Hello all. I may need some help here but I am not sure. I had a Battle.net account compromised and I am trying to find the source.

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:15:25 PM, on 8/25/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17080)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Edward\My Documents\Downloads\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 4306 bytes

Hello Epochsend, and welcome.

 

My name is JonTom.

 

  • Malware Logs can sometimes take a lot of time to research and interpret.

  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

Please work your way through the following steps:

  • Please perform the following scan

    • Please download DDS from here and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    • Please post the contents of the DDS.txt and Attach.txt logs in your next reply.

  • Please scan your system with GMER

    Download GMER Rootkit Scanner from here or here.

    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

    **Caution**

    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

 

Please post the DDS logs and the GMER log in your next reply.

 

If you encounter any difficulties come back and let me know.

 

 

Hello there JonTom! Here are the DDS reports; however, I am having a tough time getting GMER to complete a scan. It causes a hard lock-up of my system.

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by Edward at 16:17:40.57 on Thu 08/26/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1469 [GMT -7:00]

 

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Steam\Steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Edward\My Documents\Downloads\dds.scr

 

============== Pseudo HJT Report ===============

 

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: intuit.com\ttlc

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\edward\applic~1\mozilla\firefox\profiles\zgxv3nqu.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\edward\application data\mozilla\firefox\profiles\zgxv3nqu.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

 

============= SERVICES / DRIVERS ===============

 

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-23 11608]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2010-1-12 123280]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2010-1-12 41616]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-23 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-23 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-23 56816]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-12-17 99152]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-12-17 110096]

S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [2009-12-23 70144]

 

=============== Created Last 30 ================

 

2010-08-26 01:43:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-26 01:43:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-26 01:43:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-26 01:24:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL

2010-08-26 01:24:18 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX

2010-08-26 01:24:17 0 d-----w- c:\program files\SpywareBlaster

2010-08-14 04:50:57 45 ----a-w- c:\windows\system32\initdebug.nfo

2010-08-14 04:45:19 0 d-----w- c:\program files\Lavalys

2010-08-05 23:08:39 0 d-----w- c:\docume~1\edward\applic~1\.purple

2010-08-05 23:05:09 0 d-----w- c:\program files\Pidgin

2010-07-30 04:59:58 0 d-----w- c:\program files\mektek.net

2010-07-29 19:13:22 0 d-----w- c:\program files\StarCraft II

 

==================== Find3M ====================

 

2010-07-17 12:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:15:26 17408 ----a-w- c:\windows\system32\corpol.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

 

============= FINISH: 16:18:05.62 ===============

 

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_10-03-17.01)

 

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume5

Install Date: 12/23/2009 7:55:53 PM

System Uptime: 8/26/2010 4:12:58 PM (0 hours ago)

 

Motherboard: EPoX COMPUTER CO., LTD | | nForce4 DDR: 9NPA+ / 9NPA+Ultra / 9NPAJ / 9NPA Ultra Series

Processor: AMD Athlon 64 X2 Dual Core Processor 4200+ | Socket 939 | 2530/230mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 74 GiB total, 13.36 GiB free.

D: is CDROM (CDFS)

E: is CDROM (UDF)

 

==== Disabled Device Manager Items =============

 

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Memory Controller

Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_10111695&REV_A3\3&2411E6FE&0&00

Manufacturer:

Name: PCI Memory Controller

PNP Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_10111695&REV_A3\3&2411E6FE&0&00

Service:

 

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: SM Bus Controller

Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_10111695&REV_A2\3&2411E6FE&0&09

Manufacturer:

Name: SM Bus Controller

PNP Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_10111695&REV_A2\3&2411E6FE&0&09

Service:

 

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Multimedia Audio Controller

Device ID: PCI\VEN_10DE&DEV_0059&SUBSYS_10111695&REV_A2\3&2411E6FE&0&20

Manufacturer:

Name: Multimedia Audio Controller

PNP Device ID: PCI\VEN_10DE&DEV_0059&SUBSYS_10111695&REV_A2\3&2411E6FE&0&20

Service:

 

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Multimedia Audio Controller

Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_100A1102&REV_00\4&13699180&0&2848

Manufacturer:

Name: Multimedia Audio Controller

PNP Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_100A1102&REV_00\4&13699180&0&2848

Service:

 

==== System Restore Points ===================

 

RP55: 5/31/2010 1:44:57 AM - Software Distribution Service 3.0

RP56: 6/3/2010 2:00:15 PM - System Checkpoint

RP57: 6/4/2010 2:29:27 PM - System Checkpoint

RP58: 6/5/2010 3:30:56 PM - System Checkpoint

RP59: 6/6/2010 8:20:32 PM - System Checkpoint

RP60: 6/9/2010 2:45:07 PM - System Checkpoint

RP61: 6/10/2010 3:13:28 AM - Software Distribution Service 3.0

RP62: 6/10/2010 3:22:24 PM - Installed Java 6 Update 20

RP63: 6/10/2010 3:23:18 PM - Software Distribution Service 3.0

RP64: 6/16/2010 4:18:19 PM - System Checkpoint

RP65: 6/17/2010 4:32:08 PM - System Checkpoint

RP66: 6/23/2010 4:06:34 PM - System Checkpoint

RP67: 6/24/2010 4:53:37 PM - System Checkpoint

RP68: 6/30/2010 2:38:03 PM - System Checkpoint

RP69: 7/1/2010 2:59:21 AM - Software Distribution Service 3.0

RP70: 7/4/2010 3:16:31 PM - System Checkpoint

RP71: 7/7/2010 3:45:23 PM - System Checkpoint

RP72: 7/8/2010 6:17:37 PM - System Checkpoint

RP73: 7/14/2010 6:09:15 PM - System Checkpoint

RP74: 7/15/2010 2:49:57 AM - Software Distribution Service 3.0

RP75: 7/18/2010 8:57:36 PM - System Checkpoint

RP76: 7/19/2010 9:20:46 PM - System Checkpoint

RP77: 7/21/2010 4:05:25 PM - System Checkpoint

RP78: 7/22/2010 4:36:42 PM - System Checkpoint

RP79: 7/28/2010 2:43:55 PM - System Checkpoint

RP80: 7/29/2010 7:11:35 PM - System Checkpoint

RP81: 7/29/2010 9:59:56 PM - Installed MTX

RP82: 8/4/2010 4:11:47 PM - System Checkpoint

RP83: 8/11/2010 4:39:26 PM - System Checkpoint

RP84: 8/12/2010 4:37:43 PM - Installed Adobe Reader 8.2.0

RP85: 8/13/2010 5:16:15 PM - System Checkpoint

RP86: 8/14/2010 5:29:10 PM - System Checkpoint

RP87: 8/15/2010 8:10:00 PM - System Checkpoint

RP88: 8/18/2010 1:11:13 PM - Installed Java 6 Update 21

RP89: 8/19/2010 1:20:33 PM - System Checkpoint

RP90: 8/25/2010 3:02:07 PM - System Checkpoint

RP91: 8/25/2010 5:48:47 PM - Software Distribution Service 3.0

 

==== Installed Programs ======================

 

 

7-Zip 4.65

Adobe Flash Player 10 Plugin

Adobe Reader 8.2.4

Avira AntiVir Personal - Free Antivirus

Call of Duty: Modern Warfare 2

Call of Duty: Modern Warfare 2 - Multiplayer

EVEREST Home Edition v2.20

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

InfraRecorder

iSEEK AnswerWorks English Runtime

Java Auto Updater

Java 6 Update 21

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

ML-1200 Series

Mozilla Firefox (3.6.8)

MTX

NVIDIA Display Control Panel

NVIDIA Drivers

NVIDIA nView Desktop Manager

NVIDIA PhysX

OpenOffice.org 3.1

Pidgin

Privateer

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

SpywareBlaster 4.3

StarCraft II

Steam

Sun VirtualBox

TurboTax 2009

TurboTax 2009 waziper

TurboTax 2009 WinPerFedFormset

TurboTax 2009 WinPerReleaseEngine

TurboTax 2009 WinPerTaxSupport

TurboTax 2009 wrapper

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Ventrilo Client

WebFldrs XP

Windows Internet Explorer 7

Windows XP Service Pack 3

World of Warcraft

 

==== End Of File ===========================

Hello Epochsend

 

> I am having a tough time getting GMER to complete a scan

Sometimes GMER can be a little difficult, but the information it provides can often be invaluable (GMER can detect things that many tools can't see).

 

 

  • GMER

    • If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
    • If GMER does not produce a log please try running it from Safe Mode.

      How to use the F8 method to Start Your Computer in Safe Mode

      • Restart your computer.
      • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
      • Use the arrow keys to select the Safe mode menu item.
      • Press Enter.

    • If GMER in safe mode does not work, please try RootRepeal:

  • RootRepeal

    • Please download RootRepeal to your desktop.
    • Physically disconnect your machine from the internet as your system will be unprotected.
    • Unzip it to its own folder, close all other programs especially your security programs (anti-spyware, anti-virus, and firewall) and run RootRepeal.exe
    • Click the Report tab at the bottom and then the Scan button.
    • A box will pop up, check the boxes beside Drivers, Files, Processes, SSDT and click OK.
    • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
    • The scan will take a little while to run, so let it go unhindered.
    • Once it is done, click the "Save Report" button, call it RepealScan and save the log to your desktop.
    • Reconnect to the internet.

Please provide the GMER/RootRepeal log in your next reply. If you are still having trouble, come back and let me know.

Morning/Afternoon JonTom. I did manage to get GMER to run in safe mode; however, the report it produced was empty. During my unsuccessful scans in normal boot it did produce entries, but I could not get the scan to complete and produce a log in normal boot mode. A few entries looked unique in GMER compared to the results from the RootRepeal log below.

 

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/08/29 01:40

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB3AD0000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xB860A000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB34CC000 Size: 49152 File Visible: No Signed: -

Status: -

 

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xb87881d6

 

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xb87881cc

 

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xb87881db

 

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xb87881e5

 

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xb87881ea

 

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xb87881b8

 

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xb87881bd

 

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xb87881f4

 

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xb87881ef

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xb87881e0

 

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xb87881c7

 

==EOF==

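The SSDT section above shows eleven hooks whose owner RootRepeal can only report as "<unknown>", all within a few dozen bytes of each other, while none of the three enumerated drivers' image ranges covers those addresses. As an added triage aid (not RootRepeal's code and not from any poster in this thread), the Python below parses a report in that layout and attributes each hook to the listed driver whose range contains it; the sample report and the example_av.sys driver in it are constructed.

```python
"""Triage a RootRepeal report: parse the Drivers and SSDT sections and
attribute each SSDT hook to the enumerated driver whose image range
covers the hook address.  Hooks no listed driver accounts for are the
ones worth a closer look.  Added example; the report is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the RootRepeal 1.3.5.0 layout (example_av.sys is invented).
SAMPLE_REPORT = """\
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xB3AD0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: example_av.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\example_av.sys
Address: 0xB8120000 Size: 65536 File Visible: Yes Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb87881d6

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb87881b8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "example_av.sys" at address 0xb8123456
==EOF==
"""

# One match per driver block: name, load address, image size.
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\nImage Path: .*\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")
# One match per hooked SSDT entry: function, reported hooker, address.
HOOK_RE = re.compile(
    r"#: \d+ Function Name: (?P<func>\w+)\n"
    r'Status: Hooked by "(?P<by>[^"]*)" at address (?P<addr>0x[0-9A-Fa-f]+)')


def parse_drivers(report: str) -> List[Tuple[str, int, int]]:
    """(name, base, size) for every driver RootRepeal listed."""
    return [(m["name"], int(m["addr"], 16), int(m["size"]))
            for m in DRIVER_RE.finditer(report)]


def parse_hooks(report: str) -> List[Tuple[str, str, int]]:
    """(function, reported hooker, hook address) per SSDT hook."""
    return [(m["func"], m["by"], int(m["addr"], 16))
            for m in HOOK_RE.finditer(report)]


def attribute_hooks(report: str) -> Dict[str, Optional[str]]:
    """Map each hooked function to the listed driver whose image range
    contains the hook address, or None when no listed driver does."""
    drivers = parse_drivers(report)
    owners: Dict[str, Optional[str]] = {}
    for func, _by, addr in parse_hooks(report):
        owners[func] = next((name for name, base, size in drivers
                             if base <= addr < base + size), None)
    return owners


def unattributed_span(report: str) -> Optional[Tuple[int, int]]:
    """Lowest and highest unattributed hook address; a span of a few
    dozen bytes means one small dispatcher serves every hook."""
    owners = attribute_hooks(report)
    addrs = [addr for func, _by, addr in parse_hooks(report)
             if owners[func] is None]
    return (min(addrs), max(addrs)) if addrs else None
```

Run against the log posted above, every hook comes back unattributed, which is the same observation the helper makes in the next reply.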

Hello EpochsEnd

 

Thank you for the log.

 

A few entries looked unique in GMER compared to the results from the rootrepeal log below.

I think there may be something on your system that is trying very hard to avoid detection. Before proceeding I would like to take another look at your machine with the following scanner:

 

 

  • Please download and run Rooter

     

     

  • Download Rooter by clicking here, and save the file (called Rooter.exe) to your desktop.
  • Double click on the desktop icon to start the scan.
  • When Rooter has completed its scan, a Notepad file containing the scan report will open (this report can also be found at %systemdrive%\Rooter.txt).
  • Please post the Rooter log in your next reply.

Hello Jon Tom. Here is the rooter log.

 

 

Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows XP . (5.1.2600) Service Pack 3

[32_bits] - x86 Family 15 Model 35 Stepping 2, AuthenticAMD

.

[wscsvc] (Security Center) RUNNING (state:4)

[sharedAccess] RUNNING (state:4)

Windows Firewall -> Enabled

.

Internet Explorer 7.0.5730.13

.

C:\ [Fixed-NTFS] .. ( Total:74 Go - Free:13 Go )

D:\ [CD_Rom]

E:\ [CD_Rom]

.

Scan : 01:39.53

Path : C:\Documents and Settings\Edward\Desktop\Rooter.exe

User : Edward ( Administrator -> YES )

.

----------------------\\ Processes

.

Locked [system Process] (0)

______ System (4)

______ \SystemRoot\System32\smss.exe (956)

______ \??\C:\WINDOWS\system32\csrss.exe (1008)

______ \??\C:\WINDOWS\system32\winlogon.exe (1032)

______ C:\WINDOWS\system32\services.exe (1076)

______ C:\WINDOWS\system32\lsass.exe (1088)

______ C:\WINDOWS\system32\nvsvc32.exe (1292)

______ C:\WINDOWS\system32\svchost.exe (1336)

______ C:\WINDOWS\system32\svchost.exe (1408)

______ C:\WINDOWS\System32\svchost.exe (192)

______ C:\WINDOWS\system32\svchost.exe (400)

______ C:\WINDOWS\system32\svchost.exe (592)

______ C:\WINDOWS\system32\spoolsv.exe (784)

______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (880)

______ C:\WINDOWS\Explorer.EXE (1508)

______ C:\WINDOWS\system32\svchost.exe (1720)

______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (1788)

______ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (1820)

______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (1836)

______ C:\Program Files\Steam\Steam.exe (1864)

______ C:\WINDOWS\system32\ctfmon.exe (1888)

______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (180)

______ C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (268)

______ C:\Program Files\Java\jre6\bin\jqs.exe (332)

______ C:\WINDOWS\system32\wuauclt.exe (420)

______ C:\WINDOWS\System32\alg.exe (3280)

______ C:\Program Files\Mozilla Firefox\firefox.exe (2608)

______ C:\WINDOWS\System32\svchost.exe (2724)

______ C:\Documents and Settings\Edward\Desktop\Rooter.exe (1352)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:39900801024)

\Device\Harddisk0\Partition0 (Start_Offset:39900833280 | Length:40098240000)

\Device\Harddisk0\Partition2 (Start_Offset:76692542976 | Length:3306530304)

\Device\Harddisk0\Partition0 (Start_Offset:39900833792 | Length:35228873728)

\Device\Harddisk0\Partition3 (Start_Offset:39900897792 | Length:35228809728)

\Device\Harddisk0\Partition0 (Start_Offset:75129707520 | Length:1562803200)

\Device\Harddisk0\Partition4 (Start_Offset:75129739776 | Length:1562770944)

.

----------------------\\ Scheduled Tasks

.

C:\WINDOWS\Tasks\desktop.ini

C:\WINDOWS\Tasks\SA.DAT

.

----------------------\\ Registry

.

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 01:39.57

.

C:\Rooter$\Rooter_1.txt - (30/08/2010 | 01:39.57)


Hello EpochsEnd

 

Thank you for the log.

 

Please do the following:

 

 

  • Combofix

     

     

  • Download ComboFix from one of the following locations:

     

    Link 1

    Link 2

  • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


 

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


 

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Hello JonTom.

 

Here is the combo fix log.

 

 

ComboFix 10-08-30.02 - Edward 08/31/2010 1:45.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1606 [GMT -7:00]

Running from: c:\documents and settings\Edward\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))

.

 

2010-08-30 08:39 . 2010-08-30 08:42 -------- d-----w- C:\Rooter$

2010-08-29 08:36 . 2010-08-29 08:36 0 ----a-w- c:\documents and settings\Edward\settings.dat

2010-08-26 01:43 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-26 01:43 . 2010-08-26 01:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-26 01:43 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-26 01:24 . 2010-08-26 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-26 01:24 . 2010-01-11 02:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL

2010-08-26 01:24 . 2010-08-26 01:24 -------- d-----w- c:\program files\SpywareBlaster

2010-08-25 21:39 . 2010-08-25 21:39 2303 ----a-w- c:\documents and settings\Edward\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com

2010-08-25 21:39 . 2010-08-25 21:39 2095 ----a-w- c:\documents and settings\Edward\Application Data\.purple\certificates\x509\tls_peers\login.live.com

2010-08-18 20:11 . 2010-08-18 20:11 -------- d-----w- c:\program files\Common Files\Java

2010-08-14 06:16 . 2010-03-17 18:35 309248 ----a-w- c:\documents and settings\Edward\Application Data\Mozilla\Firefox\Profiles\zgxv3nqu.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll

2010-08-14 04:45 . 2010-08-14 04:45 -------- d-----w- c:\program files\Lavalys

2010-08-14 02:14 . 2010-08-14 02:14 -------- d-----w- c:\windows\Sun

2010-08-13 00:09 . 2010-08-13 00:09 503808 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-393ddd60-n\msvcp71.dll

2010-08-13 00:09 . 2010-08-13 00:09 499712 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-393ddd60-n\jmc.dll

2010-08-13 00:09 . 2010-08-13 00:09 348160 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-393ddd60-n\msvcr71.dll

2010-08-13 00:09 . 2010-08-13 00:09 61440 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3c7a5d2a-n\decora-sse.dll

2010-08-13 00:09 . 2010-08-13 00:09 12800 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3c7a5d2a-n\decora-d3d.dll

2010-08-12 23:38 . 2010-08-12 23:38 -------- d-----w- c:\documents and settings\Edward\Local Settings\Application Data\Adobe

2010-08-12 23:37 . 2010-08-12 23:38 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-12 03:27 . 2010-08-12 03:27 2145 ----a-w- c:\documents and settings\Edward\Application Data\.purple\certificates\x509\tls_peers\ows.messenger.msn.com

2010-08-05 23:17 . 2010-08-05 23:17 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll

2010-08-05 23:09 . 2010-08-05 23:09 2165 ----a-w- c:\documents and settings\Edward\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com

2010-08-05 23:08 . 2010-08-25 23:43 -------- d-----w- c:\documents and settings\Edward\Application Data\.purple

2010-08-05 23:05 . 2010-08-05 23:05 -------- d-----w- c:\program files\Pidgin

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-31 08:32 . 2009-12-24 04:24 -------- d-----w- c:\program files\Steam

2010-08-19 00:49 . 2010-07-29 19:13 -------- d-----w- c:\program files\StarCraft II

2010-08-18 20:11 . 2010-01-16 16:44 -------- d-----w- c:\program files\Java

2010-08-05 23:13 . 2010-03-26 03:12 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2010-07-30 05:02 . 2010-07-30 04:59 -------- d-----w- c:\program files\mektek.net

2010-07-30 05:00 . 2010-07-30 05:00 26582 ----a-r- c:\documents and settings\Edward\Application Data\Microsoft\Installer\{6583D00E-0924-4950-8BE9-5D09FE70B333}\_AAFEC972C6A808875A25F1.exe

2010-07-30 05:00 . 2010-07-30 05:00 26582 ----a-r- c:\documents and settings\Edward\Application Data\Microsoft\Installer\{6583D00E-0924-4950-8BE9-5D09FE70B333}\_43651A41F8B233F970CAD4.exe

2010-07-29 20:34 . 2010-03-26 03:12 -------- d-----w- c:\program files\World of Warcraft

2010-07-29 20:24 . 2010-03-26 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2010-07-17 12:00 . 2010-06-10 22:22 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:15 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:15 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:15 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2009-12-24 02:52 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-10 10:09 . 2010-06-10 10:09 503808 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-441869e1-n\msvcp71.dll

2010-06-10 10:09 . 2010-06-10 10:09 499712 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-441869e1-n\jmc.dll

2010-06-10 10:09 . 2010-06-10 10:09 348160 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-441869e1-n\msvcr71.dll

2010-06-10 10:09 . 2010-06-10 10:09 61440 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17bb219a-n\decora-sse.dll

2010-06-10 10:09 . 2010-06-10 10:09 12800 ----a-w- c:\documents and settings\Edward\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17bb219a-n\decora-d3d.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\Steam.exe" [2010-08-25 1242448]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

"c:\\Program Files\\Pidgin\\pidgin.exe"=

"c:\\Program Files\\mektek.net\\MTX\\mtx.exe"=

"c:\\Program Files\\mektek.net\\Mechwarrior Mercenaries - Mektek Mekpak\\MW4Mercs.exe"=

 

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [1/12/2010 1:39 AM 123280]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [1/12/2010 1:38 AM 41616]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/23/2009 8:35 PM 108289]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [12/17/2009 3:02 PM 99152]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [12/17/2009 3:02 PM 110096]

S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [12/23/2009 8:09 PM 70144]

.

.

------- Supplementary Scan -------

.

Trusted Zone: intuit.com\ttlc

FF - ProfilePath - c:\documents and settings\Edward\Application Data\Mozilla\Firefox\Profiles\zgxv3nqu.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\Edward\Application Data\Mozilla\Firefox\Profiles\zgxv3nqu.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-nwiz - nwiz.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-31 01:48

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(564)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-08-31 01:49:45

ComboFix-quarantined-files.txt 2010-08-31 08:49

 

Pre-Run: 14,236,033,024 bytes free

Post-Run: 16,041,353,216 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - 6663FE2041EE251313B09F58C5FF6E93


Hello EpochsEnd

 

ComboFix does not look too bad. Let's clean out your temp files and run an online scan:

 

 

  • Clean out your temporary files

     

     

    • Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
    • Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
    • Check the boxes to the left of the following:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Java Cache

    • The rest are optional. If you want to remove everything check the "Select All" box.
    • Click on "Empty Selected" to begin cleaning.
    • Once the "Done Cleaning" message appears, click OK.
    • If you use Firefox, Click on the Firefox tab and repeat the above process.
    • When you have finished cleaning, click on the "Exit" button in the main menu.

  • Please perform the following scan:

     

     

    • This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.

     

    • It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
    • DO NOT surf the net while your resident protection is disabled!
    • Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.

     

    • Please perform a Kaspersky Online Scan of your computer by clicking here or here.

     

    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run (at times it may appear to stall).
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    • Once the scan is complete, click on View scan report. To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop
    • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    • Then, click: Save
    • Please post the Kaspersky Online Scanner Report in your reply.
    • If you need help performing the above steps, an animated tutorial can be found here.

    Please post the Kaspersky Online Scan log along with a new HJT scan log.

     

    Also, please describe how your system is behaving.


Due to inactivity, this topic has been closed.

 

If you are the topic starter and need this topic reopened, please PM a staff member (include the address of this thread in your request).

 

Everyone else please start a new topic.
