedyou\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\14meggedyou\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\ehome\\ehshell.exe"="C:\\WINDOWS\\ehome\\ehshell.exe:LocalSubNet:Enabled:Media Center"
"D:\\Steam.exe"="D:\\Steam.exe:*:Enabled:Steam Client"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"D:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"="D:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"D:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"="D:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
"D:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"="D:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe:*:Enabled:left4dead"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

Remaining Files :

C:\WINDOWS\system32\TDSSofxh.dll Found
C:\WINDOWS\system32\TDSSnrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSScfum.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 20 Nov 2004 26,112 A..H. --- "C:\WINDOWS\AcerDRV\InsD1211.exe"
Wed 16 Nov 2005 26,112 A..H. --- "C:\WINDOWS\AcerDRV\InsD1215.exe"
Mon 30 Aug 2004 44,032 A..H. --- "C:\WINDOWS\AcerDRV\rescan.exe"
Sat 20 Nov 2004 26,112 A..H. --- "C:\WINDOWS\system32\InsD1211.exe"
Wed 16 Nov 2005 26,112 A..H. --- "C:\WINDOWS\system32\InsD1215.exe"
Wed 6 Aug 2003 24,576 A..H. --- "C:\WINDOWS\system32\KCMDNIns.exe"
Thu 17 Nov 2005 24,576 A..HR --- "C:\WINDOWS\system32\Kill1211.exe"
Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Fri 11 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Thu 7 Aug 2003 24,576 A..H. --- "C:\WINDOWS\system32\reboot.exe"
Sat 20 Nov 2004 26,112 A..H. --- "C:\WINDOWS\system32\RemD1211.exe"
Wed 16 Nov 2005 26,112 A..H. --- "C:\WINDOWS\system32\RemD1215.exe"
Mon 30 Aug 2004 44,032 A..H. --- "C:\WINDOWS\system32\rescan.exe"
Mon 24 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 21 Aug 2007 1,977 ...HR --- "C:\Documents and Settings\bwaters\Application Data\SecuROM\UserData\securom_v7_01.bak"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\bwaters\Application Data\U3\temp\Launchpad Removal.exe"

Finished!





I updated and ran MBAM. It found more things, deleted what it could and forced me to restart so it could delete 4 more things on reboot.

Here's the first MBAM report:

Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 5.1.2600 Service Pack 3

1/18/2009 3:37:43 PM
mbam-log-2009-01-18 (15-37-43).txt

Scan type: Quick Scan
Objects scanned: 62915
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpqxt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\temp\TDSSfe26.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\TDSSffbc.tmp (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\bwaters\Local Settings\Temp\TDSSa013.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


I did that and then ran MBAM again. It found and got rid of one more thing.

Here's the second MBAM report:


Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 5.1.2600 Service Pack 3

1/18/2009 3:45:34 PM
mbam-log-2009-01-18 (15-45-34).txt

Scan type: Quick Scan
Objects scanned: 63015
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\bwaters\Local Settings\Temp\TDSS9f0a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.


I restarted one more time.

Here's the current Hijack this Log after the last restart:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:23 PM, on 1/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://pegasusauth04...bwiz/s/stub.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8046 bytes

#4
sjb007
Posted 18 January 2009 - 09:05 PM

    Advanced Member

  • Experts
  • PipPipPip
  • 117 posts
  • Gender:Male
  • Location:UK
Hi Havenw

Good work with the scans. In this next part im going to ask for a couple of more deep scans which will again produce reports for you to post.

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

** Ensure you install the recovery console

Also ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

----------------------------
Once done....
----------------------------

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

  • Save it where you can easily find it, such as your desktop and post it back in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Post back with both logs in your next reply
Patience is a Virtue
Member of ASAP & UNITE

#5
Havenw
Posted 18 January 2009 - 09:57 PM

    New Member

  • Members
  • Pip
  • 11 posts
Alright. Just ran combo fix and GMER.


I ran combofix twice because the first time I apparently didn't have the recovery console installed (and whatever bad things that meant didn't happen because the computer is still working).


Combofix never said I didn't have the recovery console installed until I saw it wasn't installed in the logfile. Either I missed it saying that or whatever.

