Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unable to complete spyware scans ... computer freezes [CLOSED]


  • This topic is locked This topic is locked

#1
HackedCactus

HackedCactus

    Member

  • Member
  • PipPip
  • 12 posts
Hi

My computer freezes everytime I try to scan for adware or viruses. Norton AntiVirus 2007 (with the latest definitions) Ad-aware SE 2007, Spybot Search and Destroy v1.5.2 and Spyware Terminator all freeze during the scanning process. At first I can still move my mouse and it just looks like 100% of the systems resources are being used and slowing down my computer, but then after 20 seconds or so the mouse and the whole computer freezes and I need to push restart. With all the scans it never freezes on the same file although, more often than not, scanning the registry causes the freeze (although I've tried scans excluding the registry and the computer still froze). It just seems to be the scanning process that causes the freeze.

I've cleaned my registry using registry mechanic but that didn't seem to help.
I've tried CC Cleaner too but the scan also froze whilst analysing.

I have something nasty lurking. Please help!

My computer specs are:
AMD Athlon 3200+ 2GHz
1GB DDR RAM
80GB Hard drive
NVidia GeForce 7300 GT Graphics Card

Windows XP SP2

My Hijack This log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:59 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\DAP\DAP.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\PowerISO\PWRISOVM.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\Rundll32.exe
F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\MagicDisc\MagicDisc.exe
F:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRTCLK] F:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] "F:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] F:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AsusStartupHelp] F:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe
O4 - HKLM\..\Run: [NSLauncher] F:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [f00473b8] rundll32.exe "F:\WINDOWS\system32\umrcmfhh.dll",b
O4 - HKLM\..\Run: [BMcb8f2231] Rundll32.exe "F:\WINDOWS\system32\mahbgxtk.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [MySpaceIM] F:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] F:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Image Converter 2 ??? - F:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1192940351187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1190990934437
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://leadfootcruis...ad/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0391709E-0C6D-4F3E-924A-C8134E53B332}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFE419BD-CD8F-4910-B2F2-1F471FAC0F9C}: NameServer = 192.168.2.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10036 bytes

Edited by greyknight17, 11 May 2008 - 08:31 PM.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

See if you have better luck running the below two programs. If you have problem running the first one, try using the second one.

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
HackedCactus

HackedCactus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for your reply Greyknight17.

I performed a scan with Malwarebytes ' Anti-Malware. I had some partial success. My hard drive is partitioned into a C drive and a F drive (which contains my active Windows XP installation). Scanning C drive completed successfully and detected a number of threats which were subsequently deleted. One of the threats detected was the Vundo/Winfixer trojan. Everytime I tried to scan the F drive (even in safe mode) the program freezed on me. It often freezed while scanning the Windows folder or the Local Settings folder.

Here' the Malwarebytes ' Anti-Malware log for the scan on C (which is the only scan which would complete):


Malwarebytes' Anti-Malware 1.11
Database version: 669

Scan type: Full Scan (C:\|)
Objects scanned: 67072
Time elapsed: 33 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
F:\WINDOWS\system32\rvwxdyot.dll (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\urqNeeDW.dll (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\__c0059A9C.dat (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d7f67b2-ac46-46ab-8e50-c707ee3de0f0} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0d7f67b2-ac46-46ab-8e50-c707ee3de0f0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0059a9c (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMcb8f2231 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: f:\windows\system32\urqneedw -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: f:\windows\system32\urqneedw -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\rvwxdyot.dll (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\toydxwvr.ini (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\urqNeeDW.dll (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\WDeeNqru.ini (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\WDeeNqru.ini2 (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\ntkkgxuo.dll (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\__c0059A9C.dat (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\__c00772E9.dat (Trojan.Agent) -> No action taken.

--------------------------------------

Some of the infected files could only be deleted on restart. I restarted and ran the scan on C again. It detected 4 infected files which I subsequently deleted. Here is the log:

Malwarebytes' Anti-Malware 1.11
Database version: 669

Scan type: Full Scan (C:\|)
Objects scanned: 67233
Time elapsed: 31 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\rvwxdyot.dll (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\toydxwvr.ini (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\urqNeeDW.dll (Trojan.Vundo) -> No action taken.
F:\WINDOWS\system32\WDeeNqru.ini (Trojan.Vundo) -> No action taken.

-------------------------------------------------

After restarting and scanning again Malewarebytes' Anti-Malware did not find any problems. I then launched ComboFix. Here's the log:


