
Active Virus Warnings In Windows Security Trojans, Worms, Hijack

Discussion in 'Malware and Virus Removal Archive' started by Gideon, 2010/04/15.

    2010/04/15 - Gideon (Thread Starter; joined 2006/08/23)

    [Active] Virus Warnings In Windows Security Trojans, Worms, Hijack

    I am receiving multiple warnings from Windows Security saying that I have a multitude of problems such as worms, trojans, and spyware. For example, Trojan-psw.win32.coced.219 is a warning I'm getting. The warning also states that I might be under a hijack attack. I don't see a specific file infected with one specific problem and I do not have antivirus software. My computer is running slow but overall it's still workable. I have not scanned with any programs because I was not sure what was the right program to use. This computer is messy and is used by a lot of people. I hope I gave you all the information you need and followed the instructions given in the "Read This Before Posting" thread correctly. Please inform me if anything else is needed from me. Thank you.

    Here are my logs.




    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Gideon at 15:52:16.75 on 2010-04-15
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1296 [GMT -7:00]

    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated)

    {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Saitek\Software\SaiMfd.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Saitek\Software\ProfilerU.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Documents and Settings\Gideon\Local Settings\Application Data\ave.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gideon\My Documents\Downloads\dds(2).scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ask.com/?o=101760&l=dis
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [A00F7FA82D0.exe] c:\docume~1\gideon\locals~1\temp\_A00F7FA82D0.exe
    uRun: [A00F7F8FF1E.exe] c:\docume~1\gideon\locals~1\temp\_A00F7F8FF1E.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
    mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {2eaf5bb1-070f-11d3-9307-00c04fae2d4f} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2eaf5bb2-070f-11d3-9307-00c04fae2d4f} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
    DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.putfile.com/includes/ImageUploader4-5.cab
    DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/securityadvisor/virusinfo/webscan.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    Notify: __c00e4cc6 - c:\windows\system32\__c00E4CC6.dat
    SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: MDmXzsQF - {7425B19C-DE8F-1B36-1FB6-E9F883A8DBA0} - c:\windows\system32\nrsq.dll
    mASetup: {b2c3bb6b-e005-4246-b8e5-df0a4d073cdc} - c:\program files\pixiepack codec pack\InstallerHelper.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\gideon\applic~1\mozilla\firefox\profiles\6vmax83e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
    FF - component: c:\documents and settings\gideon\application data\mozilla\firefox\profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 ABIT-IO;ABIT-IO;c:\windows\system32\drivers\ABIT-IO.sys [2007-6-29 4608]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
    R3 SaiH80C0;SaiH80C0;c:\windows\system32\drivers\SaiH80C0.sys [2007-5-6 176384]
    S1 95439c1e;95439c1e;c:\windows\system32\drivers\95439c1e.sys --> c:\windows\system32\drivers\95439c1e.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 135664]
    S3 dsaudiodevice_286;DsAudioDevice_286;c:\windows\system32\drivers\DsAudioDevice_286.sys [2009-2-8 16640]
    S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\gideon\locals~1\temp\fadpu16e.sys --> c:\docume~1\gideon\locals~1\temp\Fadpu16E.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2009-7-8 13504]
    S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2009-7-8 22304]

    ============== File Associations ===============

    .exe=secfile

    =============== Created Last 30 ================

    2010-04-14 21:15:04 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-14 21:13:22 0 d-----w- c:\program files\Microsoft Security Essentials
    2010-04-14 18:33:20 0 d-----w- c:\program files\SlySoft
    2010-04-14 18:20:02 81920 ----a-w- c:\docume~1\gideon\applic~1\ezpinst.exe
    2010-04-14 18:17:30 0 d-----w- c:\program files\DVD Decrypter
    2010-04-14 05:46:41 14 ----a-w- c:\windows\system32\systeminfo3.dll
    2010-04-13 21:09:56 0 d-----w- c:\program files\Avi2Dvd
    2010-04-13 03:54:03 26 ----a-w- c:\windows\dvdSanta.INI
    2010-04-13 03:41:42 0 d-----w- C:\TempDVD
    2010-04-13 03:41:42 0 d-----w- C:\dvdsanta
    2010-04-13 03:41:37 921600 ----a-w- c:\windows\system32\vorbisenc.dll
    2010-04-13 03:41:37 45056 ----a-w- c:\windows\system32\ogg.dll
    2010-04-13 03:41:37 258048 ----a-w- c:\windows\system32\GplMpgDec.ax
    2010-04-13 03:41:37 237568 ----a-w- c:\windows\system32\OggDS.dll
    2010-04-13 03:41:37 188416 ----a-w- c:\windows\system32\vorbis.dll
    2010-04-13 03:41:36 290304 ----a-w- c:\windows\system32\divxdec.ax
    2010-04-13 03:41:36 28672 ----a-w- c:\windows\system32\qtalt.ax
    2010-04-13 03:41:36 116224 ----a-w- c:\windows\system32\rmalt.ax
    2010-04-13 03:41:35 0 d-----w- c:\program files\dvdSanta
    2010-04-10 02:51:40 0 d-----w- c:\program files\DVD Shrink
    2010-04-07 14:28:12 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
    2010-04-06 15:20:36 75 ----a-w- c:\windows\system32\nvUnsupRes.dat
    2010-04-05 22:09:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-04-05 22:09:48 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-05 16:53:06 0 d-----w- c:\docume~1\gideon\applic~1\Ubisoft
    2010-04-05 04:27:50 0 d-----w- c:\program files\Steam
    2010-04-04 17:59:16 0 d-----w- c:\docume~1\gideon\applic~1\BitTorrent
    2010-04-04 17:59:15 0 d-----w- c:\program files\BitTorrent
    2010-03-30 21:02:06 15 ----a-w- c:\windows\system32\nvModes.dat
    2010-03-28 22:30:12 794408 ----a-w- c:\windows\system32\pbsvc.exe
    2010-03-26 22:38:06 45 ----a-w- c:\windows\system32\initdebug.nfo
    2010-03-26 22:38:06 0 d-----w- c:\program files\SpeedFan
    2010-03-25 20:25:10 25695 ----a-w- c:\windows\system32\nvdisp.nvu
    2010-03-25 18:29:33 1024 ----a-w- C:\.rnd
    2010-03-25 18:29:19 22 ----a-w- c:\windows\FileName
    2010-03-25 18:27:33 0 d-----w- c:\windows\NV28762888.TMP
    2010-03-25 18:10:10 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-03-25 18:10:10 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-03-25 18:10:08 4075520 ----a-w- c:\windows\system32\nvcuda.dll
    2010-03-25 18:10:08 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-03-25 18:10:08 2183470 ----a-w- c:\windows\system32\nvdata.bin
    2010-03-25 18:10:08 215656 ----a-w- c:\windows\system32\nvcodins.dll
    2010-03-25 18:10:08 215656 ----a-w- c:\windows\system32\nvcod.dll
    2010-03-25 18:10:08 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-03-25 18:10:08 11640832 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-03-25 18:10:08 1097728 ----a-w- c:\windows\system32\nvapi.dll
    2010-03-24 05:19:53 0 d-----w- c:\docume~1\alluse~1.win\applic~1\NVIDIA Corporation
    2010-03-24 05:19:41 0 d-----w- c:\program files\NVIDIA Corporation
    2010-03-24 05:19:06 9046 ----a-w- c:\windows\system32\nvinfo.pb
    2010-03-19 13:31:57 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll

    ==================== Find3M ====================

    2010-04-14 21:17:42 505856 ----a-w- c:\windows\system32\winlogon.exe
    2010-04-14 18:20:02 47360 ----a-w- c:\docume~1\gideon\applic~1\pcouffin.sys
    2010-04-07 15:30:25 138664 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-04-07 15:29:44 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-03-31 03:06:23 139152 ----a-w- c:\docume~1\gideon\applic~1\PnkBstrK.sys
    2010-03-31 03:05:57 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-03-30 23:58:45 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-03-16 10:37:50 278120 ----a-w- c:\windows\system32\nvmccs.dll
    2010-03-16 10:37:50 154216 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-03-16 10:37:50 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-03-16 10:37:50 13670504 ----a-w- c:\windows\system32\nvcpl.dll
    2010-03-16 10:37:50 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-03-16 10:37:44 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-03-16 06:51:59 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-03-16 06:51:59 600680 ----a-w- c:\windows\system32\nvudisp.exe
    2010-03-16 06:51:59 10232352 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2010-03-12 18:26:36 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
    2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-04 17:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-02-04 17:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-02-04 17:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-02-04 17:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2006-07-20 09:41:24 8192 --sha-w- c:\program files\Thumbs.db
    2006-07-20 09:35:30 19270946 ----a-w- c:\program files\Themes.7z
    2006-06-19 08:48:35 251 ----a-w- c:\program files\wt3d.ini
    2009-09-22 17:51:46 88 --sh--r- c:\windows\system32\47F0EAAE47.sys
    2009-09-22 17:51:51 3296 --sha-w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 15:53:29.07 ===============






    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2007-05-06 18:12:40
    System Uptime: 2010-04-15 01:40:38 (14 hours ago)

    Motherboard: http://www.abit.com.tw/ | | KN9(NF-MCP55 series)
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ | Socket M2 | 2399/200mhz
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ | Socket M2 | 2399/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 224 GiB total, 10.044 GiB free.
    D: is FIXED (FAT32) - 9 GiB total, 0.766 GiB free.
    E: is Removable
    K: is FIXED (NTFS) - 287 GiB total, 135.171 GiB free.
    L: is FIXED (NTFS) - 11 GiB total, 10.488 GiB free.
    U: is CDROM ()
    V: is CDROM ()
    W: is Removable
    X: is Removable
    Y: is Removable
    Z: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP604: 2010-04-05 11:19:59 - Installed Adobe Reader 9.3.
    RP605: 2010-04-05 14:46:56 - Removed Star Wars Empire at War
    RP606: 2010-04-05 15:09:32 - Installed Java(TM) 6 Update 19
    RP607: 2010-04-06 15:11:13 - System Checkpoint
    RP608: 2010-04-07 15:38:52 - System Checkpoint
    RP609: 2010-04-08 16:17:36 - System Checkpoint
    RP610: 2010-04-09 18:44:21 - System Checkpoint
    RP611: 2010-04-09 21:49:54 - Removed Battlefield 2
    RP612: 2010-04-10 22:09:59 - System Checkpoint
    RP613: 2010-04-11 17:00:40 - Removed GameSpy Comrade.
    RP614: 2010-04-11 19:26:25 - Removed Media Manager for PSP 3.0
    RP615: 2010-04-12 19:32:51 - System Checkpoint
    RP616: 2010-04-13 23:24:54 - System Checkpoint
    RP617: 2010-04-14 03:00:28 - Software Distribution Service 3.0
    RP618: 2010-04-14 14:13:16 - Installed Windows XP KB914882.
    RP619: 2010-04-14 14:14:59 - Software Distribution Service 3.0
    RP620: 2010-04-15 14:44:50 - System Checkpoint

    ==== Installed Programs ======================


    ABITEQ V1.0.2.5
    Adobe Acrobat 5.0
    Adobe AIR
    Adobe Audition 1.5
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.1
    AMD Processor Driver
    AnyDVD
    ASIO4ALL
    Ask Toolbar
    Avi2Dvd 0.5
    AviSynth 2.5
    AVS Update Manager 1.0
    Battlefield 2142
    BitTorrent
    Bonjour
    Call of Duty(R) - World at War(TM) 1.2 Patch
    Call of Duty(R) - World at War(TM) 1.3 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
    CDDRV_Installer
    Critical Update for Windows Media Player 11 (KB959772)
    Disc Golf
    Dual-Core Optimizer
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    dvdSanta 4.50
    EA Download Manager
    EA Download Manager UI
    Firewire Family
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HOTLLAMA Media Player
    ImgBurn
    InterActual Player
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 19
    KhalInstallWrapper
    Lexmark 2300 Series
    Live 8.0.1
    Logitech Gaming Software
    Logitech SetPoint
    M-Audio Enigma
    M-Audio Series II MIDI
    Malwarebytes' Anti-Malware
    MaxBlast 4
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Essentials
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Windows XP Video Decoder Checkup Utility
    Microsoft Xbox 360 Accessories 1.1
    MIKSOFT Mobile AMR converter
    Mozilla Firefox (3.6.3)
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Native Instruments FM8
    Native Instruments Vokator
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA ForceWare Network Access Manager
    NVIDIA nView Desktop Manager
    NVIDIA Performance
    NVIDIA System Monitor
    NVIDIA System Update
    NVIDIA WDM Drivers
    Pinnacle Game Profiler
    PixiePack Codec Pack
    PunkBuster Services
    QuickTime
    Realtek High Definition Audio Driver
    Reason 4.0
    Saitek SST Programming Software
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Sonic CinePlayer DVD Pack
    SpeedFan (remove only)
    Steam
    System Requirements Lab
    Update for 2007 Microsoft Office System (KB967642)
    Update for 2007 Microsoft Office System (KB981715)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB914882)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB Keyboard Device 1.0.1.0
    WebFldrs XP
    WinCustomize Browser
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Mail
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Mobile® Device Handbook
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    WordPerfect - MAIL
    WordPerfect Office 2002
    WordPerfect Office X3
    XML Paper Specification Shared Components Pack 1.0
    XviD MPEG4 Video Codec (remove only)
    YouTube Downloader App 1.01

    ==== Event Viewer Messages From Past Week ========

    2010-04-15 09:05:40, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00508D946BEA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    2010-04-14 14:17:15, information: Windows File Protection [64004] - The protected system file spoolsv.exe could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.2696 The specific error code is 0x00000426 [The service has not been started. ].
    2010-04-14 14:17:15, information: Windows File Protection [64004] - The protected system file explorer.exe could not be restored to its original, valid version. The file version of the bad file is 6.0.2900.3156 The specific error code is 0x00000426 [The service has not been started. ].
    2010-04-14 14:16:47, information: Windows File Protection [64004] - The protected system file svchost.exe could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.2180 The specific error code is 0x00000426 [The service has not been started. ].
    2010-04-14 14:16:47, information: Windows File Protection [64004] - The protected system file lsass.exe could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.2180 The specific error code is 0x00000426 [The service has not been started. ].
    2010-04-14 14:15:43, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    2010-04-14 12:47:17, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    2010-04-14 03:23:06, error: Service Control Manager [7034] - The PinnacleUpdate Service service terminated unexpectedly. It has done this 1 time(s).
    2010-04-14 03:23:06, error: RemoteAccess [20106] - Unable to add the interface {E3A0D7F0-7DEC-4297-8ADA-44435ABF1EDB} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function.
    2010-04-14 03:23:05, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    2010-04-14 03:02:25, error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\D.
    2010-04-14 03:02:25, error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\D.
    2010-04-14 03:02:25, error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\D.
    2010-04-13 23:08:45, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.
    2010-04-13 21:48:15, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    2010-04-11 22:52:52, error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\D.
    2010-04-11 19:27:47, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

    ==== End Of File ===========================
     
  2. 2010/04/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, disable "word wrap" in Notepad, because your logs are hard to read.

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

  4. 2010/04/15
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    Ok, I am starting the steps.
     
  5. 2010/04/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)...
     
  6. 2010/04/16
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    Ok, here is the log from Malwarebytes... I tried to scan with GMER but my PC locked up every time I attempted it.

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3997

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    2010-04-16 12:20:01
    mbam-log-2010-04-16 (12-20-01).txt

    Scan type: Quick scan
    Objects scanned: 147813
    Time elapsed: 27 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 9
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e4cc6 (Trojan.Vundo) -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f7fa82d0.exe (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f7f8ff1e.exe (Trojan.Vundo) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ( "C:\Documents and Settings\Gideon\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe ") Good: (firefox.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ( "C:\Documents and Settings\Gideon\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE ") Good: (iexplore.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ( "C:\Documents and Settings\Gideon\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  7. 2010/04/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Malwarebytes log shows "No action taken" after each run.
    Please, re-run it and make sure to apply fixes.

    Try to re-run GMER, but this time, UN-check "Devices" in right pane.
    If still no joy, try safe mode.
    Make sure you don't touch your computer when GMER is running.
     
  8. 2010/04/17
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    I think I understand why I have been unable to see the options available using the terminology you instructed me to. I had previously taken this computer to get worked on by a business and they said they were unable to clean it. I think the person working on this machine must have done a scan with Malwarebytes because I have items in quarantine that showed before I even scanned. I was told that some items couldn't be taken off and had to be left in quarantine; these must be those items. After each scan there is a message saying that no infections were found and the option to press OK and create a log is presented. The scanner does not give me the option to show results, there are no boxes to check, and there is no Remove Selected button to press. I could delete the items in the quarantine but I figured I should run it by you first.
     
  9. 2010/04/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK, proceed with GMER, please.
     
  10. 2010/04/28
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    Ok, I ran GMER and it took from about 11 am to 7 pm, and neither I nor anyone else touched the computer all day. Like before, once finished, I tried to save the log file and the computer froze. I gave it about 1 hr but the save never completed. What should I do? I will run the scan again while I sleep tonight and see if I can't get it to save.
     
  11. 2010/04/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. 2010/04/30
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    Here is the ComboFix log

    ComboFix 10-04-29.05 - Gideon 2010-04-30 10:18:26.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1532 [GMT -7:00]
    Running from: c:\documents and settings\Gideon\My Documents\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Gideon\Local Settings\Temporary Internet Files\rlr5B.jpg
    c:\documents and settings\Gideon\Local Settings\Temporary Internet Files\t3186MjcX.jpg
    c:\documents and settings\Gideon\Local Settings\Temporary Internet Files\W77x52i.jpg
    c:\documents and settings\Gideon\Local Settings\Temporary Internet Files\yQ46R.jpg
    c:\windows\jestertb.dll
    c:\windows\system32\inf
    c:\windows\system32\systeminfo3.dll

    c:\windows\system32\lsass.exe . . . is infected!!

    c:\windows\system32\svchost.exe . . . is infected!!

    Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
    Restored copy from - c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
    .

    2010-04-28 15:34 . 2010-04-28 15:34 -------- d-----w- c:\program files\MKVtoolnix
    2010-04-28 02:27 . 2010-04-28 02:27 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-04-28 02:19 . 2010-04-28 02:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX
    2010-04-27 21:46 . 2010-04-27 21:59 -------- d-----w- c:\documents and settings\Gideon\Application Data\FileZilla
    2010-04-27 21:43 . 2010-04-27 21:44 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-04-27 21:30 . 2010-04-27 21:44 -------- d-----w- c:\program files\Bullet Proof FTP Server
    2010-04-27 21:15 . 2010-04-27 21:20 -------- d-----w- c:\documents and settings\Gideon\Application Data\Trillian
    2010-04-27 21:14 . 2010-04-27 21:59 -------- d-----w- c:\program files\Trillian
    2010-04-20 03:37 . 2008-12-05 04:42 815104 ----a-w- c:\windows\system32\xvidcore.dll
    2010-04-20 03:37 . 2010-04-20 03:37 -------- d-----w- c:\program files\Xvid
    2010-04-20 03:37 . 2008-12-05 04:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll
    2010-04-20 03:30 . 2010-04-09 21:35 73728 ----a-w- c:\windows\system\vdremote.dll
    2010-04-20 03:30 . 2010-04-09 21:34 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
    2010-04-20 02:59 . 2010-04-20 02:59 -------- d-----w- c:\documents and settings\Gideon\Local Settings\Application Data\PackageAware
    2010-04-18 02:21 . 2010-04-18 02:21 -------- d-----r- C:\Sandbox
    2010-04-18 02:20 . 2010-04-18 02:20 -------- d-----w- c:\program files\Sandboxie
    2010-04-17 20:57 . 2010-04-17 20:57 -------- d-----w- c:\program files\AC3Filter
    2010-04-14 21:15 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-14 21:13 . 2010-04-14 21:13 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-04-14 18:41 . 2010-04-14 18:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SlySoft
    2010-04-14 18:33 . 2010-04-19 18:31 -------- d-----w- c:\program files\SlySoft
    2010-04-13 21:09 . 2010-04-19 18:28 -------- d-----w- c:\program files\Avi2Dvd
    2010-04-13 03:41 . 2010-04-18 00:51 -------- d-----w- C:\dvdsanta
    2010-04-13 03:41 . 2010-04-13 03:41 -------- d-----w- C:\TempDVD
    2010-04-13 03:41 . 2010-04-19 18:29 -------- d-----w- c:\program files\dvdSanta
    2010-04-10 03:41 . 2010-04-10 03:41 -------- d-----w- c:\documents and settings\Gideon\Application Data\ImgBurn
    2010-04-10 03:25 . 2010-04-10 03:25 -------- d-----w- c:\program files\ImgBurn
    2010-04-06 15:20 . 2010-04-06 15:20 75 ----a-w- c:\windows\system32\nvUnsupRes.dat
    2010-04-05 22:09 . 2010-04-05 22:09 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-05 18:20 . 2010-04-22 16:42 -------- d-----w- c:\documents and settings\Gideon\Local Settings\Application Data\Adobe
    2010-04-05 16:53 . 2010-04-05 16:53 -------- d-----w- c:\documents and settings\Gideon\Application Data\Ubisoft
    2010-04-05 04:27 . 2010-04-12 00:01 -------- d-----w- c:\program files\Steam
    2010-04-04 17:59 . 2010-04-30 17:00 -------- d-----w- c:\documents and settings\Gideon\Application Data\BitTorrent
    2010-04-04 17:59 . 2010-04-04 17:59 -------- d-----w- c:\program files\BitTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-30 17:08 . 2010-04-30 17:08 388096 ----a-r- c:\documents and settings\Gideon\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-04-28 02:50 . 2007-06-03 15:39 -------- d-----w- c:\documents and settings\Gideon\Application Data\DivX
    2010-04-28 02:29 . 2010-04-28 02:29 57344 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-04-28 02:29 . 2010-04-28 02:29 56766 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-04-28 02:29 . 2007-06-03 15:37 -------- d-----w- c:\program files\DivX
    2010-04-28 02:29 . 2010-04-28 02:29 56978 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\WebPlayer\Uninstaller.exe
    2010-04-28 02:29 . 2010-04-28 02:29 53600 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Update\Uninstaller.exe
    2010-04-28 02:29 . 2010-04-28 02:29 57679 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Player\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:28 84040 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\TransferWizard\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:28 57054 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:28 54166 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:28 57532 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSASPDecoder\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:28 56458 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:28 54174 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DSAACDecoder\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:28 54153 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\DFXPlugin\Uninstaller.exe
    2010-04-28 02:28 . 2010-04-28 02:27 54128 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Converter\Uninstaller.exe
    2010-04-28 02:27 . 2010-04-28 02:27 54629 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\TranscodeEngine\Uninstaller.exe
    2010-04-28 02:27 . 2010-04-28 02:27 54101 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
    2010-04-28 02:27 . 2010-04-28 02:27 57409 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\ControlPanel\Uninstaller.exe
    2010-04-28 02:27 . 2010-04-28 02:27 52963 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-04-28 02:27 . 2010-04-28 02:27 54073 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Qt4.5\Uninstaller.exe
    2010-04-28 02:27 . 2010-04-28 02:27 56969 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\ASPEncoder\Uninstaller.exe
    2010-04-28 02:22 . 2007-06-03 15:25 -------- d-----w- c:\program files\Google
    2010-04-28 02:20 . 2010-04-28 02:20 144696 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
    2010-04-28 02:19 . 2010-04-28 02:29 754984 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Setup\Resource.dll
    2010-04-28 02:19 . 2010-04-28 02:29 1180952 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Setup\DivXSetup.exe
    2010-04-24 01:13 . 2010-03-26 22:38 -------- d-----w- c:\program files\SpeedFan
    2010-04-19 18:30 . 2009-02-04 20:38 -------- d-----w- c:\program files\Red Kawa
    2010-04-19 18:30 . 2008-07-22 15:42 -------- d-----w- c:\program files\M-Audio
    2010-04-18 23:24 . 2007-08-25 16:25 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-18 02:06 . 2009-02-10 04:56 -------- d-----w- c:\program files\AVS4YOU
    2010-04-18 02:06 . 2007-06-30 14:37 -------- d-----w- c:\program files\Common Files\AVSMedia
    2010-04-17 23:34 . 2009-09-02 18:58 138664 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-04-17 23:32 . 2007-05-07 03:58 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-04-16 02:39 . 2008-10-08 21:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-14 21:17 . 2004-08-04 12:00 505856 ----a-w- c:\windows\system32\winlogon.exe
    2010-04-14 19:24 . 2007-05-07 01:17 52048 ----a-w- c:\documents and settings\Gideon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-14 18:20 . 2010-04-14 18:20 81920 ----a-w- c:\documents and settings\Gideon\Application Data\ezpinst.exe
    2010-04-14 18:20 . 2010-04-14 18:20 81920 ----a-w- c:\documents and settings\Gideon\Application Data\ezpinst.exe
    2010-04-14 18:20 . 2007-06-30 17:25 47360 ----a-w- c:\documents and settings\Gideon\Application Data\pcouffin.sys
    2010-04-14 18:20 . 2007-06-30 17:25 47360 ----a-w- c:\documents and settings\Gideon\Application Data\pcouffin.sys
    2010-04-14 18:20 . 2007-06-30 17:25 -------- d-----w- c:\documents and settings\Gideon\Application Data\Vso
    2010-04-14 10:05 . 2010-01-19 16:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
    2010-04-13 21:10 . 2009-02-04 20:45 -------- d-----w- c:\program files\AviSynth 2.5
    2010-04-12 03:13 . 2007-06-30 13:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
    2010-04-12 02:25 . 2009-02-04 20:25 -------- d-----w- c:\documents and settings\Gideon\Application Data\Sony
    2010-04-12 02:23 . 2006-12-27 05:57 -------- d-----w- c:\program files\Native Instruments
    2010-04-12 02:23 . 2008-08-03 23:53 -------- d-----w- c:\program files\Common Files\Native Instruments
    2010-04-10 04:50 . 2006-09-02 10:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-07 15:18 . 2010-03-30 21:02 15 ----a-w- c:\windows\system32\nvModes.dat
    2010-04-05 22:10 . 2010-04-05 22:10 61440 ----a-w- c:\documents and settings\Gideon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d7c46d2-n\decora-sse.dll
    2010-04-05 22:10 . 2010-04-05 22:10 503808 ----a-w- c:\documents and settings\Gideon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-548934b4-n\msvcp71.dll
    2010-04-05 22:10 . 2010-04-05 22:10 499712 ----a-w- c:\documents and settings\Gideon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-548934b4-n\jmc.dll
    2010-04-05 22:10 . 2010-04-05 22:10 348160 ----a-w- c:\documents and settings\Gideon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-548934b4-n\msvcr71.dll
    2010-04-05 22:10 . 2010-04-05 22:10 12800 ----a-w- c:\documents and settings\Gideon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4d7c46d2-n\decora-d3d.dll
    2010-04-05 22:09 . 2005-11-12 15:48 -------- d-----w- c:\program files\Java
    2010-04-05 21:45 . 2005-11-12 15:48 -------- d-----w- c:\program files\Common Files\Java
    2010-04-05 19:00 . 2007-05-07 02:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NVIDIA
    2010-04-05 18:20 . 2005-11-12 16:21 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-31 03:06 . 2007-11-07 04:27 139152 ----a-w- c:\documents and settings\Gideon\Application Data\PnkBstrK.sys
    2010-03-31 03:06 . 2007-11-07 04:27 139152 ----a-w- c:\documents and settings\Gideon\Application Data\PnkBstrK.sys
    2010-03-31 03:05 . 2010-03-28 22:30 794408 ----a-w- c:\windows\system32\pbsvc.exe
    2010-03-31 03:05 . 2007-05-07 03:53 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-03-31 01:58 . 2010-04-28 02:28 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-03-31 01:58 . 2010-04-28 02:28 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-03-31 01:58 . 2010-04-28 02:28 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-03-31 01:58 . 2010-04-28 02:28 133616 ------w- c:\windows\system32\pxafs.dll
    2010-03-31 01:58 . 2010-04-28 02:28 125424 ------w- c:\windows\system32\pxinsi64.exe
    2010-03-31 01:58 . 2010-04-28 02:28 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-03-30 23:58 . 2007-05-24 18:48 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-03-30 18:15 . 2010-03-24 05:19 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-03-30 18:09 . 2010-03-24 05:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NVIDIA Corporation
    2010-03-30 07:46 . 2008-10-08 21:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 07:45 . 2008-10-08 21:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-28 22:06 . 2009-08-27 21:12 -------- d-----w- c:\program files\Electronic Arts
    2010-03-26 17:33 . 2010-04-30 15:40 1496064 ----a-w- c:\documents and settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2010-03-26 17:33 . 2010-04-30 15:40 43008 ----a-w- c:\documents and settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-03-26 17:33 . 2010-04-30 15:40 339456 ----a-w- c:\documents and settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-03-26 17:32 . 2010-04-30 15:40 346112 ----a-w- c:\documents and settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-03-24 05:36 . 2009-03-23 16:48 -------- d-----w- c:\program files\Yahoo!
    2010-03-24 05:35 . 2009-10-15 19:28 -------- d-----w- c:\program files\PokerStars
    2010-03-16 10:37 . 2010-03-16 10:37 278120 ----a-w- c:\windows\system32\nvmccs.dll
    2010-03-16 10:37 . 2010-03-16 10:37 154216 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-03-16 10:37 . 2010-03-16 10:37 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-03-16 10:37 . 2010-03-16 10:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll
    2010-03-16 10:37 . 2010-03-16 10:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-03-16 10:37 . 2010-03-16 10:37 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-03-12 18:26 . 2007-05-07 01:24 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-03-07 17:46 . 2009-09-02 02:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Electronic Arts
    2010-03-07 17:46 . 2010-03-07 17:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-03-07 17:45 . 2010-03-07 17:46 38784 ----a-w- c:\documents and settings\Gideon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-03-07 17:45 . 2010-03-07 17:46 38784 ----a-w- c:\documents and settings\Default User.WINDOWS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
    2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-09-22 17:51 . 2007-11-20 03:35 88 --sh--r- c:\windows\system32\47F0EAAE47.sys
    2009-09-22 17:51 . 2007-11-20 03:35 3296 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ------- Sigcheck -------


    [-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
    [-] 2004-08-04 . 110FB3121C028E5AAEDF3307223787CD . 14336 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe

    [-] 2010-04-14 . 6BDF6B80F3C6C37BEF59637FA8A652F2 . 505856 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe

    [-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
    [-] 2004-08-04 . 9491C2135C30B82BB1A6ACF928063A59 . 16896 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe

    c:\windows\System32\drivers\beep.sys ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-02-05 00:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"="c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"="c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-14 68856]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-04-17 394984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "Profiler"="c:\program files\Saitek\Software\ProfilerU.exe" [2005-08-30 163840]
    "SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2005-09-10 126976]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-01-07 1657448]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-7-6 809488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-02-19 07:30 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "Midi2"=ma_cmidn.dll
    "midi7"=ma_cmidn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 ----a-w- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    2008-12-19 06:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2008-12-19 06:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-03-16 10:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Java\\jre1.5.0_05\\bin\\rmiregistry.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 ABIT-IO;ABIT-IO;c:\windows\system32\drivers\ABIT-IO.sys [2007-06-29 4608]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-06-16 717296]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-09-15 38248]
    R3 SaiH80C0;SaiH80C0;c:\windows\system32\drivers\SaiH80C0.sys [2007-05-06 176384]
    S1 95439c1e;95439c1e;c:\windows\system32\drivers\95439c1e.sys --> c:\windows\system32\drivers\95439c1e.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 135664]
    S3 dsaudiodevice_286;DsAudioDevice_286;c:\windows\system32\drivers\DsAudioDevice_286.sys [2009-02-08 16640]
    S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\Gideon\LOCALS~1\Temp\Fadpu16E.sys --> c:\docume~1\Gideon\LOCALS~1\Temp\Fadpu16E.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2009-07-08 13504]
    S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2009-07-08 22304]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{b2c3bb6b-e005-4246-b8e5-df0a4d073cdc}]
    2008-06-18 23:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 18:40]

    2010-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 18:40]

    2010-04-30 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 01:02]

    2010-04-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-02-05 00:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?o=101760&l=dis
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    FF - ProfilePath - c:\documents and settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
    FF - component: c:\documents and settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    SSODL-MDmXzsQF-{7425B19C-DE8F-1B36-1FB6-E9F883A8DBA0} - c:\windows\system32\nrsq.dll
    Notify-navlogon - (no file)
    MSConfigStartUp-nwiz - nwiz.exe
    AddRemove-AviSynth - g:\gk\AviSynth 2.5\Uninstall.exe
    AddRemove-Reason4_is1 - g:\reason\Uninstall Reason\unins000.exe
    AddRemove-WinCustomize Browser - k:\progra~1\Stardock\WINCUS~1\SKINBR~1\UNWISE.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-30 10:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7641F8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xb810cfc3
    \Driver\ACPI -> ACPI.sys @ 0xb7e67cb8
    \Driver\atapi -> 0x8a7641f8
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
    ParseProcedure -> 0x887f41b0
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
    ParseProcedure -> 0x887f41b0
    NDIS: NVIDIA nForce Networking Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xb7cffba0
    PacketIndicateHandler -> NDIS.sys @ 0xb7ceea0b
    SendHandler -> NDIS.sys @ 0xb7d02b31
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-823518204-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)

    [HKEY_USERS\S-1-5-21-823518204-838170752-725345543-1004\Software\SecuROM\!caution! never delete or change any key*]
    "??"=hex:06,6a,34,8c,2c,ee,0c,df,81,f2,44,9c,83,04,9d,b9,ae,11,19,28,ea,cf,84,
    08,4f,c4,9b,d6,da,49,5a,4e,98,bb,65,1b,68,82,00,5f,3f,4e,d9,96,b1,d0,cc,67,\
    "??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

    [HKEY_USERS\S-1-5-21-823518204-838170752-725345543-1004\Software\SecuROM\License information*]
    "datasecu"=hex:b4,7c,02,9a,a8,fd,49,1e,71,20,25,04,4f,b9,9e,8c,9e,74,ad,88,b0,
    ae,93,a0,e7,c7,99,f5,24,5a,47,33,11,15,77,ac,01,d8,43,54,01,6e,7d,7b,af,b0,\
    "rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(896)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'lsass.exe'(956)
    c:\windows\system32\nvappfilter.dll

    - - - - - - - > 'explorer.exe'(828)
    c:\windows\system32\WININET.dll
    c:\program files\NVIDIA Corporation\nView\nview.dll
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\nvappfilter.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PnkBstrB.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Sandboxie\SbieSvc.exe
    c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\rundll32.exe
    c:\program files\Microsoft ActiveSync\wcescomm.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-04-30 10:54:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-30 17:54
    ComboFix2.txt 2008-10-08 22:13
    ComboFix3.txt 2008-10-08 21:50

    Pre-Run: 10,964,860,928 bytes free
    Post-Run: 23,669,272,576 bytes free

    - - End Of File - - 88449EF16C9C6294F814171E67F1137C
     
  13. 2010/04/30
    Gideon

    Gideon Inactive Thread Starter

    Here is the hijack log


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:58, on 2010-04-30
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Saitek\Software\ProfilerU.exe
    C:\Program Files\Saitek\Software\SaiMfd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
    C:\WINDOWS\system32\ctfmon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2eaf5bb1-070f-11d3-9307-00c04fae2d4f} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2eaf5bb2-070f-11d3-9307-00c04fae2d4f} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2eaf5bb2-070f-11d3-9307-00c04fae2d4f} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: M-Audio Series II MIDI Installer (ma_cmidi_installerservice) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

    --
    End of file - 10802 bytes
     
  14. 2010/04/30
    broni

    broni Moderator Malware Analyst

    OK. It doesn't look good.
    You may be infected with a polymorphic virus, so let's check...

    Upload following files to http://www.virustotal.com/ for security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post scan results.
     
  15. 2010/04/30
    Gideon

    Gideon Inactive Thread Starter

    Here is the explorer.exe scan

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.04.18 -
    AhnLab-V3 5.0.0.2 2010.04.18 -
    AntiVir 7.10.6.115 2010.04.16 -
    Antiy-AVL 2.0.3.7 2010.04.16 -
    Authentium 5.2.0.5 2010.04.16 -
    Avast 4.8.1351.0 2010.04.18 -
    Avast5 5.0.332.0 2010.04.18 -
    AVG 9.0.0.787 2010.04.18 -
    BitDefender 7.2 2010.04.18 -
    CAT-QuickHeal 10.00 2010.04.17 -
    ClamAV 0.96.0.3-git 2010.04.18 -
    Comodo 4637 2010.04.18 -
    DrWeb 5.0.2.03300 2010.04.18 -
    eSafe 7.0.17.0 2010.04.18 -
    eTrust-Vet 35.2.7431 2010.04.17 -
    F-Prot 4.5.1.85 2010.04.17 -
    F-Secure 9.0.15370.0 2010.04.18 -
    Fortinet 4.0.14.0 2010.04.18 -
    GData 19 2010.04.18 -
    Ikarus T3.1.1.80.0 2010.04.18 -
    Jiangmin 13.0.900 2010.04.18 -
    Kaspersky 7.0.0.125 2010.04.18 -
    McAfee 5.400.0.1158 2010.04.18 -
    McAfee-GW-Edition 6.8.5 2010.04.18 -
    Microsoft 1.5605 2010.04.18 -
    NOD32 5038 2010.04.18 -
    Norman 6.04.11 2010.04.16 -
    nProtect 2010-04-18.01 2010.04.18 -
    Panda 10.0.2.7 2010.04.18 -
    PCTools 7.0.3.5 2010.04.18 -
    Prevx 3.0 2010.04.18 -
    Rising 22.43.06.03 2010.04.18 -
    Sophos 4.52.0 2010.04.18 -
    Sunbelt 6188 2010.04.17 -
    Symantec 20091.2.0.41 2010.04.18 -
    TheHacker 6.5.2.0.264 2010.04.18 -
    TrendMicro 9.120.0.1004 2010.04.15 -
    VBA32 3.12.12.4 2010.04.15 -
    ViRobot 2010.4.17.2282 2010.04.17 -
    VirusBuster 5.0.27.0 2010.04.17 -
    Additional information
    File size: 1033216 bytes
    MD5 : 7712df0cdde3a5ac89843e61cd5b3658
    SHA1 : c090d1d96b28571cd715d7b371b0217b44494a71
    SHA256: 83da674402a154078a3f9220abcbca614777d07ce62f15e209a3de21f8e66772
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1A55F
    timedatestamp.....: 0x466FD448 (Wed Jun 13 13:26:00 2007)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x44B99 0x44C00 6.37 cc7927eec57bf3bd5184b7fae685f437
    .data 0x46000 0x1DB4 0x1800 1.30 cf446d2894d2d61265a59025c0c0a3af
    .rsrc 0x48000 0xB2278 0xB2400 6.63 4c87125e6706b04278662912805e63c7
    .reloc 0xFB000 0x3734 0x3800 6.77 be96bba8c8d8da82413a562ecfb78357

    ( 13 imports )

    > advapi32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
    > browseui.dll: -, -, -, -
    > gdi32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
    > kernel32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
    > msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
    > ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
    > ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
    > oleaut32.dll: -, -
    > shdocvw.dll: -, -, -
    > shell32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
    > shlwapi.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
    > user32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
    > uxtheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

    ( 0 exports )
    TrID : File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    ThreatExpert: http://www.threatexpert.com/report.aspx?md5=7712df0cdde3a5ac89843e61cd5b3658
    ssdeep: 24576:I+yKlX8VAAtZp43Fakf8I+skR1/g/J/k:I+MBtZp4akf8VRv
    sigcheck: publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft_ Windows_ Operating System
    description..: Windows Explorer
    original name: EXPLORER.EXE
    internal name: explorer
    file version.: 6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEiD : -
    RDS : NSRL Reference Data Set
    -
     
  16. 2010/04/30
    Gideon

    Gideon Inactive Thread Starter

    Here is userinit.exe

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.04.29 -
    AhnLab-V3 2010.04.29.05 2010.04.29 -
    AntiVir 8.2.1.224 2010.04.29 -
    Antiy-AVL 2.0.3.7 2010.04.29 -
    Authentium 5.2.0.5 2010.04.29 -
    Avast 4.8.1351.0 2010.04.29 -
    Avast5 5.0.332.0 2010.04.29 -
    AVG 9.0.0.787 2010.04.29 -
    BitDefender 7.2 2010.04.29 -
    CAT-QuickHeal 10.00 2010.04.29 -
    ClamAV 0.96.0.3-git 2010.04.29 -
    Comodo 4712 2010.04.29 -
    DrWeb 5.0.2.03300 2010.04.29 -
    eSafe 7.0.17.0 2010.04.29 -
    eTrust-Vet 35.2.7457 2010.04.29 -
    F-Prot 4.5.1.85 2010.04.29 -
    F-Secure 9.0.15370.0 2010.04.29 -
    Fortinet 4.0.14.0 2010.04.27 -
    GData 21 2010.04.29 -
    Ikarus T3.1.1.80.0 2010.04.29 -
    Jiangmin 13.0.900 2010.04.29 -
    Kaspersky 7.0.0.125 2010.04.29 -
    McAfee 5.400.0.1158 2010.04.29 -
    McAfee-GW-Edition 6.8.5 2010.04.29 -
    Microsoft 1.5703 2010.04.29 -
    NOD32 5073 2010.04.29 -
    Norman 6.04.12 2010.04.29 -
    nProtect 2010-04-29.01 2010.04.29 -
    Panda 10.0.2.7 2010.04.29 -
    PCTools 7.0.3.5 2010.04.29 -
    Prevx 3.0 2010.04.29 -
    Rising 22.45.03.03 2010.04.29 -
    Sophos 4.53.0 2010.04.29 -
    Sunbelt 6237 2010.04.29 -
    Symantec 20091.2.0.41 2010.04.29 -
    TheHacker 6.5.2.0.273 2010.04.29 -
    TrendMicro 9.120.0.1004 2010.04.29 -
    VBA32 3.12.12.4 2010.04.29 -
    ViRobot 2010.4.27.2295 2010.04.28 -
    VirusBuster 5.0.27.0 2010.04.29 -
    Additional information
    File size: 24576 bytes
    MD5 : 39b1ffb03c2296323832acbae50d2aff
    SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
    SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x50E5
    timedatestamp.....: 0x41107B78 (Wed Aug 4 08:00:24 2004)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x4DB8 0x4E00 6.01 16aee663ed180007a0bf5bf24b845096
    .data 0x6000 0x14C 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
    .rsrc 0x7000 0xB60 0xC00 3.27 b388ab1541ccd9727979fb26a23f72e1

    ( 7 imports )

    > advapi32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
    > crypt32.dll: CryptProtectData
    > kernel32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW
    > msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
    > ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
    > user32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
    > winspool.drv: SpoolerInit

    ( 0 exports )
    TrID : File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    ThreatExpert: http://www.threatexpert.com/report.aspx?md5=39b1ffb03c2296323832acbae50d2aff
    ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCSF4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7
    sigcheck: publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft_ Windows_ Operating System
    description..: Userinit Logon Application
    original name: USERINIT.EXE
    internal name: userinit
    file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEiD : -
    RDS : NSRL Reference Data Set

    ( Gateway )

    Gateway Operating System Windows XP Pro Edition SP2: USERINIT.EXE, userinit.exe
    ( Microsoft )

    MSDN Disc 2428.4: userinit.exe
    MSDN Disc 2428.5: userinit.exe
    MSDN Disc 2428.8: userinit.exe
    Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: userinit.exe
    Virtual PC for Mac Windows XP Home Edition: userinit.exe
    Virtual PC for Mac Windows XP Professional Edition: userinit.exe
     
  17. 2010/04/30
    Gideon

    Gideon Inactive Thread Starter

    Here is svchost.exe

    Btw, does "it doesn't look good" mean it can't be fixed or does it mean it will be difficult?

    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.02.03 Trojan.Patched.CX.75!IK
    AhnLab-V3 5.0.0.2 2010.02.03 -
    AntiVir 7.9.1.158 2010.02.03 TR/Patched.CX.75
    Antiy-AVL 2.0.3.7 2010.02.03 -
    Authentium 5.2.0.5 2010.02.03 -
    Avast 4.8.1351.0 2010.02.02 -
    AVG 9.0.0.730 2010.02.02 -
    BitDefender 7.2 2010.02.03 -
    CAT-QuickHeal 10.00 2010.02.03 -
    ClamAV 0.96.0.0-git 2010.02.03 -
    Comodo 3804 2010.02.03 -
    DrWeb 5.0.1.12222 2010.02.03 -
    eSafe 7.0.17.0 2010.02.02 -
    eTrust-Vet 35.2.7278 2010.02.03 -
    F-Prot 4.5.1.85 2010.02.01 -
    F-Secure 9.0.15370.0 2010.02.03 -
    Fortinet 4.0.14.0 2010.02.03 -
    GData 19 2010.02.03 -
    Ikarus T3.1.1.80.0 2010.02.03 Trojan.Patched.CX.75
    Jiangmin 13.0.900 2010.02.03 -
    K7AntiVirus 7.10.963 2010.02.02 Trojan.Win32.Patched.cx
    Kaspersky 7.0.0.125 2010.02.03 -
    McAfee 5880 2010.02.02 -
    McAfee+Artemis 5880 2010.02.02 Artemis!9491C2135C30
    McAfee-GW-Edition 6.8.5 2010.02.03 Heuristic.LooksLike.Trojan.Patched.L
    Microsoft 1.5406 2010.02.03 -
    NOD32 4830 2010.02.03 -
    Norman 6.04.03 2010.02.03 -
    nProtect 2009.1.8.0 2010.02.03 -
    Panda 10.0.2.2 2010.02.02 -
    PCTools 7.0.3.5 2010.02.03 -
    Prevx 3.0 2010.02.03 -
    Rising 22.33.02.04 2010.02.03 -
    Sophos 4.50.0 2010.02.03 Mal/Generic-A
    Sunbelt 3.2.1858.2 2010.02.03 -
    TheHacker 6.5.1.0.178 2010.02.03 Trojan/Patched.cx
    TrendMicro 9.120.0.1004 2010.02.03 -
    VBA32 3.12.12.1 2010.02.03 -
    ViRobot 2010.2.3.2170 2010.02.03 -
    VirusBuster 5.0.21.0 2010.02.02 -
    Additional information
    File size: 16896 bytes
    MD5 : 9491c2135c30b82bb1a6acf928063a59
    SHA1 : 9311fb6943c96ba254988e6e02d7419eca6f368f
    SHA256: 7a5dfb41fa1996c7b88e7e8db80939fbdd0c9a6c0678dd22af41fb6a075669ef
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2509
    timedatestamp.....: 0x41107ED6 (Wed Aug 4 08:14:46 2004)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2C00 0x2C00 6.29 6fc4d075dfb37185ffae8eacb467b822
    .data 0x4000 0x1F0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
    .rsrc 0x5000 0x2000 0x1000 1.13 0c277f1d169c34cef7c2b672c4e78b97

    ( 4 imports )

    > advapi32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
    > kernel32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
    > ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
    > rpcrt4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

    ( 0 exports )
    TrID : File type identification
    42.3% (.EXE) Win32 Executable Generic (8527/13/3)
    37.6% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
    9.9% (.EXE) Generic Win/DOS Executable (2002/3)
    9.9% (.EXE) DOS Executable Generic (2000/1)
    0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3)
    ssdeep: 384:cYiRrTp13SkhnRCwOV5JpeLCdw9rDpWCl8CbW:WT/3Ska6Lh8C
    PEiD : -
    RDS : NSRL Reference Data Set
    -
     
    Last edited: 2010/04/30
  18. 2010/05/01
    broni

    broni Moderator Malware Analyst

    I don't know yet. Some major system files have been infected, but those three scans you ran don't show a polymorphic infection.
    We'll need to use some more tools to see what's going on.

    The infection is definitely severe, so we have to take it easy and carefully.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      lsass.exe
      svchost.exe
      beep.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
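The :filefind step above asks SystemLook to list every copy of a named file anywhere on the disk together with its size, timestamps and MD5, so that the copies can be compared with each other and with the hash VirusTotal reported. The following is an added example, written for this thread and not SystemLook's own code, that does the same job in Python: it walks a directory tree, reports each match in a SystemLook-like layout, and additionally flags any file name whose copies do not all share one hash. The sample tree, its file contents and all function names are constructed assumptions so the script runs anywhere; point `filefind` at real roots to use it on a machine.

```python
"""Minimal filefind: locate every copy of a file name, hash it, compare copies."""
import hashlib
import os
import tempfile
from datetime import datetime


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, uppercase hex to match SystemLook's presentation."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def filefind(names, roots):
    """Return {name: [record, ...]} for every file whose name is in `names`
    (case-insensitive) under any of `roots`; an empty list means not found."""
    wanted = {n.lower() for n in names}
    found = {n: [] for n in wanted}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() in wanted:
                    full = os.path.join(dirpath, fn)
                    st = os.stat(full)
                    found[fn.lower()].append({
                        "path": full,
                        "size": st.st_size,
                        "modified": datetime.fromtimestamp(st.st_mtime),
                        "md5": md5_of(full),
                    })
    return found


def divergent_names(found):
    """Names whose on-disk copies do not all share one hash. Two copies with
    different hashes are not proof of tampering (an update cache legitimately
    holds a newer build), but they are the copies worth submitting for a scan."""
    return sorted(n for n, hits in found.items()
                  if len({h["md5"] for h in hits}) > 1)


def format_report(found):
    """Render results in the spirit of the SystemLook log: one block per name."""
    lines = ["========== filefind =========="]
    for name in sorted(found):
        lines.append('Searching for "%s"' % name)
        if not found[name]:
            lines.append("No files found.")
        for h in found[name]:
            stamp = h["modified"].strftime("%H:%M %d/%m/%Y")
            lines.append("%s %d bytes [%s] %s" % (h["path"], h["size"], stamp, h["md5"]))
        lines.append("")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed stand-in for a Windows tree (assumption, not real binaries):
    two svchost.exe copies with different contents, one lsass.exe, no beep.sys."""
    base = tempfile.mkdtemp(prefix="filefind_demo_")
    sys32 = os.path.join(base, "WINDOWS", "system32")
    cache = os.path.join(base, "WINDOWS", "SoftwareDistribution", "Download", "cache")
    os.makedirs(sys32)
    os.makedirs(cache)
    with open(os.path.join(sys32, "svchost.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100 + b"\x90" * 12)   # 114 bytes, constructed
    with open(os.path.join(cache, "svchost.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)                  # 102 bytes, constructed
    with open(os.path.join(sys32, "lsass.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 50)                   # 52 bytes, constructed
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    results = filefind(["lsass.exe", "svchost.exe", "beep.sys"], [root])
    print(format_report(results))
    print("Names with non-identical copies:", divergent_names(results))
```

The report deliberately prints the hash next to the path so it can be pasted straight into a VirusTotal search; the `divergent_names` check is what a responder does by eye when two copies of the same system file show different sizes, as the svchost.exe entries later in this thread do.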
     
  19. 2010/05/01
    Gideon

    Gideon Inactive Thread Starter

    Here is the system look log

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 09:44 on 01/05/2010 by Gideon (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "lsass.exe "
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe --a--- 13312 bytes [10:52 04/09/2008] [00:12 14/04/2008] BF2466B3E18E970D8A976FB95FC1CA85
    C:\WINDOWS\system32\lsass.exe --a--- 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 110FB3121C028E5AAEDF3307223787CD

    Searching for "svchost.exe "
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe --a--- 14336 bytes [10:52 04/09/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
    C:\WINDOWS\system32\svchost.exe --a--- 16896 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9491C2135C30B82BB1A6ACF928063A59

    Searching for "beep.sys "
    No files found.

    -=End Of File=-
     
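The point of the SystemLook run above is to put every copy of the same system binary side by side and compare sizes and hashes. As an added example (not part of this thread, and not SystemLook's or ComboFix's own code), the script below parses the `:filefind` output, groups the hits by file name and flags any name whose copies disagree in size or MD5. The sample log is constructed from the lines posted above, and the per-hit line layout it expects is an assumption taken from those lines.

```python
"""Parse SystemLook ':filefind' output and flag file names whose copies
disagree in size or MD5.

Added example for this thread, not code from SystemLook or from the forum.
The sample log is constructed from the SystemLook output posted above; the
per-file line layout is assumed from those lines:
    <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
"""
import re
from collections import defaultdict

# Constructed sample: the lines posted above, trimmed of extraction artefacts.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:44 on 01/05/2010 by Gideon (Administrator - Elevation successful)

========== filefind ==========

Searching for "lsass.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe --a--- 13312 bytes [10:52 04/09/2008] [00:12 14/04/2008] BF2466B3E18E970D8A976FB95FC1CA85
C:\WINDOWS\system32\lsass.exe --a--- 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 110FB3121C028E5AAEDF3307223787CD

Searching for "svchost.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe --a--- 14336 bytes [10:52 04/09/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a--- 16896 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9491C2135C30B82BB1A6ACF928063A59

Searching for "beep.sys"
No files found.

-=End Of File=-
"""

SEARCH_RE = re.compile(r'^Searching for "(.+?)"$')
HIT_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)


def parse_filefind(text):
    """Return ({name: [hit, ...]}, [names with no hits]).

    Each hit is a dict with path, attrs, size (int), mtime, ctime, md5.
    Names are lower-cased because NTFS lookups are case-insensitive.
    """
    hits = defaultdict(list)
    missing = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if line == "No files found." and current:
            missing.append(current)
            continue
        m = HIT_RE.match(line)
        if m and current:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits[current].append(hit)
    return dict(hits), missing


def find_discrepancies(hits):
    """For each name with more than one distinct (size, md5) pair, report the
    variants and the largest copy. Size growth on a system binary is the
    classic file-infector sign, so that copy is the first one to pull for
    analysis; a different service pack or hotfix level also changes size
    and hash, though, so confirm against a trusted reference before replacing.
    """
    report = {}
    for name, recs in hits.items():
        variants = {(r["size"], r["md5"]) for r in recs}
        if len(variants) > 1:
            biggest = max(recs, key=lambda r: r["size"])
            report[name] = {
                "variants": sorted(variants),
                "largest": biggest["path"],
            }
    return report


def render(report, missing):
    """Human-readable summary lines."""
    lines = []
    for name, info in sorted(report.items()):
        lines.append(f"{name}: {len(info['variants'])} distinct variants on disk")
        for size, md5 in info["variants"]:
            lines.append(f"    {size:>7} bytes  {md5}")
        lines.append(f"    largest copy: {info['largest']}")
    for name in missing:
        lines.append(f"{name}: not found (may need to be restored)")
    return lines


if __name__ == "__main__":
    found, absent = parse_filefind(SAMPLE_LOG)
    print("\n".join(render(find_discrepancies(found), absent)))
```

Run it with python3 and it reports two variants each for lsass.exe and svchost.exe, with the system32 copy the larger one in both cases, and beep.sys as missing; that is exactly the picture the Fcopy and beep.sys steps in the next reply act on. A hash or size mismatch between copies is a reason to submit the larger file and check it against a known-good set (the RDS/NSRL line in the scan report above is such a set), not proof of infection by itself.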
  20. 2010/05/01
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    Here is the system look log.

    I have to say some new symptoms have occurred. I haven't used this PC to get online much since the infection, but I checked my email yesterday and I keep getting rerouted to different sites and kicked off the internet.

     
  21. 2010/05/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm not surprised by the new symptoms, since we've barely taken any action yet.
    Attached is a zipped beep.sys file. Unzip it and paste it into the c:\windows\System32\drivers folder.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\47F0EAAE47.sys
    c:\windows\system32\drivers\95439c1e.sys
    c:\docume~1\Gideon\LOCALS~1\Temp\Fadpu16E.sys
    
    
    Folder::
    
    Fcopy::
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe | C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe | C:\WINDOWS\system32\svchost.exe
    
    
    Driver::
    95439c1e
    Fadpu16E
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000000
     "FirewallOverride"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"=dword:00000001
     "DisableNotifications"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "26675:TCP"=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     

    Attached Files:
