Unknown infection, would appreciate any help

#1 SpecialA20 (New Member, 6 posts)

Hello everyone,

My brother's been using this site on the family computer to get it cleaned up, and I'm having some trouble on my computer as well, so I thought I'd give you guys a try. Since two days ago, my computer has been having some issues with some kind of malware. I'll just be browsing the Internet, on safe sites I've been visiting for years, and all of a sudden I'll get a prompt from Firefox to download something called "catalog.pdf" from "car-trade.net" or something of that sort. And occasionally, while reading a longer webpage, I'll get a "Popup Blocked" from Firefox and notice at the bottom of my status bar that it's cycling through dozens upon dozens of ad sites (doubleclick, google, etc.). When it's done, I end up at a random ad site... but I only have to go Back once to get back to the page I was viewing. It's strange.

Another weird thing to report on this is that my "Hide extensions for known file types" keeps checking itself, even though I want it off.
Anyway, here's the information as requested by the sticky topic.

MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3654
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/28/2010 2:37:19 PM
mbam-log-2010-01-28 (14-37-19).txt

Scan type: Quick Scan
Objects scanned: 104782
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-29 14:52:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Alex\LOCALS~1\Temp\axncykog.sys


---- System - GMER 1.0.15 ----

SSDT spup.sys ZwCreateKey [0xB7EB50E0]
SSDT spup.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spup.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT spup.sys ZwOpenKey [0xB7EB50C0]
SSDT spup.sys ZwQueryKey [0xB7ECE20A]
SSDT spup.sys ZwQueryValueKey [0xB7ECE08A]
SSDT spup.sys ZwSetValueKey [0xB7ECE29C]

INT 0x63 ? 8A3A3BF8
INT 0x63 ? 8A3A3BF8
INT 0x63 ? 8A10EBF8
INT 0x63 ? 8A3A3BF8
INT 0x83 ? 8A3A3BF8
INT 0x83 ? 8A3A3BF8
INT 0x83 ? 8A10EBF8
INT 0x83 ? 8A3A3BF8
INT 0x84 ? 8A10EBF8
INT 0xA4 ? 8A10EBF8
INT 0xA4 ? 8A10EBF8
INT 0xA4 ? 8A10EBF8
INT 0xA4 ? 8A10EBF8
INT 0xB4 ? 8A10EBF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A3A21F8
Device \FileSystem\Udfs \UdfsCdRom 8A2E84D8
Device \FileSystem\Udfs \UdfsDisk 8A2E84D8
Device \Driver\usbuhci \Device\USBPDO-0 8A2001F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A4141F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A4141F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A4141F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A4141F8
Device \Driver\usbuhci \Device\USBPDO-1 8A2001F8
Device \Driver\usbuhci \Device\USBPDO-2 8A2001F8
Device \Driver\usbehci \Device\USBPDO-3 8A0FF500
Device \Driver\usbuhci \Device\USBPDO-4 8A2001F8
Device \Driver\usbuhci \Device\USBPDO-5 8A2001F8
Device \Driver\usbuhci \Device\USBPDO-6 8A2001F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A3A41F8
Device \Driver\usbehci \Device\USBPDO-7 8A0FF500
Device \Driver\Cdrom \Device\CdRom0 8A1E3500
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8960E1F8
Device \Driver\NetBT \Device\NetbiosSmb 8960E1F8
Device \Driver\usbuhci \Device\USBFDO-0 8A2001F8
Device \Driver\usbuhci \Device\USBFDO-1 8A2001F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8960A1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A2001F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8960A1F8
Device \Driver\usbehci \Device\USBFDO-3 8A0FF500
Device \Driver\usbuhci \Device\USBFDO-4 8A2001F8
Device \Driver\Ftdisk \Device\FtControl 8A3A41F8
Device \Driver\usbuhci \Device\USBFDO-5 8A2001F8
Device \Driver\usbuhci \Device\USBFDO-6 8A2001F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F5EA13CB-CEFB-4855-B7A7-9664AD852B8E} 8960E1F8
Device \Driver\usbehci \Device\USBFDO-7 8A0FF500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x16 0x09 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x16 0x09 0x24 ...

---- EOF - GMER 1.0.15 ----

And finally, OTL:

OTL logfile created on: 1/29/2010 2:53:34 PM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\Alex\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 102.16 Gb Free Space | 43.87% Space Free | Partition Type: NTFS
Drive D: | 6.95 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: A-CBBA345A89204
Current User Name: Alex
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/29 14:53:11 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe
PRC - [2010/01/15 16:03:44 | 00,075,064 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2010/01/05 00:25:33 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/08 03:29:24 | 18,789,920 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/29 19:08:50 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/12/18 14:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/12/18 13:19:44 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2008/04/14 05:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/01/29 14:53:11 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/15 16:03:44 | 00,075,064 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/29 21:15:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2009/09/29 19:08:50 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/06/07 12:53:00 | 02,837,852 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2009/03/12 11:53:46 | 00,254,036 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe -- (STacSV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.egameaddi...rums/index.php"
FF - prefs.js..extensions.enabledItems: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1}:0.7.4
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20091209.4
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2a}:1.3.7
FF - prefs.js..extensions.enabledItems: {8620c15f-30dc-4dba-a131-7c5d20cf4a29}:2.0.3
FF - prefs.js..extensions.enabledItems: {210249CE-F888-11DD-B868-4CB456D89593}:2.1.2
FF - prefs.js..extensions.enabledItems: [email protected]:1.3

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/21 00:02:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/21 00:02:21 | 00,000,000 | ---D | M]

[2009/10/25 19:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Mozilla\Extensions
[2010/01/29 13:06:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions
[2009/10/25 19:55:54 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\{210249CE-F888-11DD-B868-4CB456D89593}
[2009/12/08 18:23:54 | 00,000,000 | ---D | M] (Linkification) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
[2009/11/15 19:13:07 | 00,000,000 | ---D | M] (GameFOX) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
[2009/12/08 18:23:54 | 00,000,000 | ---D | M] (Nightly Tester Tools) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\{8620c15f-30dc-4dba-a131-7c5d20cf4a29}
[2009/12/26 19:13:54 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\{CF21B02D-E72F-4f3e-B001-261398A484FE}
[2009/12/18 12:12:00 | 00,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/12/26 19:25:51 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\{f304555a-4dfb-4c0b-bdf2-a4e3cb57215f}
[2009/10/25 19:56:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\q3lhpt7b.default\extensions\[email protected]
[2010/01/27 12:40:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/02 23:34:44 | 00,083,376 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
[2009/08/17 06:42:14 | 00,073,728 | ---- | M] (NHN USA Inc. ) -- C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

O1 HOSTS File: ([2008/04/14 05:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AntiLogger] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKCU..\Run: [DisplayFusion] C:\Program Files\DisplayFusion\DisplayFusion.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} http://intel-drv-cdn...reqlab_srlx.cab (System Requirements Lab Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1256521897081 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Alex\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Alex\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/25 19:42:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/07/15 17:53:55 | 00,000,142 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{d2932826-b837-11dc-a05b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{d2932826-b837-11dc-a05b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d2932826-b837-11dc-a05b-806d6172696f}\Shell\AutoRun\command - "" = D:\Setup\rsrc\AUTORUN.EXE -- [2007/08/15 18:55:00 | 00,051,048 | R--- | M] (Activision)
O33 - MountPoints2\{d2932826-b837-11dc-a05b-806d6172696f}\Shell\dinstall\command - "" = D:\DirectX\DXSETUP.exe -- [2008/05/30 15:34:50 | 00,528,392 | R--- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/10/28 05:10:31 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/29 14:53:11 | 00,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe
[2010/01/29 13:38:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alex\Desktop\gmer
[2010/01/29 13:34:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/29 13:34:04 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/29 13:33:52 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Alex\Desktop\erunt_setup.exe
[2010/01/29 13:32:01 | 00,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\TFC.exe
[2010/01/28 14:21:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alex\Application Data\Malwarebytes
[2010/01/28 14:21:43 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/28 14:21:42 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/28 14:21:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/28 14:21:41 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/28 14:21:16 | 05,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Alex\Desktop\mbam-setup.exe
[2010/01/25 16:35:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alex\Application Data\Mumble
[2010/01/25 16:34:49 | 00,000,000 | ---D | C] -- C:\Program Files\Mumble
[2010/01/21 00:01:50 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/01/21 00:01:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/01/21 00:01:30 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/01/21 00:01:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alex\Local Settings\Application Data\Apple
[2010/01/21 00:01:23 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/01/21 00:01:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/01/21 00:01:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alex\Local Settings\Application Data\Apple Computer
[2010/01/15 16:03:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Alex\Local Settings\Application Data\PunkBuster
[2009/11/01 12:04:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/30 20:17:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Xfire
[2009/10/25 20:34:52 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Alex\Application Data\pcouffin.sys
[2009/10/25 19:46:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/10/25 19:42:04 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/10/25 19:42:04 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/01/29 14:53:11 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe
[2010/01/29 13:38:46 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\gmer.zip
[2010/01/29 13:34:59 | 04,194,304 | -H-- | M] () -- C:\Documents and Settings\Alex\NTUSER.DAT
[2010/01/29 13:34:05 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\NTREGOPT.lnk
[2010/01/29 13:34:05 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\ERUNT.lnk
[2010/01/29 13:33:54 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Alex\Desktop\erunt_setup.exe
[2010/01/29 13:33:36 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/29 13:33:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/29 13:33:17 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/29 13:32:31 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Alex\ntuser.ini
[2010/01/29 13:32:01 | 00,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\TFC.exe
[2010/01/29 01:05:08 | 00,081,091 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\012800_2205[00].jpg
[2010/01/29 01:04:50 | 00,110,692 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\012800_2200[01].jpg
[2010/01/28 14:21:19 | 05,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Alex\Desktop\mbam-setup.exe
[2010/01/25 16:36:23 | 00,002,377 | ---- | M] () -- C:\Documents and Settings\Alex\My Documents\MumbleAutomaticCertificateBackup.p12
[2010/01/25 16:34:26 | 13,091,216 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\Mumble-1.2.1.exe
[2010/01/23 21:06:36 | 00,006,656 | ---- | M] () -- C:\Documents and Settings\Alex\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/21 02:55:11 | 04,839,436 | -H-- | M] () -- C:\Documents and Settings\Alex\Local Settings\Application Data\IconCache.db
[2010/01/19 21:14:56 | 00,083,977 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\Noboost.PNG
[2010/01/19 21:13:17 | 00,002,205 | ---- | M] () -- C:\Documents and Settings\Alex\.recently-used.xbel
[2010/01/15 16:10:19 | 00,189,184 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2010/01/15 16:03:44 | 00,138,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/01/15 16:03:44 | 00,075,064 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2010/01/15 16:03:20 | 00,189,184 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe

========== Files Created - No Company Name ==========

[2010/01/29 13:38:45 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\gmer.zip
[2010/01/29 13:34:05 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\NTREGOPT.lnk
[2010/01/29 13:34:05 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\ERUNT.lnk
[2010/01/29 01:05:07 | 00,081,091 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\012800_2205[00].jpg
[2010/01/29 01:04:49 | 00,110,692 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\012800_2200[01].jpg
[2010/01/25 16:36:23 | 00,002,377 | ---- | C] () -- C:\Documents and Settings\Alex\My Documents\MumbleAutomaticCertificateBackup.p12
[2010/01/25 16:34:15 | 13,091,216 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\Mumble-1.2.1.exe
[2010/01/19 21:13:17 | 00,002,205 | ---- | C] () -- C:\Documents and Settings\Alex\.recently-used.xbel
[2010/01/19 21:13:04 | 00,083,977 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\Noboost.PNG
[2010/01/15 16:03:54 | 00,189,184 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2010/01/14 22:19:41 | 00,138,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/01/14 22:19:41 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Alex\Application Data\PnkBstrK.sys
[2010/01/14 21:19:16 | 00,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/01/08 22:37:20 | 00,006,656 | ---- | C] () -- C:\Documents and Settings\Alex\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/06 23:36:10 | 00,000,287 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/10/29 17:06:04 | 00,069,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/10/25 20:35:04 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Alex\Application Data\pcouffin.log
[2009/10/25 20:34:52 | 00,087,608 | ---- | C] () -- C:\Documents and Settings\Alex\Application Data\inst.exe
[2009/10/25 20:34:52 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Alex\Application Data\pcouffin.cat
[2009/10/25 20:34:52 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Alex\Application Data\pcouffin.inf
[2009/10/14 17:01:24 | 00,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2008/02/05 12:28:20 | 00,000,051 | ---- | C] () -- C:\Documents and Settings\Alex\Local Settings\Application Data\setup.txt
[2008/01/01 02:51:04 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

========== LOP Check ==========

[2009/10/25 20:11:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Any Video Converter
[2010/01/14 21:23:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\DAEMON Tools Lite
[2009/10/25 21:00:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\DisplayFusion
[2009/10/30 20:34:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\foobar2000
[2009/10/26 17:46:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\ijjigame
[2010/01/14 21:13:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\ImgBurn
[2010/01/25 16:44:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Mumble
[2009/11/01 17:53:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\MusicBrainz
[2009/11/01 22:47:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Publish Providers
[2009/11/01 22:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Sony
[2009/10/27 18:41:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\SumatraPDF
[2009/11/05 22:11:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Synthesia
[2009/12/20 15:22:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\TeamViewer
[2009/11/01 17:50:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\tidysongs15.27F6A35B76E5883BF9E6FEE514586561E60595CA.1
[2010/01/14 22:53:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\VitySoft
[2009/10/25 20:35:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Vso
[2010/01/14 21:18:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2009/10/26 19:52:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ijjigame
[2009/10/29 17:14:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2009/11/26 10:58:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/29 00:03:43 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{E8DD7A4A-3EE8-4019-898E-952A32C3B613}

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/04/14 05:00:00 | 00,514,560 | ---- | M] (Microsoft Corporation) -- C:\logonui.exe


< MD5 for: AGP440.SYS >
[2008/04/14 05:00:00 | 20,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:00:00 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:00:00 | 20,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 05:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/09/29 19:20:58 | 00,442,368 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
< End of report >

Thanks for any help!