ComboFix 08-04-20.5 - Pablo 2008-04-23 15:07:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.546 [GMT 9.5:30]
Running from: F:\Documents and Settings\Pablo\My Documents\ComboFix.exe
Command switches used :: F:\Documents and Settings\Pablo\My Documents\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\pskt.ini
F:\WINDOWS\rs.txt
F:\WINDOWS\system32\ameyrhpp.dll
F:\WINDOWS\system32\fccyvSKa.dll
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\ntduiqss.dll
F:\WINDOWS\system32\ntkkgxuo.dll
F:\WINDOWS\system32\oryakqen.dll
F:\WINDOWS\system32\vcqkqsen.dll
F:\WINDOWS\system32\xsiotcct.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 14:48 . 2008-04-23 12:01 212,992 --a------ F:\WINDOWS\wdpoefan.dll
2008-04-23 14:48 . 2008-04-23 12:01 212,992 --a------ F:\WINDOWS\qnmargolwdn.dll
2008-04-23 14:48 . 2008-04-23 12:01 167,936 --a------ F:\WINDOWS\vadokmxt.dll
2008-04-23 14:48 . 2008-04-23 12:01 151,552 --a------ F:\WINDOWS\dpevflbg.dll
2008-04-23 14:48 . 2008-04-23 12:01 94,208 --a------ F:\WINDOWS\olgdqarf.exe
2008-04-23 14:48 . 2008-04-23 12:01 81,920 --a------ F:\WINDOWS\wxvgsdbq.exe
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Malwarebytes
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 19:14 . 2008-04-22 18:46 878 ---hs---- F:\WINDOWS\system32\syyyoufw.ini
2008-04-20 15:44 . 2008-04-22 19:12 109,748 --a------ F:\WINDOWS\BMcb8f2231.xml
2008-04-20 15:44 . 2008-04-21 18:58 474 ---hs---- F:\WINDOWS\system32\hhfmcrmu.ini
2008-04-18 22:50 . 2008-04-18 22:50 <DIR> d-------- F:\Program Files\CCleaner
2008-04-18 22:08 . 2008-04-18 22:08 <DIR> d-------- F:\Program Files\VS Revo Group
2008-04-14 23:34 . 2007-11-14 09:02 43,090,956 --a------ F:\nfs.exe
2008-04-14 01:06 . 2004-08-03 23:08 25,600 --a------ F:\WINDOWS\system32\drivers\usbser.sys
2008-04-14 01:06 . 2004-08-03 23:08 25,600 --a--c--- F:\WINDOWS\system32\dllcache\usbser.sys
2008-04-14 01:06 . 2008-04-14 01:06 0 --ah----- F:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-14 01:06 . 2008-04-14 01:06 0 --ah----- F:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-14 00:57 . 2007-11-29 10:33 1,419,232 --a------ F:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-04-14 00:57 . 2008-02-01 15:17 138,112 --a------ F:\WINDOWS\system32\drivers\nmwcdnsu.sys
2008-04-14 00:57 . 2007-11-29 10:39 95,744 --a------ F:\WINDOWS\system32\nmwcdcocls.dll
2008-04-14 00:57 . 2007-11-29 10:39 19,328 --a------ F:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-04-14 00:57 . 2007-11-29 10:39 16,896 --a------ F:\WINDOWS\system32\drivers\ccdcmb.sys
2008-04-14 00:57 . 2008-02-01 15:17 8,320 --a------ F:\WINDOWS\system32\drivers\nmwcdnsuc.sys
2008-04-14 00:57 . 2007-11-29 10:39 8,064 --a------ F:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-04-14 00:57 . 2007-11-29 10:39 8,064 --a------ F:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-04-14 00:56 . 2008-04-14 00:56 <DIR> d-------- F:\Program Files\Common Files\Nokia
2008-04-14 00:53 . 2008-04-14 00:53 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Installations
2008-04-13 17:21 . 2008-04-13 17:21 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\vlc
2008-04-13 17:20 . 2008-04-13 17:20 <DIR> d-------- F:\Program Files\VideoLAN
2008-04-13 01:48 . 2008-04-13 01:48 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Leadertech
2008-04-12 12:28 . 2008-04-12 12:34 <DIR> d-------- F:\Program Files\Incoming
2008-04-12 02:22 . 2008-04-12 03:13 6,918,048 --a------ F:\NVE2D.tmp
2008-04-12 02:22 . 2008-04-12 02:22 2,928 --a------ F:\NVE2C.tmp
2008-04-10 22:27 . 2008-04-10 22:27 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\THQ
2008-04-10 21:43 . 2008-04-10 21:43 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-08 22:33 . 2008-04-08 22:33 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\NSeries
2008-04-08 22:16 . 2008-04-08 22:23 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\ROUTE 66 Sync
2008-04-08 19:40 . 2008-04-08 19:45 <DIR> d-------- F:\Program Files\Windows Live
2008-04-08 19:40 . 2008-04-08 19:44 <DIR> d--hsc--- F:\Program Files\Common Files\WindowsLiveInstaller
2008-04-08 19:40 . 2008-04-08 19:40 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-08 00:27 . 2008-04-21 23:47 151,388 --a------ F:\Documents and Settings\Pablo\Application Data\NMM-MetaData.db
2008-04-07 23:59 . 2008-04-07 23:59 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\AdobeAUM
2008-04-07 23:08 . 2008-04-07 23:08 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Nokia
2008-04-07 23:01 . 2008-04-07 23:01 <DIR> d-------- F:\Program Files\SimpleCenter
2008-04-07 23:01 . 2008-04-07 23:01 <DIR> d-------- F:\Program Files\Common Files\i4j_jres
2008-04-07 23:00 . 2008-04-07 23:11 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Nokia
2008-04-07 23:00 . 2008-04-07 23:58 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-07 22:59 . 2008-04-07 22:59 <DIR> d-------- F:\Program Files\Common Files\PCSuite
2008-04-07 22:58 . 2008-04-07 22:58 <DIR> d-------- F:\Program Files\PC Connectivity Solution
2008-04-07 22:58 . 2008-04-14 00:57 <DIR> d-------- F:\Program Files\Nokia
2008-04-07 22:58 . 2008-04-07 22:58 <DIR> d-------- F:\Program Files\DIFX
2008-04-07 22:58 . 2008-04-07 23:01 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\PC Suite
2008-04-07 22:58 . 2008-02-01 15:17 90,624 --a------ F:\WINDOWS\system32\nmwcdcls.dll
2008-04-07 02:58 . 2008-04-07 03:31 4,520,784 --a------ F:\NVE2A.tmp
2008-04-07 01:30 . 2008-04-07 01:55 3,623,232 --a------ F:\NVE27.tmp
2008-04-07 01:30 . 2008-04-07 01:30 2,928 --a------ F:\NVE26.tmp
2008-04-07 01:30 . 2008-04-07 01:30 2,928 --a------ F:\NVE25.tmp
2008-04-04 04:00 . 2008-04-04 04:42 6,157,152 --a------ F:\NVE10.tmp
2008-04-04 02:02 . 2008-04-04 04:00 5,249,664 --a------ F:\NVEC.tmp
2008-04-04 02:02 . 2008-04-04 02:02 2,928 --a------ F:\NVEB.tmp
2008-04-04 02:02 . 2008-04-04 02:02 2,928 --a------ F:\NVEA.tmp
2008-04-02 01:21 . 2008-04-02 02:16 7,293,936 --a------ F:\NVE3E.tmp
2008-04-02 01:21 . 2008-04-02 01:21 2,928 --a------ F:\NVE3D.tmp
2008-04-02 01:20 . 2008-04-02 01:20 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\DivX
2008-04-01 01:33 . 2008-04-01 01:33 <DIR> d-------- F:\Program Files\Trend Micro
2008-03-29 02:42 . 2008-03-29 04:23 4,166,448 --a------ F:\NVE22.tmp
2008-03-29 01:03 . 2008-03-29 02:42 4,092,672 --a------ F:\NVE1E.tmp
2008-03-29 01:03 . 2008-03-29 01:03 2,928 --a------ F:\NVE1D.tmp
2008-03-29 01:03 . 2008-03-29 01:03 2,928 --a------ F:\NVE1C.tmp
2008-03-28 22:21 . 2008-03-28 22:25 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-23 20:20 . 2008-03-23 20:22 <DIR> d-------- F:\Program Files\Spyware Terminator
2008-03-23 20:20 . 2008-03-24 11:52 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Spyware Terminator
2008-03-23 20:20 . 2008-03-23 20:20 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-23 20:20 . 2008-03-23 20:20 138,752 --a------ F:\WINDOWS\system32\drivers\sp_rsdrv2.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 05:40 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-04-21 15:00 --------- d-----w F:\Program Files\Incomplete
2008-04-21 13:58 --------- d-----w F:\Program Files\LimeWire
2008-04-21 12:03 --------- d-----w F:\Documents and Settings\Pablo\Application Data\LimeWire
2008-04-20 08:34 22,328 ----a-w F:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-20 08:34 103,736 ----a-w F:\WINDOWS\system32\PnkBstrB.exe
2008-04-20 07:36 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Azureus
2008-04-17 14:41 --------- d-----w F:\Program Files\Azureus
2008-04-16 13:14 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-16 13:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 12:18 66,872 ----a-w F:\WINDOWS\system32\PnkBstrA.exe
2008-04-12 08:32 --------- d-----w F:\Program Files\Electronic Arts
2008-04-12 04:19 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-04-11 11:06 --------- d-----w F:\Program Files\Common Files\Adobe
2008-04-10 11:53 --------- d-----w F:\Program Files\THQ
2008-04-10 11:53 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-04-07 14:43 --------- d-----w F:\Documents and Settings\Pablo\Application Data\AdobeUM
2008-03-30 12:51 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Hamachi
2008-03-24 22:44 --------- d-----w F:\Documents and Settings\All Users\Application Data\Symantec
2008-03-24 04:43 --------- d-----w F:\Program Files\Ubisoft
2008-03-23 10:10 --------- d-----w F:\Program Files\Webteh
2008-03-23 10:10 --------- d-----w F:\Documents and Settings\Pablo\Application Data\BSplayer
2008-03-21 13:30 --------- d-----w F:\Program Files\ASUS
2008-03-13 09:20 --------- d-----w F:\Program Files\Sierra Online
2008-03-13 05:38 --------- d-----w F:\Documents and Settings\Pablo\Application Data\uTorrent
2008-03-06 11:02 706 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 11:02 23,904 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 11:02 10,537 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-05 15:16 --------- d-----w F:\Program Files\eMule
2008-02-24 06:44 691,545 ----a-w F:\WINDOWS\unins000.exe
2008-02-02 12:48 87,608 ----a-w F:\Documents and Settings\Pablo\Application Data\inst.exe
2008-02-02 12:48 47,360 ----a-w F:\Documents and Settings\Pablo\Application Data\pcouffin.sys
2007-12-13 03:40 6,177,423,528 ----a-w F:\Program Files\Need for speed Prostreet Iso.nrg
2007-11-21 12:51 22,328 ----a-w F:\Documents and Settings\Pablo\Application Data\PnkBstrK.sys
.
<pre>
----a-w		17,529,400 2007-10-04 17:06:45  F:\Documents and Settings\Pablo\My Documents\Downloads\Sony Image Converter 2 .exe
</pre>


