I think my computer is infected



Atheos
2010-06-06, 22:44
I cannot put my finger on it, but my PC has been acting "weird" of late.


Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSX64
Run by John at 20:34:40.49 on 06.06.2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.4095.2136 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Lavalys\EVEREST Ultimate Edition\everest.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Users\John\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Core_Temp\Core Temp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Giganews Accelerator\GiganewsAccelerator.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\Clarus\Samsung Auto Backup\ISFGuage.exe
C:\Program Files (x86)\Clarus\Samsung Auto Backup\ISFRealTimeD.exe
C:\Program Files (x86)\Clarus\Samsung Auto Backup\ISFTimerD.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\John\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15187&l=dis
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files (x86)\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~2\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~2\micros~3\office14\URLREDIR.DLL
BHO: PandoraTV Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files (x86)\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: PandoraTV Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files (x86)\ask.com\GenericAskToolbar.dll
uRun: [googletalk] c:\users\john\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [IDMan] c:\program files (x86)\internet download manager\IDMan.exe /onboot
uRun: [CTRegRun] c:\windows\CTRegRun.EXE
uRun: [igndlm.exe] c:\program files (x86)\download manager\DLM.exe /windowsstart /startifwork
uRun: [Core Temp] "c:\core_temp\Core Temp.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MaxMenuMgr] "c:\program files (x86)\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files (x86)\erunt\AUTOBACK.EXE
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\seagat~1.lnk - c:\users\john\appdata\roaming\leadertech\powerregister\Seagate 2GHJZK8F Product Registration.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\gigane~1.lnk - c:\program files (x86)\giganews accelerator\GiganewsAccelerator.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\samsun~3.lnk - c:\program files (x86)\clarus\samsung auto backup\ISFGuage.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\samsun~2.lnk - c:\program files (x86)\clarus\samsung auto backup\ISFRealTimeD.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\samsun~1.lnk - c:\program files (x86)\clarus\samsung auto backup\ISFTimerD.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{83cccbdc-3a56-4f3b-89df-69386c3b7d62}\IcoUltraMon.ico
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\program files (x86)\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files (x86)\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files (x86)\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files (x86)\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files (x86)\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~2\spybot~1\SDHelper.dll
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\common files\microsoft shared\office14\MSOXMLMF.DLL
AppInit_DLLs: c:\windows\syswow64\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~3\office14\GROOVEEX.DLL
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun-x64: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun-x64: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun-x64: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun-x64: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
AppInit_DLLs-X64: c:\windows\system32\guard64.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\nmeu353s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\users\john\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\progra~2\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~2\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files (x86)\download manager\npfpdlm.dll
FF - plugin: c:\program files (x86)\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.27\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\john\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-5 69152]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-6-1 19840]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-1 236112]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 33208]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files (x86)\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]
R2 OrbisClient.Services;LabSim Configuration and Security;c:\program files (x86)\testout\orbis\OrbisClient.Services.exe [2010-3-23 14336]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-2-2 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files (x86)\common files\realtime soft\ultramonmirrordrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-3-5 202776]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-3-5 1417240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-3-5 94744]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files (x86)\lavalys\everest ultimate edition\kerneld.amd64 [2010-6-4 26752]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 NVNET55;NVIDIA nForce 10/100/1000 Mbps Ethernet ;c:\windows\system32\drivers\nvmimx64.sys [2009-7-1 423968]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-2-1 133104]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service\AL6Licensing.exe [2010-3-6 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2010-3-5 79360]
S3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;c:\program files (x86)\common files\creative labs shared\service\DDLLicensing.exe [2010-3-6 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-3-5 202776]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-3-5 1417240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-3-5 94744]
S3 ENTECH64;ENTECH64;c:\windows\system32\drivers\Entech64.sys [2010-1-31 12744]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 51456888]
S3 ose64;Office 64 Source Engine;c:\program files\common files\microsoft shared\source engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-5-8 31800]
S3 RivaTuner64;RivaTuner64;c:\program files (x86)\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTuner64.sys [2009-8-22 19952]
S3 RTCore64;RTCore64;c:\program files (x86)\evga precision\RTCore64.sys [2010-1-21 14376]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-5 1255736]
S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files (x86)\samsung\samsung pc share manager\WiselinkPro.exe [2010-2-17 3007488]

=============== Created Last 30 ================

2010-06-06 18:34:29 0 d-----w- c:\programdata\NVIDIA
2010-06-06 18:31:34 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-05 20:17:58 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-05 16:02:49 0 d-----w- c:\windows\syswow64\Wat
2010-06-05 16:02:49 0 d-----w- c:\windows\system32\Wat
2010-06-05 15:07:15 0 d-----w- c:\users\john\NewsBin
2010-06-05 15:07:15 0 d-----w- c:\program files (x86)\NewsBinGN
2010-06-04 23:44:19 0 d-----w- c:\program files (x86)\NirSoft
2010-06-04 23:38:30 469186421 ------w- c:\windows\MEMORY.DMP
2010-06-04 21:55:27 0 d-----w- c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
2010-06-04 21:27:47 0 d-----w- c:\programdata\COMODO
2010-06-04 21:27:28 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-06-04 21:26:04 0 d-----w- c:\program files\COMODO
2010-06-04 18:59:21 0 d-sh--w- c:\windows\syswow64\%APPDATA%
2010-06-04 15:39:03 0 d-----w- C:\VirtualDub
2010-06-04 15:25:48 0 d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2010-06-03 23:05:01 65536 ------w- c:\windows\system32\Ikeext.etl
2010-06-03 21:44:51 0 d-----w- c:\program files (x86)\Path Analyzer Pro 2.7
2010-06-03 18:18:46 0 d-----w- c:\program files (x86)\Giganews Accelerator
2010-06-03 17:06:04 0 d-----w- c:\users\john\appdata\roaming\SEGA Corporation
2010-06-03 17:06:03 0 d-----w- c:\programdata\SEGA Corporation
2010-06-03 15:36:07 0 d-----w- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2010-06-03 13:55:52 112 ----a-w- c:\windows\syswow64\_WKERNEL.SYL
2010-06-03 13:55:46 56496 ----a-w- c:\windows\syswow64\wbhelp2.dll
2010-06-03 13:55:46 544768 ----a-w- c:\windows\syswow64\wbocx.ocx
2010-06-03 13:55:46 4608 ----a-w- c:\windows\syswow64\W95INF32.DLL
2010-06-03 13:55:46 439 ----a-w- c:\windows\syswow64\shfolder.inf
2010-06-03 13:55:46 33968 ----a-w- c:\windows\syswow64\anim.dll
2010-06-03 13:55:46 258352 ----a-w- c:\windows\syswow64\unicows.dll
2010-06-03 13:55:46 2272 ----a-w- c:\windows\syswow64\W95INF16.DLL
2010-06-03 13:55:46 1706800 ----a-w- c:\windows\syswow64\gdiplus.dll
2010-06-03 13:55:46 0 d-----w- c:\program files (x86)\WinUtilities
2010-06-02 21:44:12 0 d-----w- c:\users\john\appdata\roaming\NewsLeecher
2010-06-02 21:43:54 0 d-----w- c:\program files (x86)\NewsLeecher
2010-06-01 18:00:52 278288 ----a-w- c:\windows\syswow64\guard32.dll
2010-06-01 18:00:46 354032 ----a-w- c:\windows\system32\guard64.dll
2010-06-01 18:00:18 33208 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-01 18:00:18 236112 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-01 18:00:16 19840 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-05-31 22:26:11 0 d-----w- C:\VTC.CompTIA.Linux.PLUS.Certification.2009-iNKiSO
2010-05-31 16:35:30 0 d-----w- c:\windows\pss
2010-05-30 00:40:10 0 d-----w- C:\Solutions
2010-05-30 00:39:56 0 d-----w- C:\PowerPoints
2010-05-29 15:37:25 0 d-----w- c:\programdata\TestOut
2010-05-29 14:52:31 0 d-----w- C:\ExamView
2010-05-28 00:09:00 41872 ----a-w- c:\windows\syswow64\xfcodec.dll
2010-05-28 00:09:00 27536 ----a-w- c:\windows\system32\xfcodec64.dll
2010-05-26 14:13:53 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-26 14:13:53 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 15:47:08 0 d-----w- c:\program files (x86)\Windows SideShow
2010-05-18 17:19:20 0 d-----w- c:\program files (x86)\uCertify
2010-05-18 16:10:55 0 d-----w- c:\users\john\appdata\roaming\Thinstall
2010-05-16 17:03:03 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-05-16 03:08:38 0 d-----w- C:\SWGEmu
2010-05-16 03:07:51 0 d-----w- c:\users\john\appdata\roaming\LPECommon
2010-05-16 02:55:49 0 d-----w- c:\program files (x86)\Sony
2010-05-15 20:16:34 0 d-----w- c:\program files (x86)\AVATAR Interactive Desktop
2010-05-15 14:11:51 0 d-----w- C:\MKVExtract
2010-05-15 14:08:43 0 d-----w- C:\eac3to
2010-05-13 19:23:47 0 d-----w- c:\program files (x86)\Pando Networks
2010-05-12 20:46:21 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-12 14:22:03 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 14:22:03 740864 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-05-11 18:26:25 0 d-----w- C:\md5
2010-05-09 16:27:32 0 d-----w- c:\users\john\appdata\roaming\Mumble
2010-05-09 16:27:21 0 d-----w- c:\program files (x86)\Mumble
2010-05-08 21:37:13 0 d--h--w- C:\VritualRoot
2010-05-08 21:33:40 0 d-----w- c:\program files (x86)\COMODO
2010-05-08 21:32:58 0 d-----w- c:\programdata\Comodo Downloader
2010-05-08 20:18:33 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-05-08 20:18:32 0 d-----w- c:\program files\VS Revo Group
2010-05-08 19:48:58 0 d-----w- c:\program files (x86)\MSECACHE

==================== Find3M ====================

2010-06-06 19:30:40 1351681 ----a-w- c:\windows\system32\HWMBlackBoxX64.dll
2010-05-15 22:40:24 218808 ----a-w- c:\windows\syswow64\PnkBstrB.exe
2010-05-09 09:01:02 108032 ----a-w- c:\windows\syswow64\ff_vfw.dll
2010-05-08 16:43:04 669184 ----a-w- c:\windows\syswow64\pbsvc.exe
2010-05-05 20:16:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-05 20:16:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-29 14:39:28 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 13:45:56 72856 ----a-w- c:\windows\syswow64\xliveinstallhost.exe
2010-04-27 13:45:56 187544 ----a-w- c:\windows\syswow64\xliveinstall.dll
2010-04-16 23:04:40 306032 ----a-w- c:\windows\WLXPGSS.SCR
2010-04-16 21:12:18 48464 ----a-w- c:\windows\syswow64\sirenacm.dll
2010-04-12 16:29:27 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-04-12 16:29:26 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-04-12 16:29:25 145184 ----a-w- c:\windows\syswow64\java.exe
2010-04-03 17:42:00 159336 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 17:42:00 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
2010-04-03 17:42:00 14828648 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 17:42:00 116328 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 17:42:00 1067624 ----a-w- c:\windows\system32\nvsvc64.dll
2010-04-02 16:17:52 15426200 ----a-w- c:\windows\syswow64\xlive.dll
2010-04-02 16:17:52 13642904 ----a-w- c:\windows\syswow64\xlivefnt.dll
2010-03-25 18:52:36 318992 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2010-03-20 16:27:47 75064 ----a-w- c:\windows\syswow64\PnkBstrA.exe
2010-03-20 16:27:47 2434856 ----a-w- c:\windows\syswow64\pbsvc_bc2.exe
2010-03-17 15:57:08 11030 ----a-w- c:\windows\syswow64\SpoonUninstall-dBpoweramp DSP Effects.dat
2010-03-17 15:57:06 3494576 ----a-w- c:\windows\syswow64\SpoonUninstall.exe
2010-03-17 15:57:05 15613 ----a-w- c:\windows\syswow64\SpoonUninstall-dBpoweramp Music Converter.dat
2010-03-17 15:56:41 5894 ----a-w- c:\windows\syswow64\SpoonUninstall-dBpoweramp CD Writer.dat
2010-03-08 21:59:59 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 21:33:56 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 17:44:34 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:37:10.90 ===============

shelf life
2010-06-11, 00:36
hi,


I cannot put my finger on it

Any of these (http://www.virusvault.us/signs.html) happening?

Atheos
2010-06-11, 22:08
Hey Shelf Life,

I should have given more info in my first post; it was late and I was lazy.

I have Comodo Internet Security Premium installed and it found some issues after a scan.

It found 4 .exe's in the System Volume Information of my E: drive:

A0015387.exe
A0014751.exe
A0014636.exe
A0013729.exe

I thought it had cleaned them, so I ran Malwarebytes Anti-Malware and it found two of them:

Database version: 4175

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

07.06.2010 17:23:56
mbam-log-2010-06-07 (17-23-56).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 565833
Time elapsed: 1 hour(s), 39 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\System Volume Information\_restore{C1DEA4B5-AF9E-485B-9401-032B1B7F4111}\RP57\A0014396.exe (Trojan.Agent.CK) -> No action taken.
E:\System Volume Information\_restore{C1DEA4B5-AF9E-485B-9401-032B1B7F4111}\RP57\A0014399.exe (Trojan.Agent.CK) -> No action taken.


I am not sure if I am still infected or not.

Spybot usually finds cookies etc and i clean them.

If you need more info or scans etc let me know.

Thank you for your valuable time.

shelf life
2010-06-12, 02:25
hi,

Those files are in the system restore archive. You can clean them out. The how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.
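As an added example, not part of shelf life's instructions or of any tool named in the thread: the same three steps carried out on Windows 7 (the OP's system, per the DDS header), where the XP "System Restore" tab is called "System Protection" and the work can be done from an elevated Windows PowerShell prompt with the built-in Enable-/Disable-ComputerRestore and Checkpoint-Computer cmdlets plus vssadmin. The drive letters C: and E: are taken from the thread (E: is where the flagged A00*.exe files lived); treat the list as an assumption to adjust for your own volumes.

```powershell
# Added example: command-line equivalent of the XP "turn System Restore off,
# reboot, turn it back on" procedure, for Windows 7. Run as administrator.
# Drive list is an assumption taken from the thread (C: system, E: data).
$Drives = @('C:\', 'E:\')

function Assert-Elevated {
    # System Protection changes fail without an elevated token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
    }
}

function Show-RestorePoints {
    # What the archive currently holds; compare before and after.
    Get-ComputerRestorePoint |
        Format-Table SequenceNumber, Description, CreationTime -AutoSize
}

function Clear-RestorePoints {
    # Step 1 of the post: turn System Restore off, which discards the restore
    # points (and with them the archived copies of any file they contained),
    # then remove any shadow copies still left on the same volumes.
    Assert-Elevated
    Write-Host 'Restore points before:'
    Show-RestorePoints
    foreach ($d in $Drives) {
        Disable-ComputerRestore -Drive $d
        $vol = $d.TrimEnd('\')          # vssadmin wants "C:", not "C:\"
        vssadmin delete shadows /for=$vol /all /quiet | Out-Null
    }
    Write-Host 'System Protection disabled; reboot now (step 2), then run Restore-SystemProtection.'
}

function Restore-SystemProtection {
    # Step 3 of the post: turn System Restore back on and create a fresh
    # baseline point on the now clean system.
    Assert-Elevated
    foreach ($d in $Drives) {
        Enable-ComputerRestore -Drive $d
    }
    Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                        -RestorePointType 'MODIFY_SETTINGS'
    Write-Host 'Restore points after:'
    Show-RestorePoints
}

# Usage, mirroring the post's three steps:
#   Clear-RestorePoints          # step 1
#   Restart-Computer             # step 2
#   Restore-SystemProtection     # step 3 (after the reboot)
```

The "before" listing is worth keeping from the first run: if a restore point with the RP57 sequence seen in the MBAM log still shows up afterwards, protection was not actually disabled on that drive (usually because the prompt was not elevated).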