-
Copy/paste the text in the Codebox below into notepad:
Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:
Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.
Code:
Folder::
c:\programdata\Viewpoint
c:\program files\Viewpoint
Driver::
XDva011;XDva011
XDva020;XDva020
XDva136;XDva136
XDva281;XDva281
XDva295;XDva295
XDva326;XDva326
Save this file to your desktop. Save this as "CFScript".
Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...
http://img.photobucket.com/albums/v6...FScriptB-4.gif
Drag CFScript.txt into ComboFix.exe
Then post the results log using Copy / Paste
Also please describe how your computer behaves at the moment.
-
Scan went by much faster this time around. Computer is running exactly the same as last time. My last Spybot scan came up clean once again. So far so good.
ComboFix 10-09-14.01 - Moratu 09/14/2010 20:39:45.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1906 [GMT -4:00]
Running from: c:\users\Moratu\Desktop\ComboFix.exe
Command switches used :: c:\users\Moratu\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
c:\programdata\Viewpoint
c:\programdata\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.
2010-09-15 00:47 . 2010-09-15 00:50 -------- d-----w- c:\users\Moratu\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Application Data\AppData\Local\temp
2010-09-14 00:01 . 2010-09-14 00:01 -------- d-----w- c:\users\Moratu\AppData\Local\Apple
2010-09-13 02:29 . 2010-09-14 16:49 -------- d-----w- c:\users\Moratu\AppData\Local\PMB Files
2010-09-13 02:29 . 2010-09-13 02:30 -------- d-----w- c:\programdata\PMB Files
2010-09-13 02:29 . 2010-09-13 02:29 -------- d-----w- c:\program files\Pando Networks
2010-09-13 02:10 . 2010-09-13 02:10 -------- d-----w- c:\users\Moratu\AppData\Local\The Lord of the Rings Online
2010-09-13 00:06 . 2010-09-13 00:20 -------- d-----w- c:\users\Moratu\AppData\Local\Apple Computer
2010-09-13 00:01 . 2010-09-13 01:56 -------- d-----w- c:\users\Moratu\AppData\Local\Adobe
2010-09-12 22:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 22:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 22:04 . 2010-09-12 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-05 17:29 . 2010-09-05 17:29 -------- d-----w- c:\program files\Safer Networking
2010-09-03 23:48 . 2010-09-03 23:48 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 23:48 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:37 . 2010-09-03 23:37 -------- d-----w- c:\program files\iPod
2010-09-03 23:37 . 2010-09-03 23:38 -------- d-----w- c:\program files\iTunes
2010-09-03 23:32 . 2010-09-03 23:32 -------- d-----w- c:\program files\Bonjour
2010-09-03 22:00 . 2010-09-03 22:00 -------- d-----w- c:\program files\Secunia
2010-09-03 19:11 . 2010-09-03 19:11 -------- d--h--w- c:\windows\PIF
2010-09-03 19:03 . 2010-09-03 19:03 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-02 01:34 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-09-02 01:34 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-09-02 01:34 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-09-02 01:34 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-09-02 01:34 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-09-02 01:34 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-02 01:34 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-02 01:34 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-31 04:43 . 2010-08-31 04:43 -------- d-----w- c:\users\Moratu\AppData\Roaming\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\programdata\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\program files\Avira
2010-08-31 04:38 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-31 04:38 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-31 04:38 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-31 04:38 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-30 02:07 . 2010-09-12 23:41 -------- d-----w- c:\users\Moratu\Tracing
2010-08-24 03:36 . 2010-08-24 03:36 -------- d-----w- c:\program files\Atari
2010-08-24 00:40 . 2010-08-24 19:21 -------- d-----w- c:\users\Moratu\AppData\Local\The Witcher
2010-08-24 00:28 . 2010-08-24 01:59 -------- d-----w- c:\program files\The Witcher
2010-08-22 21:43 . 2010-08-22 21:45 -------- d-----w- c:\program files\Jnes
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\program files\Free Fire Screensaver
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\users\Moratu\AppData\Roaming\Laconic Software
2010-08-22 15:52 . 2010-08-22 15:52 -------- d-----w- c:\program files\RocketDock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 00:51 . 2009-12-09 06:37 37773 ----a-w- c:\programdata\nvModes.dat
2010-09-13 11:02 . 2009-11-05 16:31 -------- d-----w- c:\program files\Turbine
2010-09-13 01:08 . 2010-02-01 22:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\HpUpdate
2010-09-13 01:02 . 2008-07-13 04:01 -------- d-----w- c:\programdata\Lavasoft
2010-09-13 00:21 . 2009-01-27 07:15 -------- d-----w- c:\programdata\Apple Computer
2010-09-12 23:10 . 2007-03-15 01:52 -------- d-----w- c:\program files\Common Files\AOL
2010-09-07 18:38 . 2007-02-10 18:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-07 06:18 . 2010-09-05 18:19 63488 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-07 06:18 . 2010-09-05 18:19 117760 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-07 05:44 . 2010-06-24 01:24 -------- d-----w- c:\users\Moratu\AppData\Roaming\DisplayFusion
2010-09-05 18:26 . 2007-11-02 02:56 -------- d-----w- c:\programdata\NVIDIA
2010-09-05 18:19 . 2010-09-05 18:19 52224 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-05 17:24 . 2009-08-10 05:56 -------- d-----r- c:\program files\Skype
2010-09-05 17:21 . 2007-06-06 01:18 -------- d-----w- c:\program files\CCleaner
2010-09-05 17:15 . 2007-02-10 18:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-05 17:11 . 2008-12-09 07:10 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-09-05 17:08 . 2010-02-09 23:01 -------- d-----w- c:\program files\Workspace Macro Pro 6.5
2010-09-05 17:07 . 2010-02-04 06:26 -------- d-----w- c:\programdata\ijjigame
2010-09-05 17:05 . 2007-05-21 04:09 -------- d-----w- c:\program files\RealMedia
2010-09-04 13:00 . 2009-09-11 21:44 -------- d-----w- c:\program files\City of Heroes
2010-09-03 23:48 . 2007-10-31 05:35 -------- d-----w- c:\program files\Java
2010-09-03 23:37 . 2009-01-27 07:18 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 23:35 . 2007-03-29 01:16 -------- d-----w- c:\program files\QuickTime
2010-09-03 23:31 . 2010-09-03 23:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 23:28 . 2007-03-29 01:25 -------- d-----w- c:\users\Moratu\AppData\Roaming\Apple Computer
2010-09-03 23:27 . 2008-12-09 10:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-03 23:27 . 2010-09-03 23:27 53632 ----a-w- c:\users\Moratu\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2010-09-03 23:27 . 2009-11-16 02:54 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2010-09-03 19:17 . 2007-02-10 17:20 1356 ----a-w- c:\users\Moratu\AppData\Local\d3d9caps.dat
2010-09-03 19:08 . 2008-06-18 13:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 19:04 . 2009-02-14 09:07 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-03 06:04 . 2008-12-11 03:31 -------- d-----w- c:\program files\SpywareBlaster
2010-09-02 02:40 . 2007-04-28 02:15 -------- d-----w- c:\programdata\Microsoft Help
2010-09-02 02:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-02 01:18 . 2007-01-06 01:59 35920 ----a-w- c:\windows\system32\drivers\nvstor.sys
2010-09-02 00:28 . 2010-09-02 00:28 388096 ----a-r- c:\users\Moratu\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 23:49 . 2009-04-28 05:07 -------- d-----w- c:\users\Moratu\AppData\Roaming\Skype
2010-08-31 23:48 . 2009-04-28 05:13 -------- d-----w- c:\users\Moratu\AppData\Roaming\skypePM
2010-08-31 04:30 . 2008-07-13 03:19 -------- d-----w- c:\programdata\avg8
2010-08-23 23:09 . 2008-06-18 03:43 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-23 23:09 . 2010-08-23 23:09 92280 ----a-w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-23 23:09 . 2009-01-31 06:39 -------- d-----w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab
2010-08-22 19:22 . 2008-05-12 19:37 -------- d-----w- c:\program files\Emulator
2010-08-18 20:22 . 2007-02-10 17:02 70864 ----a-w- c:\users\Moratu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-08 03:41 . 2010-08-08 03:41 -------- d-----w- c:\users\Moratu\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-08-08 03:40 . 2010-08-08 03:40 -------- d-----w- c:\program files\Picaboo X
2010-08-03 22:10 . 2010-02-10 00:49 -------- d-----w- c:\program files\Google
2010-07-31 14:35 . 2010-07-31 14:35 -------- d-----w- c:\users\Moratu\AppData\Roaming\Flickr
2010-07-31 14:34 . 2010-07-31 14:34 -------- d-----w- c:\program files\Flickr Uploadr
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:42 . 2010-07-28 15:42 -------- d-----w- c:\program files\Enterbrain
2010-07-28 15:38 . 2010-07-28 15:38 -------- d-----w- c:\program files\Common Files\Enterbrain
2010-07-28 00:49 . 2009-10-29 17:56 -------- d-----w- c:\program files\SpeedBit Video Downloader
2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-24 01:33 . 2010-07-24 01:33 120 ----a-w- c:\users\Moratu\AppData\Local\Pfaweqixiwuhuq.dat
2010-07-22 18:24 . 2010-07-22 18:24 -------- d-----w- c:\program files\Common Files\Skype
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 14:05 . 2010-07-07 14:05 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-06-26 06:05 . 2010-09-02 01:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-09-02 01:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-09-02 01:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-09-02 01:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2010-07-08 1082088]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-13 2969496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13939816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-29 10664]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-12 3403420]
R3 npkycryp;npkycryp;c:\nexon\MapleStory\npkycryp.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva011;XDva011;c:\windows\system32\XDva011.sys [x]
R3 XDva020;XDva020;c:\windows\system32\XDva020.sys [x]
R3 XDva136;XDva136;c:\windows\system32\XDva136.sys [x]
R3 XDva281;XDva281;c:\windows\system32\XDva281.sys [x]
R3 XDva295;XDva295;c:\windows\system32\XDva295.sys [x]
R3 XDva326;XDva326;c:\windows\system32\XDva326.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-13 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2008-05-19 370872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-09-14 c:\windows\Tasks\User_Feed_Synchronization-{47F3090E-BE59-4670-B66F-0AF53CDB1D56}.job
- c:\windows\system32\msfeedssync.exe [2010-09-02 04:24]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://157.238.137.246/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\users\Moratu\AppData\Roaming\Mozilla\Firefox\Profiles\bbq685r0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.sparkpeople.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:2f,f6,9d,35,33,7f,45,78,66,9e,14,8a,31,d0,74,8e,f4,52,e9,b0,c4,7c,d5,
2a,a0,da,7c,72,55,78,6c,e2,6f,f7,0d,cb,a0,a5,61,bb,d5,e8,64,2a,77,24,0a,c7,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\License information*]
"datasecu"=hex:e2,48,17,61,5f,fd,77,85,69,1a,de,64,a2,2f,e4,97,8d,fd,c9,8f,85,
ee,3e,68,b9,58,34,3b,9b,8e,95,6e,40,f1,72,5e,5d,dc,ec,a4,e8,d2,4f,2c,d0,c7,\
"rkeysecu"=hex:17,0c,8b,a8,75,cb,05,56,56,b0,06,85,72,9c,ba,40
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(8852)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxczcoms.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\users\Moratu\AppData\Local\TVersity\Media Server\MediaServer.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-09-14 20:58:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-15 00:58
ComboFix2.txt 2010-09-14 17:14
Pre-Run: 127,555,866,624 bytes free
Post-Run: 127,515,795,456 bytes free
- - End Of File - - 07BB053C83D8F769E230A241BB24172E
-
Sorry, I didn't do the last one correctly.
Copy/paste the text in the Codebox below into notepad:
Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:
Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.
Code:
File::
c:\windows\system32\XDva011.sys
c:\windows\system32\XDva020.sys
c:\windows\system32\XDva136.sys
c:\windows\system32\XDva281.sys
c:\windows\system32\XDva295.sys
c:\windows\system32\XDva326.sys
Driver::
XDva011
XDva020
XDva136
XDva281
XDva295
XDva326
Save this file to your desktop. Save this as "CFScript".
Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...
http://img.photobucket.com/albums/v6...FScriptB-4.gif
Drag CFScript.txt into ComboFix.exe
Then post the results log using Copy / Paste
Also please describe how your computer behaves at the moment.
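As an added example (not from the helper's post and not part of ComboFix), a small Python tool that pulls the driver/service lines out of a ComboFix log, flags the entries ComboFix marked [x] (service still registered but its image file is gone from disk), and emits the File::/Driver:: layout used in the corrected script above. The name filter stands in for the analyst's judgement: in the log above, npkycryp and SCREAMINGBDRIVER also carry [x] but the helper's script targets only the XDva entries. The sample lines are copied from the log posted earlier in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the ComboFix log above (the "." line is ComboFix's own spacer).
SAMPLE_LOG = r"""
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 npkycryp;npkycryp;c:\nexon\MapleStory\npkycryp.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [x]
R3 XDva011;XDva011;c:\windows\system32\XDva011.sys [x]
R3 XDva020;XDva020;c:\windows\system32\XDva020.sys [x]
R3 XDva136;XDva136;c:\windows\system32\XDva136.sys [x]
R3 XDva281;XDva281;c:\windows\system32\XDva281.sys [x]
R3 XDva295;XDva295;c:\windows\system32\XDva295.sys [x]
R3 XDva326;XDva326;c:\windows\system32\XDva326.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-13 717296]
.
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
"""

# One ComboFix service line:
#   <R|S><start type> <service name>;<display name>;<image path> [<date size> | x]
# R = running, S = stopped; "[x]" means the image file was not found on disk.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str      # 'R' running or 'S' stopped
    start: int      # start-type digit as ComboFix prints it
    name: str       # service (registry key) name
    display: str    # display name
    path: str       # image path recorded in the registry
    missing: bool   # True when ComboFix printed [x]


def parse_service_lines(log_text: str) -> List[ServiceEntry]:
    """Return every driver/service line in a ComboFix log; other lines are skipped."""
    entries: List[ServiceEntry] = []
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue  # file listing, registry dump, spacer line, etc.
        entries.append(ServiceEntry(
            state=m["state"],
            start=int(m["start"]),
            name=m["name"],
            display=m["display"],
            path=m["path"],
            missing=(m["info"].strip() == "x"),
        ))
    return entries


def orphaned_services(entries: List[ServiceEntry],
                      name_pattern: Optional[str] = None) -> List[ServiceEntry]:
    """Registered services whose image file is gone, optionally filtered by name regex."""
    rx = re.compile(name_pattern, re.IGNORECASE) if name_pattern else None
    return [e for e in entries if e.missing and (rx is None or rx.search(e.name))]


def build_cfscript(orphans: List[ServiceEntry]) -> str:
    """Emit the File::/Driver:: layout used in the corrected CFScript above."""
    lines = ["File::"] + [e.path for e in orphans]
    lines += ["Driver::"] + [e.name for e in orphans]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_service_lines(SAMPLE_LOG)
    for e in orphaned_services(found):
        print(f"orphaned: {e.name:<18} -> {e.path}")
    # Analyst's choice: only the XDva* entries, as in the helper's script.
    print(build_cfscript(orphaned_services(found, r"^XDva\d+$")))
```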
-
Here you go. Ran it again with the new code. Nothing has changed as far as I can tell.
ComboFix 10-09-14.05 - Moratu 09/15/2010 14:54:38.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1751 [GMT -4:00]
Running from: c:\users\Moratu\Desktop\ComboFix.exe
Command switches used :: c:\users\Moratu\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\windows\system32\XDva011.sys"
"c:\windows\system32\XDva020.sys"
"c:\windows\system32\XDva136.sys"
"c:\windows\system32\XDva281.sys"
"c:\windows\system32\XDva295.sys"
"c:\windows\system32\XDva326.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_XDVA011
-------\Legacy_XDVA020
-------\Legacy_XDVA136
-------\Legacy_XDVA281
-------\Legacy_XDVA295
-------\Legacy_XDVA326
-------\Service_XDva011
-------\Service_XDva020
-------\Service_XDva136
-------\Service_XDva281
-------\Service_XDva295
-------\Service_XDva326
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.
2010-09-13 02:29 . 2010-09-13 02:30 -------- d-----w- c:\programdata\PMB Files
2010-09-13 02:29 . 2010-09-13 02:29 -------- d-----w- c:\program files\Pando Networks
2010-09-13 02:10 . 2010-09-13 02:10 -------- d-----w- c:\users\Moratu\AppData\Local\The Lord of the Rings Online
2010-09-13 00:06 . 2010-09-13 00:20 -------- d-----w- c:\users\Moratu\AppData\Local\Apple Computer
2010-09-13 00:01 . 2010-09-13 01:56 -------- d-----w- c:\users\Moratu\AppData\Local\Adobe
2010-09-12 22:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 22:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 22:04 . 2010-09-12 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-05 17:29 . 2010-09-05 17:29 -------- d-----w- c:\program files\Safer Networking
2010-09-03 23:48 . 2010-09-03 23:48 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 23:48 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:37 . 2010-09-03 23:37 -------- d-----w- c:\program files\iPod
2010-09-03 23:37 . 2010-09-03 23:38 -------- d-----w- c:\program files\iTunes
2010-09-03 23:32 . 2010-09-03 23:32 -------- d-----w- c:\program files\Bonjour
2010-09-03 22:00 . 2010-09-03 22:00 -------- d-----w- c:\program files\Secunia
2010-09-03 19:11 . 2010-09-03 19:11 -------- d--h--w- c:\windows\PIF
2010-09-03 19:03 . 2010-09-03 19:03 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-02 01:34 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-09-02 01:34 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-09-02 01:34 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-09-02 01:34 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-09-02 01:34 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-09-02 01:34 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-02 01:34 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-02 01:34 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-31 04:43 . 2010-08-31 04:43 -------- d-----w- c:\users\Moratu\AppData\Roaming\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\programdata\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\program files\Avira
2010-08-31 04:38 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-31 04:38 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-31 04:38 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-31 04:38 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-30 02:07 . 2010-09-12 23:41 -------- d-----w- c:\users\Moratu\Tracing
2010-08-24 03:36 . 2010-08-24 03:36 -------- d-----w- c:\program files\Atari
2010-08-24 00:40 . 2010-08-24 19:21 -------- d-----w- c:\users\Moratu\AppData\Local\The Witcher
2010-08-24 00:28 . 2010-08-24 01:59 -------- d-----w- c:\program files\The Witcher
2010-08-22 21:43 . 2010-08-22 21:45 -------- d-----w- c:\program files\Jnes
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\program files\Free Fire Screensaver
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\users\Moratu\AppData\Roaming\Laconic Software
2010-08-22 15:52 . 2010-08-22 15:52 -------- d-----w- c:\program files\RocketDock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 19:18 . 2009-12-09 06:37 37773 ----a-w- c:\programdata\nvModes.dat
2010-09-15 02:38 . 2010-06-24 01:24 -------- d-----w- c:\users\Moratu\AppData\Roaming\DisplayFusion
2010-09-15 02:37 . 2010-09-15 02:37 60152 ----a-w- c:\users\Moratu\AppData\Roaming\DisplayFusion\DisplayFusionHookx64_8af9d6b0-f589-47a3-9d37-b1cdccb9e6cc.dll
2010-09-15 02:37 . 2010-09-15 02:37 47864 ----a-w- c:\users\Moratu\AppData\Roaming\DisplayFusion\DisplayFusionHookx86_34ad846b-45a4-4c03-9499-3ecc532292da.dll
2010-09-15 02:37 . 2010-06-24 01:23 -------- d-----w- c:\program files\DisplayFusion
2010-09-13 11:02 . 2009-11-05 16:31 -------- d-----w- c:\program files\Turbine
2010-09-13 01:08 . 2010-02-01 22:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\HpUpdate
2010-09-13 01:02 . 2008-07-13 04:01 -------- d-----w- c:\programdata\Lavasoft
2010-09-13 00:21 . 2009-01-27 07:15 -------- d-----w- c:\programdata\Apple Computer
2010-09-12 23:10 . 2007-03-15 01:52 -------- d-----w- c:\program files\Common Files\AOL
2010-09-07 18:38 . 2007-02-10 18:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-07 06:18 . 2010-09-05 18:19 63488 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-07 06:18 . 2010-09-05 18:19 117760 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-05 18:26 . 2007-11-02 02:56 -------- d-----w- c:\programdata\NVIDIA
2010-09-05 18:19 . 2010-09-05 18:19 52224 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-05 17:24 . 2009-08-10 05:56 -------- d-----r- c:\program files\Skype
2010-09-05 17:21 . 2007-06-06 01:18 -------- d-----w- c:\program files\CCleaner
2010-09-05 17:15 . 2007-02-10 18:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-05 17:11 . 2008-12-09 07:10 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-09-05 17:08 . 2010-02-09 23:01 -------- d-----w- c:\program files\Workspace Macro Pro 6.5
2010-09-05 17:07 . 2010-02-04 06:26 -------- d-----w- c:\programdata\ijjigame
2010-09-05 17:05 . 2007-05-21 04:09 -------- d-----w- c:\program files\RealMedia
2010-09-04 13:00 . 2009-09-11 21:44 -------- d-----w- c:\program files\City of Heroes
2010-09-03 23:48 . 2007-10-31 05:35 -------- d-----w- c:\program files\Java
2010-09-03 23:37 . 2009-01-27 07:18 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 23:35 . 2007-03-29 01:16 -------- d-----w- c:\program files\QuickTime
2010-09-03 23:31 . 2010-09-03 23:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 23:28 . 2007-03-29 01:25 -------- d-----w- c:\users\Moratu\AppData\Roaming\Apple Computer
2010-09-03 23:27 . 2008-12-09 10:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-03 23:27 . 2010-09-03 23:27 53632 ----a-w- c:\users\Moratu\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2010-09-03 23:27 . 2009-11-16 02:54 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2010-09-03 19:17 . 2007-02-10 17:20 1356 ----a-w- c:\users\Moratu\AppData\Local\d3d9caps.dat
2010-09-03 19:08 . 2008-06-18 13:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 19:04 . 2009-02-14 09:07 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-03 06:04 . 2008-12-11 03:31 -------- d-----w- c:\program files\SpywareBlaster
2010-09-02 02:40 . 2007-04-28 02:15 -------- d-----w- c:\programdata\Microsoft Help
2010-09-02 02:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-02 01:18 . 2007-01-06 01:59 35920 ----a-w- c:\windows\system32\drivers\nvstor.sys
2010-09-02 00:28 . 2010-09-02 00:28 388096 ----a-r- c:\users\Moratu\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 23:49 . 2009-04-28 05:07 -------- d-----w- c:\users\Moratu\AppData\Roaming\Skype
2010-08-31 23:48 . 2009-04-28 05:13 -------- d-----w- c:\users\Moratu\AppData\Roaming\skypePM
2010-08-31 04:30 . 2008-07-13 03:19 -------- d-----w- c:\programdata\avg8
2010-08-23 23:09 . 2008-06-18 03:43 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-23 23:09 . 2010-08-23 23:09 92280 ----a-w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-23 23:09 . 2009-01-31 06:39 -------- d-----w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab
2010-08-22 19:22 . 2008-05-12 19:37 -------- d-----w- c:\program files\Emulator
2010-08-18 20:22 . 2007-02-10 17:02 70864 ----a-w- c:\users\Moratu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-08 03:41 . 2010-08-08 03:41 -------- d-----w- c:\users\Moratu\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-08-08 03:40 . 2010-08-08 03:40 -------- d-----w- c:\program files\Picaboo X
2010-08-03 22:10 . 2010-02-10 00:49 -------- d-----w- c:\program files\Google
2010-07-31 14:35 . 2010-07-31 14:35 -------- d-----w- c:\users\Moratu\AppData\Roaming\Flickr
2010-07-31 14:34 . 2010-07-31 14:34 -------- d-----w- c:\program files\Flickr Uploadr
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:42 . 2010-07-28 15:42 -------- d-----w- c:\program files\Enterbrain
2010-07-28 15:38 . 2010-07-28 15:38 -------- d-----w- c:\program files\Common Files\Enterbrain
2010-07-28 00:49 . 2009-10-29 17:56 -------- d-----w- c:\program files\SpeedBit Video Downloader
2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-24 01:33 . 2010-07-24 01:33 120 ----a-w- c:\users\Moratu\AppData\Local\Pfaweqixiwuhuq.dat
2010-07-22 18:24 . 2010-07-22 18:24 -------- d-----w- c:\program files\Common Files\Skype
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 14:05 . 2010-07-07 14:05 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-06-26 06:05 . 2010-09-02 01:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-09-02 01:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-09-02 01:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-09-02 01:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2010-09-14 1275624]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-13 2969496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13939816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-29 10664]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-12 3403420]
R3 npkycryp;npkycryp;c:\nexon\MapleStory\npkycryp.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-13 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2008-05-19 370872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-09-15 c:\windows\Tasks\User_Feed_Synchronization-{47F3090E-BE59-4670-B66F-0AF53CDB1D56}.job
- c:\windows\system32\msfeedssync.exe [2010-09-02 04:24]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://157.238.137.246/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\users\Moratu\AppData\Roaming\Mozilla\Firefox\Profiles\bbq685r0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.sparkpeople.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-15 15:18
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:2f,f6,9d,35,33,7f,45,78,66,9e,14,8a,31,d0,74,8e,f4,52,e9,b0,c4,7c,d5,
2a,a0,da,7c,72,55,78,6c,e2,6f,f7,0d,cb,a0,a5,61,bb,d5,e8,64,2a,77,24,0a,c7,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\License information*]
"datasecu"=hex:e2,48,17,61,5f,fd,77,85,69,1a,de,64,a2,2f,e4,97,8d,fd,c9,8f,85,
ee,3e,68,b9,58,34,3b,9b,8e,95,6e,40,f1,72,5e,5d,dc,ec,a4,e8,d2,4f,2c,d0,c7,\
"rkeysecu"=hex:17,0c,8b,a8,75,cb,05,56,56,b0,06,85,72,9c,ba,40
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(9996)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxczcoms.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\users\Moratu\AppData\Local\TVersity\Media Server\MediaServer.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-09-15 15:23:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-15 19:23
ComboFix2.txt 2010-09-15 00:58
ComboFix3.txt 2010-09-14 17:14
Pre-Run: 127,502,372,864 bytes free
Post-Run: 127,019,933,696 bytes free
- - End Of File - - 43FF0C402F16248F70835DB483A776CD
-
Good job
- Click START Search
- Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
Here's my usual all clean post
To be on the safe side, I would also change all my passwords.
This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.
Log looks good
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is susceptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer always has the latest available security updates installed.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site
until there are no more critical updates.
Only run one Anti-Virus and Firewall program.
I would suggest you read:
PC Safety and Security--What Do I Need?.
How to Prevent Malware:
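The six Internet-zone settings in the post above can be audited (and optionally applied) from PowerShell instead of clicking through the Custom Level dialog. This is an added example, not the helper's own script: it assumes Internet Explorer's standard zone-policy registry layout, where zone 3 is the Internet zone, the value names are IE's URL-action IDs for these settings, and 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example: audit the IE Internet zone (zone 3) against the settings recommended in the
# post above, and apply the recommended values when run with -Apply. Not from the original thread.
param([switch]$Apply)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Prompt  = 1   # IE zone policy: 0 = Enable, 1 = Prompt, 3 = Disable
$Disable = 3

# Desired state, taken from the steps in the post; keys are IE URL-action IDs (value names in the registry)
$Desired = @{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Want = $Prompt  }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Want = $Disable }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Want = $Disable }
    '1800' = @{ Label = 'Installation of desktop items';                             Want = $Prompt  }
    '1804' = @{ Label = 'Launching programs and files in an IFRAME';                 Want = $Prompt  }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';              Want = $Prompt  }
}

function Get-ZoneSetting([string]$Id) {
    # A missing value means the zone inherits the security-level template default; report it as $null
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties[$Id]) { return $null }
    return [int]$props.$Id
}

function Test-InternetZone {
    # One row per setting: current value, recommended value, and whether they match
    foreach ($id in $Desired.Keys) {
        $current = Get-ZoneSetting $id
        [pscustomobject]@{
            Id        = $id
            Setting   = $Desired[$id].Label
            Current   = if ($null -eq $current) { 'not set (template default)' } else { $current }
            Expected  = $Desired[$id].Want
            Compliant = ($current -eq $Desired[$id].Want)
        }
    }
}

$report = Test-InternetZone
$report | Format-Table -AutoSize

if ($Apply) {
    # Write only the values that deviate; IE picks the new policy up on its next navigation
    foreach ($f in ($report | Where-Object { -not $_.Compliant })) {
        Set-ItemProperty -Path $ZonePath -Name $f.Id -Value $f.Expected -Type DWord
        Write-Host "Set '$($f.Setting)' ($($f.Id)) to $($f.Expected)"
    }
}
```

Run it without switches first to see which settings differ from the recommendations; a "not set" row means the zone is still using the default for its security level rather than an explicit value.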
-
Thanks so much. It is such a relief to have a clean, smooth running computer. I do have a question for you pertaining to my recovery point. The recovery point I have is from before all your wonderful help. Is it now safe to delete that and make a clean one? I feel that is the only thing I have left to do. Thanks again.
-
Combofix created a new Restore Point.
To remove all the older ones:
http://www.mydigitallife.info/2007/0...shadow-copies/
-
Wonderful. If anything changes, I will be sure to let you know. Thank you very much.