------- Sigcheck -------

2007-12-04 22:36 360576 e7dfcffa380749b8626ad71e8f367dcb F:\WINDOWS\system32\dllcache\TCPIP.SYS
2007-12-04 22:36 360576 e7dfcffa380749b8626ad71e8f367dcb F:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F}]
2008-04-23 12:01 212992 --a------ F:\WINDOWS\qnmargolwdn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}"= "F:\WINDOWS\dpevflbg.dll" [2008-04-23 12:01 151552]

[HKEY_CLASSES_ROOT\clsid\{547d68a0-5da7-46a9-af9a-af8e80321f8c}]
[HKEY_CLASSES_ROOT\dpevflbg.1]
[HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}]
[HKEY_CLASSES_ROOT\dpevflbg]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]
"DAEMON Tools Lite"="F:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 21:35 486856]
"MySpaceIM"="F:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 11:17 8720384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-11-09 10:38 532480]
"NVRTCLK"="F:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 19:14 24576]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 F:\WINDOWS\system32\nwiz.exe]
"DownloadAccelerator"="F:\Program Files\DAP\DAP.exe" [2006-08-03 16:42 2864276]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 19:50 77824 F:\WINDOWS\SOUNDMAN.EXE]
"PWRISOVM.EXE"="F:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 09:35 200704]
"ccApp"="F:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 03:04 84640]
"osCheck"="F:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22 26248]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Symantec PIF AlertEng"="F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 18:51 583048]
"AsusStartupHelp"="F:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe" [2006-11-14 13:25 363008]
"NSLauncher"="F:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-10-01 19:59 3104768]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"f00473b8"="F:\WINDOWS\system32\rvwxdyot.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:26 15360]
"MySpaceIM"="F:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 11:17 8720384]

F:\Documents and Settings\Pablo\Start Menu\Programs\Startup\
MagicDisc.lnk - F:\Program Files\MagicDisc\MagicDisc.exe [2007-09-08 21:32:23 557568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"= {88D064D1-CF7D-48DE-B97E-B43952A1B06C} - F:\WINDOWS\wdpoefan.dll [2008-04-23 12:01 212992]
"vadokmxt"= {4A3E20C0-18A1-4097-8A15-0094056084CB} - F:\WINDOWS\vadokmxt.dll [2008-04-23 12:01 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xsiotcct]
xsiotcct.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 11:28 139264 F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-19 11:17 8720384 F:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"F:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"F:\\Program Files\\eMule\\eMule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\Program Files\\DAP\\DAP.exe"=
"F:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Azureus\\Azureus.exe"=
"F:\\WINDOWS\\system32\\PnkBstrA.exe"=
"F:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Teamspeak2_RC2 Server\\server_windows.exe"=
"C:\\Program Files\\CoH Opposing Fronts\\RelicCOH.exe"=
"F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"F:\\Program Files\\Sierra Online\\Red Baron Arcade\\Red Baron Arcade.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"F:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"F:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"F:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"F:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;F:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 12:12]
S3 FileObjInfo;STFileDriver;F:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-03-23 20:20]
S3 k600bus;Sony Ericsson 600i driver (WDM);F:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 20:42]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 20:42]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;F:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 20:42]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;F:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 20:42]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;F:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 20:42]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;F:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;F:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 PCASp50;PCASp50 NDIS Protocol Driver;F:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 upperdev;upperdev;F:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;F:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 10:30:11 F:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Pablo.job"
- F:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 15:11:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\explorer.exe
-> F:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
F:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
F:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
F:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
F:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-23 15:17:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 05:47:01

Pre-Run: 3,853,774,848 bytes free
Post-Run: 5,968,527,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

297 --- E O F --- 2007-08-23 10:21:46

-------------------------------------------------------------------------

After this, I attempted to run VundoFix (from http://www.softpedia.../VundoFix.shtml and http://www.majorgeek...nload4954.html) but scans with VundoFix froze my computer everytime mid-scan. I also tried two full-system scans with Norton-Antivirus 2007. Both scans caused my computer to shut down and restart automatically mid-scan. An anti-spyware scan with Lavasoft Ad-aware also still freezes mid-scan. There's still something nasty in there!
  • 0

#4
HackedCactus

HackedCactus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Oh yeah .. and this is my latest HijackThis log which was taken after all the scanning described above:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:43 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\PowerISO\PWRISOVM.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
F:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
F:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
F:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
F:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRTCLK] F:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] "F:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] F:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AsusStartupHelp] F:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe
O4 - HKLM\..\Run: [NSLauncher] F:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [MySpaceIM] F:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] F:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Image Converter 2 ??? - F:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1192940351187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1190990934437
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://leadfootcruis...ad/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0391709E-0C6D-4F3E-924A-C8134E53B332}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFE419BD-CD8F-4910-B2F2-1F471FAC0F9C}: NameServer = 192.168.2.1
O20 - Winlogon Notify: xsiotcct - xsiotcct.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINDOWS\privacy_danger\index.htm

