Unknown infection


#1 NightWalker (New Member, 8 posts)

I contracted some form of virus of some sort from browsing recently and have no idea what it is or how to clean it.

I had AVG installed previously and it won't allow me to update it, saying forbidden access to server; with the Nov 11 definition it did not detect anything.

Tried a few other antivirus programs after that and it didn't fix it either.
Antivirus tools that I have tried and the results are as below:
1) AVG that was installed; also ran rmagent_en but it didn't fix it.
2) TrendMicro HouseCall - cleaned a few files and ran it a few times again but it didn't solve the problem.
3) Avira couldn't even install.
4) Avira removal tool couldn't start.
5) Malwarebytes - starts and auto-closes a few seconds later.
6) ESET NOD32 - installed, couldn't update and couldn't scan either.
7) Avast - couldn't install.
8) Panda Security Cloud Antivirus - installed but it doesn't allow me to confirm my login and password; says no internet connection.

Ran ComboFix and it didn't fix it either.

Even the game launcher for World of Warcraft that I play, which has a built-in detector to combat keyloggers, couldn't be started.

It disables my access to a few antivirus websites too; I had to find alternatives other than the official sites to download them, and the results are as above.

Some sneaky bug I have caught, and it's biting my butt.

Please guide me on how to cure my PC.

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello NightWalker

Welcome to G2Go. :)
=====================

Please download DDS and save it to your desktop.
  • Disable any script-blocking protection.
  • Double-click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for the Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt
================
Download this file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


#3 NightWalker (Topic Starter, New Member, 8 posts)

Hi kahdah,

Below are the 3 scans requested.


DDS (Ver_09-11-24.02) - NTFSx86
Run by Erubus at 13:32:18.50 on Wed 11/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2744 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Proxifier\Proxifier.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\procexp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Erubus\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Proxifier] "c:\program files\proxifier\Proxifier.exe" aut
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Google Update] "c:\documents and settings\erubus\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Hard Disk Sentinel] "c:\program files\hard disk sentinel\HDSentinel.exe" /AUTORUN
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
StartupFolder: c:\docume~1\erubus\startm~1\programs\startup\shortc~1.lnk - c:\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %SystemRoot%\system32\PrxerDrv.dll
LSP: w2pxdrv.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://192.168.2.5/Ctl/WinWebPush.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {5A2C8AF3-3029-4C67-AF2A-1367C4586ECB} = 192.168.2.1
TCP: {AE4B078F-960D-4B02-9202-DDEBD650EC45} = 192.168.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2009-8-10 40496]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-11-20 89600]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp2\RpcAgentSrv.exe [2009-4-16 98488]

=============== Created Last 30 ================

2009-11-25 04:48:14 292352 ----a-w- C:\bdptuur5.exe
2009-11-23 16:33:52 0 d-----w- C:\CFx
2009-11-23 16:19:22 0 d-sha-r- C:\cmdcons
2009-11-23 16:17:26 98816 ----a-w- c:\windows\sed.exe
2009-11-23 16:17:26 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 16:17:26 260608 ----a-w- c:\windows\PEV.exe
2009-11-23 16:17:26 161792 ----a-w- c:\windows\SWREG.exe
2009-11-22 00:36:09 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-20 20:18:51 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-20 14:30:23 195 ----a-w- C:\hosts.xml
2009-11-20 14:30:22 128 ----a-w- C:\settings.xml
2009-11-20 12:06:52 0 d-----w- C:\AVGTemp
2009-11-19 18:37:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Protexis
2009-11-10 13:11:46 0 d-----w- c:\program files\Microsoft

==================== Find3M ====================

2009-10-26 10:52:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-26 10:52:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-10 20:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 13:32:35.25 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-24.02)