Anyway here are the two Combofix logs and the GMER log that took place after both Combofix logs.


Combofix log 1

ComboFix 09-01-18.01 - bwaters 2009-01-18 16:09:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1632 [GMT -5:00]
Running from: c:\documents and settings\bwaters\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\npclntax.dll
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_004961_.tmp.dll
c:\windows\system32\_004962_.tmp.dll
c:\windows\system32\_004963_.tmp.dll
c:\windows\system32\_004964_.tmp.dll
c:\windows\system32\_004971_.tmp.dll
c:\windows\system32\_004972_.tmp.dll
c:\windows\system32\_004973_.tmp.dll
c:\windows\system32\_004974_.tmp.dll
c:\windows\system32\_004976_.tmp.dll
c:\windows\system32\_004977_.tmp.dll
c:\windows\system32\_004980_.tmp.dll
c:\windows\system32\_004981_.tmp.dll
c:\windows\system32\_004983_.tmp.dll
c:\windows\system32\_004984_.tmp.dll
c:\windows\system32\_004985_.tmp.dll
c:\windows\system32\_004987_.tmp.dll
c:\windows\system32\_004989_.tmp.dll
c:\windows\system32\_004990_.tmp.dll
c:\windows\system32\_004991_.tmp.dll
c:\windows\system32\_004995_.tmp.dll
c:\windows\system32\_004996_.tmp.dll
c:\windows\system32\_004998_.tmp.dll
c:\windows\system32\_005001_.tmp.dll
c:\windows\system32\_005003_.tmp.dll
c:\windows\system32\_005004_.tmp.dll
c:\windows\system32\_005005_.tmp.dll
c:\windows\system32\_005006_.tmp.dll
c:\windows\system32\_005007_.tmp.dll
c:\windows\system32\_005010_.tmp.dll
c:\windows\system32\_005011_.tmp.dll
c:\windows\system32\_005012_.tmp.dll
c:\windows\system32\_005013_.tmp.dll
c:\windows\system32\_005014_.tmp.dll
c:\windows\system32\_005019_.tmp.dll
c:\windows\system32\_005021_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-18 15:55 . 2009-01-18 15:55 <DIR> d-------- c:\program files\Norton Security Scan
2009-01-18 14:40 . 2009-01-18 14:40 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-18 14:33 . 2009-01-18 14:34 <DIR> d-------- c:\windows\ERUNT
2009-01-18 14:33 . 2009-01-18 15:27 <DIR> d-------- C:\SDFix
2009-01-18 03:41 . 2009-01-18 03:43 <DIR> d-------- c:\windows\system32\Adobe
2009-01-17 22:07 . 2009-01-17 22:07 202,040 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-17 22:07 . 2009-01-17 22:07 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 22:07 . 2009-01-17 22:07 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-17 22:00 . 2009-01-17 22:01 <DIR> d-------- C:\PB
2009-01-16 23:53 . 2009-01-16 23:53 <DIR> d-------- c:\program files\compLexity Demo Player
2009-01-16 12:18 . 2009-01-18 09:31 51,369 --a------ c:\windows\Sysvxd.exe
2009-01-14 20:01 . 2009-01-14 20:01 <DIR> d-------- c:\program files\CEVO
2009-01-14 20:01 . 2007-03-13 20:19 1,017,545 --a------ c:\windows\system32\cpuz.exe
2009-01-14 20:01 . 2006-03-31 17:48 119,056 --a------ c:\windows\system32\reg_c3.exe
2009-01-14 20:01 . 2007-03-13 19:26 73,728 --a------ c:\windows\system32\pv_c3.exe
2009-01-12 14:13 . 2009-01-12 14:13 <DIR> d-------- c:\program files\MSECache
2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\windows\system32\AGEIA
2009-01-11 18:23 . 2009-01-11 18:25 <DIR> d-------- c:\windows\NV26082724.TMP
2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\program files\AGEIA Technologies
2009-01-11 18:23 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb
2009-01-11 16:41 . 2009-01-11 16:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 15:05 . 2009-01-18 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\bwaters\Application Data\Malwarebytes
2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 15:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 15:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 00:08 . 2008-12-26 00:08 1,560,576 --a------ c:\windows\system32\nvcuda.dll
2008-12-26 00:08 . 2008-12-26 00:08 1,253,376 --a------ c:\windows\system32\NvPVEnc.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 20:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 17:42 --------- d-s---w c:\program files\Xfire
2009-01-18 17:40 --------- d-----w c:\program files\mIRC
2009-01-18 03:04 --------- d-----w c:\documents and settings\bwaters\Application Data\Xfire
2009-01-11 23:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-11 22:56 --------- d-----w c:\program files\Symantec
2009-01-11 22:56 --------- d-----w c:\program files\Norton 360