--
End of file - 10366 bytes
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Do you know what F:\nfs.exe is used for? If not, delete it.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
File::
F:\WINDOWS\wdpoefan.dll
F:\WINDOWS\qnmargolwdn.dll
F:\WINDOWS\vadokmxt.dll
F:\WINDOWS\dpevflbg.dll
F:\WINDOWS\olgdqarf.exe
F:\WINDOWS\wxvgsdbq.exe
F:\WINDOWS\system32\syyyoufw.ini
F:\WINDOWS\BMcb8f2231.xml
F:\WINDOWS\system32\hhfmcrmu.ini
F:\NVE2D.tmp
F:\NVE2C.tmp
F:\NVE2A.tmp
F:\NVE27.tmp
F:\NVE26.tmp
F:\NVE25.tmp
F:\NVE10.tmp
F:\NVEC.tmp
F:\NVEB.tmp
F:\NVEA.tmp
F:\NVE3E.tmp
F:\NVE3D.tmp
F:\NVE22.tmp
F:\NVE1E.tmp
F:\NVE1D.tmp
F:\NVE1C.tmp
F:\WINDOWS\qnmargolwdn.dll
F:\WINDOWS\dpevflbg.dll
F:\WINDOWS\vadokmxt.dll
F:\WINDOWS\wdpoefan.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}"=-
[-HKEY_CLASSES_ROOT\clsid\{547d68a0-5da7-46a9-af9a-af8e80321f8c}]
[-HKEY_CLASSES_ROOT\dpevflbg.1]
[-HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}]
[-HKEY_CLASSES_ROOT\dpevflbg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f00473b8"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"=-
"vadokmxt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xsiotcct]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running now?
  • 0

#6
HackedCactus

HackedCactus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
OK. I am getting less random error messages now but my spyware and anti-virus scans are still freezing.

First I ran the HijackThis scan.

nfs.exe belongs to the game Need For Speed and is harmless.

The following entry was no longer present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2

This entry was present and was deleted using fix checked:
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Dragging CFScript over ComboFix produced the following log:

ComboFix 08-04-20.5 - Pablo 2008-04-26 16:14:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.572 [GMT 9.5:30]
Running from: F:\Documents and Settings\Pablo\My Documents\ComboFix.exe
Command switches used :: F:\Documents and Settings\Pablo\My Documents\CFScript.txt
* Created a new restore point

