Operating memory - Win32/Olmarik trojan - unable to clean [Solved]


#1
kev seal
  • Member
  • 17 posts
ESET Smart Security reports 1 infection when a scan is requested:
Operating memory - Win32/Olmarik trojan - unable to clean

Also at boot I get a red circle with a cross and a text balloon saying
'Your machine has been infected, click this link to download'

Read the Geeks to Go malware removal FAQ and guide, then downloaded and ran the following:

Ran TFC (Temp File Cleaner), all OK

Downloaded and ran System Restore (Windows Vista, XP and ME)
Got the 'successful restore point created' message.

Ran ERUNT
Saved with today's date and timestamp as the filename, OK

Downloaded the free version of Malwarebytes' Anti-Malware and installed it
The first time I tried to run it, it just shut down immediately; any further attempts to run it end in an error message saying

'Windows cannot access the specified device, path, or file. You may not have appropriate permissions'

I take it that the infection I have is responsible for terminating MB Anti-Malware.

Please advise next step.

ty in advance

Kev Seal
#2
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please download RSIT by random/random and save it to your Desktop.
  • Double-click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the "List files/folders created or modified in the last" setting to 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

NEXT

Please download GMER and unzip it to your Desktop. (mirror)
Please rename the random filename (or GMER) to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans, as it may interfere with the output results.

Post me these logs in your next reply.. Post each log in a separate post..

1. RSIT log.txt
2. RSIT info.txt
3. Attach the GAMERS result..

#3
kev seal
  • Topic Starter
  • Member
  • 17 posts
Downloaded RSIT and saved it to Desktop.

* Double-clicked on RSIT.exe to run RSIT
* Changed the "List files/folders created or modified" setting to the last 3 months
* Clicked Continue at the disclaimer screen.
* Program finished immediately and did not generate any files
RSIT still on desktop; double-clicked to run again and received the following message:

'Windows cannot access the specified device, path, or file. You may not have appropriate permissions to open this item'

Downloaded and renamed GMER to gamer, chose the Rootkit tab, and ran the scan; logfile attached.
You didn't specify if I had to select all my drives or just the default choice of C:,
so I ran the scan on all drives also and attached it to this post.

Edited by kev seal, 10 September 2009 - 11:46 AM.


#4
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please save this file to your Desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#5
kev seal
  • Topic Starter
  • Member
  • 17 posts
Seemed to run OK, here's the log file.


#6
fenzodahl512
  • Malware Removal
  • 9,863 posts
Make sure you save Win32kDiag on your Desktop BEFORE doing the fix below..

Go to Start >> Run >> copy/paste below >> Enter. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

#7
kev seal
  • Topic Starter
  • Member
  • 17 posts
Opened Win32kDiag.txt with Notepad, copied and pasted it into this post.

Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Found mount point : C:\WINDOWS\$hf_mig$\KB971633\KB971633

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971633\KB971633

Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Found mount point : C:\WINDOWS\$hf_mig$\KB972260\KB972260

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB972260\KB972260

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP106.tmp\ZAP106.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP106.tmp\ZAP106.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4.tmp\ZAP4.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4.tmp\ZAP4.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP482.tmp\ZAP482.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP482.tmp\ZAP482.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C3.tmp\ZAP4C3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C3.tmp\ZAP4C3.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54.tmp\ZAP54.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54.tmp\ZAP54.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP56.tmp\ZAP56.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP56.tmp\ZAP56.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D9.tmp\ZAP5D9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D9.tmp\ZAP5D9.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F8.tmp\ZAP5F8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F8.tmp\ZAP5F8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP611.tmp\ZAP611.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP611.tmp\ZAP611.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3.tmp\ZAPA3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3.tmp\ZAPA3.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC6.tmp\ZAPC6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC6.tmp\ZAPC6.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp\ZAPFB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp\ZAPFB.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2008-04-14 13:00:00 744448 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe (Microsoft Corporation)

[1] 2008-04-14 13:00:00 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB956844\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB971961\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\$hf_mig$\KB973874-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-07-27 10:41:48 755576 C:\WINDOWS\SoftwareDistribution\Download\06c06c7b51bc17c7102b0619a1cb08c2\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\update\update.exe (Microsoft Corporation)

[1] 2007-10-27 16:39:46 716000 C:\WINDOWS\SoftwareDistribution\Download\0eee9353a41e1ffb7bc4207f5acf499f\update\update.exe (Microsoft Corporation)

[1] 2007-07-27 09:41:48 755576 C:\WINDOWS\SoftwareDistribution\Download\0f4651f0d7e6cb55f0a983df3c4744d0\update\update.exe (Microsoft Corporation)

[1] 2007-07-27 10:41:48 755576 C:\WINDOWS\SoftwareDistribution\Download\122ece420ea2cadf18cdf04c90b6d8f1\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\12e31c1143e5f70785d44c867e7b3e13\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\678162639e69c808c1768ab6340eae25\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 12:18:51 755576 C:\WINDOWS\SoftwareDistribution\Download\6b4e49f1a78b9558feeb103a07b06a32\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\8aff2c132bea63255d1cab83ef37c507\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\97f18c7ac91916468f96bb79c87bff6c\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\update\update.exe (Microsoft Corporation)

[1] 2007-07-27 10:41:48 755576 C:\WINDOWS\SoftwareDistribution\Download\b581bf18b76e57fbe9a3a9b9e82155ff\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 13:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\c2605fe2baba03346e8868859fbe2ead\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 12:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\dfd20fda6478d599fc1417f0319287a1\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 14:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1960408961-1677128483-1177238915-500\S-1-5-21-1960408961-1677128483-1177238915-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1960408961-1677128483-1177238915-500\S-1-5-21-1960408961-1677128483-1177238915-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Cookies\Cookies

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 13:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 13:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 13:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 14:38:22 24689600 C:\WINDOWS\system32\MRT.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!
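A defender-side triage of this kind of Win32kDiag output, as an added example that is not part of the thread and not the Win32kDiag tool's own code: it flags directory reparse points whose destination is not a volume path (the \Device\__max++>\^ entries above) and inaccessible system files whose on-disk copy carries no company name or differs in size from the dllcache backup (eventlog.dll above). The sample log is constructed from lines quoted in this post, and the pattern for a legitimate mount-point destination is an assumption.

```python
import re
from dataclasses import dataclass

# Line shapes as they appear in the Win32kDiag log quoted in the thread.
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] 2008-04-14 13:00:00 56320 C:\path\file.dll (Microsoft Corporation)"
ENTRY_RE = re.compile(r"^\[(\d+)\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")
# Assumption: a benign mount point on XP resolves to a volume (\??\Volume{...} or
# \??\X:\...) or to \Device\HarddiskVolumeN; anything else (e.g. \Device\__max++>\^)
# is a reparse point Windows did not create and deserves a look.
LEGIT_DEST_RE = re.compile(r"^(\\\?\?\\|\\Device\\HarddiskVolume\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "suspect_reparse_point" or "suspect_system_file"
    path: str
    detail: str


def _check_inaccessible(target, entries):
    """Compare the inaccessible file with the copies Win32kDiag listed beside it."""
    on_disk = next((e for e in entries if e[3].lower() == target.lower()), None)
    cache = next((e for e in entries if "\\dllcache\\" in e[3].lower()), None)
    if on_disk is None:
        return None
    size, company = int(on_disk[2]), on_disk[4]
    if not company:
        # A Microsoft system binary without version info is the eventlog.dll case above.
        return Finding("suspect_system_file", target,
                       f"no company name in version info, size {size}")
    if cache is not None and int(cache[2]) != size:
        return Finding("suspect_system_file", target,
                       f"size {size} differs from dllcache copy {cache[2]}")
    return None


def triage(log_text):
    """Return the findings for one Win32kDiag log, in the order they occur."""
    findings = []
    pending_mount = None   # path of the last "Found mount point" awaiting its destination
    target = None          # path of the current "Cannot access" file
    entries = []           # candidate copies listed under that file

    def flush():
        nonlocal target, entries
        if target is not None:
            finding = _check_inaccessible(target, entries)
            if finding:
                findings.append(finding)
        target, entries = None, []

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            flush()
            pending_mount = m.group(1)
        elif m := DEST_RE.match(line):
            dest = m.group(1)
            if pending_mount and not LEGIT_DEST_RE.match(dest):
                findings.append(Finding("suspect_reparse_point", pending_mount,
                                        f"redirects to {dest}"))
            pending_mount = None
        elif m := NOACCESS_RE.match(line):
            flush()
            target = m.group(1)
        elif m := ENTRY_RE.match(line):
            entries.append(m.groups())
        elif line.startswith("Finished"):
            flush()
    flush()
    return findings


# Constructed sample: real lines from the log above plus one benign volume mount point.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\mnt\data
Mount point destination : \??\Volume{12345678-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
[1] 2008-04-14 13:00:00 744448 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe (Microsoft Corporation)
[1] 2008-04-14 13:00:00 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 13:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 13:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 13:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.path} ({f.detail})")
```

HelpSvc.exe produces no finding because its on-disk copy matches the dllcache copy in size and vendor, which is the same reasoning the helper applied when only eventlog.dll was acted on.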

#8
fenzodahl512
  • Malware Removal
  • 9,863 posts
Run Win32kDiag once again (just double-click it) and then post the log here :)

#9
kev seal
  • Topic Starter
  • Member
  • 17 posts
Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 13:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 13:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 13:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)





Finished!

#10
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Begin copying here:
Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompted

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.




Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix.


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..
  • 0

#11
kev seal

kev seal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Avenger log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "a1yklt0g" found!
Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


ComboFix reported it was unable to download the Recovery Console, so I continued with the scan anyway.
ComboFix asked me to write down the names of some files in case they were needed later; ComboFix never asked for them. Do you require the file names?

ComboFix seems to have finished OK and produced the following log:

ComboFix 09-09-09.09 - Administrator 10/09/2009 20:14.1.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\braviax.exe
c:\windows\Installer\5ed5b.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\braviax.exe
c:\windows\system32\drivers\vsfocesauufyqr.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\vsfocehsvngejl.dll
c:\windows\system32\vsfocenybhiwsj.dll
c:\windows\system32\vsfocepixnmwru.dat
c:\windows\system32\vsfocerwkuvjld.dat
c:\windows\system32\vsfoceymawktev.dll

c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vsfocentuamrah
-------\Legacy_vsfocentuamrah
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-10 18:06 . 2009-09-10 18:06 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-10 18:06 . 2009-09-10 18:06 -------- d-----w- c:\windows\system32\xlive
2009-09-10 17:05 . 2009-09-10 17:05 -------- d-----w- c:\program files\trend micro
2009-09-10 17:05 . 2009-09-10 17:05 -------- d-----w- C:\rsit
2009-09-10 16:45 . 2009-09-10 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2009-09-10 03:44 . 2009-09-10 03:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AaaaaRecklessDisregard
2009-09-10 03:43 . 2009-09-10 03:44 -------- d-----w- c:\program files\AaaaaAAaaaAAAaaAAAAaAAAAA!!! - A Reckless Disregard for Gravity
2009-09-08 18:34 . 2009-09-08 18:34 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-08 18:34 . 2009-09-08 18:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-08 18:30 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-08 18:30 . 2009-09-08 18:30 -------- d-----w- c:\windows\ie8updates
2009-09-08 18:30 . 2009-07-19 17:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-08 18:30 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-08 18:30 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-08 18:30 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-08 18:30 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-08 18:30 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-08 18:29 . 2009-09-08 18:29 -------- dc-h--w- c:\windows\ie8
2009-09-08 18:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-09-08 18:21 . 2009-09-08 18:21 -------- d-----w- c:\program files\MSXML 4.0
2009-09-08 18:15 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-08 18:10 . 2009-09-08 18:10 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-08 17:54 . 2009-09-08 17:59 15 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-09-08 17:47 . 2009-09-10 18:32 -------- d--h--w- c:\windows\PIF
2009-09-08 17:39 . 2009-09-08 17:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-08 17:39 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 17:39 . 2009-09-08 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 17:39 . 2009-09-08 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 17:39 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:37 . 2009-09-09 16:47 -------- d-----w- c:\program files\ERUNT
2009-09-07 23:19 . 2009-09-07 23:19 -------- d-----w- c:\program files\Sophos
2009-09-07 22:20 . 2009-09-07 22:20 4 ----a-w- c:\windows\system32\aspdict-en.dat
2009-09-07 22:20 . 2009-09-07 22:20 16 ----a-w- c:\windows\system32\asdict.dat
2009-09-07 22:11 . 2009-09-07 22:31 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2009-09-07 21:48 . 2009-09-07 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-09-07 21:47 . 2009-09-07 21:48 -------- d-----w- c:\program files\Common Files\BitDefender
2009-09-07 16:31 . 2009-09-07 16:31 -------- d-----w- c:\program files\ESET
2009-09-06 16:11 . 2009-09-06 16:11 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-09-06 12:47 . 2009-09-06 12:56 -------- d-----w- c:\program files\Total Video Converter
2009-09-06 12:42 . 2009-09-06 12:42 -------- d-----w- c:\program files\Common Files\Common Share
2009-09-06 12:42 . 2008-12-18 12:38 719872 ----a-w- c:\windows\system32\devil.dll
2009-09-06 12:42 . 2008-12-18 12:38 351744 ----a-w- c:\windows\system32\avisynth.dll
2009-09-06 12:42 . 2009-09-06 12:42 -------- d-----w- c:\program files\OJOsoft
2009-09-06 12:25 . 2009-09-06 12:25 -------- d-----w- c:\program files\Common Files\NSV
2009-09-06 11:21 . 2009-09-06 11:21 -------- d-----w- c:\program files\Common Files\DirectX
2009-09-06 11:17 . 1999-12-13 00:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
2009-09-06 11:17 . 1999-11-18 00:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
2009-09-06 11:17 . 2009-09-06 11:17 -------- d--h--w- c:\program files\Creative Installation Information
2009-09-06 11:17 . 2009-09-06 11:17 -------- d-----w- c:\program files\Common Files\Creative
2009-09-06 10:02 . 2009-09-06 10:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WMTools Downloaded Files
2009-09-06 07:16 . 2009-09-06 07:16 -------- d-----w- c:\program files\Common Files\Doblon
2009-09-06 07:14 . 2009-09-06 07:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-09-06 07:11 . 2007-07-26 23:06 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-06 07:11 . 2007-07-26 23:06 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-06 07:11 . 2009-09-06 07:11 -------- d-----w- c:\program files\DivX
2009-09-06 06:20 . 2009-09-06 06:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\fofix
2009-09-06 04:42 . 2009-09-06 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2009-09-06 04:41 . 2009-09-06 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2009-09-06 01:58 . 2009-09-06 01:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-09-06 01:51 . 2009-09-06 01:51 -------- d-----w- c:\program files\Ventrilo
2009-09-05 19:31 . 2009-09-05 19:31 -------- d-----w- c:\program files\Logitech
2009-09-05 11:50 . 2009-09-05 11:50 -------- d-----w- c:\program files\JoyTechEurope
2009-09-05 08:56 . 2009-09-05 08:56 -------- d-----w- c:\program files\Atari
2009-09-05 08:46 . 2009-09-05 08:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-05 08:46 . 2009-09-05 08:46 -------- d-----w- c:\program files\Java
2009-09-05 05:39 . 2009-09-06 16:38 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-09-05 05:38 . 2009-09-05 05:38 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-05 05:36 . 2009-09-05 05:36 -------- d-----w- c:\program files\Microsoft
2009-09-05 05:36 . 2009-09-05 05:36 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-05 05:36 . 2009-09-05 05:38 -------- d-----w- c:\program files\Windows Live
2009-09-05 05:32 . 2009-09-05 05:32 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-05 05:05 . 2009-09-05 08:04 -------- d-----w- c:\program files\A Handful Of Audiosurf Addons
2009-09-04 22:15 . 2009-03-09 14:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-09-04 22:15 . 2009-03-09 14:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-09-04 22:15 . 2009-03-09 14:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-09-04 22:15 . 2009-03-16 13:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 22:15 . 2009-03-16 13:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-09-04 22:15 . 2009-03-16 13:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-09-04 22:15 . 2009-03-16 13:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-09-04 21:05 . 2009-06-03 23:55 25600 ----a-w- c:\windows\system32\Ctxfihlp.exe
2009-09-04 18:21 . 2009-09-04 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin
2009-09-04 18:21 . 2009-09-04 18:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\iWin
2009-09-04 12:38 . 2009-09-07 22:26 -------- d-----w- c:\program files\Spyware Terminator
2009-09-04 01:02 . 2009-09-04 01:02 -------- d-----w- c:\program files\MP3+G Toolz .NET 4
2009-09-04 00:53 . 1999-03-25 23:00 101888 ----a-w- c:\windows\system32\vb6stkit.dll
2009-09-04 00:34 . 2009-09-04 00:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2009-09-04 00:34 . 2009-09-04 00:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Power_Karaoke
2009-09-03 23:13 . 2009-09-04 01:08 -------- d-----w- C:\pebuilder3110a
2009-09-03 06:07 . 2009-09-03 06:07 -------- d-----w- c:\program files\Conduit
2009-09-03 06:06 . 2009-09-03 06:07 -------- d-----w- c:\program files\Power_Karaoke
2009-09-03 06:06 . 2009-09-06 07:06 -------- d-----w- c:\program files\DOBLON
2009-09-02 17:44 . 2008-04-13 21:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-09-02 17:44 . 2008-04-13 21:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-09-02 17:43 . 2008-04-13 21:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-09-02 17:43 . 2008-04-13 21:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-09-02 17:43 . 2008-04-13 21:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-09-02 17:43 . 2008-04-13 21:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-09-02 17:43 . 2008-04-13 21:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-09-02 17:43 . 2008-04-13 21:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-09-02 17:42 . 2008-04-13 21:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-09-02 17:42 . 2008-04-13 21:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-09-02 17:42 . 2008-04-13 21:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-09-02 17:42 . 2008-04-13 21:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-09-02 17:41 . 2008-04-13 21:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2009-09-02 17:41 . 2008-04-13 21:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-09-02 17:40 . 2008-04-14 02:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-09-02 17:40 . 2008-04-14 02:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-09-02 17:40 . 2008-04-13 21:16 121984 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2009-09-02 17:40 . 2008-04-13 21:16 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2009-09-02 17:32 . 2009-09-02 17:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-09-02 17:29 . 2009-09-02 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\LeverageService
2009-09-02 17:29 . 2009-09-02 17:29 -------- d-----w- c:\program files\Pragmatic Solutions Inc
2009-09-01 20:05 . 2009-09-01 20:06 11789 ----a-w- c:\windows\unins000.dat
2009-09-01 20:05 . 2009-09-01 20:05 684313 ----a-w- c:\windows\unins000.exe
2009-09-01 20:00 . 2009-09-02 17:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Deckadance
2009-09-01 19:59 . 2009-09-01 19:59 -------- d-----w- c:\program files\Common Files\DigiDesign
2009-09-01 19:59 . 2009-09-01 19:59 -------- d-----w- c:\program files\XLN Audio
2009-09-01 19:40 . 2009-09-01 19:40 -------- d-----w- c:\program files\ASIO4ALL v2
2009-09-01 19:40 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2009-09-01 19:39 . 2009-09-01 19:39 -------- d-----w- c:\program files\Outsim
2009-09-01 19:38 . 2009-09-07 22:47 -------- d-----w- c:\program files\Image-Line
2009-09-01 18:56 . 2009-09-01 18:56 -------- d-----w- C:\drumit
2009-09-01 16:36 . 2009-09-01 18:13 -------- d-----w- c:\program files\EndItAll
2009-09-01 04:57 . 2009-09-01 04:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ulead Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 13:08 . 2009-08-28 21:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-06 12:23 . 2009-08-30 08:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-09-06 11:17 . 2009-08-28 22:50 -------- d-----w- c:\program files\Creative
2009-09-06 06:39 . 2009-08-28 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-09-04 21:16 . 2009-08-28 22:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-04 21:16 . 2009-08-28 22:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-30 08:56 . 2009-08-30 08:53 -------- d-----w- c:\program files\Winamp
2009-08-29 10:57 . 2009-08-29 10:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-08-29 10:56 . 2009-08-29 10:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-08-28 22:50 . 2009-08-28 22:50 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2009-08-28 22:49 . 2009-08-28 22:49 -------- d-----w- c:\program files\OpenAL
2009-08-28 21:03 . 2009-08-28 21:03 -------- d-----w- c:\program files\Driver-Soft
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\program files\microsoft frontpage
2009-08-28 20:38 . 2009-08-28 20:38 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-17 02:04 . 2009-08-17 02:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 02:04 . 2009-08-17 02:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 02:03 . 2009-08-17 02:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 02:03 . 2009-08-17 02:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 02:03 . 2009-08-17 02:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 02:03 . 2009-08-17 02:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 02:03 . 2009-08-17 02:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 02:03 . 2009-08-17 02:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 02:03 . 2009-08-17 02:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 02:03 . 2009-08-17 02:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 02:03 . 2009-08-17 02:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 02:03 . 2009-08-17 02:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 02:02 . 2009-08-17 02:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-16 23:57 . 2009-08-16 23:57 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-16 23:57 . 2009-08-16 23:57 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-16 23:57 . 2009-08-16 23:57 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-16 23:57 . 2009-08-16 23:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-16 23:57 . 2009-08-16 23:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-16 23:57 . 2009-08-16 23:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-16 23:57 . 2009-08-16 23:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-16 23:57 . 2009-08-16 23:57 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-16 23:57 . 2009-08-16 23:57 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-16 23:57 . 2009-08-16 23:57 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-06 17:48 . 2009-08-06 17:48 16384 ----a-w- c:\windows\system32\Msdirectx.exe
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 16:17 . 2009-07-14 16:17 15308440 ----a-w- c:\windows\system32\xlive.dll
2009-07-14 16:17 . 2009-07-14 16:17 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-07-12 11:21 . 2008-04-14 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2009-06-09 18:12 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 14:11 . 2009-06-09 18:11 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:41 . 2009-06-09 18:11 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:41 . 2009-06-09 18:10 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:41 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:41 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:41 . 2008-04-14 12:00 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 10:28 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-17 16:06 . 2009-06-17 16:06 65544 ----a-w- c:\windows\system32\drivers\WmXlCore.sys
2009-06-17 16:06 . 2009-06-17 16:06 14984 ----a-w- c:\windows\system32\drivers\WmVirHid.sys
2009-06-17 16:05 . 2009-06-17 16:05 31752 ----a-w- c:\windows\system32\drivers\WmHidLo.sys
2009-06-17 16:05 . 2009-06-17 16:05 35208 ----a-w- c:\windows\system32\drivers\WmFilter.sys
2009-06-17 16:05 . 2009-06-17 16:05 22792 ----a-w- c:\windows\system32\drivers\WmBEnum.sys
2009-06-17 16:05 . 2009-06-17 16:05 255496 ----a-w- c:\windows\system32\WmJoyFrc.dll
2009-08-07 09:38 . 2009-09-07 22:14 44544 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LeverageService"=2 (0x2)
"idsvc"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"Delete Duplicate Files Scan on Schedule Service"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"NeroMediaHomeService.4"=2 (0x2)
"SeaPort"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Audio Engine Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\newsbin pro\\nbpro.exe"=
"c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"h:\\arca 08\\ARCA.exe"=
"h:\\guitar hero\\ghaero\\Guitar Hero Aerosmith.exe"=
"h:\\guitar hero\\gh3\\GH3.exe"=
"h:\\Program Files\\Codemasters\\Ashes Cricket 2009\\Cricket2009.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"h:\\MotoGP URT 3\\motogp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11217:TCP"= 11217:TCP:BitComet 11217 TCP
"11217:UDP"= 11217:UDP:BitComet 11217 UDP

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [14/05/2009 15:47 731840]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\fsdbvrkmst.exe service --> c:\windows\TEMP\fsdbvrkmst.exe service [?]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\574.tmp --> c:\windows\system32\574.tmp [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [28/08/2009 23:50 79360]
S4 LeverageService;LeverageService;c:\program files\Pragmatic Solutions Inc\LeverageService\LeverageService.exe [31/08/2009 10:57 40960]
S4 NeroMediaHomeService.4;Nero MediaHome 4 Service;c:\program files\Nero\Nero MediaHome 4\NMMediaServerService.exe [29/08/2008 21:43 427304]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.driver-soft.com/html/110862.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0is16g9a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.newzbin.com/
FF - prefs.js: keyword.enabled - false
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{3303e956-2a3a-48e0-be39-2e0ef11a2f44} - (no file)
WebBrowser-{3303E956-2A3A-48E0-BE39-2E0EF11A2F44} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 20:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\574.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-10 20:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-10 19:26

Pre-Run: 132,666,449,920 bytes free
Post-Run: 132,584,411,136 bytes free

345 --- E O F --- 2009-09-10 16:42
  • 0

#12
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Run ComboFix once again.. Then post the fresh log here.. This time please observe whether Recovery Console wants to install or not.. If yes, please install it.. If not, please tell me :)
  • 0

#13
kev seal

kev seal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
On the original run of ComboFix, it wanted to install the Recovery Console, and I replied yes to download, but the download failed, so I continued with the scan anyway.
I disabled ESET Smart Security (antivirus and antispyware) as per the ComboFix instructions, but ComboFix rebooted; would ESET have stopped ComboFix from accessing the internet by default?

So do you still want me to continue with a second run of ComboFix, following your instructions about the Recovery Console?
  • 0

#14
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts

so do you still want me to continue with second run of combofix,following your instructions about recovery console?


Yes :)
  • 0

#15
kev seal

kev seal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
OK, ComboFix successfully downloaded the Recovery Console and continued with the scan. My PC is not protected as far as I can see, but I dare not reboot or activate anything just in case. Please advise the next step.

Here's the log:

ComboFix 09-09-09.09 - Administrator 10/09/2009 21:27.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1629 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-10 18:06 . 2009-09-10 18:06 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-10 18:06 . 2009-09-10 18:06 -------- d-----w- c:\windows\system32\xlive
2009-09-10 17:05 . 2009-09-10 17:05 -------- d-----w- c:\program files\trend micro
2009-09-10 17:05 . 2009-09-10 17:05 -------- d-----w- C:\rsit
2009-09-10 16:45 . 2009-09-10 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2009-09-10 03:44 . 2009-09-10 03:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AaaaaRecklessDisregard
2009-09-10 03:43 . 2009-09-10 03:44 -------- d-----w- c:\program files\AaaaaAAaaaAAAaaAAAAaAAAAA!!! - A Reckless Disregard for Gravity
2009-09-08 18:34 . 2009-09-08 18:34 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-08 18:34 . 2009-09-08 18:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-08 18:30 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-08 18:30 . 2009-09-08 18:30 -------- d-----w- c:\windows\ie8updates
2009-09-08 18:30 . 2009-07-19 17:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-08 18:30 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-08 18:30 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-08 18:30 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-08 18:30 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-08 18:30 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-08 18:29 . 2009-09-08 18:29 -------- dc-h--w- c:\windows\ie8
2009-09-08 18:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-09-08 18:21 . 2009-09-08 18:21 -------- d-----w- c:\program files\MSXML 4.0
2009-09-08 18:15 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-08 18:10 . 2009-09-08 18:10 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-08 17:54 . 2009-09-08 17:59 15 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-09-08 17:47 . 2009-09-10 18:32 -------- d--h--w- c:\windows\PIF
2009-09-08 17:39 . 2009-09-08 17:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-08 17:39 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 17:39 . 2009-09-08 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 17:39 . 2009-09-08 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 17:39 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:37 . 2009-09-09 16:47 -------- d-----w- c:\program files\ERUNT
2009-09-07 23:19 . 2009-09-07 23:19 -------- d-----w- c:\program files\Sophos
2009-09-07 22:20 . 2009-09-07 22:20 4 ----a-w- c:\windows\system32\aspdict-en.dat
2009-09-07 22:20 . 2009-09-07 22:20 16 ----a-w- c:\windows\system32\asdict.dat
2009-09-07 22:11 . 2009-09-07 22:31 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2009-09-07 21:48 . 2009-09-07 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-09-07 21:47 . 2009-09-07 21:48 -------- d-----w- c:\program files\Common Files\BitDefender
2009-09-07 16:31 . 2009-09-07 16:31 -------- d-----w- c:\program files\ESET
2009-09-06 16:11 . 2009-09-06 16:11 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-09-06 12:47 . 2009-09-06 12:56 -------- d-----w- c:\program files\Total Video Converter
2009-09-06 12:42 . 2009-09-06 12:42 -------- d-----w- c:\program files\Common Files\Common Share
2009-09-06 12:42 . 2008-12-18 12:38 719872 ----a-w- c:\windows\system32\devil.dll
2009-09-06 12:42 . 2008-12-18 12:38 351744 ----a-w- c:\windows\system32\avisynth.dll
2009-09-06 12:42 . 2009-09-06 12:42 -------- d-----w- c:\program files\OJOsoft
2009-09-06 12:25 . 2009-09-06 12:25 -------- d-----w- c:\program files\Common Files\NSV
2009-09-06 11:21 . 2009-09-06 11:21 -------- d-----w- c:\program files\Common Files\DirectX
2009-09-06 11:17 . 1999-12-13 00:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
2009-09-06 11:17 . 1999-11-18 00:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
2009-09-06 11:17 . 2009-09-06 11:17 -------- d--h--w- c:\program files\Creative Installation Information
2009-09-06 11:17 . 2009-09-06 11:17 -------- d-----w- c:\program files\Common Files\Creative
2009-09-06 10:02 . 2009-09-06 10:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WMTools Downloaded Files
2009-09-06 07:16 . 2009-09-06 07:16 -------- d-----w- c:\program files\Common Files\Doblon
2009-09-06 07:14 . 2009-09-06 07:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-09-06 07:11 . 2007-07-26 23:06 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-06 07:11 . 2007-07-26 23:06 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-06 07:11 . 2009-09-06 07:11 -------- d-----w- c:\program files\DivX
2009-09-06 06:20 . 2009-09-06 06:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\fofix
2009-09-06 04:42 . 2009-09-06 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2009-09-06 04:41 . 2009-09-06 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2009-09-06 01:58 . 2009-09-06 01:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-09-06 01:51 . 2009-09-06 01:51 -------- d-----w- c:\program files\Ventrilo
2009-09-05 19:31 . 2009-09-05 19:31 -------- d-----w- c:\program files\Logitech
2009-09-05 11:50 . 2009-09-05 11:50 -------- d-----w- c:\program files\JoyTechEurope
2009-09-05 08:56 . 2009-09-05 08:56 -------- d-----w- c:\program files\Atari
2009-09-05 08:46 . 2009-09-05 08:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-05 08:46 . 2009-09-05 08:46 -------- d-----w- c:\program files\Java
2009-09-05 05:39 . 2009-09-06 16:38 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-09-05 05:38 . 2009-09-05 05:38 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-05 05:36 . 2009-09-05 05:36 -------- d-----w- c:\program files\Microsoft
2009-09-05 05:36 . 2009-09-05 05:36 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-05 05:36 . 2009-09-05 05:38 -------- d-----w- c:\program files\Windows Live
2009-09-05 05:32 . 2009-09-05 05:32 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-05 05:05 . 2009-09-05 08:04 -------- d-----w- c:\program files\A Handful Of Audiosurf Addons
2009-09-04 22:15 . 2009-03-09 14:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-09-04 22:15 . 2009-03-09 14:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-09-04 22:15 . 2009-03-09 14:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-09-04 22:15 . 2009-03-16 13:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 22:15 . 2009-03-16 13:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-09-04 22:15 . 2009-03-16 13:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-09-04 22:15 . 2009-03-16 13:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-09-04 21:05 . 2009-06-03 23:55 25600 ----a-w- c:\windows\system32\Ctxfihlp.exe
2009-09-04 18:21 . 2009-09-04 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin
2009-09-04 18:21 . 2009-09-04 18:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\iWin
2009-09-04 12:38 . 2009-09-07 22:26 -------- d-----w- c:\program files\Spyware Terminator
2009-09-04 01:02 . 2009-09-04 01:02 -------- d-----w- c:\program files\MP3+G Toolz .NET 4
2009-09-04 00:53 . 1999-03-25 23:00 101888 ----a-w- c:\windows\system32\vb6stkit.dll
2009-09-04 00:34 . 2009-09-04 00:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2009-09-04 00:34 . 2009-09-04 00:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Power_Karaoke
2009-09-03 23:13 . 2009-09-04 01:08 -------- d-----w- C:\pebuilder3110a
2009-09-03 06:07 . 2009-09-03 06:07 -------- d-----w- c:\program files\Conduit
2009-09-03 06:06 . 2009-09-03 06:07 -------- d-----w- c:\program files\Power_Karaoke
2009-09-03 06:06 . 2009-09-06 07:06 -------- d-----w- c:\program files\DOBLON
2009-09-02 17:44 . 2008-04-13 21:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-09-02 17:44 . 2008-04-13 21:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-09-02 17:43 . 2008-04-13 21:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-09-02 17:43 . 2008-04-13 21:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-09-02 17:43 . 2008-04-13 21:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-09-02 17:43 . 2008-04-13 21:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-09-02 17:43 . 2008-04-13 21:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-09-02 17:43 . 2008-04-13 21:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-09-02 17:42 . 2008-04-13 21:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-09-02 17:42 . 2008-04-13 21:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-09-02 17:42 . 2008-04-13 21:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-09-02 17:42 . 2008-04-13 21:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-09-02 17:41 . 2008-04-13 21:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2009-09-02 17:41 . 2008-04-13 21:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-09-02 17:40 . 2008-04-14 02:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-09-02 17:40 . 2008-04-14 02:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-09-02 17:40 . 2008-04-13 21:16 121984 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2009-09-02 17:40 . 2008-04-13 21:16 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2009-09-02 17:32 . 2009-09-02 17:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-09-02 17:29 . 2009-09-02 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\LeverageService
2009-09-02 17:29 . 2009-09-02 17:29 -------- d-----w- c:\program files\Pragmatic Solutions Inc
2009-09-01 20:05 . 2009-09-01 20:06 11789 ----a-w- c:\windows\unins000.dat
2009-09-01 20:05 . 2009-09-01 20:05 684313 ----a-w- c:\windows\unins000.exe
2009-09-01 20:00 . 2009-09-02 17:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Deckadance
2009-09-01 19:59 . 2009-09-01 19:59 -------- d-----w- c:\program files\Common Files\DigiDesign
2009-09-01 19:59 . 2009-09-01 19:59 -------- d-----w- c:\program files\XLN Audio
2009-09-01 19:40 . 2009-09-01 19:40 -------- d-----w- c:\program files\ASIO4ALL v2
2009-09-01 19:40 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2009-09-01 19:39 . 2009-09-01 19:39 -------- d-----w- c:\program files\Outsim
2009-09-01 19:38 . 2009-09-07 22:47 -------- d-----w- c:\program files\Image-Line
2009-09-01 18:56 . 2009-09-01 18:56 -------- d-----w- C:\drumit
2009-09-01 16:36 . 2009-09-01 18:13 -------- d-----w- c:\program files\EndItAll
2009-09-01 04:57 . 2009-09-01 04:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ulead Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 13:08 . 2009-08-28 21:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-06 12:23 . 2009-08-30 08:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-09-06 11:17 . 2009-08-28 22:50 -------- d-----w- c:\program files\Creative
2009-09-06 06:39 . 2009-08-28 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-09-04 21:16 . 2009-08-28 22:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-04 21:16 . 2009-08-28 22:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-30 08:56 . 2009-08-30 08:53 -------- d-----w- c:\program files\Winamp
2009-08-29 10:57 . 2009-08-29 10:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-08-29 10:56 . 2009-08-29 10:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-08-28 22:50 . 2009-08-28 22:50 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2009-08-28 22:49 . 2009-08-28 22:49 -------- d-----w- c:\program files\OpenAL
2009-08-28 21:03 . 2009-08-28 21:03 -------- d-----w- c:\program files\Driver-Soft
2009-08-28 20:41 . 2009-08-28 20:41 -------- d-----w- c:\program files\microsoft frontpage
2009-08-28 20:38 . 2009-08-28 20:38 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-17 02:04 . 2009-08-17 02:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 02:04 . 2009-08-17 02:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 02:03 . 2009-08-17 02:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 02:03 . 2009-08-17 02:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 02:03 . 2009-08-17 02:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 02:03 . 2009-08-17 02:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 02:03 . 2009-08-17 02:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 02:03 . 2009-08-17 02:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 02:03 . 2009-08-17 02:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 02:03 . 2009-08-17 02:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 02:03 . 2009-08-17 02:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 02:03 . 2009-08-17 02:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 02:02 . 2009-08-17 02:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-16 23:57 . 2009-08-16 23:57 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-16 23:57 . 2009-08-16 23:57 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-16 23:57 . 2009-08-16 23:57 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-16 23:57 . 2009-08-16 23:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-16 23:57 . 2009-08-16 23:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-16 23:57 . 2009-08-16 23:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-16 23:57 . 2009-08-16 23:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-16 23:57 . 2009-08-16 23:57 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-16 23:57 . 2009-08-16 23:57 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-16 23:57 . 2009-08-16 23:57 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-06 17:48 . 2009-08-06 17:48 16384 ----a-w- c:\windows\system32\Msdirectx.exe
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 16:17 . 2009-07-14 16:17 15308440 ----a-w- c:\windows\system32\xlive.dll
2009-07-14 16:17 . 2009-07-14 16:17 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-07-12 11:21 . 2008-04-14 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2009-06-09 18:12 915456 ------w- c:\windows\system32\wininet.dll
2009-06-26 14:11 . 2009-06-09 18:11 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:41 . 2009-06-09 18:11 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:41 . 2009-06-09 18:10 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:41 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:41 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:41 . 2008-04-14 12:00 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 10:28 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-17 16:06 . 2009-06-17 16:06 65544 ----a-w- c:\windows\system32\drivers\WmXlCore.sys
2009-06-17 16:06 . 2009-06-17 16:06 14984 ----a-w- c:\windows\system32\drivers\WmVirHid.sys
2009-06-17 16:05 . 2009-06-17 16:05 31752 ----a-w- c:\windows\system32\drivers\WmHidLo.sys
2009-06-17 16:05 . 2009-06-17 16:05 35208 ----a-w- c:\windows\system32\drivers\WmFilter.sys
2009-06-17 16:05 . 2009-06-17 16:05 22792 ----a-w- c:\windows\system32\drivers\WmBEnum.sys
2009-06-17 16:05 . 2009-06-17 16:05 255496 ----a-w- c:\windows\system32\WmJoyFrc.dll
2009-08-07 09:38 . 2009-09-07 22:14 44544 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LeverageService"=2 (0x2)
"idsvc"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"Delete Duplicate Files Scan on Schedule Service"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"NeroMediaHomeService.4"=2 (0x2)
"SeaPort"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Audio Engine Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\newsbin pro\\nbpro.exe"=
"c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"h:\\arca 08\\ARCA.exe"=
"h:\\guitar hero\\ghaero\\Guitar Hero Aerosmith.exe"=
"h:\\guitar hero\\gh3\\GH3.exe"=
"h:\\Program Files\\Codemasters\\Ashes Cricket 2009\\Cricket2009.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"h:\\MotoGP URT 3\\motogp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11217:TCP"= 11217:TCP:BitComet 11217 TCP
"11217:UDP"= 11217:UDP:BitComet 11217 UDP

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [14/05/2009 15:47 731840]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\fsdbvrkmst.exe service --> c:\windows\TEMP\fsdbvrkmst.exe service [?]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [04/06/2009 02:46 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [04/06/2009 02:46 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [04/06/2009 02:46 72728]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\574.tmp --> c:\windows\system32\574.tmp [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [28/08/2009 23:50 79360]
S4 LeverageService;LeverageService;c:\program files\Pragmatic Solutions Inc\LeverageService\LeverageService.exe [31/08/2009 10:57 40960]
S4 NeroMediaHomeService.4;Nero MediaHome 4 Service;c:\program files\Nero\Nero MediaHome 4\NMMediaServerService.exe [29/08/2008 21:43 427304]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.driver-soft.com/html/110862.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0is16g9a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.newzbin.com/
FF - prefs.js: keyword.enabled - false
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 21:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\574.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-10 21:34
ComboFix-quarantined-files.txt 2009-09-10 20:34
ComboFix2.txt 2009-09-10 19:26

Pre-Run: 132,561,027,072 bytes free
Post-Run: 132,525,764,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

318 --- E O F --- 2009-09-10 16:42