2009-01-11 20:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 20:02 --------- d-----w c:\program files\Google
2009-01-11 20:00 --------- d-----w c:\program files\Apple Software Update
2009-01-11 19:59 --------- d-----w c:\program files\Common Files\Apple
2009-01-02 20:29 --------- d-----w c:\documents and settings\bwaters\Application Data\LimeWire
2008-12-26 05:08 6,301,344 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-12-21 22:49 --------- d-----w c:\program files\Diablo II
2008-12-17 16:06 --------- d-----w c:\program files\HLSW
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-28 00:18 --------- d-----w c:\program files\Nitto 1320 Legends
2008-04-18 02:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-02 18:37 1,388 ----a-w c:\documents and settings\bwaters\Application Data\ViewerApp.dat
2007-03-21 18:39 38,259 ----a-w c:\program files\uninstall.exe
2007-03-16 05:39 2,846,376 ----a-w c:\program files\fraps.exe
2007-03-16 05:37 110,592 ----a-w c:\program files\fraps.dll
2007-03-16 05:36 122,880 ----a-w c:\program files\frapslcd.dll
2006-12-22 04:55 56,832 ----a-w c:\program files\fraps64.dll
2006-12-22 04:55 293,376 ----a-w c:\program files\fraps64.dat
2006-12-21 12:43 11,366 ----a-w c:\program files\changes.txt
2006-12-19 12:59 1,860 ----a-w c:\program files\README.HTM
2008-09-21 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-18 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2006-12-06 159744]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-29 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-06 15:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 17:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-10 15:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 15:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 15:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 19:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-04-03 15:48 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-09 12:00 1410296 D:\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-02 21:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-05-31 19:48 16208384 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-15 21:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2005-06-06 12:40 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Steam.exe"=
"d:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"d:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-07-22 21888]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-09-28 21920]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-31 24652]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-07-20 22144]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2006-12-30 19020]
S3 tcpip_patcher;tcpip_patcher;\??\c:\program files\Ares\tcpip_patcher.sys --> c:\program files\Ares\tcpip_patcher.sys [?]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [2006-12-30 162900]
S3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [2006-12-31 11596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dee647e-92fe-11dc-96cd-001921585e7b}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-01-18 c:\windows\Tasks\Norton Security Scan for bwaters.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-googletalk - c:\program files\Google\Google Talk\googletalk.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-wclock - c:\documents and settings\bwaters\Application Data\Google\yfijv17721328.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stub.ocx - O16 -: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C}
hxxp://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab
c:\windows\Downloaded Program Files\stub.inf
FF - ProfilePath - c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\
FF - component: c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 16:13:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1778062971-758770647-2713701779-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:38,f6,b7,95,0d,61,e5,69,3f,54,bd,ce,a2,57,ad,23,1e,07,95,c0,b0,b2,9d,
f8,b9,cd,4d,21,de,24,1d,1f,05,c8,5e,fe,bd,c8,f1,08,e8,85,b1,67,02,62,7a,03,\
"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\ehome\RMSvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\program files\Razer\Lycosa\razertra.exe
c:\windows\system32\wscntfy.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-01-18 16:16:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 21:16:03