FILE ::
F:\NVE10.tmp
F:\NVE1C.tmp
F:\NVE1D.tmp
F:\NVE1E.tmp
F:\NVE22.tmp
F:\NVE25.tmp
F:\NVE26.tmp
F:\NVE27.tmp
F:\NVE2A.tmp
F:\NVE2C.tmp
F:\NVE2D.tmp
F:\NVE3D.tmp
F:\NVE3E.tmp
F:\NVEA.tmp
F:\NVEB.tmp
F:\NVEC.tmp
F:\WINDOWS\BMcb8f2231.xml
F:\WINDOWS\dpevflbg.dll
F:\WINDOWS\olgdqarf.exe
F:\WINDOWS\qnmargolwdn.dll
F:\WINDOWS\system32\hhfmcrmu.ini
F:\WINDOWS\system32\syyyoufw.ini
F:\WINDOWS\vadokmxt.dll
F:\WINDOWS\wdpoefan.dll
F:\WINDOWS\wxvgsdbq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\Pablo\Application Data\inst.exe
F:\NVE10.tmp
F:\NVE1C.tmp
F:\NVE1D.tmp
F:\NVE1E.tmp
F:\NVE22.tmp
F:\NVE25.tmp
F:\NVE26.tmp
F:\NVE27.tmp
F:\NVE2A.tmp
F:\NVE2C.tmp
F:\NVE2D.tmp
F:\NVE3D.tmp
F:\NVE3E.tmp
F:\NVEA.tmp
F:\NVEB.tmp
F:\NVEC.tmp
F:\WINDOWS\BMcb8f2231.xml
F:\WINDOWS\system32\hhfmcrmu.ini
F:\WINDOWS\system32\syyyoufw.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-23 17:22 . 2008-04-23 17:22 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Malwarebytes
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-18 22:50 . 2008-04-18 22:50 <DIR> d-------- F:\Program Files\CCleaner
2008-04-18 22:08 . 2008-04-18 22:08 <DIR> d-------- F:\Program Files\VS Revo Group
2008-04-14 23:34 . 2007-11-14 09:02 43,090,956 --a------ F:\nfs.exe
2008-04-14 01:06 . 2004-08-03 23:08 25,600 --a------ F:\WINDOWS\system32\drivers\usbser.sys
2008-04-14 01:06 . 2004-08-03 23:08 25,600 --a--c--- F:\WINDOWS\system32\dllcache\usbser.sys
2008-04-14 01:06 . 2008-04-14 01:06 0 --ah----- F:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-14 01:06 . 2008-04-14 01:06 0 --ah----- F:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-14 00:57 . 2007-11-29 10:33 1,419,232 --a------ F:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-04-14 00:57 . 2008-02-01 15:17 138,112 --a------ F:\WINDOWS\system32\drivers\nmwcdnsu.sys
2008-04-14 00:57 . 2007-11-29 10:39 95,744 --a------ F:\WINDOWS\system32\nmwcdcocls.dll
2008-04-14 00:57 . 2007-11-29 10:39 19,328 --a------ F:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-04-14 00:57 . 2007-11-29 10:39 16,896 --a------ F:\WINDOWS\system32\drivers\ccdcmb.sys
2008-04-14 00:57 . 2008-02-01 15:17 8,320 --a------ F:\WINDOWS\system32\drivers\nmwcdnsuc.sys
2008-04-14 00:57 . 2007-11-29 10:39 8,064 --a------ F:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-04-14 00:57 . 2007-11-29 10:39 8,064 --a------ F:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-04-14 00:56 . 2008-04-14 00:56 <DIR> d-------- F:\Program Files\Common Files\Nokia
2008-04-14 00:53 . 2008-04-14 00:53 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Installations
2008-04-13 17:21 . 2008-04-13 17:21 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\vlc
2008-04-13 17:20 . 2008-04-13 17:20 <DIR> d-------- F:\Program Files\VideoLAN
2008-04-13 01:48 . 2008-04-13 01:48 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Leadertech
2008-04-12 12:28 . 2008-04-12 12:34 <DIR> d-------- F:\Program Files\Incoming
2008-04-10 22:27 . 2008-04-10 22:27 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\THQ
2008-04-10 21:43 . 2008-04-10 21:43 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-08 22:33 . 2008-04-08 22:33 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\NSeries
2008-04-08 22:16 . 2008-04-08 22:23 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\ROUTE 66 Sync
2008-04-08 19:40 . 2008-04-08 19:45 <DIR> d-------- F:\Program Files\Windows Live
2008-04-08 19:40 . 2008-04-08 19:44 <DIR> d--hsc--- F:\Program Files\Common Files\WindowsLiveInstaller
2008-04-08 19:40 . 2008-04-08 19:40 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-08 00:27 . 2008-04-21 23:47 151,388 --a------ F:\Documents and Settings\Pablo\Application Data\NMM-MetaData.db
2008-04-07 23:59 . 2008-04-07 23:59 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\AdobeAUM
2008-04-07 23:08 . 2008-04-07 23:08 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Nokia
2008-04-07 23:01 . 2008-04-07 23:01 <DIR> d-------- F:\Program Files\SimpleCenter
2008-04-07 23:01 . 2008-04-07 23:01 <DIR> d-------- F:\Program Files\Common Files\i4j_jres
2008-04-07 23:00 . 2008-04-07 23:11 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Nokia
2008-04-07 23:00 . 2008-04-07 23:58 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-07 22:59 . 2008-04-07 22:59 <DIR> d-------- F:\Program Files\Common Files\PCSuite
2008-04-07 22:58 . 2008-04-07 22:58 <DIR> d-------- F:\Program Files\PC Connectivity Solution
2008-04-07 22:58 . 2008-04-14 00:57 <DIR> d-------- F:\Program Files\Nokia
2008-04-07 22:58 . 2008-04-07 22:58 <DIR> d-------- F:\Program Files\DIFX
2008-04-07 22:58 . 2008-04-07 23:01 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\PC Suite
2008-04-07 22:58 . 2008-02-01 15:17 90,624 --a------ F:\WINDOWS\system32\nmwcdcls.dll
2008-04-02 01:20 . 2008-04-02 01:20 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\DivX
2008-04-01 01:33 . 2008-04-01 01:33 <DIR> d-------- F:\Program Files\Trend Micro
2008-03-28 22:21 . 2008-03-28 22:25 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SecTaskMan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 06:48 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-04-26 02:25 --------- d-----w F:\Program Files\Java
2008-04-24 14:57 --------- d-----w F:\Program Files\LimeWire
2008-04-23 14:32 --------- d-----w F:\Program Files\Incomplete
2008-04-23 13:58 --------- d-----w F:\Documents and Settings\Pablo\Application Data\LimeWire
2008-04-20 08:34 22,328 ----a-w F:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-20 08:34 103,736 ----a-w F:\WINDOWS\system32\PnkBstrB.exe
2008-04-20 07:36 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Azureus
2008-04-17 14:41 --------- d-----w F:\Program Files\Azureus
2008-04-16 13:14 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-16 13:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-16 12:18 66,872 ----a-w F:\WINDOWS\system32\PnkBstrA.exe
2008-04-12 08:32 --------- d-----w F:\Program Files\Electronic Arts
2008-04-12 04:19 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-04-11 11:06 --------- d-----w F:\Program Files\Common Files\Adobe
2008-04-10 11:53 --------- d-----w F:\Program Files\THQ
2008-04-10 11:53 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-04-07 14:43 --------- d-----w F:\Documents and Settings\Pablo\Application Data\AdobeUM
2008-03-30 12:51 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Hamachi
2008-03-24 22:44 --------- d-----w F:\Documents and Settings\All Users\Application Data\Symantec
2008-03-24 04:43 --------- d-----w F:\Program Files\Ubisoft
2008-03-24 02:22 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Spyware Terminator
2008-03-23 10:52 --------- d-----w F:\Program Files\Spyware Terminator
2008-03-23 10:50 138,752 ----a-w F:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-23 10:50 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-23 10:10 --------- d-----w F:\Program Files\Webteh
2008-03-23 10:10 --------- d-----w F:\Documents and Settings\Pablo\Application Data\BSplayer
2008-03-21 13:30 --------- d-----w F:\Program Files\ASUS
2008-03-13 09:20 --------- d-----w F:\Program Files\Sierra Online
2008-03-13 05:38 --------- d-----w F:\Documents and Settings\Pablo\Application Data\uTorrent
2008-03-06 11:02 706 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 11:02 23,904 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 11:02 10,537 ----a-w F:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-05 15:16 --------- d-----w F:\Program Files\eMule
2008-02-24 06:44 691,545 ----a-w F:\WINDOWS\unins000.exe
2008-02-02 12:48 47,360 ----a-w F:\Documents and Settings\Pablo\Application Data\pcouffin.sys
2007-12-13 03:40 6,177,423,528 ----a-w F:\Program Files\Need for speed Prostreet Iso.nrg
2007-11-21 12:51 22,328 ----a-w F:\Documents and Settings\Pablo\Application Data\PnkBstrK.sys
.
<pre>
----a-w		17,529,400 2007-10-04 17:06:45  F:\Documents and Settings\Pablo\My Documents\Downloads\Sony Image Converter 2 .exe
</pre>


------- Sigcheck -------

2007-12-04 22:36 360576 e7dfcffa380749b8626ad71e8f367dcb F:\WINDOWS\system32\dllcache\TCPIP.SYS
2007-12-04 22:36 360576 e7dfcffa380749b8626ad71e8f367dcb F:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]
"DAEMON Tools Lite"="F:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 21:35 486856]
"MySpaceIM"="F:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 11:17 8720384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-11-09 10:38 532480]
"NVRTCLK"="F:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 19:14 24576]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 F:\WINDOWS\system32\nwiz.exe]
"DownloadAccelerator"="F:\Program Files\DAP\DAP.exe" [2006-08-03 16:42 2864276]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 19:50 77824 F:\WINDOWS\SOUNDMAN.EXE]
"PWRISOVM.EXE"="F:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 09:35 200704]
"ccApp"="F:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 03:04 84640]
"osCheck"="F:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22 26248]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Symantec PIF AlertEng"="F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 18:51 583048]
"AsusStartupHelp"="F:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe" [2006-11-14 13:25 363008]
"NSLauncher"="F:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-10-01 19:59 3104768]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:26 15360]
"MySpaceIM"="F:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 11:17 8720384]

F:\Documents and Settings\Pablo\Start Menu\Programs\Startup\
MagicDisc.lnk - F:\Program Files\MagicDisc\MagicDisc.exe [2007-09-08 21:32:23 557568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 11:28 139264 F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-19 11:17 8720384 F:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"F:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"F:\\Program Files\\eMule\\eMule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\Program Files\\DAP\\DAP.exe"=
"F:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Azureus\\Azureus.exe"=
"F:\\WINDOWS\\system32\\PnkBstrA.exe"=
"F:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Teamspeak2_RC2 Server\\server_windows.exe"=
"C:\\Program Files\\CoH Opposing Fronts\\RelicCOH.exe"=
"F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"F:\\Program Files\\Sierra Online\\Red Baron Arcade\\Red Baron Arcade.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"F:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"F:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"F:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"F:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;F:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 12:12]
S3 FileObjInfo;STFileDriver;F:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-03-23 20:20]
S3 k600bus;Sony Ericsson 600i driver (WDM);F:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 20:42]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 20:42]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;F:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 20:42]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;F:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 20:42]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;F:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 20:42]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;F:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;F:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 PCASp50;PCASp50 NDIS Protocol Driver;F:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 upperdev;upperdev;F:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;F:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 10:30:11 F:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Pablo.job"
- F:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 16:19:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
F:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
F:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-26 16:25:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 06:54:54
ComboFix2.txt 2008-04-23 05:47:12

Pre-Run: 5,441,556,480 bytes free
Post-Run: 5,694,492,672 bytes free

281 --- E O F --- 2007-08-23 10:21:46
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try reinstalling the applications you are having problems with....

