TechSpot

Boring rootkits attacking me all day

By g4mer
Oct 8, 2010
  1. Every 20-30 minutes avast!!!! Free AV tells me I got infected with some rootkits called Win32:Confi [Wrm] and Win32:Rootkit-gen [Rtk]. Location is C:\Windows\System32 and infected file is called x. I have no idea what I should do about this. Help!!
    I took a screenshot of avast!!!!!!!!!! Virus chest.
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, paste the logs for review into your next reply. OK to use multiple posts if needed.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. g4mer

    g4mer TS Maniac Topic Starter Posts: 310

    When I scanned with Malwarebytes, 9 threats were found, but I got a BSoD before the scan was complete (don't know why). I ran the scan with Malwarebytes again but it only found 3 threats.
    Here are the logs:
     


  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please observe this:
    It is too time consuming for me to have to copy and paste entries that I need to identify into a search. When logs are pasted in, I can search directly from within my browser.

    P2P or 'file sharing Warning':
    I notice that you are running uTorrent, LimeWire and eMule. These are all file sharing programs.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I encourage you to uninstall all 3 programs for these reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    You are 'bored' with continuing attacks by rootkit malware but you are continuing to use file sharing which opens a door to malware.

    The entries in Mbam show No Action Taken. This means that you did not check the line for removal. Please update Malwarebytes and rescan, following this: Be sure that everything is checked, and click Remove Selected.
    ============================================
    After the rescan with Malwarebytes:
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ==========================================
    After the Mbam scan and Combofix:
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please paste all logs in next reply. Use multiple posts if needed.
     
  5. g4mer

    g4mer TS Maniac Topic Starter Posts: 310

    I removed LimeWire, uTorrent and eMule long ago. Those are just folder remains.
    I selected everything to delete in Mbytes, but after I saved the log. Sorry for that.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4784

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    10/9/2010 8:47:45 PM
    mbam-log-2010-10-09 (20-47-45).txt

    Scan type: Quick scan
    Objects scanned: 130514
    Time elapsed: 4 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  6. g4mer

    g4mer TS Maniac Topic Starter Posts: 310

    ComboFix 10-10-09.01 - Srki 10/09/2010 20:59:38.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1149 [GMT 2:00]
    Running from: c:\documents and settings\Srki\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Dvbpws.dll
    c:\windows\wpe pro.INI

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
    .

    2010-10-09 09:00 . 2010-10-09 09:00 -------- d-----w- c:\documents and settings\Srki\Application Data\Malwarebytes
    2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-09 08:59 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-09 08:59 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-02 13:59 . 2010-10-02 13:59 -------- d--h--w- c:\windows\PIF
    2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Opera
    2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\program files\Opera
    2010-09-28 21:38 . 2010-09-28 21:38 -------- d-----w- C:\Cache
    2010-09-28 18:33 . 2010-09-28 18:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-09-27 14:14 . 2010-09-27 14:14 503808 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1ae8e256-n\msvcp71.dll
    2010-09-27 14:14 . 2010-09-27 14:14 499712 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1ae8e256-n\jmc.dll
    2010-09-27 14:14 . 2010-09-27 14:14 348160 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1ae8e256-n\msvcr71.dll
    2010-09-27 14:14 . 2010-09-27 14:14 61440 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4de8c945-n\decora-sse.dll
    2010-09-27 14:14 . 2010-09-27 14:14 12800 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4de8c945-n\decora-d3d.dll
    2010-09-26 19:31 . 2010-09-26 19:31 -------- d-----w- c:\program files\Common Files\Java
    2010-09-26 19:31 . 2010-09-26 19:30 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-09-26 19:30 . 2010-09-26 19:30 -------- d-----w- c:\program files\Java
    2010-09-24 20:22 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Publish Providers
    2010-09-24 20:21 . 2010-09-24 20:21 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Sony
    2010-09-24 20:21 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Sony
    2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
    2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\program files\Sony
    2010-09-24 20:17 . 2010-09-26 09:17 -------- d-----w- c:\windows\system32\LogFiles
    2010-09-24 20:17 . 2010-09-24 20:17 -------- d-----w- c:\windows\system32\drivers\UMDF
    2010-09-24 20:17 . 2006-09-15 23:05 23856 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-09-24 15:13 . 2010-09-25 10:30 -------- d-----w- c:\documents and settings\Srki\Application Data\Ventrilo
    2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Ventrilo
    2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-09-23 19:51 . 2010-09-23 19:51 -------- d-----w- c:\program files\YouTube Downloader
    2010-09-23 19:47 . 2010-09-23 19:47 -------- d-----w- c:\documents and settings\Srki\Application Data\AnvSoft
    2010-09-23 19:47 . 2010-09-23 19:47 -------- d-----w- c:\program files\AnvSoft
    2010-09-23 18:12 . 2010-09-23 18:12 -------- d-----w- c:\documents and settings\Srki\Application Data\VMware
    2010-09-23 16:17 . 2010-09-23 16:17 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
    2010-09-23 16:17 . 2010-09-23 16:14 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
    2010-09-23 16:17 . 2010-09-23 16:14 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
    2010-09-23 16:17 . 2010-09-23 16:14 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
    2010-09-23 16:17 . 2010-09-23 16:14 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
    2010-09-23 16:17 . 2010-09-23 16:14 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
    2010-09-23 16:17 . 2010-09-23 16:14 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
    2010-09-23 16:17 . 2010-09-23 16:14 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
    2010-09-23 16:16 . 2010-01-22 15:13 59952 ----a-r- c:\windows\system32\vnetinst.dll
    2010-09-23 16:16 . 2010-01-22 15:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
    2010-09-23 16:16 . 2010-01-22 19:56 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
    2010-09-23 16:16 . 2010-01-22 19:57 395824 ----a-w- c:\windows\system32\vmnat.exe
    2010-09-23 16:16 . 2010-01-22 19:57 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
    2010-09-23 16:16 . 2010-01-22 15:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
    2010-09-23 16:16 . 2010-01-22 19:57 760368 ----a-w- c:\windows\system32\vnetlib.dll
    2010-09-23 16:16 . 2010-01-22 19:57 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
    2010-09-23 16:16 . 2010-10-09 18:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
    2010-09-23 16:15 . 2010-09-23 16:15 -------- d-----w- c:\program files\Common Files\VMware
    2010-09-23 16:15 . 2010-10-09 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
    2010-09-23 16:15 . 2010-09-23 16:15 -------- d-----w- c:\program files\VMware
    2010-09-23 11:56 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-09-21 13:25 . 2010-09-21 17:09 -------- d-----w- c:\program files\SpeedFan
    2010-09-19 18:10 . 2010-09-19 18:10 -------- d-----w- c:\documents and settings\Administrator
    2010-09-19 15:19 . 2010-09-19 15:19 -------- d-----w- c:\documents and settings\Srki\Application Data\Need for Speed World
    2010-09-19 14:47 . 2010-09-19 14:47 10904848 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\nfsw.exe
    2010-09-19 14:47 . 2010-09-19 14:47 267536 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\gameplay.dll
    2010-09-19 14:47 . 2010-09-19 14:47 1789200 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\gameplay.native.dll
    2010-09-19 14:47 . 2010-09-19 14:47 4068624 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\eawebkit.dll
    2010-09-19 14:47 . 2010-09-19 14:47 462864 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\d3dx10_37.dll
    2010-09-19 14:47 . 2010-09-19 14:47 3786760 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\d3dx9_37.dll
    2010-09-19 14:31 . 2010-09-19 14:31 -------- d-----w- c:\documents and settings\Srki\Application Data\Nero
    2010-09-19 14:30 . 2010-09-19 14:30 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Ahead
    2010-09-19 14:28 . 2010-09-19 14:29 -------- d-----w- c:\program files\Common Files\Nero
    2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\program files\Nero
    2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-09-19 13:28 . 2010-09-19 13:28 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Identities
    2010-09-19 12:58 . 2010-09-19 12:58 883670 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\pb\pbcl.dll
    2010-09-19 12:58 . 2010-09-19 12:58 57344 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\pb\pbag.dll
    2010-09-19 12:03 . 2010-09-19 12:03 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Electronic_Arts_Inc
    2010-09-19 12:02 . 2010-09-19 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
    2010-09-19 08:06 . 2010-09-28 17:42 -------- d-----w- c:\windows\Logs
    2010-09-18 18:12 . 2010-09-18 18:12 -------- d-----w- c:\program files\OCCT
    2010-09-18 18:10 . 2010-09-18 18:10 -------- d-----w- c:\documents and settings\Srki\Application Data\NVIDIA
    2010-09-18 17:11 . 2010-09-18 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2010-09-18 11:46 . 2010-09-18 11:46 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Blizzard Entertainment
    2010-09-18 10:45 . 2010-09-18 20:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2010-09-18 10:44 . 2010-09-18 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
    2010-09-18 06:37 . 2010-09-18 06:37 -------- d-----w- c:\documents and settings\Srki\Application Data\GRETECH
    2010-09-18 06:36 . 2010-09-18 06:36 -------- d-----w- c:\program files\GRETECH
    2010-09-17 20:52 . 2010-09-18 07:51 -------- d-----w- C:\totalcmd
    2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\UC.PIF
    2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\RAR.PIF
    2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKZIP.PIF
    2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKUNZIP.PIF
    2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\NOCLOSE.PIF
    2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\LHA.PIF
    2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\ARJ.PIF
    2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft ActiveSync
    2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\windows\SHELLNEW
    2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft.NET
    2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\Adobe Mini Bridge CS5
    2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    2010-09-14 16:39 . 2010-09-14 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
    2010-09-14 15:17 . 2010-09-18 08:56 238888 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-09-14 15:17 . 2010-09-18 08:56 238888 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-09-14 15:17 . 2010-09-18 08:56 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-09-14 15:16 . 2010-09-11 06:46 887912 ----a-w- c:\windows\system32\nvdispco32.dll
    2010-09-14 15:16 . 2010-09-11 06:46 813672 ----a-w- c:\windows\system32\nvgenco32.dll
    2010-09-14 15:16 . 2010-09-11 06:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-09-14 15:16 . 2010-09-11 06:46 4882432 ----a-w- c:\windows\system32\nvcuda.dll
    2010-09-14 15:16 . 2010-09-11 06:46 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-09-14 15:16 . 2010-09-11 06:46 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-09-14 15:16 . 2010-09-11 06:46 2293194 ----a-w- c:\windows\system32\nvdata.bin
    2010-09-14 15:16 . 2010-09-11 06:46 14528512 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-09-14 15:16 . 2010-09-11 06:46 1462272 ----a-w- c:\windows\system32\nvapi.dll
    2010-09-14 15:16 . 2010-09-11 06:46 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-14 15:15 . 2010-09-14 15:15 -------- d-----w- C:\NVIDIA
    2010-09-14 15:15 . 2010-09-28 18:33 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Adobe
    2010-09-14 15:12 . 2010-09-14 15:12 -------- d-----w- c:\program files\Phyxion.net
    2010-09-14 14:59 . 2010-09-24 15:27 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-14 12:35 . 2010-09-14 12:37 -------- d-----w- c:\documents and settings\Srki\Application Data\Auslogics
    2010-09-14 12:34 . 2010-09-14 12:34 -------- d-----w- c:\program files\Auslogics
    2010-09-14 12:32 . 2004-08-03 21:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
    2010-09-14 12:32 . 2004-08-03 21:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys
    2010-09-14 12:32 . 2004-08-03 22:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
    2010-09-14 12:32 . 2004-08-03 22:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll
    2010-09-14 12:32 . 2004-08-03 21:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
    2010-09-14 12:32 . 2004-08-03 21:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
    2010-09-14 12:22 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Srki\Application Data\InstallShield
    2010-09-14 01:16 . 2010-09-14 01:24 -------- d-----w- C:\Boot
    2010-09-13 21:13 . 2010-09-13 21:13 -------- d-----w- c:\program files\Common Files\Ulead Systems
    2010-09-13 21:13 . 2010-10-02 08:13 -------- d-----w- c:\program files\WinFast

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-09 09:27 . 2010-09-13 14:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-10-08 19:54 . 2010-09-13 14:12 -------- d-----w- c:\documents and settings\Srki\Application Data\uTorrent
    2010-10-07 20:39 . 2010-09-13 14:14 -------- d-----w- c:\documents and settings\Srki\Application Data\Skype
    2010-10-07 20:38 . 2010-09-13 14:14 -------- d-----w- c:\documents and settings\Srki\Application Data\skypePM
    2010-09-26 15:18 . 2010-09-13 14:13 -------- d-----w- c:\program files\uTorrent
    2010-09-19 14:59 . 2010-09-13 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2010-09-18 07:58 . 2010-09-13 14:05 35544 ----a-w- c:\documents and settings\Srki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-15 20:16 . 2010-09-13 14:16 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 5
    2010-09-15 16:41 . 2010-09-13 13:54 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-09-15 12:22 . 2010-09-13 14:20 -------- d-----w- c:\documents and settings\Srki\Application Data\Winamp
    2010-09-14 15:17 . 2010-09-13 14:02 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-09-13 20:55 . 2010-09-13 14:20 -------- d-----w- c:\program files\Winamp
    2010-09-13 15:00 . 2010-09-13 14:48 -------- d-----w- c:\program files\NeoSmart Technologies
    2010-09-13 14:19 . 2010-09-13 14:19 0 ----a-w- c:\windows\nsreg.dat
    2010-09-13 14:14 . 2010-09-13 14:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-09-13 14:14 . 2010-09-13 14:14 -------- d-----r- c:\program files\Skype
    2010-09-13 14:14 . 2010-09-13 14:14 -------- d-----w- c:\program files\Common Files\Skype
    2010-09-13 14:14 . 2010-09-13 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-09-13 14:11 . 2010-09-13 14:11 -------- d-----w- c:\program files\Alwil Software
    2010-09-13 14:11 . 2010-09-13 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-09-13 14:07 . 2010-09-13 14:07 -------- d-----w- c:\program files\Realtek AC97
    2010-09-13 14:07 . 2010-09-13 14:07 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-09-13 13:55 . 2010-09-13 13:55 -------- d-----w- c:\program files\microsoft frontpage
    2010-09-13 13:51 . 2010-09-13 13:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-09-11 06:46 . 2010-09-13 14:01 9586016 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2010-09-11 06:46 . 2010-09-13 14:01 6358912 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-09-10 21:23 . 2010-09-10 21:23 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-09-10 21:23 . 2010-09-10 21:23 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2010-09-10 21:23 . 2010-09-10 21:23 156776 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-09-10 21:23 . 2010-09-10 21:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-09-10 21:23 . 2010-09-10 21:23 13851752 ----a-w- c:\windows\system32\nvcpl.dll
    2010-09-10 21:23 . 2010-09-10 21:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-09-07 15:12 . 2010-09-13 14:21 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-09-13 14:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-09-13 14:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-09-13 14:12 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-09-13 14:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-09-13 14:12 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-09-13 14:12 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-09-13 14:12 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-09-13 14:12 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "NvMediaCenter"="NvMCTray.dll" [2010-09-10 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-09-10 13851752]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "e:\\Games\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
    "e:\\Games\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     
  7. g4mer

    g4mer TS Maniac Topic Starter Posts: 310

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8370:TCP"= 8370:TCP:League of Legends Launcher
    "8370:UDP"= 8370:UDP:League of Legends Launcher
    "8371:TCP"= 8371:TCP:League of Legends Launcher
    "8371:UDP"= 8371:UDP:League of Legends Launcher
    "8372:TCP"= 8372:TCP:League of Legends Launcher
    "8372:UDP"= 8372:UDP:League of Legends Launcher
    "8373:TCP"= 8373:TCP:League of Legends Launcher
    "8373:UDP"= 8373:UDP:League of Legends Launcher
    "8374:TCP"= 8374:TCP:League of Legends Launcher
    "8374:UDP"= 8374:UDP:League of Legends Launcher
    "8375:TCP"= 8375:TCP:League of Legends Launcher
    "8375:UDP"= 8375:UDP:League of Legends Launcher
    "8376:TCP"= 8376:TCP:League of Legends Launcher
    "8376:UDP"= 8376:UDP:League of Legends Launcher
    "8377:TCP"= 8377:TCP:League of Legends Launcher
    "8377:UDP"= 8377:UDP:League of Legends Launcher
    "8378:TCP"= 8378:TCP:League of Legends Launcher
    "8378:UDP"= 8378:UDP:League of Legends Launcher
    "8379:TCP"= 8379:TCP:League of Legends Launcher
    "8379:UDP"= 8379:UDP:League of Legends Launcher
    "8380:TCP"= 8380:TCP:League of Legends Launcher
    "8380:UDP"= 8380:UDP:League of Legends Launcher

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/13/2010 4:12 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/13/2010 4:12 PM 17744]
    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [1/22/2010 9:57 PM 70704]
    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [1/22/2010 9:00 PM 563760]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS --> c:\program files\WinFast\WFDTV\WFIOCTL.SYS [?]
    S3 WFLR6654;WinFast TV2000 XP Global/Global TV (XC2028);c:\windows\system32\drivers\wfeaglxt.sys --> c:\windows\system32\drivers\wfeaglxt.sys [?]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\VMware\VMware Player\vsocklib.dll
    FF - ProfilePath - c:\documents and settings\Srki\Application Data\Mozilla\Firefox\Profiles\ehk57e6w.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-NBKey - c:\documents and settings\Srki\My Documents\Downloads\Exp hacker 3.0.8.exe


    .
    Completion time: 2010-10-09 21:03:07
    ComboFix-quarantined-files.txt 2010-10-09 19:03

    Pre-Run: 43,940,098,048 bytes free
    Post-Run: 43,904,434,176 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    ; This boot.ini was automatically generated by NeoSmart Technologies' BootGrabber.exe
    ; Use EasyBCD from http://neosmart.net/dl.php?id=1 to manage your bootloader
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP on D:\" /fastdetect

    - - End Of File - - C168E1243251237ABF6EF0A3ADA377BB
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Have you had a chance to run the Eset online scan yet? Please leave the log.

    If the Win32.Rootkit-gen[RTK] is anywhere on the system, I will see it here. It could be in a restore point or quarantined but still showing in Avast- although it wouldn't be active in the system. Some AV programs continue to give warnings, even though an entry may have already been handled.

    Check Avast and see if it has an option not to alert you.

    I will have a few removals in script to run through Combofix, but I'd like to see the Eset log first.

    Edit: Are you still using WinFast? Combofix is showing 2 drivers for it as a ?
     
  9. g4mer

    g4mer TS Maniac Topic Starter Posts: 310

    ESET Log:
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=9357091c5ff13d4e94ecb011eb3d2879
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-10 07:28:49
    # local_time=2010-10-10 09:28:49 (+0100, Central Europe Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 2350263 2350263 0 0
    # compatibility_mode=8192 67108863 100 0 441 441 0 0
    # scanned=38007
    # found=0
    # cleaned=0
    # scan_time=1559

    I'm not using WinFast. I have 2 drivers that need to be updated.
    BTW I'm not getting the virus alert anymore. Avast and MBAM probably removed it.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, we have made progress!

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\winfast\wfdtv\wfioctl.sys
    c:\windows\system32\drivers\wfeaglxt.sys
    c:\windows\UC.PIF
    c:\windows\RAR.PIF
    c:\windows\PKZIP.PIF
    c:\windows\PKUNZIP.PIF
    c:\windows\NOCLOSE.PIF
    c:\windows\LHA.PIF
    c:\windows\ARJ.PIF
    Folder::
    c:\program files\LimeWire
    c:\program files\eMule
    
    DirLook::
    C:\Boot
    C:\Cache
    C:\bootmgr
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    Driver::
    WFIOCTL
    WFLR6654
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Are you aware of all the Globally Open Ports for League of Legends Launcher?
    Please update Java to v6u21:
    =====================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  11. g4mer

    g4mer TS Maniac Topic Starter Posts: 310

    FILE ::
    "c:\program files\winfast\wfdtv\wfioctl.sys"
    "c:\windows\ARJ.PIF"
    "c:\windows\LHA.PIF"
    "c:\windows\NOCLOSE.PIF"
    "c:\windows\PKUNZIP.PIF"
    "c:\windows\PKZIP.PIF"
    "c:\windows\RAR.PIF"
    "c:\windows\system32\drivers\wfeaglxt.sys"
    "c:\windows\UC.PIF"

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    c:\windows\ARJ.PIF
    c:\windows\LHA.PIF
    c:\windows\NOCLOSE.PIF
    c:\windows\PKUNZIP.PIF
    c:\windows\PKZIP.PIF
    c:\windows\RAR.PIF
    c:\windows\UC.PIF

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_WFIOCTL
    -------\Service_WFIOCTL
    -------\Service_WFLR6654


    ((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
    .

    2010-10-12 22:05 . 2010-10-12 22:14 240124 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-10-12 22:05 . 2010-10-12 22:14 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-10-12 22:05 . 2010-10-12 22:14 240124 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-10-12 22:05 . 2010-10-08 08:30 888424 ----a-w- c:\windows\system32\nvdispco32.dll
    2010-10-12 22:05 . 2010-10-08 08:30 813672 ----a-w- c:\windows\system32\nvgenco32.dll
    2010-10-12 22:05 . 2010-10-08 08:30 14528512 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-10-10 20:42 . 2010-10-10 20:43 -------- d-----w- C:\DXFiles
    2010-10-10 17:51 . 2010-10-10 17:51 60416 ----a-w- c:\windows\ALCFDRTM.VER
    2010-10-10 17:51 . 2010-10-10 17:51 60416 ----a-w- c:\windows\ALCFDRTM.EXE
    2010-10-10 17:51 . 2010-10-10 17:51 -------- d-----w- c:\windows\system32\Lang
    2010-10-09 09:00 . 2010-10-09 09:00 -------- d-----w- c:\documents and settings\Srki\Application Data\Malwarebytes
    2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-09 08:59 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-09 08:59 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-08 00:28 . 2010-10-08 00:28 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-10-08 00:28 . 2010-10-08 00:28 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2010-10-08 00:28 . 2010-10-08 00:28 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-10-08 00:28 . 2010-10-08 00:28 13851752 ----a-w- c:\windows\system32\nvcpl.dll
    2010-10-08 00:28 . 2010-10-08 00:28 156776 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-10-08 00:28 . 2010-10-08 00:28 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-10-02 13:59 . 2010-10-02 13:59 -------- d--h--w- c:\windows\PIF
    2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Opera
    2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\program files\Opera
    2010-09-28 18:33 . 2010-09-28 18:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-09-26 19:31 . 2010-09-26 19:31 -------- d-----w- c:\program files\Common Files\Java
    2010-09-26 19:31 . 2010-09-26 19:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-26 19:31 . 2010-09-26 19:30 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-09-26 19:30 . 2010-09-26 19:30 -------- d-----w- c:\program files\Java
    2010-09-24 20:22 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Publish Providers
    2010-09-24 20:21 . 2010-09-24 20:21 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Sony
    2010-09-24 20:21 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Sony
    2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
    2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\program files\Sony
    2010-09-24 20:17 . 2010-09-26 09:17 -------- d-----w- c:\windows\system32\LogFiles
    2010-09-24 20:17 . 2010-09-24 20:17 -------- d-----w- c:\windows\system32\drivers\UMDF
    2010-09-24 20:17 . 2006-09-15 23:05 23856 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-09-24 15:13 . 2010-09-25 10:30 -------- d-----w- c:\documents and settings\Srki\Application Data\Ventrilo
    2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Ventrilo
    2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-09-23 19:47 . 2010-09-23 19:47 -------- d-----w- c:\documents and settings\Srki\Application Data\AnvSoft
    2010-09-23 18:12 . 2010-09-23 18:12 -------- d-----w- c:\documents and settings\Srki\Application Data\VMware
    2010-09-23 16:16 . 2010-10-10 09:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
    2010-09-23 16:15 . 2010-10-10 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
    2010-09-23 11:56 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-09-19 18:10 . 2010-09-19 18:10 -------- d-----w- c:\documents and settings\Administrator
    2010-09-19 15:19 . 2010-09-19 15:19 -------- d-----w- c:\documents and settings\Srki\Application Data\Need for Speed World
    2010-09-19 14:31 . 2010-09-19 14:31 -------- d-----w- c:\documents and settings\Srki\Application Data\Nero
    2010-09-19 14:30 . 2010-09-19 14:30 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Ahead
    2010-09-19 14:28 . 2010-09-19 14:29 -------- d-----w- c:\program files\Common Files\Nero
    2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\program files\Nero
    2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-09-19 14:27 . 2006-11-01 16:31 1669120 ----a-w- c:\program files\Windows Media Player\wmsetsdk.exe
    2010-09-19 14:27 . 2004-08-10 23:45 47616 ----a-w- c:\program files\Windows Media Player\msoobci.dll
    2010-09-19 13:28 . 2010-09-19 13:28 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Identities
    2010-09-19 12:03 . 2010-09-19 12:03 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Electronic_Arts_Inc
    2010-09-19 08:06 . 2010-09-28 17:42 -------- d-----w- c:\windows\Logs
    2010-09-18 18:10 . 2010-09-18 18:10 -------- d-----w- c:\documents and settings\Srki\Application Data\NVIDIA
    2010-09-18 17:11 . 2010-09-18 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2010-09-18 11:46 . 2010-09-18 11:46 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Blizzard Entertainment
    2010-09-18 10:45 . 2010-09-18 20:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2010-09-18 10:44 . 2010-09-18 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
    2010-09-18 06:37 . 2010-09-18 06:37 -------- d-----w- c:\documents and settings\Srki\Application Data\GRETECH
    2010-09-18 06:36 . 2010-09-18 06:36 -------- d-----w- c:\program files\GRETECH
    2010-09-17 20:52 . 2010-09-18 07:51 -------- d-----w- C:\totalcmd
    2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft ActiveSync
    2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\windows\SHELLNEW
    2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft.NET
    2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\Adobe Mini Bridge CS5
    2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    2010-09-14 16:39 . 2010-09-14 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
    2010-09-14 15:16 . 2010-10-08 08:30 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-09-14 15:16 . 2010-10-08 08:30 4882432 ----a-w- c:\windows\system32\nvcuda.dll
    2010-09-14 15:16 . 2010-10-08 08:30 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-09-14 15:16 . 2010-10-08 08:30 2666088 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-09-14 15:16 . 2010-10-08 08:30 2293194 ----a-w- c:\windows\system32\nvdata.bin
    2010-09-14 15:16 . 2010-10-08 08:30 1462272 ----a-w- c:\windows\system32\nvapi.dll
    2010-09-14 15:16 . 2010-10-08 08:30 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-14 15:15 . 2010-09-14 15:15 -------- d-----w- C:\NVIDIA
    2010-09-14 15:15 . 2010-09-28 18:33 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Adobe
    2010-09-14 15:12 . 2010-09-14 15:12 -------- d-----w- c:\program files\Phyxion.net
    2010-09-14 14:59 . 2010-09-24 15:27 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-14 12:35 . 2010-09-14 12:37 -------- d-----w- c:\documents and settings\Srki\Application Data\Auslogics
    2010-09-14 12:34 . 2010-09-14 12:34 -------- d-----w- c:\program files\Auslogics
    2010-09-14 12:32 . 2004-08-03 21:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
    2010-09-14 12:32 . 2004-08-03 21:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys
    2010-09-14 12:32 . 2004-08-03 22:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
    2010-09-14 12:32 . 2004-08-03 22:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll
    2010-09-14 12:32 . 2004-08-03 22:56 56832 ----a-w- c:\windows\system32\MSDvbNP.ax
    2010-09-14 12:32 . 2004-08-03 22:56 33280 ----a-w- c:\windows\system32\PsisRndr.ax
    2010-09-14 12:32 . 2004-08-03 21:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
    2010-09-14 12:32 . 2004-08-03 21:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
    2010-09-14 12:32 . 2004-08-03 22:56 18432 ----a-w- c:\windows\system32\BdaPlgIn.ax
    2010-09-14 12:22 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Srki\Application Data\InstallShield
    2010-09-14 01:16 . 2010-09-14 01:24 -------- d-----w- C:\Boot
    2010-09-13 21:13 . 2010-09-13 21:13 -------- d-----w- c:\program files\Common Files\Ulead Systems
    2010-09-13 21:13 . 2002-12-05 12:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
    2010-09-13 21:13 . 2002-12-02 11:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
    2010-09-13 21:13 . 2010-09-13 21:13 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
    2010-09-13 21:13 . 2003-02-27 14:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
    2010-09-13 21:13 . 2002-12-02 13:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
    2010-09-13 21:13 . 2002-12-02 11:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
    2010-09-13 21:13 . 2010-09-13 21:13 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
    2010-09-13 21:13 . 2010-10-02 08:13 -------- d-----w- c:\program files\WinFast
    2010-09-13 20:58 . 2004-08-03 22:56 90624 ----a-w- c:\windows\system32\kswdmcap.ax
    2010-09-13 20:58 . 2004-08-03 22:56 61952 ----a-w- c:\windows\system32\kstvtune.ax
    2010-09-13 20:58 . 2004-08-03 22:56 28672 ----a-w- c:\windows\system32\vidcap.ax
    2010-09-13 20:58 . 2004-08-03 22:56 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
    2010-09-13 20:58 . 2004-08-03 22:56 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
    2010-09-13 20:58 . 2004-08-03 22:56 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-09-13 20:57 . 2010-10-02 08:13 -------- d-----w- c:\windows\system32\WinFast
    2010-09-13 20:57 . 2010-09-13 20:57 -------- d-----w- c:\windows\system32\WinFox
    2010-09-13 20:57 . 2003-09-05 07:57 9469 ----a-w- c:\windows\system32\drivers\WINFOXIO.sys
    2010-09-13 20:57 . 2004-04-18 21:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
    2010-09-13 20:57 . 2004-04-18 21:39 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
    2010-09-13 20:57 . 2004-04-18 21:39 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
    2010-09-13 20:57 . 2004-04-18 21:39 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
    2010-09-13 20:57 . 2010-09-13 20:57 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
    2010-09-13 20:57 . 2004-04-18 21:42 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
    2010-09-13 20:57 . 2010-09-13 20:57 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\Boot ----

    2010-09-14 01:24 . 2009-06-10 21:15 47452 ----a-w- c:\boot\Fonts\wgl4_boot.ttf
    2010-09-14 01:24 . 2009-06-10 21:15 2371360 ----a-w- c:\boot\Fonts\kor_boot.ttf
    2010-09-14 01:24 . 2009-06-10 21:15 1984228 ----a-w- c:\boot\Fonts\jpn_boot.ttf
    2010-09-14 01:24 . 2009-06-10 21:15 3876772 ----a-w- c:\boot\Fonts\cht_boot.ttf
    2010-09-14 01:24 . 2009-06-10 21:15 3694080 ----a-w- c:\boot\Fonts\chs_boot.ttf
    2010-09-14 01:24 . 2010-09-14 01:24 65536 --sha-w- c:\boot\BOOTSTAT.DAT
    2010-09-14 01:24 . 2009-07-14 01:17 70224 ----a-w- c:\boot\zh-HK\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 70208 ----a-w- c:\boot\zh-TW\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 87104 ----a-w- c:\boot\tr-TR\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 70720 ----a-w- c:\boot\zh-CN\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 87616 ----a-w- c:\boot\sv-SE\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 90192 ----a-w- c:\boot\ru-RU\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 90704 ----a-w- c:\boot\pl-PL\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 90176 ----a-w- c:\boot\pt-BR\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 89664 ----a-w- c:\boot\pt-PT\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 88144 ----a-w- c:\boot\nb-NO\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 90704 ----a-w- c:\boot\nl-NL\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:20 485440 ----a-w- c:\boot\memtest.exe
    2010-09-14 01:24 . 2009-07-14 01:17 76352 ----a-w- c:\boot\ja-JP\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 75344 ----a-w- c:\boot\ko-KR\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 90688 ----a-w- c:\boot\hu-HU\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 90704 ----a-w- c:\boot\it-IT\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 89152 ----a-w- c:\boot\fi-FI\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 93248 ----a-w- c:\boot\fr-FR\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 90192 ----a-w- c:\boot\es-ES\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 02:11 43600 ----a-w- c:\boot\en-US\memtest.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 94800 ----a-w- c:\boot\el-GR\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 85056 ----a-w- c:\boot\en-US\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 91712 ----a-w- c:\boot\de-DE\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 87616 ----a-w- c:\boot\da-DK\bootmgr.exe.mui
    2010-09-14 01:24 . 2009-07-14 01:17 89168 ----a-w- c:\boot\cs-CZ\bootmgr.exe.mui
    2010-09-14 01:16 . 2010-10-10 17:54 1024 --sha-w- c:\boot\BCD.LOG
    2010-09-14 01:16 . 2010-10-10 17:55 262144 --sha-w- c:\boot\BCD

    ---- Directory of C:\bootmgr ----


    ---- Directory of C:\Cache ----



    ((((((((((((((((((((((((((((( SnapShot@2010-10-13_18.59.48 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-13 19:22 . 2010-10-13 19:22 16384 c:\windows\temp\Perflib_Perfdata_1a8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-08 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-08 13851752]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "e:\\Games\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
    "e:\\Games\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8370:TCP"= 8370:TCP:League of Legends Launcher
    "8370:UDP"= 8370:UDP:League of Legends Launcher
    "8371:TCP"= 8371:TCP:League of Legends Launcher
    "8371:UDP"= 8371:UDP:League of Legends Launcher
    "8372:TCP"= 8372:TCP:League of Legends Launcher
    "8372:UDP"= 8372:UDP:League of Legends Launcher
    "8373:TCP"= 8373:TCP:League of Legends Launcher
    "8373:UDP"= 8373:UDP:League of Legends Launcher
    "8374:TCP"= 8374:TCP:League of Legends Launcher
    "8374:UDP"= 8374:UDP:League of Legends Launcher
    "8375:TCP"= 8375:TCP:League of Legends Launcher
    "8375:UDP"= 8375:UDP:League of Legends Launcher
    "8376:TCP"= 8376:TCP:League of Legends Launcher
    "8376:UDP"= 8376:UDP:League of Legends Launcher
    "8377:TCP"= 8377:TCP:League of Legends Launcher
    "8377:UDP"= 8377:UDP:League of Legends Launcher
    "8378:TCP"= 8378:TCP:League of Legends Launcher
    "8378:UDP"= 8378:UDP:League of Legends Launcher
    "8379:TCP"= 8379:TCP:League of Legends Launcher
    "8379:UDP"= 8379:UDP:League of Legends Launcher
    "8380:TCP"= 8380:TCP:League of Legends Launcher
    "8380:UDP"= 8380:UDP:League of Legends Launcher

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/13/2010 4:12 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/13/2010 4:12 PM 17744]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Srki\Application Data\Mozilla\Firefox\Profiles\ehk57e6w.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    .
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2972)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\system32\nvcpl.dll
    c:\windows\system32\nvapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\imapi.exe
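    Bobbye's question above about the Globally Open Ports, and the "EnableFirewall"= 0 line in the ComboFix log just posted, are easy to miss in a log this long. The following is an added example, not ComboFix's own code and not from any poster in this thread, that parses the regedit-style firewall section of a ComboFix log and summarises it: whether the standard-profile firewall is on, which applications are authorized, and the globally open ports collapsed into ranges per program. The sample input is a shortened excerpt of the log above (the original lists 8370-8380 for both TCP and UDP); the layout it assumes is the `[key]` / `"name"= data` form ComboFix uses in its Reg Loading Points section.

```python
"""Triage of the Windows Firewall section of a ComboFix log (Windows XP standard profile).

Added example for this thread; it is not part of ComboFix or of any post above.
Assumed layout: regedit-style "[key]" headers followed by "name"= data lines.
"""
import re
from typing import Dict, List, Optional, Tuple

# Shortened excerpt of the ComboFix log posted above (the original lists
# 8370-8380 for both TCP and UDP).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Games\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_reg_sections(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each lower-cased [key] header to its list of (value name, data) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            sections.setdefault(current, [])
            continue
        value = VALUE_RE.match(line)
        if current is not None and value:
            sections[current].append((value.group(1), value.group(2).strip()))
    return sections


def firewall_findings(log_text: str) -> Dict[str, object]:
    """Pull the standard-profile firewall state out of the parsed sections."""
    sections = parse_reg_sections(log_text)
    enabled: Optional[bool] = None
    apps: List[str] = []
    ports: List[Tuple[int, str, str]] = []
    for key, values in sections.items():
        if 'firewallpolicy' not in key:
            continue
        if key.endswith('\\standardprofile'):
            for name, data in values:
                if name.lower() == 'enablefirewall':
                    enabled = int(data.split()[0]) != 0   # "0 (0x0)" -> 0 -> disabled
        elif key.endswith('authorizedapplications\\list'):
            # regedit export doubles backslashes in value names; undo that
            apps.extend(name.replace('\\\\', '\\') for name, _ in values)
        elif key.endswith('globallyopenports\\list'):
            for _name, data in values:
                port, proto, label = data.split(':', 2)   # "8370:TCP:League of Legends Launcher"
                ports.append((int(port), proto.upper(), label))
    return {'firewall_enabled': enabled, 'authorized_apps': apps, 'open_ports': ports}


def summarize_open_ports(ports: List[Tuple[int, str, str]]) -> Dict[Tuple[str, str], List[Tuple[int, int]]]:
    """Collapse per-port exceptions into (label, proto) -> [(low, high), ...] ranges."""
    grouped: Dict[Tuple[str, str], List[int]] = {}
    for port, proto, label in ports:
        grouped.setdefault((label, proto), []).append(port)
    ranges: Dict[Tuple[str, str], List[Tuple[int, int]]] = {}
    for group, plist in grouped.items():
        runs: List[Tuple[int, int]] = []
        for p in sorted(set(plist)):
            if runs and p == runs[-1][1] + 1:
                runs[-1] = (runs[-1][0], p)       # extend the current consecutive run
            else:
                runs.append((p, p))               # start a new run
        ranges[group] = runs
    return ranges


def report(log_text: str) -> List[str]:
    """Human-readable findings, one line each, suitable for pasting back into a thread."""
    f = firewall_findings(log_text)
    lines: List[str] = []
    if f['firewall_enabled'] is False:
        lines.append('Windows Firewall is DISABLED for the standard profile (EnableFirewall=0); '
                     'the exception lists below only take effect once it is turned back on.')
    elif f['firewall_enabled'] is None:
        lines.append('EnableFirewall not found in log.')
    for app in f['authorized_apps']:
        lines.append(f'Authorized application: {app}')
    for (label, proto), runs in sorted(summarize_open_ports(f['open_ports']).items()):
        spans = ', '.join(f'{lo}' if lo == hi else f'{lo}-{hi}' for lo, hi in runs)
        lines.append(f'Globally open {proto} ports for "{label}": {spans}')
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)))
```

    Run against the full log above, the report shows the firewall switched off and 22 LoL port exceptions, which is the situation Bobbye is asking about: while EnableFirewall stays 0 the authorized-application and open-port lists do nothing, and once the firewall is re-enabled every entry in them becomes a live hole that should be justified or removed.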
     
  12. g4mer

    g4mer TS Maniac Topic Starter Posts: 310

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:31:52 PM, on 10/13/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Mozilla Firefox 4.0 Beta 5\firefox.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 3757 bytes
     
Topic Status:
Not open for further replies.
