Unknown Infection, Whole Network Infected



linkman2004
2008-11-21, 04:13
Hello. I recently got infected with an unknown trojan and it has spread to the other computers on my network. It replaces the ads on most sites with "Vimax" ads, and I can't download anything from Microsoft, nor can I download definition file updates for AdAware. I thought it might have been Zlob due to other people I found having the same problems with that one, but no programs I've used have shown me anything that could have been doing this. Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:28 PM, on 11/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehtray.exe
C:\Users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=my&.done=http://att.my.yahoo.com&.intl=us&.partner=sbc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 65.54.81.199 download.microsoft.com
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5674 bytes

Also, one question. If I get it cleaned off my computer, is there any way to be sure it won't come back from the other computers other than treating them, as well? One of them is constantly connected to the network as well. I'll appreciate any help I can get. :)
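As an added example (not code from the thread and not part of HijackThis), the following Python triage pass reads HijackThis items and flags the three entry types a reviewer would want to see first on a log like the one above: O1 hosts-file entries that pin a non-local hostname to an address, an R1 Internet Settings proxy, and an O20 AppInit_DLLs value. SAMPLE_LOG is a constructed subset of the posted log, and the findings it produces are the reason a hosts entry for download.microsoft.com is worth a second look when Microsoft downloads fail.

```python
"""Triage a HijackThis log for the hosts-file and proxy items that explain
'cannot download from Microsoft' symptoms.

Added example; not part of the thread or of HijackThis. SAMPLE_LOG is a
constructed subset of the log posted above, so the checks run offline.
"""
import ipaddress
import re
from dataclasses import dataclass

# Every HijackThis item starts with a section code: "R1 - ...", "O1 - ...".
ITEM_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$")

# Names that belong in a stock hosts file; anything else pinned there
# overrides DNS for that name on this machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class Finding:
    code: str      # HijackThis section code the item came from
    item: str      # the item text as logged
    reason: str    # why a reviewer should look at it


def is_loopback(ip_text: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or non-IPs."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def triage(log_lines):
    """Return Findings for hosts overrides, an IE proxy, and AppInit DLLs."""
    findings = []
    for raw in log_lines:
        m = ITEM_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O1":
            h = HOSTS_RE.match(body)
            if not h or h.group("host").lower() in LOCAL_NAMES:
                continue
            ip, host = h.group("ip"), h.group("host")
            if is_loopback(ip):
                reason = f"hosts file blackholes {host} to {ip}; the name resolves locally instead of via DNS"
            else:
                reason = f"hosts file pins {host} to {ip}; requests for that name go to an address DNS never returned"
            findings.append(Finding(code, body, reason))
        elif code == "R1":
            p = PROXY_RE.search(body)
            if p:
                findings.append(Finding(code, body,
                    f"IE traffic is routed through proxy {p.group('proxy')}; confirm the listener is software you installed"))
        elif code == "O20":
            a = APPINIT_RE.match(body)
            if a and a.group("dlls").strip():
                findings.append(Finding(code, body,
                    f"AppInit_DLLs loads {a.group('dlls').strip()} into every process that uses user32.dll; confirm the publisher"))
    return findings


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118",
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 65.54.81.199 download.microsoft.com",
    r"O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.item}\n      -> {f.reason}")
```

Each finding is a prompt to verify, not a verdict: the ComboFix output later in the thread lists Privoxy under Program Files, and Privoxy listens on 127.0.0.1:8118 by default, so the proxy line may well be the user's own; the hosts entry for download.microsoft.com, by contrast, is the one item in the log that directly matches the reported symptom and has no installed program to account for it.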

Blade81
2008-11-22, 18:01
If I get it cleaned off my computer, is there any way to be sure it won't come back from the other computers other than treating them, as well? One of them is constantly connected to the network as well. I'll appreciate any help I can get.

Hi

If the infection is spreading through the network then a clean system will quite likely get infected. Keep this system separated from other systems. We won't deal with any other systems in this thread. If you want some other system to be checked then you have to create your own thread for it.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

linkman2004
2008-11-22, 21:41
Okay, I did everything you asked. ComboFix log:

ComboFix 08-11-22.01 - The Dudes 2008-11-22 14:23:50.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.686 [GMT -6:00]
Running from: c:\users\The Dudes\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\The Dudes\AppData\Local\Microsoft\Windows\Temporary Internet Files\bestwiner.stt
c:\users\The Dudes\AppData\Local\Microsoft\Windows\Temporary Internet Files\CPV.stt
c:\users\The Dudes\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
D:\resycled

.
((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-20 20:46 . 2008-11-20 20:46 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 21:26 . 2008-11-18 21:29 1,714,304 --a------ C:\TerribleSingerOHolyNight.mp3
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\Malwarebytes
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 17:37 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-18 17:37 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-18 11:43 . 2008-11-18 12:06 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-18 11:43 . 2008-11-18 12:06 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-18 11:43 . 2008-11-20 21:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-18 00:16 . 2005-03-23 11:57 147,328 --a------ c:\windows\System32\drivers\rt2500usb.sys
2008-11-16 15:00 . 2008-11-16 15:00 98 --a------ C:\coolstuff.html
2008-11-14 14:49 . 2008-11-14 14:49 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\Nexon
2008-11-14 14:49 . 2003-07-20 12:17 5,174 --a------ c:\windows\System32\nppt9x.vxd
2008-11-14 14:49 . 2005-01-04 03:43 4,682 --a------ c:\windows\System32\npptNT2.sys
2008-11-14 14:48 . 2008-11-14 14:48 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 14:16 . 2008-11-14 14:16 <DIR> d-------- C:\Nexon
2008-11-13 22:53 . 2008-11-13 22:53 <DIR> d-------- c:\program files\EPSON
2008-11-13 11:15 . 2008-11-13 11:15 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-11-13 11:15 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\System32\D3DX9_37.dll
2008-11-13 11:15 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\System32\D3DCompiler_37.dll
2008-11-13 11:15 . 2008-02-05 23:07 462,864 --a------ c:\windows\System32\d3dx10_37.dll
2008-11-13 11:15 . 2007-04-04 18:53 81,768 --a------ c:\windows\System32\xinput1_3.dll
2008-11-12 00:41 . 2008-11-12 00:41 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\PC Tools
2008-11-12 00:41 . 2008-11-12 00:41 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-12 00:41 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2008-11-12 00:41 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2008-11-12 00:41 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2008-11-12 00:41 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2008-11-10 17:11 . 2008-11-14 10:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-10 16:50 . 2008-11-20 21:10 <DIR> d-------- c:\windows\System32\drivers\Avg
2008-11-10 16:50 . 2008-11-10 16:50 <DIR> d-------- c:\users\All Users\avg8
2008-11-10 16:50 . 2008-11-10 16:50 <DIR> d-------- c:\programdata\avg8
2008-11-10 16:50 . 2008-11-10 16:50 <DIR> d-------- c:\program files\AVG
2008-11-10 16:50 . 2008-11-10 16:50 97,928 --a------ c:\windows\System32\drivers\avgldx86.sys
2008-11-10 16:50 . 2008-11-10 16:50 69,128 --a------ c:\windows\System32\drivers\avgwfpx.sys
2008-11-10 16:50 . 2008-11-10 16:50 10,520 --a------ c:\windows\System32\avgrsstx.dll
2008-11-10 16:15 . 2008-11-10 16:15 0 --a------ c:\windows\nsreg.dat
2008-11-10 13:59 . 2008-11-10 13:59 <DIR> d-------- c:\program files\Privoxy
2008-11-09 23:35 . 2008-11-09 23:36 <DIR> d-------- c:\users\All Users\Lavasoft
2008-11-09 23:35 . 2008-11-09 23:36 <DIR> d-------- c:\programdata\Lavasoft
2008-11-09 23:35 . 2008-11-16 15:11 <DIR> d-------- c:\program files\Lavasoft
2008-11-09 22:34 . 2008-11-09 22:34 2 --a------ C:\-1669319825
2008-11-09 22:33 . 2008-11-09 22:34 <DIR> d-------- c:\program files\Easy Decrypter
2008-11-08 17:04 . 2008-11-08 17:09 <DIR> d-------- c:\program files\Leadwerks Engine Evaluation Kit
2008-11-06 21:53 . 2008-11-06 21:53 <DIR> d-------- c:\program files\CAPCOM
2008-11-05 10:42 . 2008-11-05 10:45 <DIR> d-------- C:\scaler
2008-11-02 20:14 . 2008-11-02 20:15 <DIR> d-------- C:\MGE
2008-11-01 21:04 . 2008-11-01 21:05 53,761 --a------ C:\bar.png
2008-11-01 21:00 . 2008-11-01 21:01 1,440,054 --a------ C:\bar.bmp
2008-11-01 20:59 . 2007-02-08 21:48 1,440,054 --a------ C:\ar.bmp
2008-11-01 15:49 . 2008-11-02 18:11 <DIR> d-------- c:\program files\Bethesda Softworks
2008-10-31 20:38 . 2008-10-31 20:38 <DIR> d-------- C:\NewFonts
2008-10-31 08:53 . 2008-10-31 08:54 <DIR> d-------- c:\users\All Users\WindowsSearch
2008-10-31 08:53 . 2008-10-31 08:54 <DIR> d-------- c:\programdata\WindowsSearch
2008-10-29 00:26 . 2008-10-29 00:26 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\DivX
2008-10-29 00:24 . 2008-10-29 00:25 <DIR> d-------- c:\program files\DivX
2008-10-29 00:01 . 2008-10-29 00:01 1,044,992 --a------ C:\awesomefire.exe
2008-10-28 22:41 . 2008-10-28 22:41 <DIR> d-------- c:\program files\Foxit Software
2008-10-28 22:31 . 2008-10-28 22:31 682,280 --a------ c:\windows\System32\pbsvc.exe
2008-10-28 22:31 . 2008-11-11 20:14 182,640 --a------ c:\windows\System32\PnkBstrB.exe
2008-10-28 22:31 . 2008-11-11 19:42 139,344 --a------ c:\windows\System32\drivers\PnkBstrK.sys
2008-10-28 17:32 . 2008-08-11 21:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-27 11:23 . 2008-10-27 11:23 <DIR> dr-h----- c:\users\The Dudes\AppData\Roaming\SecuROM
2008-10-27 11:15 . 2008-10-27 11:15 <DIR> d-------- c:\program files\Telltale Games
2008-10-26 21:58 . 2008-10-26 21:58 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-25 09:17 . 2008-10-25 09:17 87,888 --a------ C:\z-ordering.cap
2008-10-25 09:17 . 2008-10-25 09:17 76,603 --a------ C:\z-ordering.bak1.cap
2008-10-24 22:22 . 2008-10-24 22:22 11,855 --a------ C:\stuff.cap
2008-10-24 19:43 . 2008-10-24 19:43 17,393 --a------ C:\wireframe.zip
2008-10-24 19:39 . 2008-10-24 19:40 18,196 --a------ C:\np.vtx
2008-10-24 19:34 . 2008-10-24 19:39 11,548 --a------ C:\nuclearplant.an8
2008-10-24 19:28 . 2008-10-24 19:29 123,633 --a------ C:\wf.vtx
2008-10-24 07:21 . 2008-10-24 07:21 40,582 --a------ C:\raptor.vtx
2008-10-23 21:27 . 2008-10-23 21:27 44,120 --a------ C:\wirexwing.zip
2008-10-23 21:26 . 2008-10-23 21:26 87,546 --a------ C:\wirexwing.cap
2008-10-23 19:47 . 2008-10-23 20:33 89,296 --a------ C:\moreperspective.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak5.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak4.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak3.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak2.cap
2008-10-23 19:47 . 2008-10-23 20:30 89,296 --a------ C:\moreperspective.bak1.cap
2008-10-23 18:17 . 2008-10-23 18:17 87,950 --a------ C:\wirerts.bak5.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak4.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak3.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak2.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak1.cap
2008-10-23 18:15 . 2008-10-23 19:44 87,950 --a------ C:\wirerts.cap
2008-10-23 18:12 . 2008-10-23 18:12 5,027 --a------ C:\tank.vtx
2008-10-23 18:12 . 2008-10-23 18:12 2,907 --a------ C:\tank.an8
2008-10-23 10:07 . 2008-10-23 10:07 510 --a------ c:\windows\WORDPAD.INI
2008-10-23 10:03 . 2008-10-23 10:07 7,253 --a------ C:\grid.vtx
2008-10-23 09:51 . 2008-10-23 09:43 82,305 --a------ C:\filleddemo.bak1.cap
2008-10-23 09:43 . 2008-10-23 09:51 85,052 --a------ C:\filleddemo.cap
2008-10-23 09:42 . 2008-10-24 19:42 87,884 --a------ C:\ffdemo.bak2.cap
2008-10-23 09:42 . 2008-10-24 19:43 87,884 --a------ C:\ffdemo.bak1.cap
2008-10-23 09:42 . 2008-10-24 19:41 87,517 --a------ C:\ffdemo.bak5.cap
2008-10-23 09:42 . 2008-10-24 19:41 87,517 --a------ C:\ffdemo.bak4.cap
2008-10-23 09:42 . 2008-10-24 19:41 87,517 --a------ C:\ffdemo.bak3.cap
2008-10-23 09:41 . 2008-10-24 19:43 87,884 --a------ C:\wiredemo.cap
2008-10-23 07:56 . 2008-10-23 07:56 5,679 --a------ C:\box.lwo
2008-10-23 07:18 . 2008-10-23 07:18 96,794 --a------ C:\ar.vtx
2008-10-23 00:01 . 2008-10-23 00:05 82,335 --a------ C:\crud.bak3.cap
2008-10-23 00:01 . 2008-10-23 00:05 82,335 --a------ C:\crud.bak2.cap
2008-10-23 00:01 . 2008-10-23 07:19 82,331 --a------ C:\crud.bak1.cap
2008-10-23 00:01 . 2008-10-23 00:05 82,317 --a------ C:\crud.bak4.cap
2008-10-23 00:01 . 2008-10-23 00:04 82,315 --a------ C:\crud.bak5.cap
2008-10-23 00:00 . 2008-10-23 07:21 82,339 --a------ C:\crud.cap
2008-10-22 23:42 . 2008-10-22 23:42 67,187 --a------ C:\ring.vtx
2008-10-22 23:38 . 2008-10-22 23:57 77,238 --a------ C:\realtimewire.bak4.cap
2008-10-22 23:38 . 2008-10-22 23:57 77,128 --a------ C:\realtimewire.bak5.cap
2008-10-22 23:38 . 2008-10-22 23:58 77,088 --a------ C:\realtimewire.bak2.cap
2008-10-22 23:38 . 2008-10-23 00:00 77,073 --a------ C:\realtimewire.bak1.cap
2008-10-22 23:38 . 2008-10-22 23:58 77,033 --a------ C:\realtimewire.bak3.cap
2008-10-22 23:36 . 2008-10-23 00:00 77,802 --a------ C:\realtimewire.cap
2008-10-22 21:40 . 2008-10-22 21:40 3,198,136 --a------ c:\users\The Dudes\Me.zip
2008-10-22 18:36 . 2008-10-22 18:37 71,809 --a------ C:\perspective.bak5.cap
2008-10-22 18:36 . 2008-10-22 18:37 71,809 --a------ C:\perspective.bak4.cap
2008-10-22 18:36 . 2008-10-22 18:39 71,809 --a------ C:\perspective.bak3.cap
2008-10-22 18:36 . 2008-10-22 18:40 71,135 --a------ C:\perspective.bak2.cap
2008-10-22 18:36 . 2008-10-22 18:40 71,135 --a------ C:\perspective.bak1.cap
2008-10-22 18:35 . 2008-10-22 18:38 6,996 --a------ C:\box.an8
2008-10-22 18:34 . 2008-10-22 18:38 6,453 --a------ C:\box.vtx
2008-10-22 18:31 . 2008-10-22 18:42 71,135 --a------ C:\perspective.cap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 20:11 --------- d-----w c:\users\The Dudes\AppData\Roaming\Skype
2008-11-22 15:30 --------- d-----w c:\users\The Dudes\AppData\Roaming\skypePM
2008-11-21 14:52 --------- d-----w c:\users\The Dudes\AppData\Roaming\Scirra
2008-11-21 14:28 --------- d-----w c:\users\The Dudes\AppData\Roaming\gtk-2.0
2008-11-21 03:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 03:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-21 03:04 --------- d-----w c:\program files\Activision
2008-11-16 20:49 --------- d-----w c:\program files\Scirra
2008-11-12 06:46 --------- d---a-w c:\programdata\TEMP
2008-11-10 17:24 --------- d-----w c:\users\The Dudes\AppData\Roaming\vlc
2008-11-10 17:24 --------- d-----w c:\program files\ConsoleClassix.com
2008-11-10 05:20 --------- d-----w c:\users\The Dudes\AppData\Roaming\uTorrent
2008-11-01 21:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-29 04:31 66,872 ----a-w c:\windows\System32\PnkBstrA.exe
2008-10-29 04:31 22,328 ----a-w c:\users\The Dudes\AppData\Roaming\PnkBstrK.sys
2008-10-28 00:04 --------- d-----w c:\program files\LucasArts
2008-10-25 01:29 --------- d-----w c:\program files\Anim8or Beta
2008-10-23 04:04 --------- d-----w c:\program files\iTunes
2008-10-20 02:28 14,465 ----a-w C:\filledsphere.zip
2008-10-19 04:11 --------- d-----w c:\program files\ANPARK
2008-10-19 03:07 20,068 ----a-w C:\xwing.zip
2008-10-17 16:10 --------- d-----w c:\programdata\2DBoy
2008-10-17 16:10 --------- d-----w c:\program files\WorldOfGooDemo
2008-10-16 18:58 --------- d-----w c:\programdata\NVIDIA
2008-10-16 18:56 --------- d-----w c:\program files\AGEIA Technologies
2008-10-16 03:41 --------- d-----w c:\program files\HiDigit
2008-10-15 17:59 --------- d-----w c:\users\The Dudes\AppData\Roaming\InstallShield Installation Information
2008-10-15 17:56 --------- d-----w c:\program files\Unreal Tournament 3 Demo
2008-10-15 03:39 --------- d-----w c:\users\The Dudes\AppData\Roaming\InstallShield
2008-10-12 20:41 --------- d-----w c:\users\The Dudes\AppData\Roaming\IGN_DLM
2008-10-12 17:58 --------- d-----w c:\program files\Download Manager
2008-10-10 23:17 --------- d-----w c:\program files\KOEI
2008-10-09 02:48 --------- d-----w c:\program files\uTorrent
2008-10-08 21:45 --------- d-----w c:\users\The Dudes\AppData\Roaming\Lost Marble
2008-10-08 21:45 --------- d-----w c:\program files\Smith Micro
2008-10-07 22:21 --------- d-----w c:\program files\ExGen
2008-10-05 05:15 --------- d-----w c:\users\The Dudes\AppData\Roaming\Music Recognition
2008-10-05 05:15 --------- d-----w c:\program files\Able Editor 1.3
2008-10-04 17:24 --------- d-----w c:\users\The Dudes\AppData\Roaming\Microsoft Games
2008-10-04 17:12 --------- d-----w c:\program files\Microsoft Games
2008-10-04 17:11 --------- d-----w c:\users\The Dudes\AppData\Roaming\Microsoft Game Studios
2008-10-04 17:11 --------- d-----w c:\programdata\Microsoft Games
2008-10-03 02:26 --------- d-----w c:\users\The Dudes\AppData\Roaming\fretsonfire
2008-10-03 01:39 --------- d-----w c:\program files\Frets on Fire
2008-10-03 00:36 --------- d-----w c:\program files\FoF
2008-10-02 23:46 81,920 ----a-w c:\windows\System32\frapsvid.dll
2008-10-02 15:07 453,152 ----a-w c:\windows\System32\NVUNINST.EXE
2008-09-29 01:39 --------- d-----w c:\programdata\YoYoGames
2008-09-28 17:19 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-09-27 04:37 --------- d-----w c:\users\The Dudes\AppData\Roaming\X-Chat 2
2008-09-26 21:27 --------- d-----w c:\program files\GlovePIE
2008-09-26 03:51 --------- d-----w c:\program files\xchat
2008-09-24 20:31 --------- d-----w c:\program files\Free Audio Pack
2008-09-24 20:26 --------- d-----w c:\program files\Windows Media Components
2008-09-24 16:23 --------- d-----w c:\program files\Meridian
2008-09-24 16:11 --------- d-----w c:\program files\Google
2008-09-24 01:38 --------- d-----w c:\users\The Dudes\AppData\Roaming\Blender Foundation
2008-09-24 01:38 --------- d-----w c:\program files\Blender Foundation
2008-09-23 01:32 --------- d-----w c:\program files\7-Zip
2008-09-23 01:14 --------- d-----w c:\program files\SNES9X
2008-09-23 01:05 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-09-23 01:05 --------- d-----w c:\program files\Java
2008-09-22 17:47 --------- d-----w c:\program files\Audacity
2008-09-19 15:57 5,384,109 ----a-w c:\users\The Dudes\AppData\Roaming\consoleclassixsetup.exe
2008-09-18 05:38 174 --sha-w c:\program files\desktop.ini
2008-09-18 05:27 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-18 05:26 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 05:04 47,560 ----a-w c:\windows\System32\SPReview.exe
2008-09-18 05:04 152,576 ----a-w c:\windows\System32\SPWizUI.dll
2008-09-18 02:16 61,440 ----a-w c:\windows\System32\winipsec.dll
2008-09-18 02:16 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-09-18 02:16 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2008-09-18 02:16 272,896 ----a-w c:\windows\System32\polstore.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-18 02:14 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-09-18 02:14 28,160 ----a-w c:\windows\System32\Apphlpdm.dll
2008-09-18 02:14 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-09-18 02:14 1,695,744 ----a-w c:\windows\System32\gameux.dll
2008-09-18 02:06 303,616 ----a-w c:\windows\System32\wmpeffects.dll
2008-09-18 02:06 2,048 ----a-w c:\windows\System32\tzres.dll
2008-09-18 01:56 181,760 ----a-w c:\windows\System32\fsquirt.exe
2008-09-18 01:55 988,216 ----a-w c:\windows\System32\winload.exe
2008-09-18 01:55 927,288 ----a-w c:\windows\System32\winresume.exe
2008-09-18 01:55 615,992 ----a-w c:\windows\System32\ci.dll
2008-09-18 01:55 6,656 ----a-w c:\windows\System32\kbd106n.dll
2008-09-18 01:55 46,592 ----a-w c:\windows\System32\setbcdlocale.dll
2008-09-18 01:55 40,960 ----a-w c:\windows\System32\srclient.dll
2008-09-18 01:55 378,368 ----a-w c:\windows\System32\srcore.dll
2008-09-18 01:55 318,464 ----a-w c:\windows\System32\rstrui.exe
2008-09-18 01:55 19,000 ----a-w c:\windows\System32\kd1394.dll
2008-09-18 01:55 14,848 ----a-w c:\windows\System32\srdelayed.exe
2008-09-18 01:53 295,936 ----a-w c:\windows\System32\gdi32.dll
2008-09-18 01:50 14,848 ----a-w c:\windows\System32\wshrm.dll
2008-09-18 01:48 84,480 ----a-w c:\windows\System32\INETRES.dll
2008-09-18 01:48 738,304 ----a-w c:\windows\System32\inetcomm.dll
2008-09-18 01:48 1,314,816 ----a-w c:\windows\System32\quartz.dll
2008-09-18 01:47 428,544 ----a-w c:\windows\System32\EncDec.dll
2008-09-18 01:47 293,376 ----a-w c:\windows\System32\psisdecd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"Google Update"="c:\users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-18 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-10 16:50 1234712 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 15:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-08-01 14:36 1103216 c:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-09-22 19:07 144792 c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ECE7B0B3-8656-4304-8CA9-AE74F054D833}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{624C4D49-5640-4CAB-AC0B-C7AAA2A588F3}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8EE47403-CD3E-4DDB-BE20-26D67485E8C8}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6E1AED82-8EB1-485F-BAA5-12098AD19F58}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{77E5F756-97AA-4921-9CC0-DEE8E3F17D20}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{FF0BB031-FE75-4973-B107-86B4D411811C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{5A815BB4-29FC-4B0E-B014-5E7C0069C669}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{04A184CE-6015-40B3-8A88-3B84CF61DD4A}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{FDBAA8BC-6C8D-4851-AB48-1168E7BF5540}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"TCP Query User{4BF6EAFA-C96C-4682-B726-9A6B7FD3A1F7}c:\\program files\\xchat\\xchat.exe"= UDP:c:\program files\xchat\xchat.exe:XChat IRC Client
"UDP Query User{5B17CAAD-60D2-4872-A615-F07E85876E55}c:\\program files\\xchat\\xchat.exe"= TCP:c:\program files\xchat\xchat.exe:XChat IRC Client
"{BBAA310A-1B7F-4771-9BF5-2516F1105471}"= UDP:c:\program files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{58745F79-8900-443E-8030-D8264581F538}"= TCP:c:\program files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{ED01F608-7B1B-483F-B494-CD9928CB5D7D}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{046B3AD1-A5C6-4851-A752-D2A03FD65BB8}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{7A877C68-403C-42BF-9222-C0FF511F4CC0}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{490F6AAF-2133-408E-849E-F32061B2F995}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{2C2D82F3-3FC7-443E-A2E7-9B13BD196DEF}c:\\program files\\electronic arts\\crytek\\crysis wars\\bin32\\crysis.exe"= UDP:c:\program files\electronic arts\crytek\crysis wars\bin32\crysis.exe:Crysis
"UDP Query User{3D5D2D0A-8B4A-4A6B-8CBB-2BF2F9DBB36A}c:\\program files\\electronic arts\\crytek\\crysis wars\\bin32\\crysis.exe"= TCP:c:\program files\electronic arts\crytek\crysis wars\bin32\crysis.exe:Crysis
"{0620F7C9-03FE-46FC-85EF-A9CA6ED94BF2}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7360290D-F7D0-4AE0-9328-3316B93149E0}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{C81E6395-CF33-430E-914E-9488C3A1C15A}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= UDP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"UDP Query User{B6099AB3-4346-4C47-A083-9D9FC4937C43}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= TCP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"{0F26A9B0-79C4-4633-A791-AA4260CA0690}"= UDP:c:\program files\LucasArts\Star Wars JK II Jedi Outcast\GameData\jk2mp.exe:Star Wars Jedi Knight(TM): Jedi Outcast(TM)
"{27750D18-0577-43B1-8B8B-A2BEAFBB22CE}"= TCP:c:\program files\LucasArts\Star Wars JK II Jedi Outcast\GameData\jk2mp.exe:Star Wars Jedi Knight(TM): Jedi Outcast(TM)
"{3E718D3A-AF84-44DE-B92A-DCC5BBA39C30}"= UDP:c:\program files\Unreal Tournament 3 Demo\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"{5C84D0AD-D866-412C-9E6F-693AE0653D08}"= TCP:c:\program files\Unreal Tournament 3 Demo\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"{5615CC8E-F9FB-4464-B18A-C294E47E1875}"= UDP:c:\program files\LucasArts\Star Wars Battlefront\GameData\battlefront.exe:Star Wars(TM): Battlefront(TM)
"{0318D15A-8E8A-4FA7-9ECA-C60E870E95B9}"= TCP:c:\program files\LucasArts\Star Wars Battlefront\GameData\battlefront.exe:Star Wars(TM): Battlefront(TM)
"TCP Query User{9E7ECE46-D848-4AE3-ACB1-91B3CAE90635}c:\\program files\\activision\\call of duty - world at war beta\\codwawbeta.exe"= UDP:c:\program files\activision\call of duty - world at war beta\codwawbeta.exe:Call of Duty(R): World at War Multiplayer
"UDP Query User{EEC3DCC1-191D-47C3-B4B6-E04D5FA2AE18}c:\\program files\\activision\\call of duty - world at war beta\\codwawbeta.exe"= TCP:c:\program files\activision\call of duty - world at war beta\codwawbeta.exe:Call of Duty(R): World at War Multiplayer
"{99602664-FE35-4D0E-A392-5D9653216E7F}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{A47333D7-58D3-44FF-A040-632A89652715}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\xchat\\xchat.exe"= c:\program files\xchat\xchat.exe:*:Enabled:XChat IRC Client

R0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-09-17 4608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-10 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-10 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-10 231704]
R3 3xHybrid;SAA713x TV Card Service;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-07-06 906368]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-11-10 69128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a88bee2-852b-11dd-aa9a-806e6f6e6963}]
\shell\AutoRun\command - E:\AutoRunMorrowind.exe
\shell\install\command - E:\Setup.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-18 09:44]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\The Dudes\AppData\Roaming\Mozilla\Firefox\Profiles\lskjutl3.default\
FF -: plugin - c:\program files\Download Manager\npfpdlm.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\users\The Dudes\AppData\Local\Google\Update\1.2.131.25\npGoogleOneClick6.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 14:27:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 14:28:13
ComboFix-quarantined-files.txt 2008-11-22 20:27:52

Pre-Run: 91,932,372,992 bytes free
Post-Run: 92,228,251,648 bytes free

351 --- E O F --- 2008-11-06 21:30:43

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:13 PM, on 11/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=my&.done=http://att.my.yahoo.com&.intl=us&.partner=sbc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5007 bytes

Blade81
2008-11-23, 14:32
Hi


IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent



I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

c:\users\The Dudes\AppData\Roaming\uTorrent
c:\program files\uTorrent

Empty Recycle Bin.

After that:

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.



Start hjt (right-click HijackThis.exe and select 'run as administrator'), do a system scan, and check (if found, and not set by yourself):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\-1669319825

Folder::
c:\program files\Easy Decrypter
c:\users\The Dudes\AppData\Roaming\uTorrent
c:\program files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0620F7C9-03FE-46FC-85EF-A9CA6ED94BF2}"=-
"{7360290D-F7D0-4AE0-9328-3316B93149E0}"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
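The two R1 lines the helper asks about are Internet Explorer proxy settings pointing at the local machine, and the O20 line is an AppInit_DLLs entry; both are worth confirming against software the user knowingly installed. The script below is an added triage example written for this thread, not a tool from the thread or from Trend Micro: it parses lines in the `Rn - HIVE\Key,Name = Value` and `O20 - AppInit_DLLs: ...` shapes shown in the logs above and reports a ProxyServer value whose host is loopback (a local ad-blocking proxy produces exactly that, as the poster later confirms) and any non-empty AppInit_DLLs. The sample log is constructed from the line shapes on this page, and the `Finding` type, the helper names and the note texts are this example's own.

```python
"""Triage of HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# "O23 - Service: ..." -> code "O23", body "Service: ..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# "HKCU\Software\...\Internet Settings,ProxyServer = 127.0.0.1:8118"
REG_VALUE_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$"
)


@dataclass
class Finding:
    code: str   # HijackThis section code, e.g. "R1" or "O20"
    name: str   # registry value name or "AppInit_DLLs"
    value: str  # raw value as logged
    note: str   # why it was reported


def parse_lines(text):
    """Yield (code, body) for every item line; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def proxy_hosts(value):
    """Split a ProxyServer value into host names.

    Handles both the single 'host:port' form and the per-protocol
    'http=host:port;https=host:port' form Internet Explorer also uses.
    """
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                      # 'http=host:port' -> 'host:port'
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0] if ":" in entry else entry)
    return hosts


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(text):
    """Return the Findings a reviewer should confirm with the machine's owner."""
    findings = []
    for code, body in parse_lines(text):
        if code.startswith("R"):
            m = REG_VALUE_RE.match(body)
            if not m:
                continue
            name, value = m.group("name").strip(), m.group("value").strip()
            if name != "ProxyServer":
                continue
            if any(is_loopback_host(h) for h in proxy_hosts(value)):
                note = "browser traffic goes through a proxy on this machine; confirm it is software you installed"
            else:
                note = "browser traffic goes through a remote proxy; confirm it is expected"
            findings.append(Finding(code, name, value, note))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding(code, "AppInit_DLLs", dlls,
                                        "DLL loaded into every process that loads user32.dll; verify its publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code} {f.name} = {f.value}\n    {f.note}")
```

Run against the sample it reports the `ProxyServer = 127.0.0.1:8118` line and the `avgrsstx.dll` AppInit entry, and stays silent on the ProxyOverride, search-page and service lines; on a real log, paste the whole file in place of `SAMPLE_LOG`. A loopback proxy is reported rather than judged, because the log alone cannot tell an ad blocker listening on 8118 from something unwanted; the confirming step is the one the helper asks for, checking whether the user set it.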

linkman2004
2008-11-23, 19:51
I wasn't able to download the updates for the online virus scanner, most likely for the same reason I can't download anything from Microsoft. Should I post the HJT and ComboFix logs anyways?

Blade81
2008-11-23, 21:44
Hi

Did you try online scanner after fixing following entries and rebooting after that:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

If you can't access online scanner post the logs you have there.

linkman2004
2008-11-23, 23:17
I hadn't deleted those since they were proxy settings I set for an ad blocker, but it doesn't work even after removing them, so I definitely think it's the whatever-it-is. Here are the logs:

ComboFix:

ComboFix 08-11-22.01 - The Dudes 2008-11-23 12:28:23.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.605 [GMT -6:00]
Running from: c:\users\The Dudes\Desktop\ComboFix.exe
Command switches used :: c:\users\The Dudes\Desktop\CFScript.txt

FILE ::
C:\-1669319825
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1669319825
c:\program files\Easy Decrypter
c:\program files\Easy Decrypter\DecrypterLICENSE.TXT
c:\program files\Easy Decrypter\DecrypterReadme.txt
c:\program files\Easy Decrypter\e.html
c:\program files\Easy Decrypter\re.html
c:\program files\Easy Decrypter\unins000.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.

2008-11-22 22:41 . 2008-11-23 02:14 <DIR> d-------- c:\program files\DScaler
2008-11-20 20:46 . 2008-11-20 20:46 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 21:26 . 2008-11-18 21:29 1,714,304 --a------ C:\TerribleSingerOHolyNight.mp3
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\Malwarebytes
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-18 17:37 . 2008-11-18 17:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 17:37 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-18 17:37 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-18 11:43 . 2008-11-18 12:06 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-18 11:43 . 2008-11-18 12:06 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-18 11:43 . 2008-11-20 21:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-18 00:16 . 2005-03-23 11:57 147,328 --a------ c:\windows\System32\drivers\rt2500usb.sys
2008-11-16 15:00 . 2008-11-16 15:00 98 --a------ C:\coolstuff.html
2008-11-14 14:49 . 2008-11-14 14:49 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\Nexon
2008-11-14 14:49 . 2003-07-20 12:17 5,174 --a------ c:\windows\System32\nppt9x.vxd
2008-11-14 14:49 . 2005-01-04 03:43 4,682 --a------ c:\windows\System32\npptNT2.sys
2008-11-14 14:48 . 2008-11-14 14:48 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 14:16 . 2008-11-14 14:16 <DIR> d-------- C:\Nexon
2008-11-13 22:53 . 2008-11-13 22:53 <DIR> d-------- c:\program files\EPSON
2008-11-13 11:15 . 2008-11-13 11:15 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-11-13 11:15 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\System32\D3DX9_37.dll
2008-11-13 11:15 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\System32\D3DCompiler_37.dll
2008-11-13 11:15 . 2008-02-05 23:07 462,864 --a------ c:\windows\System32\d3dx10_37.dll
2008-11-13 11:15 . 2007-04-04 18:53 81,768 --a------ c:\windows\System32\xinput1_3.dll
2008-11-12 00:41 . 2008-11-12 00:41 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\PC Tools
2008-11-12 00:41 . 2008-11-12 00:41 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-12 00:41 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2008-11-12 00:41 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2008-11-12 00:41 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2008-11-12 00:41 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2008-11-10 17:11 . 2008-11-14 10:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-10 16:50 . 2008-11-20 21:10 <DIR> d-------- c:\windows\System32\drivers\Avg
2008-11-10 16:50 . 2008-11-10 16:50 <DIR> d-------- c:\users\All Users\avg8
2008-11-10 16:50 . 2008-11-10 16:50 <DIR> d-------- c:\programdata\avg8
2008-11-10 16:50 . 2008-11-10 16:50 <DIR> d-------- c:\program files\AVG
2008-11-10 16:50 . 2008-11-10 16:50 97,928 --a------ c:\windows\System32\drivers\avgldx86.sys
2008-11-10 16:50 . 2008-11-10 16:50 69,128 --a------ c:\windows\System32\drivers\avgwfpx.sys
2008-11-10 16:50 . 2008-11-10 16:50 10,520 --a------ c:\windows\System32\avgrsstx.dll
2008-11-10 16:15 . 2008-11-10 16:15 0 --a------ c:\windows\nsreg.dat
2008-11-10 13:59 . 2008-11-10 13:59 <DIR> d-------- c:\program files\Privoxy
2008-11-09 23:35 . 2008-11-09 23:36 <DIR> d-------- c:\users\All Users\Lavasoft
2008-11-09 23:35 . 2008-11-09 23:36 <DIR> d-------- c:\programdata\Lavasoft
2008-11-09 23:35 . 2008-11-16 15:11 <DIR> d-------- c:\program files\Lavasoft
2008-11-08 17:04 . 2008-11-08 17:09 <DIR> d-------- c:\program files\Leadwerks Engine Evaluation Kit
2008-11-06 21:53 . 2008-11-06 21:53 <DIR> d-------- c:\program files\CAPCOM
2008-11-05 10:42 . 2008-11-05 10:45 <DIR> d-------- C:\scaler
2008-11-02 20:14 . 2008-11-02 20:15 <DIR> d-------- C:\MGE
2008-11-01 21:04 . 2008-11-01 21:05 53,761 --a------ C:\bar.png
2008-11-01 21:00 . 2008-11-01 21:01 1,440,054 --a------ C:\bar.bmp
2008-11-01 20:59 . 2007-02-08 21:48 1,440,054 --a------ C:\ar.bmp
2008-11-01 15:49 . 2008-11-02 18:11 <DIR> d-------- c:\program files\Bethesda Softworks
2008-10-31 20:38 . 2008-10-31 20:38 <DIR> d-------- C:\NewFonts
2008-10-31 08:53 . 2008-10-31 08:54 <DIR> d-------- c:\users\All Users\WindowsSearch
2008-10-31 08:53 . 2008-10-31 08:54 <DIR> d-------- c:\programdata\WindowsSearch
2008-10-29 00:26 . 2008-10-29 00:26 <DIR> d-------- c:\users\The Dudes\AppData\Roaming\DivX
2008-10-29 00:24 . 2008-10-29 00:25 <DIR> d-------- c:\program files\DivX
2008-10-29 00:01 . 2008-10-29 00:01 1,044,992 --a------ C:\awesomefire.exe
2008-10-28 22:41 . 2008-10-28 22:41 <DIR> d-------- c:\program files\Foxit Software
2008-10-28 22:31 . 2008-10-28 22:31 682,280 --a------ c:\windows\System32\pbsvc.exe
2008-10-28 22:31 . 2008-11-11 20:14 182,640 --a------ c:\windows\System32\PnkBstrB.exe
2008-10-28 22:31 . 2008-11-11 19:42 139,344 --a------ c:\windows\System32\drivers\PnkBstrK.sys
2008-10-28 17:32 . 2008-08-11 21:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-27 11:23 . 2008-10-27 11:23 <DIR> dr-h----- c:\users\The Dudes\AppData\Roaming\SecuROM
2008-10-27 11:15 . 2008-10-27 11:15 <DIR> d-------- c:\program files\Telltale Games
2008-10-26 21:58 . 2008-10-26 21:58 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-25 09:17 . 2008-10-25 09:17 87,888 --a------ C:\z-ordering.cap
2008-10-25 09:17 . 2008-10-25 09:17 76,603 --a------ C:\z-ordering.bak1.cap
2008-10-24 22:22 . 2008-10-24 22:22 11,855 --a------ C:\stuff.cap
2008-10-24 19:43 . 2008-10-24 19:43 17,393 --a------ C:\wireframe.zip
2008-10-24 19:39 . 2008-10-24 19:40 18,196 --a------ C:\np.vtx
2008-10-24 19:34 . 2008-10-24 19:39 11,548 --a------ C:\nuclearplant.an8
2008-10-24 19:28 . 2008-10-24 19:29 123,633 --a------ C:\wf.vtx
2008-10-24 07:21 . 2008-10-24 07:21 40,582 --a------ C:\raptor.vtx
2008-10-23 21:27 . 2008-10-23 21:27 44,120 --a------ C:\wirexwing.zip
2008-10-23 21:26 . 2008-10-23 21:26 87,546 --a------ C:\wirexwing.cap
2008-10-23 19:47 . 2008-10-23 20:33 89,296 --a------ C:\moreperspective.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak5.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak4.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak3.cap
2008-10-23 19:47 . 2008-10-23 20:29 89,296 --a------ C:\moreperspective.bak2.cap
2008-10-23 19:47 . 2008-10-23 20:30 89,296 --a------ C:\moreperspective.bak1.cap
2008-10-23 18:17 . 2008-10-23 18:17 87,950 --a------ C:\wirerts.bak5.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak4.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak3.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak2.cap
2008-10-23 18:17 . 2008-10-23 19:43 87,950 --a------ C:\wirerts.bak1.cap
2008-10-23 18:15 . 2008-10-23 19:44 87,950 --a------ C:\wirerts.cap
2008-10-23 18:12 . 2008-10-23 18:12 5,027 --a------ C:\tank.vtx
2008-10-23 18:12 . 2008-10-23 18:12 2,907 --a------ C:\tank.an8
2008-10-23 10:07 . 2008-10-23 10:07 510 --a------ c:\windows\WORDPAD.INI
2008-10-23 10:03 . 2008-10-23 10:07 7,253 --a------ C:\grid.vtx
2008-10-23 09:51 . 2008-10-23 09:43 82,305 --a------ C:\filleddemo.bak1.cap
2008-10-23 09:43 . 2008-10-23 09:51 85,052 --a------ C:\filleddemo.cap
2008-10-23 09:42 . 2008-10-24 19:42 87,884 --a------ C:\ffdemo.bak2.cap
2008-10-23 09:42 . 2008-10-24 19:43 87,884 --a------ C:\ffdemo.bak1.cap
2008-10-23 09:42 . 2008-10-24 19:41 87,517 --a------ C:\ffdemo.bak5.cap
2008-10-23 09:42 . 2008-10-24 19:41 87,517 --a------ C:\ffdemo.bak4.cap
2008-10-23 09:42 . 2008-10-24 19:41 87,517 --a------ C:\ffdemo.bak3.cap
2008-10-23 09:41 . 2008-10-24 19:43 87,884 --a------ C:\wiredemo.cap
2008-10-23 07:56 . 2008-10-23 07:56 5,679 --a------ C:\box.lwo
2008-10-23 07:18 . 2008-10-23 07:18 96,794 --a------ C:\ar.vtx
2008-10-23 00:01 . 2008-10-23 00:05 82,335 --a------ C:\crud.bak3.cap
2008-10-23 00:01 . 2008-10-23 00:05 82,335 --a------ C:\crud.bak2.cap
2008-10-23 00:01 . 2008-10-23 07:19 82,331 --a------ C:\crud.bak1.cap
2008-10-23 00:01 . 2008-10-23 00:05 82,317 --a------ C:\crud.bak4.cap
2008-10-23 00:01 . 2008-10-23 00:04 82,315 --a------ C:\crud.bak5.cap
2008-10-23 00:00 . 2008-10-23 07:21 82,339 --a------ C:\crud.cap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 18:11 --------- d-----w c:\users\The Dudes\AppData\Roaming\Skype
2008-11-23 14:00 --------- d-----w c:\users\The Dudes\AppData\Roaming\skypePM
2008-11-23 03:26 --------- d-----w c:\users\The Dudes\AppData\Roaming\Scirra
2008-11-23 02:58 --------- d-----w c:\users\The Dudes\AppData\Roaming\gtk-2.0
2008-11-21 03:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 03:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-21 03:04 --------- d-----w c:\program files\Activision
2008-11-16 20:49 --------- d-----w c:\program files\Scirra
2008-11-12 06:46 --------- d---a-w c:\programdata\TEMP
2008-11-10 17:24 --------- d-----w c:\users\The Dudes\AppData\Roaming\vlc
2008-11-10 17:24 --------- d-----w c:\program files\ConsoleClassix.com
2008-11-01 21:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-29 04:31 66,872 ----a-w c:\windows\System32\PnkBstrA.exe
2008-10-29 04:31 22,328 ----a-w c:\users\The Dudes\AppData\Roaming\PnkBstrK.sys
2008-10-28 00:04 --------- d-----w c:\program files\LucasArts
2008-10-25 01:29 --------- d-----w c:\program files\Anim8or Beta
2008-10-23 04:04 --------- d-----w c:\program files\iTunes
2008-10-23 03:40 3,198,136 ----a-w c:\users\The Dudes\Me.zip
2008-10-22 11:29 14,303,392 ----a-w c:\windows\System32\xlive.dll
2008-10-22 11:29 13,643,936 ----a-w c:\windows\System32\xlivefnt.dll
2008-10-20 02:28 14,465 ----a-w C:\filledsphere.zip
2008-10-19 04:11 --------- d-----w c:\program files\ANPARK
2008-10-19 03:07 20,068 ----a-w C:\xwing.zip
2008-10-17 16:10 --------- d-----w c:\programdata\2DBoy
2008-10-17 16:10 --------- d-----w c:\program files\WorldOfGooDemo
2008-10-16 18:58 --------- d-----w c:\programdata\NVIDIA
2008-10-16 18:56 --------- d-----w c:\program files\AGEIA Technologies
2008-10-16 03:41 --------- d-----w c:\program files\HiDigit
2008-10-15 17:59 --------- d-----w c:\users\The Dudes\AppData\Roaming\InstallShield Installation Information
2008-10-15 17:56 --------- d-----w c:\program files\Unreal Tournament 3 Demo
2008-10-15 03:39 --------- d-----w c:\users\The Dudes\AppData\Roaming\InstallShield
2008-10-12 20:41 --------- d-----w c:\users\The Dudes\AppData\Roaming\IGN_DLM
2008-10-12 17:58 --------- d-----w c:\program files\Download Manager
2008-10-10 23:17 --------- d-----w c:\program files\KOEI
2008-10-08 21:45 --------- d-----w c:\users\The Dudes\AppData\Roaming\Lost Marble
2008-10-08 21:45 --------- d-----w c:\program files\Smith Micro
2008-10-07 22:21 --------- d-----w c:\program files\ExGen
2008-10-05 05:15 --------- d-----w c:\users\The Dudes\AppData\Roaming\Music Recognition
2008-10-05 05:15 --------- d-----w c:\program files\Able Editor 1.3
2008-10-04 17:24 --------- d-----w c:\users\The Dudes\AppData\Roaming\Microsoft Games
2008-10-04 17:12 --------- d-----w c:\program files\Microsoft Games
2008-10-04 17:11 --------- d-----w c:\users\The Dudes\AppData\Roaming\Microsoft Game Studios
2008-10-04 17:11 --------- d-----w c:\programdata\Microsoft Games
2008-10-03 02:26 --------- d-----w c:\users\The Dudes\AppData\Roaming\fretsonfire
2008-10-03 01:39 --------- d-----w c:\program files\Frets on Fire
2008-10-03 00:36 --------- d-----w c:\program files\FoF
2008-10-02 23:46 81,920 ----a-w c:\windows\System32\frapsvid.dll
2008-10-02 15:07 453,152 ----a-w c:\windows\System32\NVUNINST.EXE
2008-09-29 01:39 --------- d-----w c:\programdata\YoYoGames
2008-09-28 17:19 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-09-27 04:37 --------- d-----w c:\users\The Dudes\AppData\Roaming\X-Chat 2
2008-09-26 21:27 --------- d-----w c:\program files\GlovePIE
2008-09-26 03:51 --------- d-----w c:\program files\xchat
2008-09-24 20:31 --------- d-----w c:\program files\Free Audio Pack
2008-09-24 20:26 --------- d-----w c:\program files\Windows Media Components
2008-09-24 16:23 --------- d-----w c:\program files\Meridian
2008-09-24 16:11 --------- d-----w c:\program files\Google
2008-09-24 01:38 --------- d-----w c:\users\The Dudes\AppData\Roaming\Blender Foundation
2008-09-24 01:38 --------- d-----w c:\program files\Blender Foundation
2008-09-23 01:32 --------- d-----w c:\program files\7-Zip
2008-09-23 01:14 --------- d-----w c:\program files\SNES9X
2008-09-23 01:05 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-09-23 01:05 --------- d-----w c:\program files\Java
2008-09-19 15:57 5,384,109 ----a-w c:\users\The Dudes\AppData\Roaming\consoleclassixsetup.exe
2008-09-18 05:38 174 --sha-w c:\program files\desktop.ini
2008-09-18 05:27 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-18 05:26 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 05:04 47,560 ----a-w c:\windows\System32\SPReview.exe
2008-09-18 05:04 152,576 ----a-w c:\windows\System32\SPWizUI.dll
2008-09-18 02:16 61,440 ----a-w c:\windows\System32\winipsec.dll
2008-09-18 02:16 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-09-18 02:16 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2008-09-18 02:16 272,896 ----a-w c:\windows\System32\polstore.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-18 02:14 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-09-18 02:14 28,160 ----a-w c:\windows\System32\Apphlpdm.dll
2008-09-18 02:14 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-09-18 02:14 1,695,744 ----a-w c:\windows\System32\gameux.dll
2008-09-18 02:06 303,616 ----a-w c:\windows\System32\wmpeffects.dll
2008-09-18 02:06 2,048 ----a-w c:\windows\System32\tzres.dll
2008-09-18 01:56 181,760 ----a-w c:\windows\System32\fsquirt.exe
2008-09-18 01:55 988,216 ----a-w c:\windows\System32\winload.exe
2008-09-18 01:55 927,288 ----a-w c:\windows\System32\winresume.exe
2008-09-18 01:55 615,992 ----a-w c:\windows\System32\ci.dll
2008-09-18 01:55 6,656 ----a-w c:\windows\System32\kbd106n.dll
2008-09-18 01:55 46,592 ----a-w c:\windows\System32\setbcdlocale.dll
2008-09-18 01:55 40,960 ----a-w c:\windows\System32\srclient.dll
2008-09-18 01:55 378,368 ----a-w c:\windows\System32\srcore.dll
2008-09-18 01:55 318,464 ----a-w c:\windows\System32\rstrui.exe
2008-09-18 01:55 19,000 ----a-w c:\windows\System32\kd1394.dll
2008-09-18 01:55 14,848 ----a-w c:\windows\System32\srdelayed.exe
2008-09-18 01:53 295,936 ----a-w c:\windows\System32\gdi32.dll
2008-09-18 01:50 14,848 ----a-w c:\windows\System32\wshrm.dll
2008-09-18 01:48 84,480 ----a-w c:\windows\System32\INETRES.dll
2008-09-18 01:48 738,304 ----a-w c:\windows\System32\inetcomm.dll
2008-09-18 01:48 1,314,816 ----a-w c:\windows\System32\quartz.dll
2008-09-18 01:47 428,544 ----a-w c:\windows\System32\EncDec.dll
2008-09-18 01:47 293,376 ----a-w c:\windows\System32\psisdecd.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-22_14.27.27.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-18 06:16:49 51,200 ----a-w c:\windows\inf\infpub.dat
+ 2008-11-23 04:33:52 51,200 ----a-w c:\windows\inf\infpub.dat
- 2008-11-18 06:16:49 86,016 ----a-w c:\windows\inf\infstrng.dat
+ 2008-11-23 04:31:56 86,016 ----a-w c:\windows\inf\infstrng.dat
- 2008-11-21 03:08:18 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-22 20:27:18 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-21 03:08:13 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-22 20:27:12 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-11-21 03:07:16 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-21 03:07:20 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 08:27:22 1,083,520 ----a-w c:\windows\System32\drivers\Ph3xIB32.sys
- 2008-11-21 03:12:11 101,144 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-23 08:19:23 101,144 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-21 03:12:11 595,446 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-23 08:19:23 595,446 ----a-w c:\windows\System32\perfh009.dat
+ 2006-11-02 09:46:12 13,824 ----a-w c:\windows\System32\Ph3xIB32MV.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"Google Update"="c:\users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-18 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13584928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-10 16:50 1234712 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 15:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-08-01 14:36 1103216 c:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-09-22 19:07 144792 c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ECE7B0B3-8656-4304-8CA9-AE74F054D833}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{624C4D49-5640-4CAB-AC0B-C7AAA2A588F3}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8EE47403-CD3E-4DDB-BE20-26D67485E8C8}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6E1AED82-8EB1-485F-BAA5-12098AD19F58}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{77E5F756-97AA-4921-9CC0-DEE8E3F17D20}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{FF0BB031-FE75-4973-B107-86B4D411811C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{5A815BB4-29FC-4B0E-B014-5E7C0069C669}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{04A184CE-6015-40B3-8A88-3B84CF61DD4A}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{FDBAA8BC-6C8D-4851-AB48-1168E7BF5540}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"TCP Query User{4BF6EAFA-C96C-4682-B726-9A6B7FD3A1F7}c:\\program files\\xchat\\xchat.exe"= UDP:c:\program files\xchat\xchat.exe:XChat IRC Client
"UDP Query User{5B17CAAD-60D2-4872-A615-F07E85876E55}c:\\program files\\xchat\\xchat.exe"= TCP:c:\program files\xchat\xchat.exe:XChat IRC Client
"{BBAA310A-1B7F-4771-9BF5-2516F1105471}"= UDP:c:\program files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{58745F79-8900-443E-8030-D8264581F538}"= TCP:c:\program files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{ED01F608-7B1B-483F-B494-CD9928CB5D7D}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{046B3AD1-A5C6-4851-A752-D2A03FD65BB8}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{7A877C68-403C-42BF-9222-C0FF511F4CC0}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{490F6AAF-2133-408E-849E-F32061B2F995}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{2C2D82F3-3FC7-443E-A2E7-9B13BD196DEF}c:\\program files\\electronic arts\\crytek\\crysis wars\\bin32\\crysis.exe"= UDP:c:\program files\electronic arts\crytek\crysis wars\bin32\crysis.exe:Crysis
"UDP Query User{3D5D2D0A-8B4A-4A6B-8CBB-2BF2F9DBB36A}c:\\program files\\electronic arts\\crytek\\crysis wars\\bin32\\crysis.exe"= TCP:c:\program files\electronic arts\crytek\crysis wars\bin32\crysis.exe:Crysis
"TCP Query User{C81E6395-CF33-430E-914E-9488C3A1C15A}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= UDP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"UDP Query User{B6099AB3-4346-4C47-A083-9D9FC4937C43}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= TCP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"{0F26A9B0-79C4-4633-A791-AA4260CA0690}"= UDP:c:\program files\LucasArts\Star Wars JK II Jedi Outcast\GameData\jk2mp.exe:Star Wars Jedi Knight(TM): Jedi Outcast(TM)
"{27750D18-0577-43B1-8B8B-A2BEAFBB22CE}"= TCP:c:\program files\LucasArts\Star Wars JK II Jedi Outcast\GameData\jk2mp.exe:Star Wars Jedi Knight(TM): Jedi Outcast(TM)
"{3E718D3A-AF84-44DE-B92A-DCC5BBA39C30}"= UDP:c:\program files\Unreal Tournament 3 Demo\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"{5C84D0AD-D866-412C-9E6F-693AE0653D08}"= TCP:c:\program files\Unreal Tournament 3 Demo\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"{5615CC8E-F9FB-4464-B18A-C294E47E1875}"= UDP:c:\program files\LucasArts\Star Wars Battlefront\GameData\battlefront.exe:Star Wars(TM): Battlefront(TM)
"{0318D15A-8E8A-4FA7-9ECA-C60E870E95B9}"= TCP:c:\program files\LucasArts\Star Wars Battlefront\GameData\battlefront.exe:Star Wars(TM): Battlefront(TM)
"TCP Query User{9E7ECE46-D848-4AE3-ACB1-91B3CAE90635}c:\\program files\\activision\\call of duty - world at war beta\\codwawbeta.exe"= UDP:c:\program files\activision\call of duty - world at war beta\codwawbeta.exe:Call of Duty(R): World at War Multiplayer
"UDP Query User{EEC3DCC1-191D-47C3-B4B6-E04D5FA2AE18}c:\\program files\\activision\\call of duty - world at war beta\\codwawbeta.exe"= TCP:c:\program files\activision\call of duty - world at war beta\codwawbeta.exe:Call of Duty(R): World at War Multiplayer
"{99602664-FE35-4D0E-A392-5D9653216E7F}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{A47333D7-58D3-44FF-A040-632A89652715}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\xchat\\xchat.exe"= c:\program files\xchat\xchat.exe:*:Enabled:XChat IRC Client

R0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-09-17 4608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-10 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-10 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-10 231704]
R3 3xHybrid;SAA713x TV Card Service;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-07-06 906368]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-11-10 69128]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2006-11-02 1083520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

*Newly Created Service* - CATCHME
*Newly Created Service* - DSDRV4
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-18 09:44]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 12:30:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-23 12:31:32
ComboFix-quarantined-files.txt 2008-11-23 18:31:09
ComboFix2.txt 2008-11-22 20:28:14

Pre-Run: 91,544,465,408 bytes free
Post-Run: 91,510,865,920 bytes free

345 --- E O F --- 2008-11-06 21:30:43

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:28 PM, on 11/23/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehtray.exe
C:\Users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=my&.done=http://att.my.yahoo.com&.intl=us&.partner=sbc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4638 bytes
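
A HijackThis log like the one above is read by hand in this thread, but the same first pass can be scripted: which sections deserve a look (hosts redirects, autostarts outside the usual directories or with no path at all, AppInit_DLLs, services with no publisher). The block below is an added example, not code from the thread or from Trend Micro's tool. The sample lines are constructed in the shape of the log above; the 203.0.113.5 hosts line is invented (a TEST-NET-3 address) to show what a redirecting entry would look like, and the trusted directory list is an assumption to tune per machine.

```python
"""Triage of HijackThis-style log lines (added example; not the thread's or Trend Micro's code)."""
import re
from ipaddress import ip_address

# Constructed sample in the shape of the log above. The 203.0.113.5 line is invented
# (a TEST-NET-3 address) to show what a redirecting hosts entry would look like.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 download.microsoft.com
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\The Dudes\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .exe/.dll/.sys, with or without surrounding quotes.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys))\b', re.IGNORECASE)
# Where autostart binaries normally live on this kind of system (assumption; tune per host).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def _is_loopback(address):
    """True for 127.0.0.0/8 and ::1; anything else in a hosts entry redirects the name."""
    try:
        return ip_address(address).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return (section, reason, line) tuples for entries a helper should look at first."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        section, body = match.groups()
        if section == "O1":
            # "Hosts: <address> <name>": anything not loopback redirects that name.
            fields = body.split(":", 1)[1].split()
            if len(fields) >= 2 and not _is_loopback(fields[0]):
                findings.append((section, f"hosts maps {fields[1]} to {fields[0]}", raw))
        elif section == "O4":
            path = PATH_RE.search(body)
            if path is None:
                # A bare file name is resolved through the search path at logon.
                findings.append((section, "autostart uses an unqualified file name", raw))
            elif not path.group(1).lower().startswith(TRUSTED_PREFIXES):
                findings.append((section, "autostart outside Windows/Program Files", raw))
        elif section == "O20":
            findings.append((section, "AppInit_DLLs loads into every process that maps user32.dll; verify publisher", raw))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service binary carries no publisher information", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Every hit is a "look here first", not a verdict: on the log above, Google Update under AppData and the PunkBuster service without a publisher are both explainable by the installed software list, and the AVG AppInit DLL belongs to the antivirus. The value is that a loopback-only O1 section and qualified, in-place O4 entries can be cleared quickly so attention goes to what remains.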

Blade81
2008-11-24, 08:25
Hi

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.


Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe
Click the Rootkit tab and then Scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log in your reply.

linkman2004
2008-11-26, 04:27
Sorry it took so long to get these up. My phone lines were out for over a day.

GMER:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-24 12:18:09
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.14 ----

Device \Driver\BTHUSB \Device\0000005c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000005e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027211da66
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00027211da66

---- EOF - GMER 1.0.14 ----

Uninstall List:

1.13
7-Zip 4.57
Able MIDI Editor 1.3 (remove only)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Anime Studio 5.6
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVG Free 8.0
Blender (remove only)
Bonjour
Call of Duty(R) - World at War(TM) Beta
Console Classix 4.05
Construct 0.97.6
DivX Codec
DivX Web Player
Download Manager 2.3.7
DScaler 4.1.15
DW6 Demo
Foxit Reader
Fraps
Free Mp3 Wma Converter V 1.7.3
Frets On Fire
Google Talk (remove only)
GTK+ 2.10.13 runtime environment
Halo 2 for Windows Vista
HiDigit 1.1
HijackThis 2.0.2
Inkscape 0.46
iTunes
Java(TM) 6 Update 10
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
MapleStory
Microsoft Games for Windows - LIVE Redistributable
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Morrowind
Morrowind Graphics Extender 3.0.3
Mozilla Firefox (3.0.3)
MyNetflix
NVIDIA Drivers
NVIDIA PhysX v8.09.04
Privoxy (remove only)
PunkBuster Services
Python 2.5.2
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Media Encoder (KB954156)
Skype™ 3.8
SpaceMonger 2.1.1
Spybot - Search & Destroy
Spyware Doctor 6.0
Star Wars Battlefront
Star Wars Battlefront II
Star Wars JK II Jedi Outcast
Strong Bad - Strong Bad Episode 3 - Baddest of the Bands
Strong Bad - Strong Bad Episode 4 - Dangeresque 3
TES Construction Set
The GIMP 2.2.17
Unreal Tournament 3 Demo
VLC media player 0.9.2
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
XChat 2 (remove only)

Blade81
2008-11-26, 09:39
Hi

Uninstall Privoxy and try to access the Kaspersky online scanner after that. If you are still not able to, try the following:

* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

linkman2004
2008-11-27, 08:09
Uninstalling Privoxy didn't work for Kaspersky (it wasn't running anyway, and it was my ad-blocker for Chrome), and the ESET scanner couldn't update either. Is there some way I could download the files elsewhere and update manually?

Blade81
2008-11-27, 09:55
Hi

Archive your c:\windows\system32\drivers\etc\HOSTS file into zip file and send it as an attachment in your reply, please. If you need help with archiving please see here (http://www.asktheadmin.com/2008/06/can-i-zip-a-file-within-vista-xp-with-out-installing-a-3rd-party-application.html).

linkman2004
2008-11-28, 00:31
Okay, here it is.

2693

Blade81
2008-11-28, 16:14
Hi

Locate if present the following file & delete it:

C:\windows\ntbtlog.txt

Restart the computer
Just before the OS loading screen starts hit F8 as if going to safe mode.
From the advanced boot menu choose "enable boot logging" then hit enter.
Post the following file (as an attachment if the content is big):

C:\windows\ntbtlog.txt

linkman2004
2008-11-28, 16:49
Here it is:

Service Pack 111 28 2008 09:45:20.500
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\acpi.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\system32\drivers\pciide.sys
Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\nvstor.sys
Loaded driver \SystemRoot\system32\drivers\storport.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvstor32.sys
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Loaded driver \SystemRoot\system32\drivers\msrpc.sys
Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\System32\Drivers\spldr.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\System32\drivers\ecache.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS
Loaded driver \SystemRoot\system32\drivers\crcdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\null.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\amdk8.sys
Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvlddmkm.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\3xHybrid.sys
Loaded driver \SystemRoot\system32\DRIVERS\RT2500.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvmfdx32.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\msiscsi.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\RTKVHDA.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Did not load driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys
Loaded driver \SystemRoot\system32\DRIVERS\smb.sys
Loaded driver \SystemRoot\system32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\fastfat.SYS
Loaded driver \SystemRoot\System32\Drivers\BTHUSB.sys
Loaded driver \SystemRoot\system32\DRIVERS\rfcomm.sys
Loaded driver \SystemRoot\system32\DRIVERS\BthEnum.sys
Loaded driver \SystemRoot\system32\DRIVERS\bthpan.sys
Loaded driver \SystemRoot\system32\DRIVERS\rt2500usb.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdfs.sys
Loaded driver \SystemRoot\system32\DRIVERS\monitor.sys
Loaded driver \SystemRoot\system32\drivers\luafv.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\lltdio.sys
Loaded driver \SystemRoot\system32\DRIVERS\nwifi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys
Loaded driver \SystemRoot\system32\drivers\HTTP.sys
Loaded driver \SystemRoot\System32\DRIVERS\srvnet.sys
Loaded driver \SystemRoot\system32\DRIVERS\bowser.sys
Loaded driver \SystemRoot\System32\drivers\mpsdrv.sys
Loaded driver \SystemRoot\system32\drivers\mrxdav.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb10.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb20.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv2.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \??\C:\Nexon\MapleStory\npkcrypt.sys
Loaded driver \SystemRoot\system32\drivers\peauth.sys
Loaded driver \SystemRoot\System32\Drivers\secdrv.SYS
Loaded driver \SystemRoot\System32\drivers\tcpipreg.sys
Loaded driver \SystemRoot\System32\Drivers\avgwfpx.sys
Loaded driver \SystemRoot\system32\DRIVERS\asyncmac.sys
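
A boot log of this length is easier to review when reduced to two questions: which drivers load from somewhere other than \SystemRoot, and which appear as both "Loaded driver" and "Did not load driver". The block below is an added example, not code from the thread; the excerpt it parses is constructed from a few of the lines above, including the header line that carries no driver. The `\??\` prefix is the NT object-namespace form of a Win32 drive path, which is why a driver living outside the Windows directory shows up that way.

```python
"""Triage of a Vista ntbtlog.txt boot log (added example; not from the thread)."""
import re

# Constructed excerpt in the shape of the boot log above (header plus a few driver lines).
SAMPLE_BOOT_LOG = r"""
Service Pack 111 28 2008 09:45:20.500
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \??\C:\Nexon\MapleStory\npkcrypt.sys
Loaded driver \SystemRoot\System32\Drivers\avgwfpx.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*)$")
# System drivers resolve under \SystemRoot; "\??\" is the NT object-namespace prefix
# for a Win32 drive path, so a path starting with it lives outside the Windows tree.
SYSTEM_PREFIX = "\\systemroot\\"


def parse_boot_log(text):
    """Split the log into (loaded, failed) driver path lists; other lines are ignored."""
    loaded, failed = [], []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        status, path = match.groups()
        (loaded if status == "Loaded driver" else failed).append(path)
    return loaded, failed


def drivers_outside_systemroot(paths):
    """Driver images not under \\SystemRoot: each one should be attributable to something installed."""
    return [p for p in paths if not p.lower().startswith(SYSTEM_PREFIX)]


def both_loaded_and_failed(loaded, failed):
    """Drivers the log records as loaded and, on a later attempt, not loaded."""
    loaded_set = {p.lower() for p in loaded}
    return sorted({p for p in failed if p.lower() in loaded_set}, key=str.lower)


def triage_boot_log(text):
    """One-shot summary a reviewer can read instead of the whole log."""
    loaded, failed = parse_boot_log(text)
    return {
        "loaded": len(loaded),
        "failed": len(failed),
        "outside_systemroot": drivers_outside_systemroot(loaded),
        "loaded_and_failed": both_loaded_and_failed(loaded, failed),
    }


if __name__ == "__main__":
    for key, value in triage_boot_log(SAMPLE_BOOT_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt the only out-of-tree driver is npkcrypt.sys, which belongs to the MapleStory entry in the uninstall list posted earlier, so it is explained rather than suspicious. A driver that is listed as both loaded and not loaded is the log recording a second load attempt; on its own that is not an indicator, and the point of listing them is to check that the names are ones you expect.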

Blade81
2008-11-28, 18:12
Hi

You mentioned not being able to download anything from Microsoft website. Are the downloads affected only or aren't you able to access the site at all?


Creating & executing batch file
-------------------------------

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
c:
cd\
dir /s /a hosts >c:\hostsLocations.txt
notepad c:\hostsLocations.txt

Double-click on the fixes.bat file to execute it. The hostsLocations.txt file should open up in a Notepad window. Please post the contents back here.

linkman2004
2008-11-28, 19:00
I can access the site just fine, but when I try to download anything it will tell me the URL is invalid. Here are the contents of that file:

Volume in drive C is Vegeta
Volume Serial Number is 9C80-336F

Directory of C:\Windows\System32\drivers\etc

11/18/2008 06:27 PM 763 hosts
1 File(s) 763 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.0.6000.16386_none_024e4071fa6fea95

09/18/2006 03:41 PM 761 hosts
1 File(s) 761 bytes

Total Files Listed:
2 File(s) 1,524 bytes
0 Dir(s) 85,920,223,232 bytes free
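
The batch file turns up two copies of hosts: the live one in drivers\etc and the component-store copy under winsxs. The two-byte size difference between them says nothing by itself (a line ending accounts for that), so the useful comparison is between the parsed name-to-address mappings, ignoring comments and whitespace. The block below is an added example, not code from the thread. Its hosts contents are constructed: the pristine stand-in carries the two loopback entries of a Vista-era default (an assumption about that file), and the tampered copy uses a TEST-NET-3 address with one real Microsoft download host name and one RFC 2606 example name.

```python
"""Semantic comparison of two hosts files (added example; not from the thread)."""
from ipaddress import ip_address

# Constructed stand-in for the pristine copy under winsxs: comment header plus the two
# loopback entries a Vista-era default carries (assumption about the default content).
PRISTINE = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# (header shortened for the example)

127.0.0.1       localhost
::1             localhost
"""

# Same mappings, different line endings: a few bytes larger, nothing changed.
LIVE_CLEAN = PRISTINE.replace("\n", "\r\n") + "\r\n"

# Constructed tampered copy: TEST-NET-3 address, a real Microsoft download host and
# an RFC 2606 example name; these two lines are invented for illustration only.
LIVE_TAMPERED = PRISTINE + "203.0.113.5 download.microsoft.com\n203.0.113.5 www.example.net\n"


def _is_loopback(address):
    try:
        return ip_address(address).is_loopback
    except ValueError:
        return False


def parse_hosts(text):
    """Return {hostname: set(addresses)} for the active (non-comment) lines of a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), set()).add(address)
    return mapping


def compare_hosts(live_text, pristine_text):
    """Return (added, removed, changed) mappings of the live file relative to the pristine one."""
    live, pristine = parse_hosts(live_text), parse_hosts(pristine_text)
    added = {n: a for n, a in live.items() if n not in pristine}
    removed = {n: a for n, a in pristine.items() if n not in live}
    changed = {n: (pristine[n], live[n]) for n in live if n in pristine and live[n] != pristine[n]}
    return added, removed, changed


def non_loopback_entries(mapping):
    """Names mapped to anything other than a loopback address: candidates for a redirect."""
    return {name: addrs for name, addrs in mapping.items()
            if any(not _is_loopback(a) for a in addrs)}


if __name__ == "__main__":
    print("clean copy vs pristine:", compare_hosts(LIVE_CLEAN, PRISTINE))
    print("tampered copy vs pristine:", compare_hosts(LIVE_TAMPERED, PRISTINE))
    print("redirects in tampered copy:", non_loopback_entries(parse_hosts(LIVE_TAMPERED)))
```

When the live copy parses to the same mappings as the pristine one, the redirect the symptoms describe is not in hosts, and the next layer to check is name resolution outside the machine: the DNS servers the router hands out and the router's own configuration.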

Blade81
2008-11-28, 19:07
Ok. Next I suspect that your firewall may be blocking the connection. Do you have any other firewall enabled than Vista's one? Do you access the internet through a router? If you do, does it have a built-in firewall and is it enabled?

linkman2004
2008-11-28, 20:05
The only firewall I have is Vista's firewall. I do access the internet through a router and I found out that it does have a firewall enabled. Unfortunately, disabling it still didn't allow me to download anything from Microsoft.

Blade81
2008-11-28, 22:08
Hi

Could you provide a screenshot of the error you get when you try to download something? Do you get same error with IE and Firefox?

linkman2004
2008-11-29, 00:58
That's no longer necessary. It turned out to be a router based infection and all it took was one quick reset to the factory defaults and everything was fixed; no more Vimax ads, I can download things from Microsoft, it's all good. Sorry for wasting your time with this, but I'm really glad you were willing to help. Thanks. :)

Blade81
2008-11-29, 15:38
Good to hear that the origin of the problems was found :) However, I still recommend you do an online scan with Kaspersky and post back its report & a fresh HJT log here to make sure the system is clean.

Blade81
2008-12-06, 14:18
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.