Pre-Run: 153,119,903,744 bytes free
Post-Run: 153,166,688,256 bytes free

355 --- E O F --- 2009-01-14 08:02:04














ComboFix log 2

ComboFix 09-01-18.01 - bwaters 2009-01-18 16:37:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1598 [GMT -5:00]
Running from: c:\documents and settings\bwaters\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-18 15:55 . 2009-01-18 15:55 <DIR> d-------- c:\program files\Norton Security Scan
2009-01-18 14:40 . 2009-01-18 14:40 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-18 14:33 . 2009-01-18 14:34 <DIR> d-------- c:\windows\ERUNT
2009-01-18 14:33 . 2009-01-18 15:27 <DIR> d-------- C:\SDFix
2009-01-18 03:41 . 2009-01-18 03:43 <DIR> d-------- c:\windows\system32\Adobe
2009-01-17 22:07 . 2009-01-17 22:07 202,040 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-17 22:07 . 2009-01-17 22:07 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 22:07 . 2009-01-17 22:07 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-17 22:00 . 2009-01-17 22:01 <DIR> d-------- C:\PB
2009-01-16 23:53 . 2009-01-16 23:53 <DIR> d-------- c:\program files\compLexity Demo Player
2009-01-16 12:18 . 2009-01-18 09:31 51,369 --a------ c:\windows\Sysvxd.exe
2009-01-14 20:01 . 2009-01-14 20:01 <DIR> d-------- c:\program files\CEVO
2009-01-14 20:01 . 2007-03-13 20:19 1,017,545 --a------ c:\windows\system32\cpuz.exe
2009-01-14 20:01 . 2006-03-31 17:48 119,056 --a------ c:\windows\system32\reg_c3.exe
2009-01-14 20:01 . 2007-03-13 19:26 73,728 --a------ c:\windows\system32\pv_c3.exe
2009-01-12 14:13 . 2009-01-12 14:13 <DIR> d-------- c:\program files\MSECache
2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\windows\system32\AGEIA
2009-01-11 18:23 . 2009-01-11 18:25 <DIR> d-------- c:\windows\NV26082724.TMP
2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\program files\AGEIA Technologies
2009-01-11 18:23 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb
2009-01-11 16:41 . 2009-01-11 16:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 15:05 . 2009-01-18 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\bwaters\Application Data\Malwarebytes
2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 15:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 15:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 00:08 . 2008-12-26 00:08 1,560,576 --a------ c:\windows\system32\nvcuda.dll
2008-12-26 00:08 . 2008-12-26 00:08 1,253,376 --a------ c:\windows\system32\NvPVEnc.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 20:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 17:42 --------- d-s---w c:\program files\Xfire
2009-01-18 17:40 --------- d-----w c:\program files\mIRC
2009-01-18 03:04 --------- d-----w c:\documents and settings\bwaters\Application Data\Xfire
2009-01-11 23:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-11 22:56 --------- d-----w c:\program files\Symantec
2009-01-11 22:56 --------- d-----w c:\program files\Norton 360
2009-01-11 20:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 20:02 --------- d-----w c:\program files\Google
2009-01-11 20:00 --------- d-----w c:\program files\Apple Software Update
2009-01-11 19:59 --------- d-----w c:\program files\Common Files\Apple
2009-01-02 20:29 --------- d-----w c:\documents and settings\bwaters\Application Data\LimeWire
2008-12-24 02:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-21 22:49 --------- d-----w c:\program files\Diablo II
2008-12-17 16:06 --------- d-----w c:\program files\HLSW
2008-12-11 20:37 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-28 00:18 --------- d-----w c:\program files\Nitto 1320 Legends
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-04-18 02:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-02 18:37 1,388 ----a-w c:\documents and settings\bwaters\Application Data\ViewerApp.dat
2007-03-21 18:39 38,259 ----a-w c:\program files\uninstall.exe
2007-03-16 05:39 2,846,376 ----a-w c:\program files\fraps.exe
2007-03-16 05:37 110,592 ----a-w c:\program files\fraps.dll
2007-03-16 05:36 122,880 ----a-w c:\program files\frapslcd.dll
2006-12-22 04:55 56,832 ----a-w c:\program files\fraps64.dll
2006-12-22 04:55 293,376 ----a-w c:\program files\fraps64.dat
2006-12-21 12:43 11,366 ----a-w c:\program files\changes.txt
2006-12-19 12:59 1,860 ----a-w c:\program files\README.HTM
2008-09-21 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_16.15.15.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 22:32:24 69,632 ----a-w c:\windows\setupupd\temp\wsdueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-18 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2006-12-06 159744]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-29 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-06 15:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 17:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-10 15:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 15:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 15:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 19:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-04-03 15:48 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-09 12:00 1410296 D:\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-02 21:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-05-31 19:48 16208384 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-15 21:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2005-06-06 12:40 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Steam.exe"=
"d:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"d:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-07-22 21888]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-09-28 21920]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-31 24652]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-07-20 22144]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2006-12-30 19020]
S3 tcpip_patcher;tcpip_patcher;\??\c:\program files\Ares\tcpip_patcher.sys --> c:\program files\Ares\tcpip_patcher.sys [?]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [2006-12-30 162900]
S3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [2006-12-31 11596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dee647e-92fe-11dc-96cd-001921585e7b}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-01-18 c:\windows\Tasks\Norton Security Scan for bwaters.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\stub.ocx - O16 -: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C}
hxxp://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab
c:\windows\Downloaded Program Files\stub.inf
FF - ProfilePath - c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\
FF - component: c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 16:38:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1778062971-758770647-2713701779-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:38,f6,b7,95,0d,61,e5,69,3f,54,bd,ce,a2,57,ad,23,1e,07,95,c0,b0,b2,9d,
f8,b9,cd,4d,21,de,24,1d,1f,05,c8,5e,fe,bd,c8,f1,08,e8,85,b1,67,02,62,7a,03,\
"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74
.
Completion time: 2009-01-18 16:40:34
ComboFix-quarantined-files.txt 2009-01-18 21:39:59
ComboFix2.txt 2009-01-18 21:16:31

