
Thread: IE hijack/win32 trouble

  1. #1
    Junior Member
    Join Date
    Oct 2010
    Posts
    11

    IE hijack/win32 trouble

    I've let this problem sit for a little too long. Back in July, I got hit with a virus that I thought I got rid of. About a week later, all Yahoo searches (and some Google searches) started getting redirected, followed by new IE windows popping up with random advertising websites. AVG kept picking up infected files, and only deleting some of them. Last week, I noticed that, half of the time, the new IE windows would try to open but fail, and that this would be followed, at some point, with a 'Generic Host Process for Win32 Services has encountered a problem' message.

    I assume this either showed up through uTorrent (which I thought I had deleted, but is still apparently in the system), or BigFish games (please don't judge me).

    DDS LOG:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 14:56:08.60 on Mon 10/04/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1396 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\WINDOWS\Imgtask.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uStart Page = hxxp://www.yahoo.com/
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll__BHODemonDisabled_YCQERMWRPPKJGTYHRKJGKLMNVMCZGSC
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.eadultgames.com/holdem/"
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
    mRun: [ImgTask] c:\windows\Imgtask.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRunOnce: [RunNarrator] Narrator.exe
    mExplorerRun: [msoffice] c:\docume~1\owner\locals~1\temp\scvhost.exe
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\gamesp~1.lnk - c:\program files\gamespot\GameSpotDownloadManager_Win32.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: cbXRJATK - cbXRJATK.dll
    Notify: tuvWPFyv - tuvWPFyv.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    SEH: {6afb6f98-289c-442e-b577-5e5125c742e2} - c:\windows\system32\tuvWPFyv.dll
    SEH: {39e06d62-aa5e-4e40-8adc-e22ccb4bd55c} - c:\windows\system32\cbXRJATK.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKAPGx
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-5 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-5 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-5 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-9-22 91392]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-11 24652]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-30 136176]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-8-4 96256]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-27 25832]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-12-2 23936]
    S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-6-11 42512]

    =============== Created Last 30 ================

    2010-10-03 22:54:30 0 d-----w- c:\documents and settings\owner\Maximize Games
    2010-10-01 21:55:56 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-10-01 20:06:36 0 d-----w- c:\docume~1\owner\applic~1\World-Loom
    2010-09-30 17:59:30 0 d-----w- c:\program files\Cooking Dash 3 - Thrills and Spills Collector's Edition
    2010-09-30 05:25:36 0 d-----w- c:\documents and settings\all users\TheFallTrilogyEp2-BF
    2010-09-30 03:58:37 0 d-----w- c:\program files\James Patterson Women's Murder Club - A Darker Shade of Grey
    2010-09-28 04:34:46 0 d-----w- c:\docume~1\owner\applic~1\Batovi
    2010-09-28 03:34:45 0 d-----w- c:\docume~1\owner\applic~1\Realore_Whiterra Roads Of Rome
    2010-09-28 03:29:39 0 d-----w- c:\program files\Roads of Rome
    2010-09-27 17:59:18 0 d-----w- c:\docume~1\owner\applic~1\KingArthur
    2010-09-24 18:51:38 0 d-----w- c:\program files\Wandering Willows
    2010-09-23 17:55:40 0 d-----w- c:\program files\Twisted Lands - Shadow Town Collector's Edition
    2010-09-23 03:40:05 0 d-----w- c:\program files\Valerie Porter and the Scarlet Scandal
    2010-09-20 02:52:19 0 d-----w- c:\docume~1\owner\applic~1\Freeze Tag
    2010-09-17 20:18:58 0 d-----w- c:\docume~1\owner\applic~1\MA
    2010-09-17 19:58:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SpinTop Games
    2010-09-17 07:58:48 73216 ----a-w- c:\windows\temp.000
    2010-09-16 07:50:57 0 d-----w- c:\docume~1\owner\applic~1\Whisper of a Rose Saves
    2010-09-15 18:39:26 0 d-----w- c:\docume~1\owner\applic~1\Gamers Digital
    2010-09-15 18:39:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Gamers Digital
    2010-09-14 18:05:03 0 d-----w- c:\docume~1\owner\applic~1\BigFishGames
    2010-09-14 06:07:57 0 d-----w- c:\program files\DragonStone
    2010-09-13 22:21:54 0 d-----w- c:\docume~1\owner\applic~1\Artifact Quest
    2010-09-13 06:04:34 0 d-----w- c:\docume~1\owner\applic~1\SunRay Games
    2010-09-13 05:36:36 0 d-----w- c:\docume~1\owner\applic~1\Big Splash Games
    2010-09-13 05:36:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Big Splash Games
    2010-09-12 05:46:05 0 d-----w- c:\docume~1\owner\applic~1\Ten Heavens
    2010-09-12 03:03:58 0 d-----w- c:\program files\Royal Trouble
    2010-09-12 00:29:49 0 d-----w- c:\docume~1\owner\applic~1\TOMI2.THE GATES OF FATE
    2010-09-09 17:55:31 0 d-----w- c:\docume~1\owner\applic~1\SecretIslandEng
    2010-09-07 17:53:03 0 d-----w- c:\docume~1\owner\applic~1\Elephant Games
    2010-09-07 06:54:18 0 d-----w- c:\docume~1\owner\applic~1\quickclick
    2010-09-07 03:37:27 0 d-----w- c:\docume~1\owner\applic~1\Ghost Ship Studios

    ==================== Find3M ====================

    2010-10-04 17:38:16 1984 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-10-04 00:54:24 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
    2010-10-04 00:52:45 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
    2010-09-17 08:26:22 249856 ------w- c:\windows\Setup1.exe
    2010-09-17 08:26:21 73216 ----a-w- c:\windows\ST6UNST.EXE
    2010-08-09 22:18:06 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-08-09 22:18:03 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-07-22 03:41:54 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-07-22 03:41:54 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-15 16:32:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-09 22:38:00 6343040 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-07-09 22:38:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-07-09 22:38:00 604776 ----a-w- c:\windows\system32\nvudisp.exe
    2010-07-09 22:38:00 4595712 ----a-w- c:\windows\system32\nvcuda.dll
    2010-07-09 22:38:00 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-07-09 22:38:00 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcodins.dll
    2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcod.dll
    2010-07-09 22:38:00 2195030 ----a-w- c:\windows\system32\nvdata.bin
    2010-07-09 22:38:00 1388544 ----a-w- c:\windows\system32\nvapi.dll
    2010-07-09 22:38:00 13549568 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-07-09 22:38:00 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-07-09 20:24:26 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-07-09 20:24:18 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2010-07-09 20:24:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-07-09 20:24:16 155752 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-07-09 20:24:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-07-09 20:24:16 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    2010-07-07 17:46:46 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
    2007-11-04 22:22:26 13445 ----a-w- c:\program files\install.log
    2009-07-07 02:18:11 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2008-06-14 07:16:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061420080615\index.dat
    2009-11-26 21:26:56 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2009-11-26 21:26:56 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2009-11-26 21:26:56 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 14:57:29.26 ===============
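The indicators in the DDS report above can be read out mechanically. The script below is an added example, not part of the original post and not code from the DDS tool: it runs a handful of triage rules over a few lines copied from the posted report (a loopback proxy, an autostart launched from a temp directory, a look-alike process name, random-looking Winlogon Notify and ShellExecuteHook DLLs, an extra LSA authentication package, and a hosts-file entry pinning a security site to 127.0.0.1). The rule thresholds, the "eight mixed-case letters" heuristic and the list of imitated system process names are assumptions made for this example.

```python
"""Triage rules over lines of a DDS "Pseudo HJT Report" (added example)."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mExplorerRun: [msoffice] c:\docume~1\owner\locals~1\temp\scvhost.exe
Notify: avgrsstarter - avgrsstx.dll
Notify: cbXRJATK - cbXRJATK.dll
Notify: tuvWPFyv - tuvWPFyv.dll
SEH: {6afb6f98-289c-442e-b577-5e5125c742e2} - c:\windows\system32\tuvWPFyv.dll
SEH: {39e06d62-aa5e-4e40-8adc-e22ccb4bd55c} - c:\windows\system32\cbXRJATK.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKAPGx
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Process names malware likes to imitate (assumed list for this example).
KNOWN_SYSTEM_EXES = ("svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                     "explorer.exe", "services.exe", "smss.exe")
# DDS prefixes for autostart locations.
AUTOSTART_PREFIXES = ("uRun:", "mRun:", "uRunOnce:", "mRunOnce:", "dRunOnce:",
                      "uExplorerRun:", "mExplorerRun:", "StartupFolder:")
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; scvhost.exe vs svchost.exe is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_path(line: str) -> str:
    """Return the first drive-letter path on the line, quoted or bare."""
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)) if m else ""


def looks_random(stem: str) -> bool:
    """Eight letters in mixed case (cbXRJATK); all-lowercase avgrsstx passes."""
    return (bool(re.fullmatch(r"[A-Za-z]{8}", stem))
            and stem != stem.lower() and stem != stem.upper())


def triage(report: str) -> List[Dict[str, str]]:
    """Apply the rules to every line; return one finding per rule hit."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, line: str, detail: str) -> None:
        findings.append({"rule": rule, "line": line, "detail": detail})

    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if "ProxyServer" in line and re.search(r"127\.0\.0\.1|localhost", line, re.I):
            hit("local-proxy", line, "IE traffic routed through a local listener")
        elif line.startswith(AUTOSTART_PREFIXES):
            path = first_path(line)
            base = path.rsplit("\\", 1)[-1].lower()
            if re.search(r"\\temp\\", path, re.I):
                hit("autostart-from-temp", line, "autostart executes from a temp directory")
            for known in KNOWN_SYSTEM_EXES:
                if 0 < edit_distance(base, known) <= 2:
                    hit("lookalike-process", line, f"{base} imitates {known}")
        elif line.startswith(("Notify:", "SEH:")):
            for stem in re.findall(r"([A-Za-z0-9_]+)\.dll", line):
                if looks_random(stem):
                    hit("random-dll-name", line, f"{stem}.dll has a random-looking name")
        elif line.startswith("LSA: Authentication Packages"):
            for token in line.split("=", 1)[1].split():
                if token.lower() != "msv1_0":
                    hit("lsa-extra-package", line, f"extra LSA package {token}")
        elif line.startswith("Hosts:"):
            parts = line.split()
            if len(parts) >= 3 and parts[2].lower() != "localhost":
                hit("hosts-redirect", line, f"{parts[2]} pinned to {parts[1]}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

The AVG lines in the sample produce no findings, which is the point of keeping them in: a rule set that flags every BHO or Run entry is no better than reading the log by eye. Each finding carries the raw line so the analyst can decide what to do with it rather than trusting the rule.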

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi,

    You had problems since July? Malware usually fetches more malware. You're probably part of a bot network by now. You might consider a reformat/reinstall of Windows. If you still need help, post back.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Oct 2010
    Posts
    11


    Doing a reformat removes all files from the drive, correct? But I thought any storage devices that get plugged in tend to get infected, too. Is there a safe way to get necessary files off of the computer before reformatting?

    Also, is there somewhere I can find a good, simple guide for reformatting a computer?

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    Doing a reformat removes all files from the drive, correct?
    Yes a reformat wipes the drive.

    But I thought any storage devices that get plugged in tend to get infected, too
    Yes some malware can infect another drive, not all malware will do this.

    Is there a safe way to get necessary files off of the computer before reformatting?
    USB sticks, CD/DVD, free storage sites. The OS and software can be reinstalled, you would only need to save data you created.

    simple guide for reformatting a computer?
    Your computer vendors web site should have guides on how to do a reformat/reinstall.

    A reformat was a suggestion. Let's see if we can clean it up. We will get two downloads to use. The first is TDSSKiller, the second is ComboFix. Use TDSSKiller first. ComboFix requires that you read through a guide before you use it.

    TDSSkiller:
    Please download TDSS Killer.exe and save it to your desktop
    Double click to launch the utility. After it initializes click the start scan button.

    Once the scan completes you can click the continue button.

    "The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

    "After clicking Next, the utility applies selected actions and outputs the result."

    "A reboot might be required after disinfection."

    A report will be found on your root drive (Local Disk C:) as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time).
    Please post the log report

    Everything you need to know about ComboFix will be in the guide. Read through the guide and apply the directions on your own machine:

    Guide to using Combofix
    How Can I Reduce My Risk?
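For the data-rescue step in the reply above (save only the data you created, to removable media, before reformatting), the following is an added Python example, not from the original post or from any tool it names. It copies only files whose extension is on a data allow-list, refuses executables, shortcuts and autorun.inf so they cannot ride along to the clean install, leaves unknown types for a manual decision, and writes a SHA-256 manifest that can be re-checked after the reinstall. The allow/deny lists and the sample profile tree built by `demo()` are assumptions; on a real machine you would point `rescue()` at the profile folder and the removable drive, and scan that media with a known-clean machine's AV before restoring anything.

```python
"""Data-only copy to rescue media before a reformat (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed allow-list of user data types; extend for your own profile.
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".txt", ".pdf",
                   ".jpg", ".jpeg", ".png", ".mp3", ".csv"}
# Never carry these across: they are the usual way a clean install gets re-infected.
DENY_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}
DENY_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs",
                   ".js", ".lnk", ".pif", ".sys"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> str:
    """'copy' for allow-listed data, 'deny' for executable content, else 'skip'."""
    name, ext = path.name.lower(), path.suffix.lower()
    if name in DENY_NAMES or ext in DENY_EXTENSIONS:
        return "deny"
    if ext in DATA_EXTENSIONS:
        return "copy"
    return "skip"  # unknown type: leave it on the disk, decide by hand


def rescue(src: Path, dst: Path) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Copy allow-listed files from src to dst; return (copied, refused, manifest)."""
    copied, refused, manifest = [], [], {}
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src).as_posix()
        verdict = classify(p)
        if verdict == "deny":
            refused.append(rel)
            continue
        if verdict == "skip":
            continue
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(p, target)  # copyfile: bytes only, no metadata or ACLs
        manifest[rel] = sha256_of(target)
        copied.append(rel)
    (dst / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items())))
    return copied, refused, manifest


def verify(dst: Path) -> bool:
    """Re-hash the rescued files against the manifest (run after the reinstall)."""
    for line in (dst / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        if sha256_of(dst / rel) != digest:
            return False
    return True


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed profile tree in a temp dir and rescue it."""
    base = Path(tempfile.mkdtemp())
    src, dst = base / "profile", base / "usb"
    files = {  # constructed sample, modelled on the paths in the DDS log
        "My Documents/taxes.xlsx": b"spreadsheet",
        "My Documents/letter.doc": b"document",
        "My Pictures/cat.jpg": b"\xff\xd8jpeg",
        "Local Settings/Temp/scvhost.exe": b"MZ...",
        "My Documents/autorun.inf": b"[autorun]\nopen=scvhost.exe",
        "My Documents/taxes.xlsx.lnk": b"L\x00\x00\x00",
        "My Documents/notes.bak": b"unknown type",
    }
    for rel, data in files.items():
        f = src / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    copied, refused, _ = rescue(src, dst)
    assert verify(dst)
    return copied, refused


if __name__ == "__main__":
    c, r = demo()
    print("copied:", c)
    print("refused:", r)
```

The `.lnk` case matters: a shortcut named `taxes.xlsx.lnk` looks like a spreadsheet in Explorer with extensions hidden, but it is a pointer that can launch anything, so it is classified by its real suffix. Unknown extensions are skipped rather than copied so the allow-list stays the only path onto the rescue media.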

  5. #5
    Junior Member
    Join Date
    Oct 2010
    Posts
    11


    Okay, I ran both programs. They seem to have had at least a little effect. After they ran, I re-activated my firewall, antivirus, etc. As I did so, I noticed that, at some point during the infection, Spybot TeaTimer had been disabled. I now had the option of putting it back online, after which it let me know about two dozen registry changes. I allowed them, thinking that they were changes spybot was making. Should I have done that? (I don't know enough about malware to know if it can have 'backdoor' bits that can re-activate itself afterwards.)

    Anyway, here are the logs -

    ---TDSSKILLER---

    2010/10/08 14:08:38.0750 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
    2010/10/08 14:08:38.0750 ================================================================================
    2010/10/08 14:08:38.0750 SystemInfo:
    2010/10/08 14:08:38.0750
    2010/10/08 14:08:38.0750 OS Version: 5.1.2600 ServicePack: 3.0
    2010/10/08 14:08:38.0750 Product type: Workstation
    2010/10/08 14:08:38.0750 ComputerName: OWNER-BB1B8237F
    2010/10/08 14:08:38.0750 UserName: Owner
    2010/10/08 14:08:38.0750 Windows directory: C:\WINDOWS
    2010/10/08 14:08:38.0750 System windows directory: C:\WINDOWS
    2010/10/08 14:08:38.0750 Processor architecture: Intel x86
    2010/10/08 14:08:38.0750 Number of processors: 2
    2010/10/08 14:08:38.0750 Page size: 0x1000
    2010/10/08 14:08:38.0750 Boot type: Normal boot
    2010/10/08 14:08:38.0750 ================================================================================
    2010/10/08 14:08:39.0093 Initialize success
    2010/10/08 14:09:30.0484 ================================================================================
    2010/10/08 14:09:30.0484 Scan started
    2010/10/08 14:09:30.0484 Mode: Manual;
    2010/10/08 14:09:30.0484 ================================================================================
    2010/10/08 14:09:31.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/10/08 14:09:31.0109 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/10/08 14:09:31.0156 ADIHdAudAddService (d392183cc5379e302e50ceba635248eb) C:\WINDOWS\system32\drivers\ADIHdAud.sys
    2010/10/08 14:09:31.0187 AEAudioService (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\AEAudio.sys
    2010/10/08 14:09:31.0203 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/10/08 14:09:31.0265 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/10/08 14:09:31.0406 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    2010/10/08 14:09:31.0453 AmdLLD (ad8fa28d8ed0d0a689a0559085ce0f18) C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
    2010/10/08 14:09:31.0656 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/10/08 14:09:31.0687 atapi (006899ff8c518d23068bd4f7cea9baf7) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/10/08 14:09:31.0687 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 006899ff8c518d23068bd4f7cea9baf7, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
    2010/10/08 14:09:31.0687 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/10/08 14:09:31.0765 atksgt (3c4b9850a2631c2263507400d029057b) C:\WINDOWS\system32\DRIVERS\atksgt.sys
    2010/10/08 14:09:31.0796 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/10/08 14:09:31.0843 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/10/08 14:09:31.0906 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
    2010/10/08 14:09:31.0937 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
    2010/10/08 14:09:32.0046 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
    2010/10/08 14:09:32.0109 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/10/08 14:09:32.0156 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/10/08 14:09:32.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/10/08 14:09:32.0250 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/10/08 14:09:32.0265 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/10/08 14:09:32.0375 ctlsb16 (e2b1aedb62845581d848037f0a614ee6) C:\WINDOWS\system32\drivers\ctlsb16.sys
    2010/10/08 14:09:32.0437 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/10/08 14:09:32.0484 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/10/08 14:09:32.0546 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/10/08 14:09:32.0562 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/10/08 14:09:32.0593 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/10/08 14:09:32.0656 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/10/08 14:09:32.0687 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/10/08 14:09:32.0718 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/10/08 14:09:32.0750 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/10/08 14:09:32.0765 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/10/08 14:09:32.0812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/10/08 14:09:32.0828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/10/08 14:09:32.0859 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/10/08 14:09:32.0921 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/10/08 14:09:32.0968 HdAudAddService (f58d2900c66a1e773e3375098e0e9337) C:\WINDOWS\system32\drivers\HdAudio.sys
    2010/10/08 14:09:33.0000 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/10/08 14:09:33.0046 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/10/08 14:09:33.0140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/10/08 14:09:33.0203 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/10/08 14:09:33.0250 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/10/08 14:09:33.0312 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/10/08 14:09:33.0343 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/10/08 14:09:33.0468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/10/08 14:09:33.0500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/10/08 14:09:33.0531 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/10/08 14:09:33.0562 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/10/08 14:09:33.0593 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/10/08 14:09:33.0625 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/10/08 14:09:33.0671 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/10/08 14:09:33.0703 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/10/08 14:09:33.0796 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
    2010/10/08 14:09:33.0843 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/10/08 14:09:33.0875 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/10/08 14:09:33.0968 motccgp (c741717b0a18813dd7d12085937cee72) C:\WINDOWS\system32\DRIVERS\motccgp.sys
    2010/10/08 14:09:34.0000 motccgpfl (b812da6605caf02641312f1f65c75419) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
    2010/10/08 14:09:34.0031 motmodem (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    2010/10/08 14:09:34.0125 motport (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motport.sys
    2010/10/08 14:09:34.0187 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/10/08 14:09:34.0218 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/10/08 14:09:34.0328 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/10/08 14:09:34.0375 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/10/08 14:09:34.0437 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/10/08 14:09:34.0640 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/10/08 14:09:34.0734 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/10/08 14:09:34.0750 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/10/08 14:09:34.0765 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/10/08 14:09:34.0796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/10/08 14:09:34.0843 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
    2010/10/08 14:09:34.0875 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/10/08 14:09:34.0921 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/10/08 14:09:34.0984 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/10/08 14:09:35.0000 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/10/08 14:09:35.0015 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/10/08 14:09:35.0031 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/10/08 14:09:35.0046 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/10/08 14:09:35.0062 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/10/08 14:09:35.0125 NPF (243126da7ba441d7c7c3262dcf435a9c) C:\WINDOWS\system32\drivers\npf.sys
    2010/10/08 14:09:35.0156 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/10/08 14:09:35.0187 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/10/08 14:09:35.0218 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/10/08 14:09:35.0593 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/10/08 14:09:36.0046 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    2010/10/08 14:09:36.0093 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    2010/10/08 14:09:36.0156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/10/08 14:09:36.0171 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/10/08 14:09:36.0218 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/10/08 14:09:36.0234 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/10/08 14:09:36.0281 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/10/08 14:09:36.0296 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/10/08 14:09:36.0328 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/10/08 14:09:36.0359 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/10/08 14:09:36.0500 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/10/08 14:09:36.0578 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/10/08 14:09:36.0593 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/10/08 14:09:36.0609 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/10/08 14:09:36.0625 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/10/08 14:09:36.0718 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/10/08 14:09:36.0750 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/10/08 14:09:36.0796 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/10/08 14:09:36.0796 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/10/08 14:09:36.0843 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/10/08 14:09:36.0890 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/10/08 14:09:36.0921 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/10/08 14:09:36.0968 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/10/08 14:09:36.0984 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/10/08 14:09:37.0062 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/10/08 14:09:37.0187 SenFiltService (f22e6dd1d2cf71b77119eead1b3fc79d) C:\WINDOWS\system32\drivers\Senfilt.sys
    2010/10/08 14:09:37.0218 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/10/08 14:09:37.0234 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/10/08 14:09:37.0250 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/10/08 14:09:37.0343 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/10/08 14:09:37.0390 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/10/08 14:09:37.0421 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/10/08 14:09:37.0453 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/10/08 14:09:37.0468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/10/08 14:09:37.0562 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/10/08 14:09:37.0609 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/10/08 14:09:37.0640 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/10/08 14:09:37.0671 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/10/08 14:09:37.0703 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/10/08 14:09:37.0781 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
    2010/10/08 14:09:37.0828 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/10/08 14:09:37.0875 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/10/08 14:09:37.0921 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/10/08 14:09:37.0937 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/10/08 14:09:37.0953 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2010/10/08 14:09:38.0000 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/10/08 14:09:38.0046 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/10/08 14:09:38.0109 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/10/08 14:09:38.0156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/10/08 14:09:38.0187 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/10/08 14:09:38.0250 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/10/08 14:09:38.0312 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2010/10/08 14:09:38.0359 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/10/08 14:09:38.0453 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2010/10/08 14:09:38.0500 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/10/08 14:09:38.0531 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/10/08 14:09:38.0656 ================================================================================
    2010/10/08 14:09:38.0656 Scan finished
    2010/10/08 14:09:38.0656 ================================================================================
    2010/10/08 14:09:38.0671 Detected object count: 1
    2010/10/08 14:09:48.0593 atapi (006899ff8c518d23068bd4f7cea9baf7) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/10/08 14:09:48.0593 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 006899ff8c518d23068bd4f7cea9baf7, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
    2010/10/08 14:09:51.0343 Backup copy found, using it..
    2010/10/08 14:09:51.0343 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot
    2010/10/08 14:09:51.0343 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure
    2010/10/08 14:09:55.0078 Deinitialize success


    ---COMBOFIX---

    ComboFix 10-10-07.02 - Owner 10/08/2010 14:41:48.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1489 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .
    PEV Error: ProfilesFile
    PEV Error: ProfilesFolder

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\INSTALL.LOG
    c:\windows\desktop
    c:\windows\Downloaded Program Files\ODCTOOLS
    c:\windows\Imgtask.exe
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\sBJSAJjl.ini
    c:\windows\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
    .

    2010-10-04 18:55 . 2010-10-04 18:55 -------- d-----w- c:\program files\ERUNT
    2010-10-04 17:00 . 2010-10-04 17:00 4100960 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
    2010-10-04 17:00 . 2010-10-04 17:00 2065760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
    2010-10-04 17:00 . 2010-10-04 17:00 4394336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-10-03 22:54 . 2010-10-03 22:54 -------- d-----w- c:\documents and settings\Owner\Maximize Games
    2010-10-01 21:55 . 2010-10-01 21:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-10-01 20:06 . 2010-10-01 20:06 -------- d-----w- c:\documents and settings\Owner\Application Data\World-Loom
    2010-09-30 17:59 . 2010-09-30 17:59 -------- d-----w- c:\program files\Cooking Dash 3 - Thrills and Spills Collector's Edition
    2010-09-30 05:25 . 2010-09-30 05:29 -------- d-----w- c:\documents and settings\All Users\TheFallTrilogyEp2-BF
    2010-09-30 03:58 . 2010-09-30 03:58 -------- d-----w- c:\program files\James Patterson Women's Murder Club - A Darker Shade of Grey
    2010-09-28 04:34 . 2010-09-28 04:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Batovi
    2010-09-28 03:34 . 2010-09-28 03:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Realore_Whiterra Roads Of Rome
    2010-09-28 03:29 . 2010-09-28 03:29 -------- d-----w- c:\program files\Roads of Rome
    2010-09-28 03:28 . 2010-09-28 03:29 77686936 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\GameDB\F5941T1L1\setup_gF5941T1L1_d1046986304_l1_s1.exe
    2010-09-27 17:59 . 2010-09-27 17:59 -------- d-----w- c:\documents and settings\Owner\Application Data\KingArthur
    2010-09-24 18:51 . 2010-09-24 18:51 -------- d-----w- c:\program files\Wandering Willows
    2010-09-23 17:55 . 2010-09-23 17:56 -------- d-----w- c:\program files\Twisted Lands - Shadow Town Collector's Edition
    2010-09-23 17:37 . 2010-09-23 17:37 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-09-23 17:37 . 2010-09-23 17:37 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
    2010-09-23 17:37 . 2010-09-23 17:37 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-09-23 17:37 . 2010-09-23 17:37 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
    2010-09-23 17:37 . 2010-09-23 17:37 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
    2010-09-23 17:37 . 2010-09-23 17:37 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
    2010-09-23 17:36 . 2010-09-23 17:36 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-09-23 03:40 . 2010-09-23 03:40 -------- d-----w- c:\program files\Valerie Porter and the Scarlet Scandal
    2010-09-20 02:52 . 2010-09-20 02:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Freeze Tag
    2010-09-17 20:18 . 2010-09-17 20:19 -------- d-----w- c:\documents and settings\Owner\Application Data\MA
    2010-09-17 19:58 . 2010-09-17 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
    2010-09-16 07:50 . 2010-09-16 07:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Whisper of a Rose Saves
    2010-09-15 18:39 . 2010-09-23 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Gamers Digital
    2010-09-15 18:39 . 2010-09-15 18:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Gamers Digital
    2010-09-14 18:05 . 2010-09-14 18:05 -------- d-----w- c:\documents and settings\Owner\Application Data\BigFishGames
    2010-09-14 06:07 . 2010-09-14 06:08 -------- d-----w- c:\program files\DragonStone
    2010-09-13 22:21 . 2010-09-13 22:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Artifact Quest
    2010-09-13 06:04 . 2010-09-13 06:04 -------- d-----w- c:\documents and settings\Owner\Application Data\SunRay Games
    2010-09-13 05:36 . 2010-09-13 05:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Big Splash Games
    2010-09-13 05:36 . 2010-09-13 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Splash Games
    2010-09-12 05:46 . 2010-09-12 05:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Ten Heavens
    2010-09-12 03:03 . 2010-09-12 03:04 -------- d-----w- c:\program files\Royal Trouble
    2010-09-12 00:29 . 2010-09-12 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\TOMI2.THE GATES OF FATE
    2010-09-09 17:55 . 2010-09-09 17:56 -------- d-----w- c:\documents and settings\Owner\Application Data\SecretIslandEng

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-08 18:10 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-10-08 17:58 . 2009-11-02 04:10 1984 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-10-07 19:01 . 2008-06-12 03:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-04 00:54 . 2010-05-24 20:04 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    2010-10-04 00:52 . 2010-05-24 20:02 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    2010-09-30 18:00 . 2009-12-08 18:42 -------- d-----w- c:\documents and settings\Owner\Application Data\PlayFirst
    2010-09-30 07:57 . 2008-01-15 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
    2010-09-30 06:33 . 2008-01-15 02:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Flood Light Games
    2010-09-28 18:05 . 2010-07-19 04:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Vogat Interactive
    2010-09-26 07:56 . 2010-05-24 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-09-26 07:55 . 2007-03-07 08:14 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-23 17:57 . 2010-08-17 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
    2010-09-23 02:40 . 2010-03-19 20:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Artifex Mundi
    2010-09-20 23:05 . 2010-05-30 16:59 -------- d-----w- c:\program files\Google
    2010-09-17 08:26 . 2007-03-07 08:23 249856 ------w- c:\windows\Setup1.exe
    2010-09-17 08:26 . 2007-03-07 08:23 73216 ----a-w- c:\windows\ST6UNST.EXE
    2010-09-16 17:23 . 2008-01-04 19:10 -------- d-----w- c:\program files\Steam
    2010-09-15 18:56 . 2009-04-01 20:32 -------- d-----w- c:\program files\bfgclient
    2010-09-15 18:55 . 2010-03-18 17:54 3964328 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-09-13 02:01 . 2010-08-03 17:58 -------- d-----w- c:\documents and settings\Owner\Application Data\ERS Game Studios
    2010-09-08 18:02 . 2010-08-26 16:41 -------- d-----w- c:\documents and settings\Owner\Application Data\xLoader-Cache
    2010-09-07 17:53 . 2010-09-07 17:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Elephant Games
    2010-09-07 06:54 . 2010-09-07 06:54 -------- d-----w- c:\documents and settings\Owner\Application Data\quickclick
    2010-09-07 03:37 . 2010-09-07 03:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Ghost Ship Studios
    2010-09-02 17:40 . 2010-03-30 17:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Specialbit
    2010-09-01 18:57 . 2010-09-01 18:57 -------- d-----w- c:\program files\Common Files\Real
    2010-09-01 18:57 . 2007-06-06 15:32 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-01 09:19 . 2010-09-01 09:18 -------- d-----w- c:\program files\My Kingdom for the Princess II
    2010-08-31 04:34 . 2010-08-31 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\blg
    2010-08-31 01:41 . 2009-04-05 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
    2010-08-31 00:19 . 2010-08-31 00:19 -------- d-----w- c:\documents and settings\Owner\Application Data\blg
    2010-08-28 22:45 . 2010-02-15 00:23 -------- d-----w- c:\program files\A Tale of Two Kingdoms
    2010-08-26 16:39 . 2010-08-26 16:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Sega-CD
    2010-08-26 05:56 . 2010-08-26 05:56 -------- d-----w- c:\program files\Avenue Flo
    2010-08-26 03:23 . 2010-08-26 03:19 -------- d-----w- c:\documents and settings\Owner\Application Data\PeaceCraft2
    2010-08-26 03:02 . 2010-08-26 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Exorcist DS 1
    2010-08-26 02:51 . 2010-08-26 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Veronica&BoD
    2010-08-23 19:35 . 2007-03-07 08:19 -------- d-----w- c:\program files\Common Files\Java
    2010-08-23 19:34 . 2007-03-07 08:19 -------- d-----w- c:\program files\Java
    2010-08-23 05:20 . 2010-05-13 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
    2010-08-21 02:56 . 2009-02-24 03:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-08-21 01:56 . 2009-02-24 03:16 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-08-19 01:55 . 2010-08-19 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\ShaoLin
    2010-08-18 19:22 . 2010-08-18 19:22 -------- d-----w- c:\program files\Shaolin Mystery - Tale of the Jade Dragon Staff
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\shaolin-mystery-tale-of-the-jade-dragon-staff_s1_l1_gF5921T1L1_d1000111261[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\robins-quest_s1_l1_gF5927T1L1_d1005236074[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dinerdashfloontheg_s1_l1_gF1312T1L1_d1000659895[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dinerdash2restaura_s1_l1_gF976T1L1_d1000409443[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dinerdash_s1_l1_gF60T1L1_d1000112871[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dinerdash_s1_l1_gF60T1L1_d1000111574[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\diner-dash-seasonal-snack-pack_s1_l1_gF2639T1L1_d1001205668[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\diner-dash-hometown-hero_s1_l1_gF2206T1L1_d1001125388[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\diner-dash-flo-through-time_s1_l1_gF2730T1L1_d1006290210[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\diner-dash-5-boom_s1_l1_gF5458T1L1_d1006290428[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\chime-spirits_s1_l1_gF5809T1L1_d1000113306[1].exe
    2010-08-17 01:38 . 2010-08-17 01:38 143392 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\chime-spirits_s1_l1_gF5809T1L1_d1000111110[1].exe
    2010-08-09 23:01 . 2010-08-09 23:01 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
    2010-08-09 23:01 . 2010-08-09 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2010-08-09 23:01 . 2010-08-09 21:01 -------- d-----w- c:\program files\StarCraft II
    2010-08-09 22:20 . 2009-07-31 20:08 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-08-09 22:19 . 2007-08-06 16:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-08-09 22:18 . 2007-12-10 02:09 -------- d-----w- c:\program files\AGEIA Technologies
    2010-08-09 22:18 . 2010-08-09 22:18 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-08-09 22:18 . 2010-08-09 22:18 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-08-09 22:18 . 2010-08-09 22:18 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-08-09 22:05 . 2008-01-21 05:17 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2010-08-09 20:22 . 2007-11-07 15:44 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-08-08 16:03 . 2010-08-08 16:03 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2eaff6ea-n\decora-sse.dll
    2010-08-08 16:03 . 2010-08-08 16:03 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20fbf4b0-n\msvcp71.dll
    2010-08-08 16:03 . 2010-08-08 16:03 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20fbf4b0-n\jmc.dll
    2010-08-08 16:03 . 2010-08-08 16:03 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20fbf4b0-n\msvcr71.dll
    2010-08-08 16:03 . 2010-08-08 16:03 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2eaff6ea-n\decora-d3d.dll
    2010-07-22 03:41 . 2008-08-10 07:08 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-07-22 03:41 . 2008-08-10 07:08 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-07-17 09:00 . 2010-06-22 18:38 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-15 16:32 . 2009-10-05 19:21 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 16:32 . 2010-07-15 16:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 16:31 . 2009-10-05 19:21 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-15 16:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\WINDOWS\\system32\\dxdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\half-life\\hl.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\half-life blue shift\\hl.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\eternal-silence\\hl2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\dystopia\\hl2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\age of chivalry\\hl2.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
    "c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
    "c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
    "c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
    "c:\\Documents and Settings\\Owner\\Local Settings\\Apps\\2.0\\17O8DGDD.ZXT\\ON1DH7WT.V9H\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
    "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
    "c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6401:TCP"= 6401:TCP:*:Disabled:SolidNetworkManager
    "6401:UDP"= 6401:UDP:*:Disabled:SolidNetworkManager
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 3:21 PM 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 3:21 PM 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 12:32 PM 308136]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [9/22/2009 1:26 PM 91392]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/11/2007 3:43 AM 24652]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2010 12:59 PM 136176]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [8/4/2008 11:44 PM 96256]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/27/2009 12:03 AM 25832]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/2/2009 6:27 PM 23936]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 16:59]

    2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 16:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_cyri_4.1.71.0.cab
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    ShellExecuteHooks-{6AFB6F98-289C-442E-B577-5E5125C742E2} - c:\windows\system32\tuvWPFyv.dll
    ShellExecuteHooks-{39E06D62-AA5E-4E40-8ADC-E22CCB4BD55C} - c:\windows\system32\cbXRJATK.dll
    Notify-cbXRJATK - cbXRJATK.dll
    Notify-tuvWPFyv - tuvWPFyv.dll
    SafeBoot-klmdb.sys
    AddRemove-DivX Content Uploader - c:\program files\DivX\DivXContentUploaderUninstall.exe
    AddRemove-Episode 205 - What's New, Beelzebub? - c:\program files\Telltale Games\Sam and Max - Season Two\Uninstall Episode 205 - What's New
    AddRemove-LucasArts' Grim Fandango - c:\program files\LucasArts\Grim\DeIsL1.isu
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
    AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-507921405-562591055-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:dd,6a,35,ad,47,ec,cf,b2,cb,ad,3d,77,fd,6b,ec,4c,ac,2f,84,12,65,e5,cb,
    cf,73,40,7e,60,a9,c0,1f,8b,a4,fd,f5,89,4b,bd,e1,6e,91,68,a8,e9,63,29,03,2e,\
    "??"=hex:2e,0c,57,33,13,0b,8a,48,08,cd,a1,2c,27,53,aa,81

    [HKEY_USERS\S-1-5-21-507921405-562591055-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:94,cd,2e,2d,58,78,3e,38,47,92,9b,54,6d,dc,07,3b,73,d2,6a,ac,e5,
    7f,a0,c8,a9,9a,b7,4f,ed,37,2c,26,4b,58,c4,72,de,e0,05,7d,20,ca,30,4d,07,52,\
    "rkeysecu"=hex:86,c4,68,d0,51,94,a3,61,1d,f3,7f,23,0a,d2,36,40

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3748)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\UPHClean\uphclean.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    c:\program files\Motorola\MotoConnectService\MotoConnect.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-08 14:59:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-08 18:59

    Pre-Run: 46,316,761,088 bytes free
    Post-Run: 48,693,567,488 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - CE5F4E602D41E23EDF1998955459F5C4

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    OK, good. For now you can get another download to use and keep. Link and directions:

    Please download the free version of Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    Oct 2010
    Posts
    11

    Default

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4792

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/10/2010 10:08:28 PM
    mbam-log-2010-10-10 (22-08-28).txt

    Scan type: Full scan (C:\|F:\|)
    Objects scanned: 391465
    Time elapsed: 2 hour(s), 29 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\windows sound (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    OK, good. Run ComboFix once more like you did before. It will probably ask to update; let it. Post the new log after it runs.
    How Can I Reduce My Risk?

  9. #9
    Junior Member
    Join Date
    Oct 2010
    Posts
    11

    Default

    New log for Combofix -

    ComboFix 10-10-11.01 - Owner 10/11/2010 21:53:08.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1497 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
    .

    2010-10-08 19:15 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-10-04 18:55 . 2010-10-04 18:55 -------- d-----w- c:\program files\ERUNT
    2010-10-03 22:54 . 2010-10-03 22:54 -------- d-----w- c:\documents and settings\Owner\Maximize Games
    2010-10-01 20:06 . 2010-10-01 20:06 -------- d-----w- c:\documents and settings\Owner\Application Data\World-Loom
    2010-09-30 17:59 . 2010-09-30 17:59 -------- d-----w- c:\program files\Cooking Dash 3 - Thrills and Spills Collector's Edition
    2010-09-30 05:25 . 2010-09-30 05:29 -------- d-----w- c:\documents and settings\All Users\TheFallTrilogyEp2-BF
    2010-09-30 03:58 . 2010-09-30 03:58 -------- d-----w- c:\program files\James Patterson Women's Murder Club - A Darker Shade of Grey
    2010-09-28 04:34 . 2010-09-28 04:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Batovi
    2010-09-28 03:34 . 2010-09-28 03:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Realore_Whiterra Roads Of Rome
    2010-09-28 03:29 . 2010-09-28 03:29 -------- d-----w- c:\program files\Roads of Rome
    2010-09-27 17:59 . 2010-09-27 17:59 -------- d-----w- c:\documents and settings\Owner\Application Data\KingArthur
    2010-09-24 18:51 . 2010-09-24 18:51 -------- d-----w- c:\program files\Wandering Willows
    2010-09-23 17:55 . 2010-09-23 17:56 -------- d-----w- c:\program files\Twisted Lands - Shadow Town Collector's Edition
    2010-09-23 03:40 . 2010-09-23 03:40 -------- d-----w- c:\program files\Valerie Porter and the Scarlet Scandal
    2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2010-09-20 02:52 . 2010-09-20 02:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Freeze Tag
    2010-09-17 20:18 . 2010-09-17 20:19 -------- d-----w- c:\documents and settings\Owner\Application Data\MA
    2010-09-17 19:58 . 2010-09-17 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
    2010-09-17 07:58 . 2010-09-17 07:58 73216 ----a-w- c:\windows\temp.000
    2010-09-16 07:50 . 2010-09-16 07:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Whisper of a Rose Saves
    2010-09-15 18:39 . 2010-09-23 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Gamers Digital
    2010-09-15 18:39 . 2010-09-15 18:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Gamers Digital
    2010-09-14 18:05 . 2010-09-14 18:05 -------- d-----w- c:\documents and settings\Owner\Application Data\BigFishGames
    2010-09-14 06:07 . 2010-09-14 06:08 -------- d-----w- c:\program files\DragonStone
    2010-09-13 22:21 . 2010-09-13 22:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Artifact Quest
    2010-09-13 06:04 . 2010-09-13 06:04 -------- d-----w- c:\documents and settings\Owner\Application Data\SunRay Games
    2010-09-13 05:36 . 2010-09-13 05:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Big Splash Games
    2010-09-13 05:36 . 2010-09-13 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Splash Games
    2010-09-12 05:46 . 2010-09-12 05:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Ten Heavens
    2010-09-12 03:03 . 2010-09-12 03:04 -------- d-----w- c:\program files\Royal Trouble

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-15 16:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRJATK]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvWPFyv]
    [BU]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\WINDOWS\\system32\\dxdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\half-life\\hl.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\half-life blue shift\\hl.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\eternal-silence\\hl2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\dystopia\\hl2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\pizzadude26\\age of chivalry\\hl2.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
    "c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
    "c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
    "c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
    "c:\\Documents and Settings\\Owner\\Local Settings\\Apps\\2.0\\17O8DGDD.ZXT\\ON1DH7WT.V9H\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
    "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
    "c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6401:TCP"= 6401:TCP:*:Disabled:SolidNetworkManager
    "6401:UDP"= 6401:UDP:*:Disabled:SolidNetworkManager
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 3:21 PM 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 3:21 PM 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 12:32 PM 308136]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [9/22/2009 1:26 PM 91392]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/11/2007 3:43 AM 24652]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2010 12:59 PM 136176]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [8/4/2008 11:44 PM 96256]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/27/2009 12:03 AM 25832]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/2/2009 6:27 PM 23936]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 16:59]

    2010-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 16:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-507921405-562591055-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:dd,6a,35,ad,47,ec,cf,b2,cb,ad,3d,77,fd,6b,ec,4c,ac,2f,84,12,65,e5,cb,
    cf,73,40,7e,60,a9,c0,1f,8b,a4,fd,f5,89,4b,bd,e1,6e,91,68,a8,e9,63,29,03,2e,\
    "??"=hex:2e,0c,57,33,13,0b,8a,48,08,cd,a1,2c,27,53,aa,81

    [HKEY_USERS\S-1-5-21-507921405-562591055-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:94,cd,2e,2d,58,78,3e,38,47,92,9b,54,6d,dc,07,3b,73,d2,6a,ac,e5,
    7f,a0,c8,a9,9a,b7,4f,ed,37,2c,26,4b,58,c4,72,de,e0,05,7d,20,ca,30,4d,07,52,\
    "rkeysecu"=hex:86,c4,68,d0,51,94,a3,61,1d,f3,7f,23,0a,d2,36,40

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3308)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-10-11 22:03:49
    ComboFix-quarantined-files.txt 2010-10-12 02:03
    ComboFix2.txt 2010-10-08 18:59

    Pre-Run: 49,745,711,104 bytes free
    Post-Run: 49,832,554,496 bytes free

    - - End Of File - - 52598CEFBA5A55485FD11C4B997F5CA8

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    OK. We will use ComboFix.

    Click Start, then Run and type Notepad and click OK.
    Copy/paste the text in the code box below into notepad:

    Code:
    DDS:
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    Name the Notepad file CFScript.txt and save it to your desktop.
    Now locate the file you just saved and the ComboFix icon, both on your desktop.
    Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
    Please post the new ComboFix log.
    How Can I Reduce My Risk?
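    An added check, not part of this thread or of the ComboFix tool: it runs over constructed DDS-style lines modelled on the Supplementary Scan section above, flags a ProxyServer entry that points at the local machine (the 127.0.0.1:5555 indicator in this log), and emits the same kind of CFScript "DDS:" block the helper wrote in the post above. The sample lines and the function names are assumptions.

```python
"""Flag a loopback IE proxy in DDS/ComboFix 'Supplementary Scan' lines.

Added example, not from the thread. A ProxyServer of 127.0.0.1 means every
IE request is funnelled through a process on the same machine, which is
consistent with the search redirects described in this thread.
"""
import ipaddress
import re

# Constructed sample, modelled on the Supplementary Scan section in the log above.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
"""

# DDS prefixes the key with u (HKCU) or m (HKLM); the ProxyServer value is
# either "host:port" or a ";"-separated list of "scheme=host:port" entries.
SETTING_RE = re.compile(
    r"^(?P<scope>[um])Internet Settings,(?P<name>ProxyServer|ProxyOverride)\s*=\s*(?P<value>.*)$"
)


def parse_proxy_server(value):
    """Return [(scheme, host, port)] for an IE ProxyServer string."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is "" when no "=" present
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1 (brackets around IPv6 allowed)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def find_loopback_proxies(log_text):
    """Return the DDS lines whose ProxyServer points at this machine."""
    hits = []
    for line in log_text.splitlines():
        m = SETTING_RE.match(line.strip())
        if not m or m.group("name") != "ProxyServer":
            continue
        if any(is_loopback(h) for _, h, _ in parse_proxy_server(m.group("value"))):
            hits.append(line.strip())
    return hits


def build_cfscript(log_text):
    """CFScript 'DDS:' block for the flagged ProxyServer lines plus the
    ProxyOverride line of the same scope, or None when nothing was flagged."""
    hits = find_loopback_proxies(log_text)
    if not hits:
        return None
    scopes = {h[0] for h in hits}          # "u" or "m"
    lines = ["DDS:"]
    for line in log_text.splitlines():
        m = SETTING_RE.match(line.strip())
        if m and m.group("scope") in scopes and (m.group("name") == "ProxyOverride" or line.strip() in hits):
            lines.append(line.strip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```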
