TechSpot

[Closed- Porn] Trojan removal help

By rcboosted
May 19, 2012
  1. I downloaded a screen saver disguised as a jpg and ran it by accident. virustotal.com says it's a trojan, although their site is down, so I don't have the exact name. But the trojan has an .exe file called bsp_06.exe that runs during startup. According to virustotal.com only drweb detected it. So I downloaded dr web 7.0 for pc and ran an express scan; it found nothing. I then downloaded cureit.exe from drweb and ran it under safe mode. It cleaned out a bunch of files, but upon reboot to normal windows, I saw 3 command prompts running bsp_06.exe during startup. Remembering that I had used combofix.exe as recommended here 2 years ago, I found it still sitting on my desktop. I ran it; combofix.exe updated itself and said Volsnap.sys is infected, and it did a bunch of clean up and rebooted my box. After the reboot, I ran combofix.exe again; it still says c:\windows\system32\Drivers\Volsnap.sys is infected, but the 2nd time it did very little clean up.

    How can I make sure I'm trojan-free and/or virus/spyware/worm-free?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, let's remove your random attempts to clean the system. I note that Broni had you run the OTL Cleanup in 2010. I don't think that removes Combofix and it should have been removed- and you shouldn't be using it without a helper instructing you.

    To start: Uninstall directions:
    Click START> then RUN> type Combofix /Uninstall in the runbox > click OK. Note the space between the X and the U, it needs to be there.

    Uninstall Dr. Web and Cure it. Be sure they aren't running on startup. Reboot the computer when finished.

    Don't run any scans or clean up programs other than those I instruct you to do.

    ---------------------------------------------------
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ==================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      - Don't follow directions given to someone else
      - Don't use any other cleaning programs or scans while I'm helping you.
      - Don't use a Registry cleaner or make any changes in the Registry.
      - Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Thank you for the reply. I have uninstalled cureit, drweb, combofix, and malwarebytes. Downloaded and installed the malwarebytes version specified in the 5 steps thread, updated it, and ran a quick scan. Nothing was found. The log is on the other PC, which is running a scan with GMER; I will attach the log later. Question regarding GMER. The instructions said a quick scan will be run on startup of GMER, but I didn't see a quick scan. Unless the 3 seconds it took to list out the few items in the list was the quick scan? I wasn't sure, so I clicked on the Scan button and it is taking a really long time to scan at the moment. Please advise. Also, I have 3 drives, only C:\ is checked, should all 3 be checked?
     
  4. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.19.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    rcboosted :: I5-750 [administrator]

    5/19/2012 12:42:44 PM
    mbam-log-2012-05-19 (12-42-44).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201774
    Time elapsed: 4 minute(s), 29 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  5. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-05-19 18:59:51
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3500320AS rev.SD1A
    Running: 7d1c78py.exe; Driver: C:\DOCUME~1\rcboosted\LOCALS~1\Temp\kwtdrpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT E1C39B08 ZwConnectPort

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6936380, 0x5414D5, 0xE8000020]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c9b4d9
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c9b4d9@001f200a30a7 0x16 0xB9 0x5A 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272c9b4d9 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272c9b4d9@001f200a30a7 0x16 0xB9 0x5A 0x67 ...

    ---- EOF - GMER 1.0.15 ----
     
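One way to triage a GMER log like the one above: group every hook by the file it redirects to and the vendor GMER read from that file, and set aside anything GMER could not attribute to a module. This is an added example written for this thread, not GMER's own code and not something the helper asked for; the sample lines are a verbatim subset of the log in the post above.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's own code).

GMER prints one line per finding.  The three line shapes handled here are:

  IAT <hooked driver>[<lib>!<import>] [<addr>] <target file> (<description/vendor>)
  AttachedDevice <driver object> <device> <filter file> (<description/vendor>)
  SSDT <addr> <function>

The "(description/vendor)" tail comes from the target file's version
information and is absent when GMER cannot supply it.  Grouping redirects by
target and vendor turns a wall of IAT lines into two questions: does each
target belong to a product that is really installed, and is anything left
unattributed that needs a closer look?
"""
import re
from collections import defaultdict
from dataclasses import dataclass

IAT_RE = re.compile(
    r"^IAT\s+(?P<hooked>[^\[\s]+)\[(?P<lib>[^!\]]+)!(?P<imp>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>\S+)(?:\s+\((?P<desc>.*)\))?$"
)
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<target>\S+)"
    r"(?:\s+\((?P<desc>.*)\))?$"
)
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>\S+)$")


@dataclass(frozen=True)
class Hook:
    kind: str     # "IAT", "AttachedDevice" or "SSDT"
    victim: str   # import, device or syscall being hooked
    target: str   # file the hook points at; "" when GMER gave none
    vendor: str   # vendor part of GMER's "(description/vendor)"; "" when absent


def vendor_of(desc):
    """GMER writes 'Description/Vendor'; keep only the vendor."""
    if not desc:
        return ""
    return desc.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Turn the hook-related lines of a GMER log into Hook records."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IAT_RE.match(line):
            victim = f"{m['hooked']}[{m['lib']}!{m['imp']}]"
            hooks.append(Hook("IAT", victim, m["target"], vendor_of(m["desc"])))
        elif m := ATTACHED_RE.match(line):
            hooks.append(Hook("AttachedDevice", m["device"], m["target"], vendor_of(m["desc"])))
        elif m := SSDT_RE.match(line):
            # GMER printed an address but no owning module: nothing to attribute.
            hooks.append(Hook("SSDT", m["func"], "", ""))
    return hooks


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return (by_target, unattributed).

    by_target maps a target file name to {"vendor", "count", "kinds"};
    unattributed lists hooks with no target file or no vendor string.
    """
    by_target = defaultdict(lambda: {"vendor": "", "count": 0, "kinds": set()})
    unattributed = []
    for h in parse_gmer(text):
        if not h.target or not h.vendor:
            unattributed.append(h)
            continue
        entry = by_target[basename(h.target)]
        entry["vendor"] = h.vendor
        entry["count"] += 1
        entry["kinds"].add(h.kind)
    return dict(by_target), unattributed


# Constructed sample: a verbatim subset of the lines from the GMER log above.
SAMPLE_LOG = r"""
SSDT E1C39B08 ZwConnectPort
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""

if __name__ == "__main__":
    by_target, unattributed = triage(SAMPLE_LOG)
    for name, info in sorted(by_target.items()):
        print(f"{name:14} {info['count']:3} hook(s) {sorted(info['kinds'])} vendor: {info['vendor']}")
    for h in unattributed:
        print(f"UNATTRIBUTED {h.kind} {h.victim}: verify by hand")
```

On the full log every IAT line collapses to one vsdatant.sys entry from Zone Labs and the AttachedDevice lines to two Symantec files, leaving only the SSDT ZwConnectPort entry without an owning module to check by hand.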
  6. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by rcboosted at 19:05:53 on 2012-05-19
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2198 [GMT -7:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
    svchost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Pogoplug\HBPLUG\HBADMIN.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Synology\Assistant\UsbClientService.exe
    C:\WINDOWS\System32\Drivers\WTSRV.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
    svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\WTClient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Pogoplug] "c:\program files\pogoplug\PogoplugMonitor.exe"
    mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [ASUS Update Checker] c:\program files\asus\asusupdate\updatechecker\UpdateChecker.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"
    mRun: [Cpu Level Up help] "c:\program files\asus\ai suite\CpuLevelUpHelp.exe"
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [MPlayerForWindows_UpdateReminder] "c:\program files\mplayer for windows\AutoUpdate.exe" /L=1033 /TASK
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [WTClient] WTClient.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\documents and settings\rcboosted\start menu\programs\startup\hosts.bat
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    dPolicies-explorer: NoSMHelp = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    TCP: Interfaces\{B4309C5F-C7E9-4B11-A357-B2031DEF8307} : NameServer = 192.168.1.1
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-1-1 11448]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
    R2 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.02\AsSysCtrlService.exe [2010-1-1 90112]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
    R2 DokanCEDriver;DokanCEDriver;c:\program files\pogoplug\dokance.sys [2012-1-30 54592]
    R2 HBAdmin;HBAdmin;c:\program files\pogoplug\hbplug\hbadmin.exe [2012-1-30 738112]
    R2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-4-16 689416]
    R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
    R2 UsbClientService;UsbClientService;c:\program files\synology\assistant\UsbClientService.exe [2011-2-17 245760]
    R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
    R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2011-2-17 46304]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-6 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-6 1393144]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-1-1 1381632]
    R3 xcetap0;XCETAP0 Adapter;c:\windows\system32\drivers\xcetap0.sys [2011-11-3 34624]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-1-23 10384]
    S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2010-11-13 30312]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
    S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-4-16 894216]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-11-13 96488]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-11-13 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-11-13 121576]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-05-19 19:42:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-19 05:50:05 -------- d-sh--w- C:\DrWeb Quarantine
    2012-05-19 03:15:02 -------- d-----w- C:\username123
    2012-05-18 06:27:57 -------- d-----w- c:\documents and settings\rcboosted\Doctor Web
    2012-05-18 06:26:44 -------- d-----w- c:\program files\common files\Doctor Web
    2012-05-18 06:26:14 -------- d-----w- c:\program files\DrWeb
    2012-05-18 06:26:14 -------- d-----w- c:\documents and settings\all users\application data\Doctor Web
    2012-05-13 19:36:55 -------- d-----w- C:\Ascot Hills Park
    2012-05-01 02:45:11 -------- d-----w- c:\documents and settings\rcboosted\application data\.purple
    2012-05-01 02:40:15 -------- d-----w- c:\program files\Pidgin
    2012-04-22 23:04:43 -------- d-----w- C:\Python27
    2012-04-22 21:58:56 -------- d-----w- c:\documents and settings\rcboosted\application data\Arduino
    .
    ==================== Find3M ====================
    .
    2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
    2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-03-18 20:52:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
    2012-02-21 07:12:15 72520 ----a-w- c:\windows\system32\drivers\ftser2k.sys
    2012-02-21 07:12:15 206144 ----a-w- c:\windows\system32\ftd2xx.dll
    2012-02-21 07:12:15 197952 ----a-w- c:\windows\system32\FTLang.dll
    .
    ============= FINISH: 19:06:05.95 ===============
     
  7. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/1/2010 12:40:45 AM
    System Uptime: 5/19/2012 12:37:48 PM (7 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P7P55D EVO
    Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz | LGA1156 | 2675/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 123.111 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 9.943 GiB free.
    E: is FIXED (NTFS) - 112 GiB total, 35.933 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    Z: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek PCIe GBE Family Controller
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_83A31043&REV_03\4&3B3118C8&0&00E7
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek PCIe GBE Family Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_83A31043&REV_03\4&3B3118C8&0&00E7
    Service: RTLE8023xp
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_820D1043&REV_10\4&34079B1D&0&20F0
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_820D1043&REV_10\4&34079B1D&0&20F0
    Service: RTL8023xp
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    ACDSee Classic
    ACDSee Pro 3
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Photoshop Lightroom 2.7
    Adobe Reader X (10.1.3)
    AI Suite
    ASUSUpdate
    Avidemux 2.5
    Bing Maps 3D
    Blender
    CamStudio
    Canon Camera Access Library
    Canon Camera Support Core Library
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MOV Decoder
    Canon MOV Encoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Codec
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 3.7
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities Original Data Security Tools
    Canon Utilities PhotoStitch
    Canon Utilities Picture Style Editor
    Canon Utilities RemoteCapture DC
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities WFT-E1/E2/E3/E4 Utility
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Castle Link
    CCleaner (remove only)
    CDDRV_Installer
    Cisco Systems VPN Client 5.0.02.0090
    Combined Community Codec Pack 2008-05-17
    CoreAVC Professional Edition
    CrystalDiskMark 3.0.1b
    DIRECTV Player
    DVR Client
    Dynamic-Photo HDR 4.5
    erLT
    Foxit Reader
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP USB Disk Storage Format Tool
    Intel(R) Solid-State Drive Toolbox
    Java Auto Updater
    Java(TM) 6 Update 27
    JMicron JMB36X Driver
    KhalInstallWrapper
    League of Legends
    LiveUpdate 2.0 (Symantec Corporation)
    Logitech SetPoint
    Malwarebytes Anti-Malware version 1.61.0.1400
    ManyCam 2.4 (remove only)
    MC-300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    MPlayer for Windows (Full Package)
    Nero 8 Micro 8.3.2.1b
    NewsLeecher v3.8 Final
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    OpenOffice.org 3.2
    OpenSCAD (remove only)
    Opera 11.64
    Pando Media Booster
    PDF Settings CS5
    PerfectDisk 2008 Professional
    Photomatix Pro version 3.2.7
    Pidgin
    Platform
    Pogoplug
    Python 2.6 pyserial-2.5
    Python 2.6.5
    Python 2.7 pyreadline-1.7.1
    Python 2.7 pyserial-2.5
    Python 2.7.2
    QuickPar 0.9
    R/C Data Recorder (BETA Version)
    ratDVD 0.78.1444
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    SAMSUNG USB Driver for Mobile Phones
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB2530548)
    Security Update for Windows Internet Explorer 7 (KB2559049)
    Security Update for Windows Internet Explorer 7 (KB2586448)
    Security Update for Windows Internet Explorer 7 (KB2618444)
    Security Update for Windows Internet Explorer 7 (KB2647516)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Spybot - Search & Destroy
    StarCraft II
    Symantec AntiVirus
    SyncBack
    Synology Assistant (remove only)
    The KMPlayer
    Unlocker 1.8.7
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA Platform Device Manager
    VLC media player 1.0.3
    Winamp
    Windows Internet Explorer 8
    Windows Live Mail
    Windows Live Messenger
    Windows Live Safety Scanner
    WinRAR archiver
    wxPython 2.8.12.0 (unicode) for Python 2.7
    x264vfw - H.264/MPEG-4 AVC codec (remove only)
    XML Paper Specification Shared Components Pack 1.0
    Your Uninstaller! 2008 Version 6.0
    ZScreen 3.27.0.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/18/2012 8:19:10 PM, error: Service Control Manager [7031] - The UsbClientService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 200 milliseconds: Restart the service.
    5/18/2012 8:15:01 PM, error: Service Control Manager [7034] - The WinTab Service service terminated unexpectedly. It has done this 1 time(s).
    5/18/2012 12:35:46 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
    5/18/2012 12:35:45 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:.
    5/18/2012 12:24:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/18/2012 12:24:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsIO AsUpIO DrWebWfp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SYMTDI Tcpip
    5/18/2012 12:24:01 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/18/2012 12:24:01 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/18/2012 12:24:00 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    5/17/2012 11:47:20 PM, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    5/17/2012 11:47:20 PM, error: Service Control Manager [7000] - The LBeepKE service failed to start due to the following error: A device attached to the system is not functioning.
    5/17/2012 11:47:20 PM, error: Service Control Manager [7000] - The helpsvc service failed to start due to the following error: The system cannot find the file specified.
    5/17/2012 11:39:40 PM, error: Service Control Manager [7034] - The DokanCEMounter service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't know what you put into Virus Total to have it bring up Dr. Web. You also just left bsp_06.exe which is not a proper entry. What was the path? So for now, we are going to ignore the Virustotal/Dr.Web, et al. findings and work with what I have you run.

    For the first part you need to run Error Checking (CHKDSK) on 2 of the drives per the following:
    5/18/2012 12:35:46 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
    5/18/2012 12:35:45 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:.

    It will be set at the C Drive, so you will need to run it twice- setting for E and then D.
    If you have not run the Error Check on these drives, it may take a while. Let it finish. The system will reboot when through.
    --------------------------------------
    Where to set Error Checking up
    You can do the Error Check from Command Prompt:
    Using the Command Prompt should have been this: Start> Run> type in cmd> type in Chkdsk /f/r followed by a reboot. Chkdsk will start in a few seconds

    Or Windows Explorer:
    Right click on Start> Explore> My Computer> Right click on Local Drive (usually C)> Properties> Tools> Error Check> check both boxes on the screen that comes up> Apply> Close the message and reboot for the Error Checking to start.

    The choices in Error Checking:
    1. CHKDSK or Error Check alone will only scan the current drive but will not fix errors on the disc or attempt to recover bad sectors. Using Start or Enter begins the process without a reboot.
    2. Volume: Specifies the drive letter other than the Local Drive (followed by a colon), mount point, or volume name. To have the checking use a different drive, the Command Chkdsk is followed by the drive letter, then a colon such as chkdsk volume E:
    3. File Errors can be found and fixed using the switch /F. The nag message that comes up can be closed and the system rebooted to start the checking.
    4. Recovery of readable information in bad sectors can be done by using the switch /R. This implies that the /F switch has also been used. Locates bad sectors and recovers readable information (implies /F). The nag message that comes up can be closed and the system rebooted to start the checking.

    (Please note: this is not meant to include all of the options available for Error Checking- just the appropriate options here)
    ================================================
    When you have completed checking both drives, please go on to the following:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.

    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===================================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==================================================
    Please tell me what is being done here: StartupFolder: c:\documents and settings\rcboosted\start menu\programs\startup\hosts.bat

    Please leave the Combofix and Eset scan logs in your next reply.
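Two of the questions above (what the path of bsp_06.exe was, since a bare file name cannot be vetted, and what the hosts.bat StartupFolder entry does) can be turned into a first-pass triage of the "Reg Loading Points" section of a ComboFix log. This is an added example, not code from the thread or from ComboFix; the sample lines are constructed in the log's format, and the user name, the "Updater" line with its Application Data path, and the flagging rules are assumptions.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread, not code from ComboFix or from the posters.
It pulls every auto-start entry out of the Run keys and Startup folders and
flags the ones a helper asks about first: entries with no full path (a bare
"bsp_06.exe" cannot be vetted because Windows resolves it by search order),
scripts or screen savers launched from a Startup folder (hosts.bat), and
executables under a per-user writable directory such as Application Data
(the DrWeb write-up cited later in the thread lists %APPDATA%\\bsp06.exe).
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "container name path date size")

# One Run key per block, values as  "Name"="path" [YYYY-MM-DD size]
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
REG_ENTRY_RE = re.compile(
    r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$')
# Startup folders: a directory line ending in "\", then  name [date size]
# or  name.lnk - target [date size]
FOLDER_RE = re.compile(r"^([a-z]:\\.*\\)$", re.IGNORECASE)
FOLDER_ENTRY_RE = re.compile(
    r"^(.+?)(?: - (.+?))?\s*\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")

# Extensions that should not normally auto-start from a Startup folder.
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".scr")
# Directories any user process can write to; legitimate updaters live here
# too (Google Update does), so this verdict means "ask about it", not "malware".
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\",
                         "\\temp\\", "\\recycler\\")

# Constructed sample in ComboFix's format, modelled on the log in this thread.
# The "Updater" line and the user name are made up to show the flagged case.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-03-01 66680]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Updater"="c:\documents and settings\user\Application Data\bsp_06.exe" [2012-05-18 40960]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
hosts.bat [2010-10-18 84]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-1-23 813584]
"""


def parse_loading_points(text):
    """Return the auto-start entries found in a ComboFix loading-points dump."""
    entries = []
    container = None  # ("key", registry key) or ("folder", directory)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            container = ("key", m.group(1))
            continue
        m = FOLDER_RE.match(line)
        if m:
            container = ("folder", m.group(1))
            continue
        if container is None:
            continue
        kind, where = container
        if kind == "key":
            m = REG_ENTRY_RE.match(line)
            if m:
                name, path, date, size = m.groups()
                entries.append(Entry(where, name, path, date, int(size)))
        else:
            m = FOLDER_ENTRY_RE.match(line)
            if m:
                name, target, date, size = m.groups()
                # A plain file in the folder runs from that folder itself.
                entries.append(Entry(where, name, target or where + name,
                                     date, int(size)))
    return entries


def classify(entry):
    """Verdict for one entry, most urgent first: NO_PATH, SCRIPT, USER_WRITABLE, OK."""
    path = entry.path.lower()
    if not re.match(r"^[a-z]:\\", path):
        return "NO_PATH"  # bare file name: location unknown, cannot be vetted
    if path.endswith(SCRIPT_EXTS):
        return "SCRIPT"
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "USER_WRITABLE"
    return "OK"


def triage(text):
    """Map each verdict to the names of the entries it applies to."""
    report = {"NO_PATH": [], "SCRIPT": [], "USER_WRITABLE": [], "OK": []}
    for entry in parse_loading_points(text):
        report[classify(entry)].append(entry.name)
    return report


if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_LOG).items():
        print(f"{verdict:14s} {', '.join(names) or '-'}")
```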
     
  9. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    D:\ and E:\ were checked last time when I ran combofix before posting here. But I checked again with surface scan etc. all checked. Here's combofix's log, running Eset right now...

    ComboFix 12-05-20.10 - rcboosted 05/20/2012 21:44:46.11.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2194 [GMT -7:00]
    Running from: c:\documents and settings\rcboosted\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-21 to 2012-05-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-19 19:42 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-19 05:50 . 2012-05-19 05:50 -------- d-sh--w- C:\DrWeb Quarantine
    2012-05-19 03:15 . 2012-05-19 03:15 -------- d-----w- C:\username123
    2012-05-18 06:27 . 2012-05-19 03:07 -------- d-----w- c:\documents and settings\rcboosted\Doctor Web
    2012-05-18 06:26 . 2012-05-18 06:26 -------- d-----w- c:\program files\Common Files\Doctor Web
    2012-05-18 06:26 . 2012-05-19 05:55 -------- d-----w- c:\program files\DrWeb
    2012-05-18 06:26 . 2012-05-19 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
    2012-05-13 19:36 . 2012-05-13 19:43 -------- d-----w- C:\Ascot Hills Park
    2012-05-01 02:45 . 2012-05-18 06:43 -------- d-----w- c:\documents and settings\rcboosted\Application Data\.purple
    2012-05-01 02:40 . 2012-05-01 02:40 -------- d-----w- c:\program files\Pidgin
    2012-04-22 23:04 . 2012-04-22 23:09 -------- d-----w- C:\Python27
    2012-04-22 21:58 . 2012-04-22 21:58 -------- d-----w- c:\documents and settings\rcboosted\Application Data\Arduino
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 13:14 . 2008-04-13 22:54 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2008-04-13 23:00 1862272 ----a-w- c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2008-04-13 19:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-03-18 20:52 . 2011-09-18 14:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-13 02:53 . 2012-03-13 02:53 63080 ----a-r- c:\documents and settings\rcboosted\Application Data\Microsoft\Installer\{5F3783B7-F809-45A7-8A92-A44B441FDA7C}\ARPPRODUCTICON.exe
    2012-03-01 11:01 . 2008-06-05 01:36 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2008-06-05 01:35 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2008-06-05 01:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2008-06-05 01:35 385024 ------w- c:\windows\system32\html.iec
    2012-02-21 07:12 . 2012-02-21 07:12 72520 ----a-w- c:\windows\system32\drivers\ftser2k.sys
    2012-02-21 07:12 . 2012-02-21 07:12 206144 ----a-w- c:\windows\system32\ftd2xx.dll
    2012-02-21 07:12 . 2012-02-21 07:12 197952 ----a-w- c:\windows\system32\FTLang.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
    "Pogoplug"="c:\program files\Pogoplug\PogoplugMonitor.exe" [2012-01-31 234304]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-01-01 33636352]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "ASUS Update Checker"="c:\program files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe" [2008-12-11 114688]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-03-01 66680]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
    "QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-08-20 603136]
    "Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2009-08-21 887936]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" [2010-02-06 254376]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "WTClient"="WTClient.exe" [2009-10-30 32768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2009-03-08 128512]
    .
    c:\documents and settings\rcboosted\Start Menu\Programs\Startup\
    hosts.bat [2010-10-18 84]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-1-23 813584]
    VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2010-11-14 6144]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Pogoplug\\HBPLUG\\HBPLUG.EXE"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57221:TCP"= 57221:TCP:pando Media Booster
    "57221:UDP"= 57221:UDP:pando Media Booster
    "8378:TCP"= 8378:TCP:League of Legends Launcher
    "8378:UDP"= 8378:UDP:League of Legends Launcher
    "8379:TCP"= 8379:TCP:League of Legends Launcher
    "8379:UDP"= 8379:UDP:League of Legends Launcher
    .
    R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [1/1/2010 2:44 AM 11448]
    R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [1/1/2010 4:36 PM 90112]
    R2 DokanCEDriver;DokanCEDriver;c:\program files\Pogoplug\dokance.sys [1/30/2012 6:04 PM 54592]
    R2 HBAdmin;HBAdmin;c:\program files\Pogoplug\HBPLUG\hbadmin.exe [1/30/2012 6:04 PM 738112]
    R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [4/16/2008 2:00 PM 689416]
    R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [2/17/2011 11:18 PM 245760]
    R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2/17/2011 11:20 PM 46304]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/1/2010 2:18 AM 1381632]
    R3 xcetap0;XCETAP0 Adapter;c:\windows\system32\drivers\xcetap0.sys [11/3/2011 11:19 AM 34624]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2010 11:35 PM 10384]
    S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [11/13/2010 12:04 AM 30312]
    S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [4/16/2008 2:00 PM 894216]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 4:18 PM 169192]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/13/2010 12:04 AM 96488]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/13/2010 12:04 AM 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/13/2010 12:04 AM 121576]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002Core.job
    - c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
    .
    2012-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002UA.job
    - c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: Interfaces\{B4309C5F-C7E9-4B11-A357-B2031DEF8307}: NameServer = 192.168.1.1
    DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-20 21:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1532)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    - - - - - - - > 'explorer.exe'(2968)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    Completion time: 2012-05-20 21:50:13
    ComboFix-quarantined-files.txt 2012-05-21 04:50
    ComboFix2.txt 2012-05-19 07:11
    .
    Pre-Run: 131,721,080,832 bytes free
    Post-Run: 131,701,743,616 bytes free
    .
    - - End Of File - - ACD3BA2999E274B2959770000898D2B4
     
  10. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Oh btw, the bsp_06.exe was what I saw running during start up, I don't have the path. The actual screen saver was scanned by virustotal as a trojan. It was listed as Trojan.DownLoader5.3395 by DrWeb.

    Just a FYI, this is what DrWeb says about it.

    Edit: Unrequested Dr. Web log deleted by Bobbye
     
  11. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Result of the ESETScan. The Android stuff is my root kit for the phone.

    C:\Android\one.click.root.exploitv2.4.0.zip Android/Exploit.RageCage.A trojan
    C:\Android\one.click.root.exploitv2.5.5.zip Android/Exploit.RageCage.A trojan
    C:\Android\em\OneClickRootCWM3.0.2.5-EC05.zip Android/Exploit.RageCage.A trojan
    C:\Android\Epic uSD backup 2.22.2011\download\one.click.clockworkmod2.5.1.0-flasher-fixed.zip Android/Exploit.RageCage.A trojan
    C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\A0000121.exe a variant of Win32/Injector.FUH trojan
    C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\Stargate SG 1 Atlantis Mega Pack rar [ttf,cur,jpg gif,wsz,wal exe].exe a variant of Win32/Injector.FUH trojan


    =======================

    regarding StartupFolder: c:\documents and settings\rcboosted\start menu\programs\startup\hosts.bat

    I had some legit programs that made changes to my hosts file, but I have custom hosts I put in manually, so I made a separate copy and used that batch file to copy over the current one on start up. It's harmless and it is done by me.

    Also, note that the original screen saver trojan file is still on the HD, neither combofix nor ESETScan found it as a threat.

    I'm also noticing some new spam emails I have not seen before this happened in my yahoo mail boxes. (2 accounts)
     
     
  12. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Any updates? :) I hope my PC isn't beyond repair.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- I have not been well and I'm very far behind.

    I can only find 1 English-speaking, safe site that identifies this entry as malware: %APPDATA%\bsp06.exe. This is a file created by the malware.
    You also did not give me the path of the file. Where it is located can make the difference between a legitimate file and malware.
    http://www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader3.61672.html

    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files
      C:\Android\one.click.root.exploitv2.4.0.zip 
      C:\Android\one.click.root.exploitv2.5.5.zip 
      C:\Android\em\OneClickRootCWM3.0.2.5-EC05.zip 
      C:\Android\Epic uSD backup 2.22.2011\download\one.click.clockworkmod2.5.1.0-flasher-fixed.zip 
      C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\A0000121.exe 
      C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\Stargate SG 1 Atlantis Mega Pack rar [ttf,cur,jpg gif,wsz,wal exe].exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    --------------------------------------
    It looks like the files above have already been handled by Dr. Web. Please contact Google regarding patches for their Android. There are quite a few of them.

    I need specifics.
    =====================================================
    2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    Actually, Mbam and Dr.Web were still on the system.
    =====================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    C:\DrWeb Quarantine
    C:\username123
    c:\documents and settings\rcboosted\Doctor Web
    c:\program files\Common Files\Doctor Web
    c:\program files\DrWeb
    c:\documents and settings\All Users\Application Data\Doctor Web 
    c:\documents and settings\rcboosted\Application Data\.purple
    c:\documents and settings\rcboosted\Application Data\Arduino
    DDS::
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    =====================================================
    These are all directories that you set up?
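Bobbye's point above, that where a file is located can decide between a legitimate file and malware, can be turned into a first-pass filter over the "Reg Loading Points" section of a ComboFix log. The script below is an added example, not part of the thread and not code from ComboFix or any other tool named in it. It parses the `"Name"="target" [date size]` lines, classifies each target by location (bare file name resolved through the PATH search order, user-writable profile directory, or system directory) and flags files dated on or after a day you supply, such as the day the bad file was run. The location markers are an XP-layout heuristic and an assumption; in the sample, the first four entries are copied from the ComboFix log posted later in this thread and the "Helper" and "Cleanup" entries are constructed.

```python
"""
Triage of autostart entries from a ComboFix-style "Reg Loading Points"
listing: rank Run-key targets by where the file lives and how new it is.
"""
import re
from datetime import date

# One listing line: "Name"="target" [YYYY-MM-DD size]. The bracketed part
# is absent when ComboFix could not find the file.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"'
    r'(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?\s*$'
)

# Assumed heuristic: path fragments an ordinary user can write to on an
# XP profile layout. A Run-key target under one of these is examined first.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\users\\",
)
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def classify_path(target):
    """Return 'unqualified', 'user-writable', 'system' or 'other'."""
    t = target.lower().replace("/", "\\")
    if "\\" not in t:
        # Bare file name: resolved through the PATH search order at logon,
        # so a same-named file planted earlier in that order runs instead.
        return "unqualified"
    if any(m in t for m in USER_WRITABLE_MARKERS):
        return "user-writable"
    if t.startswith(SYSTEM_PREFIXES):
        return "system"
    return "other"


def parse_entries(listing):
    """Parse every "Name"="target" line; key headers and blanks are skipped."""
    entries = []
    for raw in listing.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "name": m["name"],
            "target": m["target"],
            "date": date.fromisoformat(m["date"]) if m["date"] else None,
            "size": int(m["size"]) if m["size"] else None,
            "location": classify_path(m["target"]),
        })
    return entries


def triage(listing, since=None):
    """Entries worth a closer look, each with reason tags: 'user-writable',
    'unqualified', and 'recent' (file dated on or after `since`, given as a
    date or an ISO string)."""
    if isinstance(since, str):
        since = date.fromisoformat(since)
    flagged = []
    for e in parse_entries(listing):
        reasons = []
        if e["location"] in ("user-writable", "unqualified"):
            reasons.append(e["location"])
        if since and e["date"] and e["date"] >= since:
            reasons.append("recent")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


# Constructed sample: first four lines copied from the thread's ComboFix
# log, "Helper" and "Cleanup" made up to show the user-writable cases.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WTClient"="WTClient.exe" [2009-10-30 32768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Helper"="c:\documents and settings\user\Application Data\helper.exe" [2012-05-18 61440]
"Cleanup"="c:\documents and settings\user\Local Settings\Temp\cleanup.exe" [2012-05-19 24576]
'''

if __name__ == "__main__":
    for e in triage(SAMPLE, since="2012-05-15"):
        print(f"{', '.join(e['reasons']):24} {e['name']!r} -> {e['target']}")
```

The output is a worklist, not a verdict: a flagged entry still needs the file's hash looked up and its signature or publisher checked, and a "system" location only means the file is not in the most obvious place for a dropped payload.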
     
  14. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Hope you're feeling better.

    I will run these when I get home. However, the Android files should not be a threat. They were flagged as a threat, I think, because they use exploits on the mobile phone to root it. The following are what I'm referring to; can I omit them from OTMoveIt3?

    C:\Android\one.click.root.exploitv2.4.0.zip
    C:\Android\one.click.root.exploitv2.5.5.zip
    C:\Android\em\OneClickRootCWM3.0.2.5-EC05.zip
    C:\Android\Epic uSD backup 2.22.2011\download\one.click.clockworkmod2.5.1.0-fl

    =========================================

    regarding:

    Before I posted here, I did the following:

    So I ran the screen saver file from my download directory. It had a strange name with a fake .jpg extension. After it ran, it started to install things in the background. I then went to virustotal.com to scan that screen saver file, which reported it as a trojan by Dr.Web, the one I posted the specifics of before (now removed). After my own efforts to remove it with CureIt and DrWeb and ComboFix (named username123.exe from a previous download), upon reboot I saw command prompts come up executing bsp_06.exe. I do not have the location of the file or where it executed from. As suggested by DrWeb, I then ran cureit.exe under safe mode, which seems to have removed bsp_06.exe; at least upon reboot, no command prompt came up executing bsp_06.exe.

    Since then I have not seen bsp_06.exe. The original screen saver file is still sitting in my download directory. I hope this clears things up a bit.

    =========================================


    regarding combofix.exe, the following are installed by me and are still in use:

    c:\documents and settings\rcboosted\Application Data\.purple
    c:\documents and settings\rcboosted\Application Data\Arduino

    Is ComboFix.exe just going to scan them? It won't remove them, I hope.


    =========================================

    All three of those directories were set up by me: Ascot Hills Park, Pidgin, and Python27.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Do not run this script if these are valid processes being used:


    They are set to be removed.
     
  16. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    OTMoveit. I removed the entries for Android files.


    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\A0000121.exe moved successfully.
    File/Folder C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\Stargate SG 1 Atlantis Mega Pack rar [ttf,cur,jpg gif,wsz,wal exe].exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Opera cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: rcboosted
    ->Temp folder emptied: 1621816 bytes
    ->Temporary Internet Files folder emptied: 7653373 bytes
    ->Java cache emptied: 2177852 bytes
    ->Google Chrome cache emptied: 304483661 bytes
    ->Opera cache emptied: 22561099 bytes
    ->Flash cache emptied: 3511717 bytes

    User: LocalService
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 270336 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 326.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 05252012_211742

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  17. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    ComboFix. I removed the entries for .purple and Arduino.


    ComboFix 12-05-26.01 - rcboosted 05/25/2012 21:33:09.12.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2090 [GMT -7:00]
    Running from: c:\documents and settings\rcboosted\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\rcboosted\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Doctor Web
    c:\documents and settings\All Users\Application Data\Doctor Web\Logs\dwservice.log
    c:\documents and settings\All Users\Application Data\Doctor Web\Logs\dwupdater.log
    c:\documents and settings\All Users\Application Data\Doctor Web\Logs\netfilter.log
    c:\documents and settings\All Users\Application Data\Doctor Web\Logs\spiderg3.log
    c:\documents and settings\rcboosted\Doctor Web
    c:\documents and settings\rcboosted\Doctor Web\dwscanner(3492).log
    c:\documents and settings\rcboosted\Doctor Web\dwscanner(3992).log
    c:\documents and settings\rcboosted\Doctor Web\dwscanner.log
    C:\DrWeb Quarantine
    c:\program files\Common Files\Doctor Web
    c:\program files\DrWeb
    c:\program files\DrWeb\drweboem.key
    C:\username123
    c:\username123\023.dat
    c:\username123\023v.dat
    c:\username123\023w7.dat
    c:\username123\AppDataFile.cfx
    c:\username123\AppDataFolder.cfx
    c:\username123\appinit.bad
    c:\username123\asp.str
    c:\username123\Assoc.cmd
    c:\username123\ATTRIB.cfxxe
    c:\username123\Auto-RC.cmd
    c:\username123\av.cmd
    c:\username123\av.vbs
    c:\username123\AWF.cmd
    c:\username123\badclsid.c
    c:\username123\Boot-Rk.cmd
    c:\username123\Boot.bat
    c:\username123\BootDrv.vbs
    c:\username123\c.bat
    c:\username123\c.mrk
    c:\username123\Catch-sub.cmd
    c:\username123\catchme.cfxxe
    c:\username123\CCS.bat
    c:\username123\CF-Script.cmd
    c:\username123\CF25060.cfxxe
    c:\username123\CFVersionOld
    c:\username123\CHCP.bat
    c:\username123\clsid.c
    c:\username123\Combobatch.bat
    c:\username123\ComboFix-Download.cfxxe
    c:\username123\Create.cmd
    c:\username123\Creg.dat
    c:\username123\CregC.cmd
    c:\username123\CregC.dat
    c:\username123\CSCRIPT.cfxxe
    c:\username123\CSet.cmd
    c:\username123\dd.cfxxe
    c:\username123\ddsDo.sed
    c:\username123\DelClsid.bat
    c:\username123\DelClsid64.bat
    c:\username123\desktop.ini
    c:\username123\DesktopFile.cfx
    c:\username123\DPF.str
    c:\username123\DrvRun.vbs
    c:\username123\dumphive.cfxxe
    c:\username123\embedded.sed
    c:\username123\ERDNT.e_e
    c:\username123\ERDNTDOS.LOC
    c:\username123\ERDNTWIN.LOC
    c:\username123\ERUNT.cfxxe
    c:\username123\erunt.dat
    c:\username123\ERUNT.LOC
    c:\username123\Exe.reg
    c:\username123\extract.cfxxe
    c:\username123\FavoriteFolder.cfx
    c:\username123\FavoritesFile.cfx
    c:\username123\FD-SV.cmd
    c:\username123\ffdefstr.dll
    c:\username123\FileKill.cfxxe
    c:\username123\files.pif
    c:\username123\Fin.dat
    c:\username123\FIND3M.bat
    c:\username123\FIXLSP.bat
    c:\username123\FKMGen.cmd
    c:\username123\ForeignWht
    c:\username123\GetHive.cmd
    c:\username123\grep.cfxxe
    c:\username123\gsar.cfxxe
    c:\username123\handle.cfxxe
    c:\username123\HDPEInfo.cfxxe
    c:\username123\hidec.exe
    c:\username123\history.bat
    c:\username123\hwid.pif
    c:\username123\iexplore.exe
    c:\username123\image001.gif
    c:\username123\Imefile.dat
    c:\username123\Install-RC.cmd
    c:\username123\katch.cmd
    c:\username123\Kill-All.cmd
    c:\username123\kmd.dat
    c:\username123\Lang.bat
    c:\username123\List-B.bat
    c:\username123\List-C.bat
    c:\username123\List-D.bat
    c:\username123\List.bat
    c:\username123\lnkread.vbs
    c:\username123\LocalAppDataFile.cfx
    c:\username123\LocalAppDataFolder.cfx
    c:\username123\LocalService.dat
    c:\username123\LocalServiceNetworkRestricted.dat
    c:\username123\LocalSettingsFile.cfx
    c:\username123\LocalSystemNetworkRestricted.dat
    c:\username123\mbr.cfxxe
    c:\username123\mbr.chk
    c:\username123\md5sum.pif
    c:\username123\Mirrors
    c:\username123\MoveIt.bat
    c:\username123\mtee.cfxxe
    c:\username123\MtPt00
    c:\username123\mynul.dat
    c:\username123\N_\13819
    c:\username123\N_\14250
    c:\username123\N_\18566
    c:\username123\N_\21789
    c:\username123\N_\2346
    c:\username123\N_\24425
    c:\username123\N_\25199
    c:\username123\N_\27146
    c:\username123\N_\27388
    c:\username123\N_\29293
    c:\username123\N_\2991
    c:\username123\N_\30182
    c:\username123\N_\3341
    c:\username123\N_\3579
    c:\username123\N_\3785
    c:\username123\N_\3921
    c:\username123\N_\6935
    c:\username123\N_\8257
    c:\username123\N_\9689
    c:\username123\N_\pingtest
    c:\username123\ncmd.com
    c:\username123\ND_.bat
    c:\username123\ND_64.bat
    c:\username123\ndis_combofix.dat
    c:\username123\netsvc.bad.dat
    c:\username123\netsvc.dat
    c:\username123\netsvc.vista.dat
    c:\username123\netsvc.xp.dat
    c:\username123\NetworkService.dat
    c:\username123\NirCmd.cfxxe
    c:\username123\NircmdB.exe
    c:\username123\NirCmdC.cfxxe
    c:\username123\NIRKMD.cfxxe
    c:\username123\NlsLanguageDefault
    c:\username123\NT-OS.cmd
    c:\username123\NULL
    c:\username123\OSid.vbs
    c:\username123\OsVer
    c:\username123\pausep.cfxxe
    c:\username123\PersonalFile.cfx
    c:\username123\PersonalFolder.cfx
    c:\username123\PEV.cfxxe
    c:\username123\pev.exe
    c:\username123\pevb.cfxxe
    c:\username123\PING.cfxxe
    c:\username123\Policies.dat
    c:\username123\powp.dat
    c:\username123\Prep.inf
    c:\username123\ProfilesFile.cfx
    c:\username123\ProfilesFolder.cfx
    c:\username123\ProgramsFile.cfx
    c:\username123\ProgramsFolder.cfx
    c:\username123\Purity.dat
    c:\username123\PV.cfxxe
    c:\username123\pv.com
    c:\username123\RCLink.dat
    c:\username123\REGDACL.sed
    c:\username123\RegDo.sed
    c:\username123\region.dat
    c:\username123\RegScan.cmd
    c:\username123\RegScan64.cmd
    c:\username123\Resident.txt
    c:\username123\restore_pt.vbs
    c:\username123\Rkey.cmd
    c:\username123\rmbr.cfxxe
    c:\username123\rogues.dat
    c:\username123\ROUTE.cfxxe
    c:\username123\run2.sed
    c:\username123\Rust.str
    c:\username123\s0rt.cfxxe
    c:\username123\safeboot.dat
    c:\username123\safeboot.def.dat
    c:\username123\safeboot.def.vista.dat
    c:\username123\Safeboot.def.w7.dat
    c:\username123\sed.cfxxe
    c:\username123\SetEnvmt.bat
    c:\username123\setpath.cfxxe
    c:\username123\SF.exe
    c:\username123\sfx.cmd
    c:\username123\SnapShot.cmd
    c:\username123\SRestore.cmd
    c:\username123\srizbi.md5
    c:\username123\Start_dat
    c:\username123\StartMenuFile.cfx
    c:\username123\StartMenuFolder.cfx
    c:\username123\StartUpFile.cfx
    c:\username123\SuppScan.cmd
    c:\username123\svc_wht.dat
    c:\username123\SvcDrv.vbs
    c:\username123\svchost.dat
    c:\username123\svchost.vista.dat
    c:\username123\svchost.vista.x64.dat
    c:\username123\svchost.w7.dat
    c:\username123\svchost.w7.x64.dat
    c:\username123\SWREG.cfxxe
    c:\username123\swreg.exe
    c:\username123\swsc.cfxxe
    c:\username123\swxcacls.cfxxe
    c:\username123\system_ini.dat
    c:\username123\tail.cfxxe
    c:\username123\TemplatesFile.cfx
    c:\username123\TemplatesFolder.cfx
    c:\username123\toolbar.sed
    c:\username123\Update-CF.cmd
    c:\username123\VerCF.bat
    c:\username123\version.txt
    c:\username123\VikPev00
    c:\username123\VInfo
    c:\username123\VInfo2
    c:\username123\Vipev.dat
    c:\username123\vistaMcode.dat
    c:\username123\vistareg.dat
    c:\username123\vun.dat
    c:\username123\VwinTemp.dacl
    c:\username123\w_sock.dll
    c:\username123\w2k_sock.dll
    c:\username123\w2kreg.dat
    c:\username123\w7Mcode.dat
    c:\username123\w7reg.dat
    c:\username123\Wmi_rem.vbs
    c:\username123\XP.mac
    c:\username123\xpmcode.dat
    c:\username123\xpreg.dat
    c:\username123\XPSBoot.reg
    c:\username123\zDomain.dat
    c:\username123\zhsvc.dat
    c:\username123\zip.cfxxe
    .
    c:\windows\system32\Drivers\Volsnap.sys . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-26 04:17 . 2012-05-26 04:17 -------- d-----w- C:\_OTM
    2012-05-21 04:56 . 2012-05-21 04:56 -------- d-----w- c:\program files\ESET
    2012-05-19 19:42 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-13 19:36 . 2012-05-13 19:43 -------- d-----w- C:\Ascot Hills Park
    2012-05-01 02:45 . 2012-05-18 06:43 -------- d-----w- c:\documents and settings\rcboosted\Application Data\.purple
    2012-05-01 02:40 . 2012-05-01 02:40 -------- d-----w- c:\program files\Pidgin
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 13:14 . 2008-04-13 22:54 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 13:12 . 2008-04-13 23:00 1862272 ----a-w- c:\windows\system32\win32k.sys
    2012-04-11 12:35 . 2008-04-13 19:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-03-18 20:52 . 2011-09-18 14:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-13 02:53 . 2012-03-13 02:53 63080 ----a-r- c:\documents and settings\rcboosted\Application Data\Microsoft\Installer\{5F3783B7-F809-45A7-8A92-A44B441FDA7C}\ARPPRODUCTICON.exe
    2012-03-01 11:01 . 2008-06-05 01:36 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2008-06-05 01:35 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2008-06-05 01:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2008-06-05 01:35 385024 ------w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-05-21_04.49.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-05-26 04:20 . 2012-05-26 04:20 16384 c:\windows\Temp\Perflib_Perfdata_6ac.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
    "Pogoplug"="c:\program files\Pogoplug\PogoplugMonitor.exe" [2012-01-31 234304]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-01-01 33636352]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "ASUS Update Checker"="c:\program files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe" [2008-12-11 114688]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-03-01 66680]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
    "QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-08-20 603136]
    "Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2009-08-21 887936]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" [2010-02-06 254376]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "WTClient"="WTClient.exe" [2009-10-30 32768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2009-03-08 128512]
    .
    c:\documents and settings\rcboosted\Start Menu\Programs\Startup\
    hosts.bat [2010-10-18 84]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-1-23 813584]
    VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2010-11-14 6144]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Pogoplug\\HBPLUG\\HBPLUG.EXE"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57221:TCP"= 57221:TCP:pando Media Booster
    "57221:UDP"= 57221:UDP:pando Media Booster
    "8378:TCP"= 8378:TCP:League of Legends Launcher
    "8378:UDP"= 8378:UDP:League of Legends Launcher
    "8379:TCP"= 8379:TCP:League of Legends Launcher
    "8379:UDP"= 8379:UDP:League of Legends Launcher
    .
    R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [1/1/2010 2:44 AM 11448]
    R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [1/1/2010 4:36 PM 90112]
    R2 DokanCEDriver;DokanCEDriver;c:\program files\Pogoplug\dokance.sys [1/30/2012 6:04 PM 54592]
    R2 HBAdmin;HBAdmin;c:\program files\Pogoplug\HBPLUG\hbadmin.exe [1/30/2012 6:04 PM 738112]
    R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [4/16/2008 2:00 PM 689416]
    R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [2/17/2011 11:18 PM 245760]
    R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2/17/2011 11:20 PM 46304]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/1/2010 2:18 AM 1381632]
    R3 xcetap0;XCETAP0 Adapter;c:\windows\system32\drivers\xcetap0.sys [11/3/2011 11:19 AM 34624]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2010 11:35 PM 10384]
    S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [11/13/2010 12:04 AM 30312]
    S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [4/16/2008 2:00 PM 894216]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 4:18 PM 169192]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/13/2010 12:04 AM 96488]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/13/2010 12:04 AM 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/13/2010 12:04 AM 121576]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002Core.job
    - c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
    .
    2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002UA.job
    - c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: Interfaces\{B4309C5F-C7E9-4B11-A357-B2031DEF8307}: NameServer = 192.168.1.1
    DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-25 21:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1956)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    Completion time: 2012-05-25 21:39:04
    ComboFix-quarantined-files.txt 2012-05-26 04:39
    ComboFix2.txt 2012-05-21 04:50
    ComboFix3.txt 2012-05-19 07:11
    .
    Pre-Run: 131,561,881,600 bytes free
    Post-Run: 131,534,647,296 bytes free
    .
    - - End Of File - - 37B542F6CE8F2A14E2540EF8C4CDC574
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      Volsnap.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  19. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    SystemLook 30.07.11 by jpshortstuff
    Log created at 13:26 on 26/05/2012 by rcboosted
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "Volsnap.*"
    No files found.

    -= EOF =-
     
  20. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    When I scan the screen saver file on virustotal.com now, there are quite a few (12) more hits now than before when it was just Dr.Web.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    From virustotal >> Copy the entry, save the log and paste it in your next reply.

    Have you considered just removing the screen saver?
     
  22. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    Thanks for the reply. It's not an actual screen saver, though. I kept it so I could run it against virustotal for scans; I've since removed the file itself. Here's what virustotal had to say about it; it's a bit hard to read.

    SHA256: c53565c4775af3cb9232122e3c8524486b4cba6913c5899c95985b539522d6d7
    SHA1: 7a6943756bde75ada1db8c71f8a054324802d920
    MD5: efe11c369e70f1534e579aed74057bca
    File size: 801.5 KB ( 820736 bytes )
    File name: IMG_001 By gpj.SCR
    File type: Win32 EXE
    Detection ratio: 12 / 41
    Analysis date: 2012-05-27 07:09:36 UTC ( 1 day, 12 hours ago )


    Antivirus   Result   Update
    AntiVir TR/Jorik.Shakblades.gdw 20120526
    Antiy-AVL - 20120527
    Avast Win32:Malware-gen 20120526
    AVG - 20120527
    BitDefender - 20120527
    ByteHero - 20120522
    CAT-QuickHeal - 20120526
    ClamAV - 20120526
    Commtouch - 20120526
    Comodo - 20120527
    DrWeb Trojan.DownLoader5.3395 20120527
    Emsisoft - 20120527
    eSafe - 20120524
    F-Prot - 20120526
    F-Secure - 20120527
    Fortinet W32/Jorik_Shakblades.GDW!tr 20120527
    GData Win32:Malware-gen 20120527
    Ikarus - 20120527
    Jiangmin - 20120527
    K7AntiVirus - 20120525
    Kaspersky Trojan.Win32.Jorik.Shakblades.gdw 20120527
    McAfee - 20120527
    McAfee-GW-Edition - 20120527
    Microsoft - 20120527
    NOD32 - 20120526
    Norman - 20120526
    nProtect - 20120526
    Panda - 20120526
    PCTools - 20120522
    Rising - 20120524
    Sophos Mal/Generic-L 20120527
    SUPERAntiSpyware - 20120526
    Symantec Trojan.Gen 20120527
    TheHacker - 20120526
    TotalDefense - 20120525
    TrendMicro TROJ_GEN.R47C8EQ 20120527
    TrendMicro-HouseCall TROJ_GEN.R47C8EQ 20120526
    VBA32 Trojan.Jorik.Shakblades.gdw 20120525
    VIPRE Trojan.Win32.Generic!BT 20120527
    ViRobot - 20120526
    VirusBuster - 20120525
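    The report above is a VirusTotal result flattened into plain text: a header block (hashes, size, name, type, detection ratio, date) followed by one "vendor result update" row per engine, with "-" where an engine reported nothing. The Python below is an added example, not code from this thread or from VirusTotal, that parses that layout, recomputes the 12 / 41 ratio from the rows, checks that the hashes have the right length, and flags the .SCR extension as one Windows runs as a program (which is why a "picture" named this way is dangerous). The report text is copied from the post above into the REPORT string; the function names and the EXECUTABLE_EXTENSIONS set are the example's own choices.

```python
import re
# Constructed sample input: the VirusTotal result pasted in the post above, copied into a string.
REPORT = """\
SHA256: c53565c4775af3cb9232122e3c8524486b4cba6913c5899c95985b539522d6d7
SHA1: 7a6943756bde75ada1db8c71f8a054324802d920
MD5: efe11c369e70f1534e579aed74057bca
File size: 801.5 KB ( 820736 bytes )
File name: IMG_001 By gpj.SCR
File type: Win32 EXE
Detection ratio: 12 / 41
Analysis date: 2012-05-27 07:09:36 UTC ( 1 day, 12 hours ago )
Antivirus Result Update
AntiVir TR/Jorik.Shakblades.gdw 20120526
Antiy-AVL - 20120527
Avast Win32:Malware-gen 20120526
AVG - 20120527
BitDefender - 20120527
ByteHero - 20120522
CAT-QuickHeal - 20120526
ClamAV - 20120526
Commtouch - 20120526
Comodo - 20120527
DrWeb Trojan.DownLoader5.3395 20120527
Emsisoft - 20120527
eSafe - 20120524
F-Prot - 20120526
F-Secure - 20120527
Fortinet W32/Jorik_Shakblades.GDW!tr 20120527
GData Win32:Malware-gen 20120527
Ikarus - 20120527
Jiangmin - 20120527
K7AntiVirus - 20120525
Kaspersky Trojan.Win32.Jorik.Shakblades.gdw 20120527
McAfee - 20120527
McAfee-GW-Edition - 20120527
Microsoft - 20120527
NOD32 - 20120526
Norman - 20120526
nProtect - 20120526
Panda - 20120526
PCTools - 20120522
Rising - 20120524
Sophos Mal/Generic-L 20120527
SUPERAntiSpyware - 20120526
Symantec Trojan.Gen 20120527
TheHacker - 20120526
TotalDefense - 20120525
TrendMicro TROJ_GEN.R47C8EQ 20120527
TrendMicro-HouseCall TROJ_GEN.R47C8EQ 20120526
VBA32 Trojan.Jorik.Shakblades.gdw 20120525
VIPRE Trojan.Win32.Generic!BT 20120527
ViRobot - 20120526
VirusBuster - 20120525
"""

HEADER_RE = re.compile(r"^([A-Za-z0-9 ]+):\s*(.+)$")                # "Field: value"
ROW_RE = re.compile(r"^(\S+)\s+(.*?)\s*(\d{8})$")                   # vendor, result or "-", YYYYMMDD
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}  # assumed list of directly runnable types

def parse_report(text):
    """Split a pasted report into header fields and (vendor, result, update) rows."""
    header, rows, in_table = {}, [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Antivirus Result Update"):
            in_table = True  # everything after this line is the per-engine table
        elif in_table:
            m = ROW_RE.match(line)
            if not m:
                raise ValueError("unparseable engine row: %r" % line)
            rows.append((m[1], None if m[2] == "-" else m[2], m[3]))
        else:
            m = HEADER_RE.match(line)
            if m:
                header[m[1]] = m[2]
    return header, rows

def detections(rows):
    """Vendor -> detection name for the engines that flagged the file."""
    return {vendor: result for vendor, result, _ in rows if result}

def verify_report(header, rows):
    """Cross-check the summary fields against the table; return a list of findings."""
    findings = []
    ratio = re.match(r"(\d+)\s*/\s*(\d+)", header.get("Detection ratio", ""))
    if not ratio or (int(ratio[1]), int(ratio[2])) != (len(detections(rows)), len(rows)):
        findings.append("detection ratio does not match engine table")
    for name, length in (("SHA256", 64), ("SHA1", 40), ("MD5", 32)):
        if not re.fullmatch(r"[0-9a-f]{%d}" % length, header.get(name, "")):
            findings.append("%s is not a %d-hex-digit digest" % (name, length))
    return findings

def is_executable_extension(filename):
    """True when Windows would run the file as a program (.SCR is a PE just like .EXE)."""
    return filename.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS

if __name__ == "__main__":
    header, rows = parse_report(REPORT)
    print("%d/%d engines flagged %r" % (len(detections(rows)), len(rows), header["File name"]))
    print("findings:", verify_report(header, rows) or "none", "| runnable:", is_executable_extension(header["File name"]))
```

    Run as-is, the script reports 12/41 engines, no consistency findings, and confirms that "IMG_001 By gpj.SCR" is a runnable type despite the image-like name. The same parser works on any report pasted in this layout; if a row does not fit the three-column shape it raises rather than silently miscounting.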
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm lost! You want to remove a screen saver that isn't actually a screen saver! Only Dr. Web finds this malware which was removed.

    You are using all of the files I can't identify.

    Please clarify just what it is you need my help with.
     
  24. rcboosted

    rcboosted TS Rookie Topic Starter Posts: 39

    I guess the thread got a bit convoluted; I apologize. So it all started with the file I downloaded and ran. It installed something in the background, which included bsp_06.exe popping up in 3 command prompts during start up. I scanned the file with virustotal and it identified the file as a trojan. My early efforts to clean it with cureit and Combofix seem to have failed, but with your help, I think most of the offending files, processes and registry entries were cleaned. But I don't know if my PC is trojan-free or not.

    Usually these cleaning threads come with a "Mr. Clean" seal of approval of the PC being free of infection. :) I just don't know if we're there or not. Also, I noticed I got new spam emails in 2 of my yahoo email accounts since the infection; I don't know if they're related or not. I don't know if this trojan was responsible (i.e. stole my password? logged my keys? etc.). What did it do to my system? Anything I need to worry about, and what should I do now as a clean up effort?
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The file name you give: IMG_001 By gpj.SCR is porn.

    This thread is closed.
     
Topic Status:
Not open for further replies.