Pre-Run: 153,172,746,240 bytes free
Post-Run: 153,154,125,824 bytes free

288 --- E O F --- 2009-01-14 08:02:04













GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-18 16:50:22
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A7C51E8

AttachedDevice \FileSystem\Ntfs \Ntfs psdfilter.sys (PSD Filter Driver/HiTRUST)

Device \FileSystem\Fastfat \FatCdrom 8A42C2B8
Device \Driver\usbohci \Device\USBPDO-0 8A5BE790
Device \Driver\NetBT \Device\NetBT_Tcpip_{740880D2-C2C2-43C3-8A59-84596189BADD} 88F4B1E8
Device \Driver\usbehci \Device\USBPDO-1 8A5CC1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7C71E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7C71E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7C71E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7C71E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7561E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7561E8
Device \Driver\Cdrom \Device\CdRom0 8A5141E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A7561E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88F4B1E8
Device \Driver\NetBT \Device\NetbiosSmb 88F4B1E8
Device \Driver\USBSTOR \Device\00000094 89CBB790
Device \Driver\USBSTOR \Device\00000095 89CBB790
Device \Driver\USBSTOR \Device\00000088 89CBB790
Device \Driver\USBSTOR \Device\00000096 89CBB790
Device \Driver\USBSTOR \Device\00000097 89CBB790
Device \Driver\usbohci \Device\USBFDO-0 8A5BE790
Device \Driver\usbehci \Device\USBFDO-1 8A5CC1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88ECC1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88ECC1E8
Device \Driver\Ftdisk \Device\FtControl 8A7561E8
Device \FileSystem\Fastfat \Fat 8A42C2B8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat psdfilter.sys (PSD Filter Driver/HiTRUST)

Device \FileSystem\Cdfs \Cdfs 8A403790

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

---- EOF - GMER 1.0.14 ----

#6
sjb007
Posted 19 January 2009 - 08:02 AM

    Advanced Member

  • Experts
  • PipPipPip
  • 117 posts
  • Gender:Male
  • Location:UK
Hi there

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Quote

File::
c:\windows\system32\prunnet.exe

FileLook::
c:\windows\setupupd\temp\wsdueng.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"=-

- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.

Posted Image

Combofix will then execute the script and produce a fresh log.

Next......

Download and scan with CCleaner Slim
1.Double click the file and install ccleaner

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Next......

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:
Posted Image

**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post back in your next reply with the log from combofix and the kaspersky results
Patience is a Virtue
Member of ASAP & UNITE

#7
Havenw
Posted 19 January 2009 - 08:33 PM

    New Member

  • Members
  • Pip
  • 11 posts
Alright. Kaspersky took over 2 hours but it's finally done.

I did all three things. Here's the combofix log.