Microsoft Windows XP Professional
Boot Device: \Device\Harddisk1\DP(2)0xafca65200-0xc8c373000+4
Install Date: 11/19/2008 11:57:59 PM
System Uptime: 11/25/2009 1:30:16 PM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | EP43-DS3
Processor: Intel Pentium III Xeon processor | Socket 775 | 2666/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 50 GiB total, 4.957 GiB free.
D: is FIXED (NTFS) - 488 GiB total, 173.199 GiB free.
E: is FIXED (NTFS) - 811 GiB total, 227.086 GiB free.
G: is FIXED (NTFS) - 44 GiB total, 36.076 GiB free.
H: is FIXED (NTFS) - 466 GiB total, 419.883 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek PCIe GBE Family Controller
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&2182FE78&0&00E5
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek PCIe GBE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&2182FE78&0&00E5
Service: RTLE8023xp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\0FEAFFFFFA
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\0FEAFFFFFA
Service: NIC1394

==== System Restore Points ===================

RP54: 9/4/2009 11:21:19 PM - Installed AVG Free 8.5
RP55: 9/5/2009 9:24:33 AM - Avg8 Update
RP56: 9/6/2009 10:12:49 AM - System Checkpoint
RP57: 9/7/2009 10:35:43 AM - System Checkpoint
RP58: 9/7/2009 5:28:12 PM - Installed DirectX
RP59: 9/8/2009 6:24:13 PM - System Checkpoint
RP60: 9/9/2009 10:03:13 PM - System Checkpoint
RP61: 9/10/2009 5:32:04 PM - Removed Opera 9.64
RP62: 9/10/2009 5:32:13 PM - Installed Opera 10.00.
RP63: 9/11/2009 6:18:42 PM - System Checkpoint
RP64: 9/11/2009 9:02:55 PM - Software Distribution Service 3.0
RP65: 9/13/2009 4:14:49 AM - System Checkpoint
RP66: 9/14/2009 5:23:09 AM - System Checkpoint
RP67: 9/15/2009 9:18:46 AM - System Checkpoint
RP68: 9/16/2009 10:09:30 AM - System Checkpoint
RP69: 9/17/2009 10:31:14 AM - System Checkpoint
RP70: 9/17/2009 9:56:41 PM - Installed Java™ 6 Update 16
RP71: 9/19/2009 12:36:32 AM - System Checkpoint
RP72: 9/20/2009 1:31:21 AM - System Checkpoint
RP73: 9/21/2009 1:39:30 AM - System Checkpoint
RP74: 9/22/2009 3:56:20 AM - Software Distribution Service 3.0
RP75: 9/22/2009 4:30:23 AM - Printer Driver Microsoft XPS Document Writer Installed
RP76: 9/23/2009 9:55:40 AM - Software Distribution Service 3.0
RP77: 9/25/2009 8:23:22 AM - System Checkpoint
RP78: 9/26/2009 3:44:35 AM - Removed Java™ 6 Update 15
RP79: 9/26/2009 3:55:44 AM - Installed Java™ 6 Update 16
RP80: 10/1/2009 9:00:55 AM - System Checkpoint
RP81: 10/5/2009 10:18:30 AM - System Checkpoint
RP82: 10/8/2009 8:13:00 PM - Installed REALTEK GbE & FE Ethernet PCI-E NIC Driver
RP83: 10/8/2009 8:35:10 PM - Installed REALTEK GbE & FE Ethernet PCI-E NIC Driver
RP84: 10/8/2009 8:35:41 PM - Removed REALTEK GbE & FE Ethernet PCI-E NIC Driver
RP85: 10/8/2009 8:37:08 PM - Installed REALTEK GbE & FE Ethernet PCI-E NIC Driver
RP86: 10/11/2009 1:39:28 PM - System Checkpoint
RP87: 10/13/2009 11:44:19 AM - System Checkpoint
RP88: 10/16/2009 2:51:33 AM - System Checkpoint
RP89: 10/16/2009 9:36:26 AM - Avg8 Update
RP90: 10/16/2009 11:33:52 PM - Avg8 Update
RP91: 10/17/2009 8:39:02 AM - Avg8 Update
RP92: 10/24/2009 7:09:15 PM - System Checkpoint
RP93: 10/26/2009 5:20:09 AM - System Checkpoint
RP94: 10/27/2009 8:51:30 AM - Avg8 Update
RP95: 10/29/2009 2:04:58 PM - System Checkpoint
RP96: 10/31/2009 6:32:30 PM - System Checkpoint
RP97: 11/3/2009 1:59:38 AM - System Checkpoint
RP98: 11/4/2009 11:20:59 AM - Avg8 Update
RP99: 11/4/2009 11:26:45 AM - Installed Java™ 6 Update 17
RP100: 11/6/2009 8:46:32 PM - Avg8 Update
RP101: 11/8/2009 5:48:26 AM - Removed Opera 10.00.
RP102: 11/8/2009 5:48:37 AM - Installed Opera 10.01.
RP103: 11/9/2009 6:10:07 AM - System Checkpoint
RP104: 11/13/2009 11:47:53 PM - System Checkpoint
RP105: 11/15/2009 5:17:36 AM - System Checkpoint
RP106: 11/20/2009 2:06:52 AM - Installed Easy Inbox Mailer
RP107: 11/20/2009 2:36:54 AM - Installed Bulk Email Sender
RP108: 11/20/2009 10:38:46 PM - Removed Bulk Email Sender
RP109: 11/20/2009 10:39:05 PM - Removed Easy Inbox Mailer
RP110: 11/21/2009 4:01:51 AM - Removed AVG Free 8.5
RP111: 11/21/2009 4:03:11 AM - Installed AVG Free 8.5
RP112: 11/21/2009 5:35:10 AM - Installed AVG Free 9.0
RP113: 11/23/2009 10:30:26 PM - Removed AVG Free 9.0
RP114: 11/23/2009 10:35:37 PM - Installed AVG Free 9.0
RP115: 11/24/2009 12:49:31 AM - Installed Kaspersky Anti-Virus 2010.
RP116: 11/24/2009 1:06:58 AM - Removed Kaspersky Anti-Virus 2010.
RP117: 11/24/2009 1:22:31 AM - Installed ESET NOD32 Antivirus
RP118: 11/24/2009 2:22:09 AM - Removed ESET NOD32 Antivirus