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

Folder::
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons
RenV::
F:\Documents and Settings\Pablo\My Documents\Downloads\Sony Image Converter 2 .exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Any problems remaining now?
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Topic re-opened per user's request.
  • 0

#10
HackedCactus

HackedCactus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for reopening the topic.

Spyware and Virus Scans still freeze my computer.

I uninstalled a few programs and then ran combofix with the new script and received the following log:

Command switches used :: F:\Documents and Settings\Pablo\My Documents\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\µTorrent.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Acoustica CD Label Maker.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Alive Video Converter.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Call of Duty 4 Free Multiplayer.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\CCleaner.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\COD4 Private Dedicated Server.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\ConvertXtoDvd.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\DivX Movies.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Download Accelerator Plus (DAP).lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\DVD Shrink 3.2.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\File Shredder.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\HijackThis.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\LimeWire 4.16.6.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\MagicDisc.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\My Completed Downloads.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Revo Uninstaller.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut (2) to BF2142.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to Civ4Warlords.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to Civilization4.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to CoD2MP_s.exe.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to Empire Earth.exe.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to eMule.exe.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to iw3mpHAMACHI 1.4.exe.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to iw3sp.exe.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to nfs.exe.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Shortcut to Red Baron Arcade.exe.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Teamspeak 2 RC2.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\TeamSpeak 2 Server.lnk
F:\Documents and Settings\Pablo\Application Data\TmpRecentIcons\Titan Lite II.lnk

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 21:09 . 2008-05-12 21:09 <DIR> d-------- F:\Documents and Settings\All Users\Symantec Temporary Files
2008-05-05 23:16 . 2008-05-05 23:16 <DIR> d-------- F:\Program Files\Red Kawa
2008-04-27 18:10 . 2001-08-17 14:02 9,600 --a------ F:\WINDOWS\system32\drivers\hidusb.sys
2008-04-27 18:10 . 2001-08-17 14:02 9,600 --a--c--- F:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-27 18:05 . 2003-12-03 11:19 778,240 --a------ F:\WINDOWS\system32\xboxCpl.dll
2008-04-27 18:05 . 2003-12-02 15:10 65,536 --a------ F:\WINDOWS\system32\xboxFFDrv.dll
2008-04-27 18:05 . 2003-12-03 11:10 25,528 --a------ F:\WINDOWS\system32\drivers\atxboxfl.sys
2008-04-27 16:55 . 2004-09-07 11:41 5,120 --a------ F:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-04-27 16:55 . 2004-03-10 14:31 3,328 --a------ F:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Malwarebytes
2008-04-22 19:39 . 2008-04-22 19:39 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-18 22:50 . 2008-04-18 22:50 <DIR> d-------- F:\Program Files\CCleaner
2008-04-18 22:08 . 2008-04-18 22:08 <DIR> d-------- F:\Program Files\VS Revo Group
2008-04-14 23:34 . 2007-11-14 09:02 43,090,956 --a------ F:\nfs.exe
2008-04-14 01:06 . 2004-08-03 23:08 25,600 --a------ F:\WINDOWS\system32\drivers\usbser.sys
2008-04-14 01:06 . 2004-08-03 23:08 25,600 --a--c--- F:\WINDOWS\system32\dllcache\usbser.sys
2008-04-14 01:06 . 2008-04-14 01:06 0 --ah----- F:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-14 01:06 . 2008-04-14 01:06 0 --ah----- F:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-14 00:53 . 2008-05-12 22:15 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Installations
2008-04-13 17:21 . 2008-04-13 17:21 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\vlc
2008-04-13 17:20 . 2008-04-13 17:20 <DIR> d-------- F:\Program Files\VideoLAN
2008-04-13 01:48 . 2008-04-13 01:48 <DIR> d-------- F:\Documents and Settings\Pablo\Application Data\Leadertech
2008-04-12 12:28 . 2008-04-12 12:34 <DIR> d-------- F:\Program Files\Incoming