ComboFix 09-01-19.01 - bwaters 2009-01-19 12:43:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1591 [GMT -5:00]
Running from: c:\documents and settings\bwaters\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bwaters\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\prunnet.exe
.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-18 16:41 . 2009-01-18 16:41 250 --a------ c:\windows\gmer.ini
2009-01-18 15:55 . 2009-01-18 18:00 <DIR> d-------- c:\program files\Norton Security Scan
2009-01-18 14:40 . 2009-01-18 14:40 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-18 14:33 . 2009-01-18 14:34 <DIR> d-------- c:\windows\ERUNT
2009-01-18 14:33 . 2009-01-18 15:27 <DIR> d-------- C:\SDFix
2009-01-18 03:41 . 2009-01-18 03:43 <DIR> d-------- c:\windows\system32\Adobe
2009-01-17 22:07 . 2009-01-17 22:07 202,040 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-17 22:07 . 2009-01-17 22:07 137,688 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 22:07 . 2009-01-17 22:07 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-17 22:00 . 2009-01-17 22:01 <DIR> d-------- C:\PB
2009-01-16 23:53 . 2009-01-16 23:53 <DIR> d-------- c:\program files\compLexity Demo Player
2009-01-16 12:18 . 2009-01-18 09:31 51,369 --a------ c:\windows\Sysvxd.exe
2009-01-14 20:01 . 2009-01-14 20:01 <DIR> d-------- c:\program files\CEVO
2009-01-14 20:01 . 2007-03-13 20:19 1,017,545 --a------ c:\windows\system32\cpuz.exe
2009-01-14 20:01 . 2006-03-31 17:48 119,056 --a------ c:\windows\system32\reg_c3.exe
2009-01-14 20:01 . 2007-03-13 19:26 73,728 --a------ c:\windows\system32\pv_c3.exe
2009-01-12 14:13 . 2009-01-12 14:13 <DIR> d-------- c:\program files\MSECache
2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\windows\system32\AGEIA
2009-01-11 18:23 . 2009-01-11 18:25 <DIR> d-------- c:\windows\NV26082724.TMP
2009-01-11 18:23 . 2009-01-11 18:23 <DIR> d-------- c:\program files\AGEIA Technologies
2009-01-11 18:23 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb
2009-01-11 16:41 . 2009-01-11 16:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 15:05 . 2009-01-18 15:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\bwaters\Application Data\Malwarebytes
2009-01-11 15:05 . 2009-01-11 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 15:05 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 15:05 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 00:08 . 2008-12-26 00:08 1,560,576 --a------ c:\windows\system32\nvcuda.dll
2008-12-26 00:08 . 2008-12-26 00:08 1,253,376 --a------ c:\windows\system32\NvPVEnc.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 08:19 --------- d-----w c:\program files\mIRC
2009-01-18 23:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 17:42 --------- d-s---w c:\program files\Xfire
2009-01-18 03:04 --------- d-----w c:\documents and settings\bwaters\Application Data\Xfire
2009-01-11 23:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-11 22:56 --------- d-----w c:\program files\Symantec
2009-01-11 22:56 --------- d-----w c:\program files\Norton 360
2009-01-11 20:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 20:02 --------- d-----w c:\program files\Google
2009-01-11 20:00 --------- d-----w c:\program files\Apple Software Update
2009-01-11 19:59 --------- d-----w c:\program files\Common Files\Apple
2009-01-02 20:29 --------- d-----w c:\documents and settings\bwaters\Application Data\LimeWire
2008-12-24 02:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-21 22:49 --------- d-----w c:\program files\Diablo II
2008-12-17 16:06 --------- d-----w c:\program files\HLSW
2008-12-11 20:37 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-28 00:18 --------- d-----w c:\program files\Nitto 1320 Legends
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-04-18 02:00 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-02 18:37 1,388 ----a-w c:\documents and settings\bwaters\Application Data\ViewerApp.dat
2007-03-21 18:39 38,259 ----a-w c:\program files\uninstall.exe
2007-03-16 05:39 2,846,376 ----a-w c:\program files\fraps.exe
2007-03-16 05:37 110,592 ----a-w c:\program files\fraps.dll
2007-03-16 05:36 122,880 ----a-w c:\program files\frapslcd.dll
2006-12-22 04:55 56,832 ----a-w c:\program files\fraps64.dll
2006-12-22 04:55 293,376 ----a-w c:\program files\fraps64.dat
2006-12-21 12:43 11,366 ----a-w c:\program files\changes.txt
2006-12-19 12:59 1,860 ----a-w c:\program files\README.HTM
2008-09-21 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- c:\windows\setupupd\temp\wsdueng.dll ----
Company: Microsoft Corporation
File Description: Windows Update Dynamic Update Engine
File Version: 5.4.2517.0 (main.010713-1717)
Product Name: Microsoftr Windowsr Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: wsdueng.dll
MD5: 3eb0f65bc9220b25f9234afe0e43df87