==== Installed Programs ======================

AAC Decoder
AC3Filter (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
Adobe Shockwave Player 11.5
Advanced SystemCare 3
Alarm Clock v1.0
Anno 1404
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
autoscan-network
AutoUpdate
Browser Configuration Utility
Burnout™ Paradise The Ultimate Box
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Command & Conquer 3
D-Link AirPlus
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DMIView B06.1227.01
Driver Sweeper 1.5.5
Easy Tune 6 B08.1030.1
EVEREST Ultimate Edition v5.02
ffdshow [rev 2447] [2008-12-08]
Google Chrome
Google Earth
H.264 Decoder
Hard Disk Sentinel PRO
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Java™ 6 Update 17
Junk Mail filter update
LightScribe 1.6.43.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MKV Splitter
MSVCRT
Nero 7 Essentials
NetLimiter 2 Pro (remove only)
OpenOffice.org 2.4
Opera 10.01
Paragon Hard Disk Manager™ 2009 Professional Edition
PC Wizard 2008.1.871
Ping Plotter Freeware
Proxifier version 2.8
ProxyCap
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RegistryFix v7.1
SeaTools for Windows
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Segoe UI
SiSoftware Sandra Lite 2009.SP2
Skins
Skype™ 3.8
Smart Defrag 1.11
Uniblue RegistryBooster 2009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Manager B08.0515.1
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 8.0 ATL (x86) WinSXS MSM
Visual C++ 8.0 CRT (x86) WinSXS MSM
VNC Enterprise Edition E4.5.1
VNC Mirror Driver 1.8.0
VNC Printer Driver 1.6.0
Vuze
WebFldrs XP
Winamp
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows XP Service Pack 3
WinPcap 4.0.2
WinRAR archiver
WinZip
World of Warcraft