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 14:55 --------- d-----w F:\Program Files\Nokia
2008-05-12 14:43 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-05-12 11:51 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-05-12 11:50 --------- d-----w F:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 11:48 --------- d-----w F:\Program Files\Norton AntiVirus
2008-05-11 23:45 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Azureus
2008-05-11 13:32 --------- d-----w F:\Program Files\Incomplete
2008-05-11 13:28 --------- d-----w F:\Program Files\LimeWire
2008-05-11 13:17 --------- d-----w F:\Documents and Settings\Pablo\Application Data\LimeWire
2008-05-11 02:42 22,328 ----a-w F:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-11 02:42 103,736 ----a-w F:\WINDOWS\system32\PnkBstrB.exe
2008-05-10 04:03 66,872 ----a-w F:\WINDOWS\system32\PnkBstrA.exe
2008-04-27 08:35 --------- d-----w F:\Program Files\LandRouse steering wheel
2008-04-27 07:25 --------- d-----w F:\Program Files\ASUS
2008-04-27 07:18 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Hamachi
2008-04-26 02:25 --------- d-----w F:\Program Files\Java
2008-04-17 14:41 --------- d-----w F:\Program Files\Azureus
2008-04-16 13:14 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-16 13:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-12 08:32 --------- d-----w F:\Program Files\Electronic Arts
2008-04-11 11:06 --------- d-----w F:\Program Files\Common Files\Adobe
2008-04-10 12:57 --------- d-----w F:\Documents and Settings\Pablo\Application Data\THQ
2008-04-10 12:13 --------- d-----w F:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-10 11:53 --------- d-----w F:\Program Files\THQ
2008-04-10 11:53 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-04-08 13:03 --------- d-----w F:\Documents and Settings\Pablo\Application Data\NSeries
2008-04-08 12:53 --------- d-----w F:\Documents and Settings\Pablo\Application Data\ROUTE 66 Sync
2008-04-08 10:15 --------- d-----w F:\Program Files\Windows Live
2008-04-08 10:14 --------- dcsh--w F:\Program Files\Common Files\WindowsLiveInstaller
2008-04-08 10:10 --------- d-----w F:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-07 14:43 --------- d-----w F:\Documents and Settings\Pablo\Application Data\AdobeUM
2008-04-07 14:29 --------- d-----w F:\Documents and Settings\Pablo\Application Data\AdobeAUM
2008-04-07 14:28 --------- d-----w F:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-07 13:41 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Nokia
2008-04-07 13:38 --------- d-----w F:\Documents and Settings\All Users\Application Data\Nokia
2008-04-07 13:31 --------- d-----w F:\Program Files\SimpleCenter
2008-04-07 13:31 --------- d-----w F:\Program Files\Common Files\i4j_jres
2008-04-07 13:31 --------- d-----w F:\Documents and Settings\Pablo\Application Data\PC Suite
2008-04-07 13:28 --------- d-----w F:\Program Files\DIFX
2008-04-01 15:50 --------- d-----w F:\Documents and Settings\Pablo\Application Data\DivX
2008-03-31 16:03 --------- d-----w F:\Program Files\Trend Micro
2008-03-28 12:55 --------- d-----w F:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-24 04:43 --------- d-----w F:\Program Files\Ubisoft
2008-03-24 02:22 --------- d-----w F:\Documents and Settings\Pablo\Application Data\Spyware Terminator
2008-03-23 10:52 --------- d-----w F:\Program Files\Spyware Terminator
2008-03-23 10:50 138,752 ----a-w F:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-23 10:50 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-23 10:10 --------- d-----w F:\Program Files\Webteh
2008-03-23 10:10 --------- d-----w F:\Documents and Settings\Pablo\Application Data\BSplayer
2008-03-13 09:20 --------- d-----w F:\Program Files\Sierra Online
2008-03-13 05:38 --------- d-----w F:\Documents and Settings\Pablo\Application Data\uTorrent
2008-02-24 06:44 691,545 ----a-w F:\WINDOWS\unins000.exe
2008-02-02 12:48 47,360 ----a-w F:\Documents and Settings\Pablo\Application Data\pcouffin.sys
2007-12-13 03:40 6,177,423,528 ----a-w F:\Program Files\Need for speed Prostreet Iso.nrg
2007-11-21 12:51 22,328 ----a-w F:\Documents and Settings\Pablo\Application Data\PnkBstrK.sys
.

------- Sigcheck -------

2007-12-04 22:36 360576 e7dfcffa380749b8626ad71e8f367dcb F:\WINDOWS\system32\dllcache\TCPIP.SYS
2007-12-04 22:36 360576 e7dfcffa380749b8626ad71e8f367dcb F:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26 15360]
"DAEMON Tools Lite"="F:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 21:35 486856]
"MySpaceIM"="F:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 11:17 8720384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-11-09 10:38 532480]
"NVRTCLK"="F:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 19:14 24576]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 F:\WINDOWS\system32\nwiz.exe]
"DownloadAccelerator"="F:\Program Files\DAP\DAP.exe" [2006-08-03 16:42 2864276]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 19:50 77824 F:\WINDOWS\SOUNDMAN.EXE]
"PWRISOVM.EXE"="F:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 09:35 200704]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Symantec PIF AlertEng"="F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 18:51 583048]
"AsusStartupHelp"="F:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe" [2006-11-14 13:25 363008]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Launch Ai Booster"="F:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-19 17:31 3503616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:26 15360]
"MySpaceIM"="F:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-19 11:17 8720384]

F:\Documents and Settings\Pablo\Start Menu\Programs\Startup\
MagicDisc.lnk - F:\Program Files\MagicDisc\MagicDisc.exe [2007-09-08 21:32:23 557568]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 11:28 139264 F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-19 11:17 8720384 F:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"F:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"F:\\Program Files\\eMule\\eMule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\Program Files\\DAP\\DAP.exe"=
"F:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Azureus\\Azureus.exe"=
"F:\\WINDOWS\\system32\\PnkBstrA.exe"=
"F:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\CoH Opposing Fronts\\RelicCOH.exe"=
"F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"F:\\Program Files\\Sierra Online\\Red Baron Arcade\\Red Baron Arcade.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"F:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"F:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R3 atxboxfl;atxboxfl Filter Service;F:\WINDOWS\system32\DRIVERS\atxboxfl.sys [2003-12-03 11:10]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;F:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 12:12]
S3 FileObjInfo;STFileDriver;F:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-03-23 20:20]
S3 k600bus;Sony Ericsson 600i driver (WDM);F:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 20:42]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 20:42]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;F:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 20:42]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;F:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 20:42]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;F:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 20:42]
S3 PCASp50;PCASp50 NDIS Protocol Driver;F:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 upperdev;upperdev;F:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 00:57:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 0:58:04
ComboFix-quarantined-files.txt 2008-05-12 15:27:52
ComboFix2.txt 2008-04-26 06:55:01
ComboFix3.txt 2008-04-23 05:47:12

Pre-Run: 4,474,576,896 bytes free
Post-Run: 5,065,064,448 bytes free

226 --- E O F --- 2007-08-23 10:21:46
  • 0

Advertisements


#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did it freeze even if you ran VundoFix?

See if you can run this scan:
Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
  • 0

#12
HackedCactus

HackedCactus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Yes. VundoFix scans still freeze during the scan.

I was able to begin scanning using Panda Active Scan.
Unfortunately the scan would only ever get to 50% complete or there abouts by which time it detected 51 threats. I am unable to post a log because the scan always froze before completion.

A registry scan using Registry Booster always runs to completion and I am unable to remove problems. But I cannot seem to run any Antivirus or spyware scans to completion. They all freeze my computer.

ComboFix and Registry Booster scans are about the only scans that I can seem to run to completion at all!

I don't know what has got in exactly, but whatever it is, it's like AIDS. Just like AIDS attacks the cells responsible for defending the body against infection, I have something in my computer that seems to be attacking the systems responsible for defending my system against infection. My computer has AIDS! A little dramatic? Perhaps. But I like the analogy.
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do you remember roughly what Panda found during the scan? If not, try running it again. Try to capture a screenshot of what it found using your PrtScrn button on your keyboard. Then paste that screenshot into a program like Microsoft Paint and make sure you save it as a JPEG format so the filesize is small. Attach the screenshot here. Try to capture it every 10% of the progress and save it as a new file. So if it bombs out on you, just give me the latest one you have :)

Download SDFix at http://downloads.and...Tools/SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computerAfter hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum.
  • 0

#14
HackedCactus

HackedCactus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I scanned with Panda a few times. The furthest I got without freezing was 51% complete. It found 40 threats in total and 51 vulnerabilities. I've copied screenshots of the results into MS Paint (attached). The result list is quite long so I copied them as 4 separate JPEGs.