((((((((((((((((((((((((((((( snapshot@2009-01-18_16.15.15.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-18 21:41:43 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2001-07-14 22:32:24 69,632 ----a-w c:\windows\setupupd\temp\wsdueng.dll
+ 2009-01-18 21:41:43 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-01-19 17:23:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_c30.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-18 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2006-12-06 159744]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-29 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bwaters^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\bwaters\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-06 15:50 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 17:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-10 15:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 15:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 15:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 19:15 45056 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 15:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-04-03 15:48 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-09 12:00 1410296 D:\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-02 21:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-05-31 19:48 16208384 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-15 21:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2005-06-06 12:40 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Steam.exe"=
"d:\\steamapps\\surfinpipe4ever@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\steamapps\\surfinpipe4ever@aol.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"d:\\steamapps\\COMMON\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-07-22 21888]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-09-28 21920]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-31 24652]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-07-20 22144]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2006-12-30 19020]
S3 tcpip_patcher;tcpip_patcher;\??\c:\program files\Ares\tcpip_patcher.sys --> c:\program files\Ares\tcpip_patcher.sys [?]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [2006-12-30 162900]
S3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [2006-12-31 11596]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dee647e-92fe-11dc-96cd-001921585e7b}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-01-19 c:\windows\Tasks\Norton Security Scan for bwaters.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://pegasusauth04.pearsoncmg.com/webwiz/s/stub.cab
FF - ProfilePath - c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\
FF - component: c:\documents and settings\bwaters\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 12:45:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1778062971-758770647-2713701779-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:38,f6,b7,95,0d,61,e5,69,3f,54,bd,ce,a2,57,ad,23,1e,07,95,c0,b0,b2,9d,
f8,b9,cd,4d,21,de,24,1d,1f,05,c8,5e,fe,bd,c8,f1,08,e8,85,b1,67,02,62,7a,03,\
"??"=hex:e2,3f,91,cd,32,a8,84,a4,d8,71,37,a7,c0,27,0e,74
.
Completion time: 2009-01-19 12:46:46
ComboFix-quarantined-files.txt 2009-01-19 17:46:11
ComboFix2.txt 2009-01-18 21:16:31

Pre-Run: 152,861,212,672 bytes free
Post-Run: 152,889,839,616 bytes free

303 --- E O F --- 2009-01-14 08:02:04










Here's the Kaspersky report.


*KASPERSKY ONLINE SCANNER 7 REPORT*
Monday, January 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3
(build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 19, 2009 17:10:23
Records in database: 1648886

*Scan settings*
Scan using the following database extended
Scan archives yes
Scan mail databases yes
*Scan area* My Computer
C:\
D:\
E:\
G:\
H:\
I:\
J:\
*Scan statistics*
Files scanned 121838
Threat name 8
Infected objects 12
Suspicious objects 0
Duration of the scan 02:06:37


*File name* *Threat name* *Threats count*
C:\Documents and Settings\bwaters\Desktop\trucks\DiabloHackPack.zip
Infected: not-a-virus:AdWare.Win32.Maxifiles.ad 3
C:\Program Files\mIRC\mirc.exe Infected:
not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\Xfire\downloads\goodgame_eswc_2005_us.rar Infected:
IM-Flooder.Win32.VB.dn 2
C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Agent.bdfu 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.blh 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.asz 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.TDSS.atb 1
C:\SDFix\backups\catchme.zip Infected: Rootkit.Win32.TDSS.dbg 1
D:\downloads\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
* The selected area was scanned.*

#8
sjb007
Posted 20 January 2009 - 08:21 AM

    Advanced Member

  • Experts
  • PipPipPip
  • 117 posts
  • Gender:Male
  • Location:UK
Hi there

Please download OTMoveIt3 by OldTimer.

Save it to your desktop.
Double-click on OTMoveIt3.exe

Using notepad copy the lines in the codebox below:

Quote

:Processes
explorer.exe

:Services

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

:Files
c:\windows\system32\prunnet.exe
C:\Documents and Settings\bwaters\Desktop\trucks\DiabloHackPack.zip
C:\Program Files\Xfire\downloads\goodgame_eswc_2005_us.rar
C:\SDFix\backups\backups.zip

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

Post back the results and let me know how things are running now
Patience is a Virtue
Member of ASAP & UNITE

#9
Havenw
Posted 20 January 2009 - 01:39 PM

    New Member

  • Members
  • Pip
  • 11 posts
It seems to be running fine since a little bit ago (around the time we did combofix and stuff I think)



How do you stop windows from asking you to run the recovery console (say unless you want to). It keep asking to choose between windows xp and the recovery console on start up.


Here's the OTMoveIt log.



========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-\\ deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\prunnet.exe not found.
C:\Documents and Settings\bwaters\Desktop\trucks\DiabloHackPack.zip moved successfully.
C:\Program Files\Xfire\downloads\goodgame_eswc_2005_us.rar moved successfully.
C:\SDFix\backups\backups.zip moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\bwaters\LOCALS~1\Temp\etilqs_QlaWe6TH6MON025OMrIT scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\bwaters\LOCALS~1\Temp\~DF6A82.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6ec.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01202009_083339

Files moved on Reboot...
File C:\DOCUME~1\bwaters\LOCALS~1\Temp\etilqs_QlaWe6TH6MON025OMrIT not found!
C:\DOCUME~1\bwaters\LOCALS~1\Temp\~DF6A82.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_6ec.dat not found!
C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\bwaters\Local Settings\Application Data\Mozilla\Firefox\Profiles\h57av97j.default\XUL.mfl moved successfully.

#10
sjb007
Posted 20 January 2009 - 11:50 PM

    Advanced Member

  • Experts
  • PipPipPip
  • 117 posts
  • Gender:Male
  • Location:UK
Hi there

Things are looking better.

Quote

How do you stop windows from asking you to run the recovery console (say unless you want to).

The recovery console option should only show for 2 seconds, if you wish to delete the recovery console option then we can run through the necessary steps to do so. Reply and let me know whether you wish to keep it or not.
Patience is a Virtue
Member of ASAP & UNITE

#11
Havenw
Posted 21 January 2009 - 01:08 AM

    New Member

  • Members
  • Pip
  • 11 posts
I'll keep it around for now.

Anything else we need to do?

#12
sjb007
Posted 21 January 2009 - 07:35 AM

    Advanced Member

  • Experts
  • PipPipPip
  • 117 posts
  • Gender:Male
  • Location:UK
HI

Lets tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there
Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. check what it wants to allow, do not simply allow everything, If there is any processes that you are unsure of then dont be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of active x objects, active x objects can be used by spyware as an infection point on your computer. Safer non active x browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan on demand and do not have active back ground scanning. These two products can be installed together without any complications.

Other alternative software that runs under licience and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run as free without a licience but the background protection will not be active.

Secure your router
Change your routers default username and password, do not leave it at factory preset, doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preveting malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.
Patience is a Virtue
Member of ASAP & UNITE

#13
Havenw
Posted 22 January 2009 - 12:56 AM

    New Member

  • Members
  • Pip
  • 11 posts
We're done.

Thanks for all the help.

#14
sjb007
Posted 22 January 2009 - 07:50 AM

    Advanced Member

  • Experts
  • PipPipPip
  • 117 posts
  • Gender:Male
  • Location:UK
Not a problem, only too glad to help

I will now discontinue monitoring this thread for replies. Should you require any further assistance please start a new topic in the relevant section of the forums

Good luck and happy safe surfing!
Patience is a Virtue
Member of ASAP & UNITE
Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us