==== Event Viewer Messages From Past Week ========

11/24/2009 3:29:27 AM, error: Service Control Manager [7034] - The NanoServiceMain service terminated unexpectedly. It has done this 3 time(s).
11/24/2009 3:29:18 AM, error: Service Control Manager [7031] - The NanoServiceMain service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
11/24/2009 3:28:41 AM, error: Service Control Manager [7031] - The NanoServiceMain service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
11/24/2009 12:48:21 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
11/24/2009 12:24:39 AM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
11/24/2009 12:09:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}
11/24/2009 12:05:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/24/2009 12:05:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/24/2009 12:05:29 AM, error: sfsync02 [12] -
11/24/2009 12:05:28 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT nltdi RasAcd Rdbss Tcpip UimBus Uim_IM WS2IFSL
11/24/2009 12:05:28 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2009 12:05:28 AM, error: Service Control Manager [7001] - The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
11/24/2009 12:05:28 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2009 12:05:28 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2009 12:05:28 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/23/2009 10:49:02 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/23/2009 10:46:43 PM, error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
11/23/2009 10:46:43 PM, error: Service Control Manager [7001] - The Message Queuing service depends on the NT LM Security Support Provider service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/23/2009 10:43:00 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
11/22/2009 8:36:10 AM, error: Service Control Manager [7000] - The tmcomm service failed to start due to the following error: A device attached to the system is not functioning.
11/20/2009 2:03:10 AM, error: Service Control Manager [7034] - The XobniService service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================





GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 13:50:20
Windows 5.1.2600 Service Pack 3
Running: bdptuur5.exe; Driver: C:\DOCUME~1\Erubus\LOCALS~1\Temp\pwtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6D97000, 0x1C5D58, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xAB432300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF77AF300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\msdtc.exe[212] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\msdtc.exe[212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\msdtc.exe[212] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\msdtc.exe[212] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\msdtc.exe[212] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\msdtc.exe[212] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\msdtc.exe[212] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\msdtc.exe[212] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[516] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Java\jre6\bin\jusched.exe[524] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Proxifier\Proxifier.exe[648] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10023D80
.text C:\Program Files\Proxifier\Proxifier.exe[648] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10023BF0
.text C:\Program Files\Proxifier\Proxifier.exe[648] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10023DF0
.text C:\Program Files\Proxifier\Proxifier.exe[648] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10023AA4
.text C:\Program Files\Proxifier\Proxifier.exe[648] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10023218
.text C:\Program Files\Proxifier\Proxifier.exe[648] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100227E8
.text C:\Program Files\Proxifier\Proxifier.exe[648] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1002277C
.text C:\Program Files\Proxifier\Proxifier.exe[648] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10023A50
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[692] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\ctfmon.exe[720] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\ctfmon.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\ctfmon.exe[720] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\ctfmon.exe[720] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\ctfmon.exe[720] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\ctfmon.exe[720] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\ctfmon.exe[720] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\ctfmon.exe[720] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10053D80
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10053BF0
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10053DF0
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10053AA4
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10053218
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100527E8
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1005277C
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[868] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10053A50
.text C:\WINDOWS\system32\winlogon.exe[916] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\winlogon.exe[916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\winlogon.exe[916] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\winlogon.exe[916] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\winlogon.exe[916] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\winlogon.exe[916] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\winlogon.exe[916] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\winlogon.exe[916] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\services.exe[968] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\services.exe[968] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\services.exe[968] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\services.exe[968] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\services.exe[968] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\services.exe[968] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\lsass.exe[980] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\lsass.exe[980] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\lsass.exe[980] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\lsass.exe[980] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\lsass.exe[980] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\Ati2evxx.exe[1164] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1188] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1188] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1188] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1188] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1188] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1224] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1260] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1260] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1260] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1260] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1260] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\svchost.exe[1360] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\svchost.exe[1360] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\svchost.exe[1360] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\svchost.exe[1360] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\svchost.exe[1360] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1384] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1468] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1468] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1468] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1468] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1468] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1524] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1524] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1524] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1524] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1524] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\spoolsv.exe[1800] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\spoolsv.exe[1800] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\spoolsv.exe[1800] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\spoolsv.exe[1800] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\spoolsv.exe[1800] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\spoolsv.exe[1800] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\spoolsv.exe[1800] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\spoolsv.exe[1800] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1996] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1996] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1996] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1996] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1996] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1996] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\Explorer.EXE[2040] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\Explorer.EXE[2040] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\Explorer.EXE[2040] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\Explorer.EXE[2040] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\Explorer.EXE[2040] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\Explorer.EXE[2040] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[2104] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\wdfmgr.exe[2212] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\wdfmgr.exe[2212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\wdfmgr.exe[2212] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\wdfmgr.exe[2212] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\wdfmgr.exe[2212] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\wdfmgr.exe[2212] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\wdfmgr.exe[2212] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\wdfmgr.exe[2212] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\wuauclt.exe[2432] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\wuauclt.exe[2432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\wuauclt.exe[2432] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\wuauclt.exe[2432] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\wuauclt.exe[2432] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\wuauclt.exe[2432] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\wuauclt.exe[2432] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\wuauclt.exe[2432] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\System32\svchost.exe[2544] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\svchost.exe[2544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\svchost.exe[2544] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\svchost.exe[2544] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\svchost.exe[2544] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\svchost.exe[2544] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\svchost.exe[2544] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\svchost.exe[2544] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2932] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3396] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter Driver/Locktime Software)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-16 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys (NetLimiter Driver/Locktime Software)

---- EOF - GMER 1.0.15 ----
  • 0

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hi, try to run MBAM once more, but update it before running it.
Let me know what happens.
If it runs let it remove what it finds.
Then post the log here.
  • 0

#5
NightWalker
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
MBAM doesn't work for me.
Downloaded a new copy and installed it.
A few seconds into updating, the update progress page vanished.
The MBAM main page comes up and a few seconds later it too vanished.
Same results if I manually start MBAM. It doesn't last for more than 15 seconds.
  • 0

#6
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Ok please post the Combofix log that you have from the previous run.
It can be found here:
C:\Combofix.txt.
  • 0

#7
NightWalker
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix from the previous run, as requested.

ComboFix 09-11-22.08 - Erubus 11/24/2009 0:34:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2625 [GMT 8:00]
Running from: C:\Documents and Settings\Erubus\My Documents\Downloads\CFx.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-23 16:09:15 . 2009-11-23 16:09:15 0 d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Ahead
2009-11-23 16:08:14 . 2009-11-23 16:08:14 0 d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-11-22 00:36:09 . 2009-05-07 07:04:50 157712 ----a-w- C:\WINDOWS\system32\drivers\tmcomm.sys
2009-11-20 23:16:44 . 2009-11-20 20:18:42 15880 ----a-w- C:\WINDOWS\system32\lsdelete.exe
2009-11-20 21:41:53 . 2009-09-10 06:54:06 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-11-20 21:41:51 . 2009-11-20 21:41:56 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-20 21:41:51 . 2009-09-10 06:53:50 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-11-20 20:16:56 . 2009-11-20 20:17:04 5908024 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-20 20:16:52 . 2009-11-20 20:16:53 327000 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-20 20:16:50 . 2009-11-20 20:16:50 87496 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-20 20:16:22 . 2009-11-20 20:16:25 933120 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-20 20:16:18 . 2009-11-20 20:16:20 641632 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-20 20:15:42 . 2009-11-20 20:15:45 816272 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-20 20:15:38 . 2009-11-20 20:15:41 822904 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-20 20:15:32 . 2009-11-20 20:15:37 1638640 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-20 20:15:27 . 2009-11-20 20:15:29 788880 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-20 20:15:22 . 2009-11-20 20:15:26 1184912 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-20 20:11:05 . 2009-10-03 08:15:32 2924848 -c--a-w- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-20 20:10:43 . 2009-11-20 20:10:43 0 d-----w- C:\Program Files\Lavasoft
2009-11-20 20:01:26 . 2009-11-20 20:11:06 0 dc-h--w- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-20 14:30:21 . 2009-11-20 14:30:21 18240 ----a-w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-20 12:06:52 . 2009-11-20 12:06:52 0 d-----w- C:\AVGTemp
2009-11-19 18:37:28 . 2009-11-19 18:37:31 0 d-----w- C:\Documents and Settings\All Users\Application Data\Protexis
2009-11-10 13:11:46 . 2009-11-10 13:11:46 0 d-----w- C:\Program Files\Microsoft
2009-11-10 03:12:08 . 2009-11-10 03:12:08 0 d-----w- C:\Documents and Settings\Erubus\Local Settings\Application Data\Identities
2009-11-04 03:22:23 . 2009-11-04 03:22:23 152576 ----a-w- C:\Documents and Settings\Erubus\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 16:38:36 . 2009-01-28 15:26:45 0 d-----w- C:\Documents and Settings\Erubus\Application Data\Skype
2009-11-23 16:27:56 . 2008-11-25 13:17:33 0 d-----w- C:\Documents and Settings\Erubus\Application Data\Azureus
2009-11-23 16:10:55 . 2009-01-28 15:29:59 0 d-----w- C:\Documents and Settings\Erubus\Application Data\skypePM
2009-11-23 15:50:44 . 2009-04-27 03:27:20 1 ----a-w- C:\Documents and Settings\Erubus\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-11-23 15:50:42 . 2009-04-27 03:26:44 0 d-----w- C:\Documents and Settings\Erubus\Application Data\OpenOffice.org2
2009-11-23 11:36:53 . 2009-02-08 19:18:55 0 d-----w- C:\Program Files\World of Warcraft
2009-11-20 21:35:11 . 2009-07-15 12:46:28 0 d-----w- C:\Program Files\AVG
2009-11-20 21:25:12 . 2009-01-21 07:28:35 0 d-----w- C:\Program Files\Google
2009-11-20 20:10:43 . 2009-02-04 00:52:16 0 d-----w- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-11-20 14:41:21 . 2008-11-22 18:31:28 0 d-----w- C:\Program Files\TRELLIAN
2009-11-20 10:48:48 . 2008-11-25 13:16:45 0 d-----w- C:\Program Files\Vuze
2009-11-11 16:51:32 . 2009-07-29 12:10:27 0 d-----w- C:\Program Files\Hard Disk Sentinel
2009-11-07 21:48:39 . 2008-11-20 11:51:56 0 d-----w- C:\Program Files\Opera
2009-11-04 03:27:06 . 2008-11-22 15:44:20 0 d-----w- C:\Program Files\Java
2009-10-26 10:52:43 . 2009-02-05 18:47:48 0 d-----w- C:\Program Files\Common Files\Real
2009-10-26 10:52:13 . 2008-11-22 20:58:28 499712 ----a-w- C:\WINDOWS\system32\msvcp71.dll
2009-10-26 10:52:13 . 2008-11-22 20:58:28 348160 ----a-w- C:\WINDOWS\system32\msvcr71.dll
2009-10-16 09:23:24 . 2009-07-31 04:31:53 0 d-----w- C:\Program Files\RegistryFix7
2009-10-15 19:17:22 . 2009-08-31 12:10:37 0 d-----w- C:\Program Files\Panda Security
2009-10-11 18:48:53 . 2009-10-11 18:48:53 7154255 ----a-w- C:\Documents and Settings\Erubus\Application Data\Azureus\plugins\azemp\azmplay.exe
2009-10-10 20:17:27 . 2008-11-22 18:55:16 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-10-08 12:37:08 . 2008-11-19 16:21:06 0 d-----w- C:\Program Files\Realtek
2009-10-08 12:37:08 . 2008-11-19 16:07:30 0 d--h--w- C:\Program Files\InstallShield Installation Information
2009-09-25 19:55:36 . 2009-09-17 13:54:58 152576 ----a-w- C:\Documents and Settings\Erubus\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-23 12:55:23 . 2009-11-20 20:18:59 64288 ----a-w- C:\WINDOWS\system32\drivers\Lbd.sys
2009-09-21 20:06:10 . 2008-11-19 18:53:04 18240 ----a-w- C:\Documents and Settings\Erubus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 18:43:37 . 2009-09-09 18:42:38 1962544 ----a-w- C:\Documents and Settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-09-07 09:29:32 . 2009-09-07 09:29:32 281760 ----a-w- C:\WINDOWS\system32\drivers\atksgt.sys
2009-09-07 09:29:31 . 2009-09-07 09:29:31 25888 ----a-w- C:\WINDOWS\system32\drivers\lirsgt.sys
2009-08-26 06:45:20 . 2009-07-15 09:36:33 120 ----a-w- C:\drmHeader.bin
2009-05-01 21:02:48 . 2009-05-01 21:02:48 1044480 ----a-w- C:\Program Files\opera\program\plugins\libdivx.dll
2009-05-01 21:02:48 . 2009-05-01 21:02:48 200704 ----a-w- C:\Program Files\opera\program\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 08:44:34 3883856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-11-18 08:31:04 21633320]
"Proxifier"="C:\Program Files\Proxifier\Proxifier.exe" [2009-01-21 05:19:36 622592]
"SmartRAM"="C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-02-19 06:23:24 202064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 02:39:12 149040]
"Google Update"="C:\Documents and Settings\Erubus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-17 14:06:40 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hard Disk Sentinel"="C:\Program Files\Hard Disk Sentinel\HDSentinel.exe" [2009-06-26 03:26:22 3383296]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 02:59:18 161328]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 06:53:56 1312080]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2009-10-26 10:52:10 198160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-10 20:17:36 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 21:42:18 15360]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 05:26:52 484904]

C:\Documents and Settings\Erubus\Start Menu\Programs\Startup\
Shortcut to procexp.lnk - C:\procexp.exe [2009-9-22 3550592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2008-11-20 262144]
Vuze.lnk - C:\Program Files\Vuze\Azureus.exe [2008-11-25 199616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\RpcAgentSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"=
"E:\\Burnout™ Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"E:\\Burnout™ Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"E:\\Burnout™ Paradise The Ultimate Box\\BurnoutParadise.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 hotcore3;Hotcore helper;C:\WINDOWS\system32\drivers\hotcore3.sys [8/10/2009 5:06:06 PM 40496]
R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [11/21/2009 4:18:59 AM 64288]
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [4/23/2007 7:03:04 PM 82200]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17:32 PM 1184912]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [11/7/2007 4:22:06 AM 34064]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe [4/16/2009 10:24:37 AM 98488]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:06:13 . 2009-11-20 20:15:41]

2009-11-23 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-616249376-725345543-1003Core.job
- C:\Documents and Settings\Erubus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 14:06:41 . 2009-09-17 14:06:40]

2009-11-23 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-616249376-725345543-1003UA.job
- C:\Documents and Settings\Erubus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-17 14:06:41 . 2009-09-17 14:06:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
LSP: %SystemRoot%\system32\PrxerDrv.dll
LSP: w2pxdrv.dll
TCP: {5A2C8AF3-3029-4C67-AF2A-1367C4586ECB} = 192.168.2.1
TCP: {AE4B078F-960D-4B02-9202-DDEBD650EC45} = 192.168.2.1
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://192.168.2.5/Ctl/WinWebPush.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
.
  • 0

#8
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
I see no signs of infection but that doesn't mean you aren't infected.

I would like to give the following a shot.
Let me know how it goes.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • By default it will install to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Also any other drives (removable) that you may have

After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back at the main screen.

  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus\malware in the report; it will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.

  • 0