I also ran SDFix and got the following log:


SDFix: Version 1.182
Run by Pablo on Sun 05/18/2008 at 05:23 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: F:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 18:39:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:a0147396
"s2"=dword:ae3b535b
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="F:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:68,77,dd,e0,6a,1f,24,82,f6,6c,6a,44,bd,3a,7a,24,0f,1f,08,5e,d5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="F:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:69,8f,1f,60,f9,12,37,fc,2e,d9,c7,9d,cb,e4,db,8e,bf,5f,db,84,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,39,b3,e2,29,96,79,89,31,59,b7,df,db,c7,66,36,ca,0f,..
"khjeh"=hex:fb,2b,46,2e,2c,4a,17,84,ba,e6,b4,11,b5,66,95,74,65,39,d2,6a,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:3d,f2,25,8c,3f,dd,cd,46,ac,06,39,6d,66,fa,7d,f2,5a,b7,5d,ed,27,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="F:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0c,19,a6,d8,8e,ae,23,7f,33,61,5c,8d,a2,3e,74,8d,d3,23,54,01,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="F:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0c,19,a6,d8,8e,ae,23,7f,33,61,5c,8d,a2,3e,74,8d,d3,23,54,01,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="F:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:68,77,dd,e0,6a,1f,24,82,f6,6c,6a,44,bd,3a,7a,24,0f,1f,08,5e,d5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="F:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:69,8f,1f,60,f9,12,37,fc,2e,d9,c7,9d,cb,e4,db,8e,bf,5f,db,84,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,39,b3,e2,29,96,79,89,31,59,b7,df,db,c7,66,36,ca,0f,..
"khjeh"=hex:fb,2b,46,2e,2c,4a,17,84,ba,e6,b4,11,b5,66,95,74,65,39,d2,6a,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:3d,f2,25,8c,3f,dd,cd,46,ac,06,39,6d,66,fa,7d,f2,5a,b7,5d,ed,27,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"F:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="F:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"F:\\Program Files\\eMule\\eMule.exe"="F:\\Program Files\\eMule\\eMule.exe:*:Enabled:eMule Plus"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"F:\\Program Files\\DAP\\DAP.exe"="F:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"F:\\Program Files\\uTorrent\\uTorrent.exe"="F:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ćTorrent"
"F:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="F:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"F:\\Program Files\\LimeWire\\LimeWire.exe"="F:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\Program Files\\Azureus\\Azureus.exe"="F:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"F:\\WINDOWS\\system32\\PnkBstrA.exe"="F:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"F:\\WINDOWS\\system32\\PnkBstrB.exe"="F:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"="C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe:*:Enabled:Empire Earth III"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\CoH Opposing Fronts\\RelicCOH.exe"="C:\\Program Files\\CoH Opposing Fronts\\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"F:\\Program Files\\Sierra Online\\Red Baron Arcade\\Red Baron Arcade.exe"="F:\\Program Files\\Sierra Online\\Red Baron Arcade\\Red Baron Arcade.exe:*:Enabled:Red Baron Arcade"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"F:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="F:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"F:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="F:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"F:\\Program Files\\TmUnitedForever\\TmForever.exe"="F:\\Program Files\\TmUnitedForever\\TmForever.exe:*:Enabled:TmForever"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - F:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 27 Feb 2008 4,348 A.SH. --- "F:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 20 Feb 2005 70,656 A.SH. --- "F:\Program Files\Makayama Software\Mobile Media Maker (Smartphone)\Setup.exe"
Sun 3 Feb 2008 0 A.SH. --- "F:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 23 Aug 2007 0 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\0bf48c56e2f3f29bfbf4f4fd00ad98dd\BITAF.tmp"
Wed 22 Aug 2007 512,392 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\0e6ee542bb81cc5c1fbb79d198834044\BITAA.tmp"
Wed 22 Aug 2007 558,984 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\0f66ac0b7ccd71faf6da904f29228240\BIT5E.tmp"
Sun 21 Oct 2007 1,123,200 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\1f75a8ad2ee20cedf33dd46d709f2f0e\BIT3E.tmp"
Wed 22 Aug 2007 806,792 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\218766960d1465c026412385b0d1d978\BIT60.tmp"
Thu 23 Aug 2007 0 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\2a2715f6180c3bfa2a58178525f24c67\BITAD.tmp"
Wed 22 Aug 2007 1,600,392 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\BITA5.tmp"
Wed 22 Aug 2007 2,391,944 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\40c2135ce9cffcf3bdfeed14e0704266\BIT34.tmp"
Wed 22 Aug 2007 5,652,328 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\4982a61e2216973813f44f56425bf3d9\BIT32.tmp"
Thu 23 Aug 2007 1,002,296 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\4ce0edaf0becf811dda5cbccda731ad4\BITAC.tmp"
Thu 23 Aug 2007 0 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\4f4012d60daff369f73873817164328b\BITB7.tmp"
Wed 22 Aug 2007 4,704,136 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\5253da9aa0f5d8d6386ba525e94a3d8b\BIT5C.tmp"
Wed 22 Aug 2007 617,272 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\5cc724b3995f72ef3222dddf08658056\BIT66.tmp"
Wed 22 Aug 2007 1,823,624 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\6e49db26b225c64ffbbd852b587ab944\BITA6.tmp"
Wed 22 Aug 2007 685,368 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\70a4fbe7217488f673cf5d20367dabc9\BIT5F.tmp"
Wed 22 Aug 2007 896,312 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\a0d45ac61d8a7a5b7faa78852c46bf15\BIT63.tmp"
Wed 22 Aug 2007 795,528 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\b5330da089196b346d1ee0676e21afcc\BIT5D.tmp"
Wed 22 Aug 2007 739,640 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\c810b29b22044bd72df654fd63ee0af2\BIT61.tmp"
Thu 23 Aug 2007 2,562,464 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\cb6d6db73a919cea4356201489a54a71\BIT30.tmp"
Wed 22 Aug 2007 7,939,032 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\d9d5f5f1045bf2fb02a62b63d583b7d1\BIT40.tmp"
Thu 23 Aug 2007 0 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\e21fd56f1f5bfc33771c50bc8a68808a\BITB1.tmp"
Thu 23 Aug 2007 802,696 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\e995acae9f2591ac009a4ad305efa874\BIT97.tmp"
Wed 22 Aug 2007 622,984 A..H. --- "F:\WINDOWS\SoftwareDistribution\Download\f54d9f16cafb3a043d81262b001f62f8\BITA8.tmp"
Sat 29 Mar 2008 1,776 ...HR --- "F:\Documents and Settings\Pablo\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

Attached Thumbnails

  • Pandascanresults1.JPG
  • Pandascanresults2.JPG
  • Pandascanresults3.JPG
  • Pandascanresults4.JPG

  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go to http://windowsupdate.microsoft.com and get all the latest critical security updates. You seem to have a lot of unpatched vulnerabilities there.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download VirtumundoBeGone at http://secured2k.hom...mundoBeGone.exe and save it on your desktop. Then boot into Safe Mode and run VirtumundoBeGone. When it's done, boot back to Normal Mode and post the log created here.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP