Explorer.exe also infected by Win32:Bamital-AC

Inactive
By jcliu0
Oct 5, 2010
Topic Status: Not open for further replies.
  1. OK, after reading a lot I found many people were able to fix it (because they were using a 32-bit system).
    When I tried to follow what they did I was stopped by using a 64-bit system,
    so now I am posting to ask what I can do.
    Now, so that it's easier to read the logs,
    I am going to make a small index:

    1.10000 DDS.txt log
    1.20000 attach.txt log
    1.30000 MBAM scan log

    1.10000
    my DDS.txt log
    DDS (Ver_10-03-17.01) - NTFSX64
    Run by Archer at 17:06:52.80 on 05/10/2010 Tue
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows 7 Ultimate 6.1.7600.0.950.886.1033.18.4095.2304 [GMT 10:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
    C:\Program Files\ATKGFNEX\GFNEXSrv.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
    C:\Program Files\Wireless Console 2\wcourier.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\RocketDock\RocketDock.exe
    C:\Program Files (x86)\HideWindowPlus\HWinPlus.exe
    C:\Users\Archer\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Steam\Steam.exe
    C:\Users\Archer\AppData\Roaming\fbx.exe
    C:\Program Files (x86)\BayGenie\ProEdition\BayGenie.exe
    C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
    C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
    C:\Users\Archer\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files (x86)\gogobox\gogobox.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\Lunascape\Lunascape6\Luna.exe
    C:\Program Files\Rainmeter\Rainmeter.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k defragsvc
    C:\Program Files\P4G\BatteryLife.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Nakido\nakido.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Program Files (x86)\gogobox\gogobox_e.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\gogobox\upnp\upnp.exe
    C:\Program Files (x86)\gogobox\gogobox_t.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Users\Archer\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://fl.iamwired.net/
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mLocal Page = c:\windows\syswow64\blank.htm
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files (x86)\orbitdownloader\orbitcth.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AddTask Class: {6a19c29d-ed45-4483-8999-9f939c8161f2} - c:\program files\eread\eread\WebHook.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~2\micros~1\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files (x86)\orbitdownloader\GrabPro.dll
    uRun: [RocketDock] "c:\program files (x86)\rocketdock\RocketDock.exe"
    uRun: [HideWindowPlus] c:\program files (x86)\hidewindowplus\HWinPlus.exe -background
    uRun: [Google Update] "c:\users\archer\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
    uRun: [InstallMon] c:\users\archer\appdata\roaming\fbx.exe
    uRun: [BayGenie] "c:\program files (x86)\baygenie\proedition\BayGenie.exe"
    mRun: [HControlUser] c:\program files (x86)\asus\atk hotkey\HControlUser.exe
    mRun: [ATKOSD2] c:\program files (x86)\asus\atkosd2\ATKOSD2.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [gogobox.exe] c:\program files (x86)\gogobox\gogobox.exe
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [StormCodec_Helper] "c:\program files (x86)\ringz studio\storm codec\StormSet.exe" /S /opti
    mRun: [Malwarebytes' Anti-Malware] "c:\program files (x86)\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\users\archer\appdata\roaming\micros~1\windows\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\lunasc~1.lnk - c:\program files (x86)\lunascape\lunascape6\Luna.exe
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: &Download by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/204
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Do&wnload selected by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files (x86)\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files (x86)\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll
    Trusted Zone: gogobox.com.tw
    Trusted Zone: gogobox.com.tw
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {3C073A4B-B1D2-4A7B-B970-7F1277D74FB0} - hxxps://www.chb.com.tw/chbib/faces/theme/CHBCertificateDBClientCOM.cab
    DPF: {650BBB86-3D77-49BA-A4B2-2455E44EB031} - hxxps://netbank.chb.com.tw/Security/PasswordMD5ClientCOM.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {C9B6115C-DEA9-11D6-8C3C-0050BAA6346E} - hxxps://netbank.chb.com.tw/Security/CertificateDBClientCOM.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DF3336AF-E259-4978-9D69-B4BBF47BE261} - hxxp://tel.isoshu.com/zxlqs.cab
    DPF: {EB8D26BA-9A4C-444C-80D1-1B544F68D797} - hxxps://netbank.chb.com.tw/Security/XMLSignatureClientCOM.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\Skype4COM.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
    mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
    mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun-x64: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    IE-X64: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
    IE-X64: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files (x86)\fiddler2\Fiddler.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\archer\appdata\roaming\mozilla\firefox\profiles\iufg130q.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://fl.iamwired.net/websearch.php?src=tops&search=
    FF - prefs.js: browser.search.selectedEngine - Search
    FF - prefs.js: browser.startup.homepage - hxxp://fl.iamwired.net/
    FF - prefs.js: keyword.URL - hxxp://fl.iamwired.net/websearch.php?src=tops&search=
    FF - component: c:\program files (x86)\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\progra~2\micros~1\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~2\micros~1\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files (x86)\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files (x86)\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npBFPlugin.dll
    FF - plugin: c:\users\archer\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\archer\appdata\roaming\mozilla\firefox\profiles\iufg130q.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\windows\system32\wat\npWatWeb.dll
    FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
  2. jcliu0 (Topic Starter)

    ============= SERVICES / DRIVERS ===============

    R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-9-8 12368]
    R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-9-8 250448]
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-4-25 37392]
    R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-9-8 125520]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-9-8 463952]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-8 121936]
    R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 59904]
    R2 ASMMAP64;ASMMAP64;c:\program files\atkgfnex\ASMMAP64.sys [2010-4-25 14904]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-8 20048]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-9-8 61008]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
    R2 Nakido;Nakido;c:\program files (x86)\nakido\nakido.exe [2010-9-8 337408]
    R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\drivers\NETw5s64.sys [2009-9-15 6952960]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-4-25 86120]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2010-3-4 346144]
    S2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2010-9-8 119200]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 MBAMService;MBAMService;c:\program files (x86)\malwarebytes' anti-malware\mbamservice.exe [2010-10-5 304464]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
    S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-4-25 51120]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-5 24664]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-11 5434368]
    S3 ose64;Office 64 Source Engine;c:\program files\common files\microsoft shared\source engine\OSE.EXE [2009-9-26 174424]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4924336]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 17920]
    S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-25 1255736]

    =============== Created Last 30 ================

    2010-10-05 06:36:16 0 d-----w- c:\users\archer\appdata\roaming\Malwarebytes
    2010-10-05 06:36:07 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-05 06:36:07 0 d-----w- c:\programdata\Malwarebytes
    2010-10-05 06:36:07 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2010-10-05 06:08:04 0 --sha-w- C:\DkHyperbootSync
    2010-10-04 09:49:37 1060864 ----a-w- c:\windows\syswow64\mfc71.dll
    2010-10-04 09:49:37 1047552 ----a-w- c:\windows\syswow64\mfc71u.dll
    2010-10-04 09:49:37 1 ----a-w- c:\windows\syswow64\uuddc32.dll
    2010-10-04 09:49:37 0 d-----w- c:\program files (x86)\BayGenie
    2010-10-04 09:39:03 40344 ----a-w- c:\users\archer\appdata\roaming\FbxU.exe
    2010-09-29 00:08:19 56 ---ha-w- c:\windows\syswow64\ezsidmv.dat
    2010-09-29 00:06:50 0 d-----r- c:\program files (x86)\Skype
    2010-09-29 00:06:45 0 d-----w- c:\programdata\Skype
    2010-09-25 00:24:46 81920 ----a-w- c:\users\archer\appdata\roaming\fbx.exe
    2010-09-19 00:39:23 0 d-----w- c:\programdata\Apple Computer
    2010-09-19 00:39:22 0 d-----w- c:\program files (x86)\common files\Real
    2010-09-19 00:39:21 0 d-----w- c:\program files (x86)\Ringz Studio
    2010-09-19 00:30:55 0 d-----w- c:\users\archer\appdata\roaming\Application Data
    2010-09-19 00:30:55 0 d-----w- c:\programdata\Storm
    2010-09-18 15:57:11 38 ----a-w- c:\windows\avisplitter.ini
    2010-09-18 15:57:06 839680 ----a-w- c:\windows\syswow64\lameACM.acm
    2010-09-18 15:57:06 414 ----a-w- c:\windows\syswow64\lame_acm.xml
    2010-09-18 15:57:06 39936 ----a-w- c:\windows\syswow64\huffyuv.dll
    2010-09-18 15:57:06 391680 ----a-w- c:\windows\syswow64\I263_32.drv
    2010-09-18 15:57:06 2931712 ----a-w- c:\windows\syswow64\x264vfw.dll
    2010-09-18 15:57:06 287744 ----a-w- c:\windows\syswow64\divxa32.acm
    2010-09-18 15:57:06 232448 ----a-w- c:\windows\syswow64\mp3fhg.acm
    2010-09-18 15:57:06 217088 ----a-w- c:\windows\syswow64\yv12vfw.dll
    2010-09-18 15:57:06 151552 ----a-w- c:\windows\syswow64\ac3acm.acm
    2010-09-15 07:46:34 0 --sh--r- C:\logwmemory.bin
    2010-09-14 21:15:05 2058752 ----a-w- c:\windows\syswow64\iertutil.dll
    2010-09-14 21:14:52 558592 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-08 12:04:26 463952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2010-09-08 12:04:25 125520 ----a-w- c:\windows\system32\drivers\aswFW.sys
    2010-09-08 12:04:03 250448 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
    2010-09-08 12:03:59 61008 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-09-08 12:03:38 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-08 12:03:38 167592 ----a-w- c:\windows\syswow64\aswBoot.exe
    2010-09-08 12:03:38 12368 ----a-w- c:\windows\system32\drivers\aswNdis.sys
    2010-09-08 11:29:45 0 d-----w- c:\users\archer\appdata\roaming\PPStream
    2010-09-08 11:29:44 20 ----a-w- c:\windows\powerlist.ini
    2010-09-08 11:29:38 709 ----a-w- c:\windows\powerplayer.ini
    2010-09-08 11:29:38 251 ----a-w- c:\windows\psnetwork.ini
    2010-09-08 11:29:37 447880 ----a-w- c:\windows\system32\rmsplt.ax
    2010-09-08 11:29:37 1384448 ----a-w- c:\windows\system32\PPSMInfo.dll
    2010-09-08 10:52:29 0 d-----w- c:\program files (x86)\Nakido
    2010-09-05 09:53:35 0 d-----w- c:\users\archer\appdata\roaming\K-ON_DTA
    2010-09-05 09:51:52 0 d-----w- c:\program files (x86)\data

    ==================== Find3M ====================

    2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
    2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
    2010-07-23 10:48:44 108432 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-07-12 09:49:51 258352 ----a-w- c:\windows\syswow64\unicows.dll
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2010-04-27 17:48:08 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2010-04-27 17:48:08 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2010-04-27 17:48:08 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2010-04-24 17:23:51 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 17:08:36.11 ===============


    1.20000
    my attach.txt log

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 25/04/2010 2:09:27 PM
    System Uptime: 10/05/2010 5:03:39 PM (3552 hours ago)

    Motherboard: ASUSTeK Computer Inc. | | N50Vn
    Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | Socket 478 | 2401/267mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 98 GiB total, 2.636 GiB free.
    D: is FIXED (NTFS) - 135 GiB total, 8.306 GiB free.
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Virtual WiFi Miniport Adapter
    Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&FEFA7DE&0&01
    Manufacturer: Microsoft
    Name: Microsoft Virtual WiFi Miniport Adapter
    PNP Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&FEFA7DE&0&01
    Service: vwifimp

    Class GUID:
    Description: STK7700D
    Device ID: USB\VID_1164&PID_1F08\0000000001
    Manufacturer:
    Name: STK7700D
    PNP Device ID: USB\VID_1164&PID_1F08\0000000001
    Service:

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    ??????????
    7-Zip 4.65
    Active@ Partition Recovery
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Reader 9.3.4
    Adobe Shockwave Player 11.5
    Alien Swarm - SDK
    ASUS LifeFrame3
    ASUS Virtual Camera
    ATK Generic Function Service
    ATK Hotkey
    ATKOSD2
    avast! Internet Security
    BayGenie eBay Auction Sniper Pro Edition 3.3.5.4
    Cheat Engine 5.5
    Cheat Engine 5.6
    e-tax 2010
    GOGOBOX
    Google Chrome
    HP USB Disk Storage Format Tool
    ImgBurn
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 20
    JDownloader
    K-Lite Mega Codec Pack 6.4.0
    Lunascape6 (All Users)
    Malwarebytes' Anti-Malware
    Messenger Plus! Live
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.10)
    MSVCRT
    Nakido
    NVIDIA PhysX
    Orbit Downloader
    piaip AppLocale
    Picasa 3
    Rainmeter (remove only)
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    RICOH R5U8xx Media Driver ver.3.62.02
    RocketDock 1.3.5
    save2pc Pro 3.60
    Sengoku Rance English v1.01
    Skype Toolbars
    Skype™ 4.2
    StarCraft II
    Steam
    Storm Codec
    System Requirements Lab
    TalonRO Client 1.0.0
    Team Fortress 2
    Team Fortress 2 Dedicated Server
    WC3Banlist
    Windows 7 USB/DVD Download Tool
    Windows Live Communications Platform
    Windows Live Messenger
    Windows Media Player Firefox Plugin
    WinPcap 4.1.1
    Wireless Console 2
    μTorrent
    炎?孕??????身体測定

    ==== Event Viewer Messages From Past Week ========

    5/10/2010 5:05:58 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/10/2010 5:05:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    5/10/2010 5:05:57 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    5/10/2010 5:02:12 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    5/10/2010 5:02:11 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The remote procedure call failed. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    5/10/2010 5:02:11 PM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    5/10/2010 5:01:49 PM, Error: Service Control Manager [7034] - The ASLDR Service service terminated unexpectedly. It has done this 1 time(s).
    5/10/2010 4:13:43 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
    4/10/2010 9:38:34 AM, Error: Service Control Manager [7023] - The SPP Notification Service service terminated with the following error: Access is denied.
    4/10/2010 2:49:02 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    29/09/2010 2:14:50 AM, Error: Service Control Manager [7031] - The avast! Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

    ==== End Of File ===========================
  3. jcliu0

    jcliu0 Newcomer, in training Topic Starter

    1.30000
    my MBAM scan log
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4746

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    5/10/2010 6:22:40 PM
    mbam-log-2010-10-05 (18-22-40).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 295956
    Time elapsed: 1 hour(s), 16 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Archer\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0006e3 (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Users\Archer\Desktop\PPS網路電視+vip破解+無廣告\PPStreamNOAD.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
    C:\Users\Archer\Desktop\temp\Desktop\CrazyMulti.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Users\Archer\Desktop\temp\Nore._9.4.26.0\Keymaker.Nero.9.4.26.0 v5.55.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Archer\Desktop\temp\Your Uninstaller! 2008 PRO v6.1.1233\Your Uninstaller 2008\Keygen.exe (Trojan.Dropper.PGen) -> Quarantined and deleted succes
  4. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/


    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    • Close SUPERAntiSpyware.
    • Restart computer in Safe Mode.
      To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    • Open SUPERAntiSpyware.
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Copy and paste the Scan Log results in your next reply with a new HijackThis log.
    • Click Close to exit the program.

    Post SUPERAntiSpyware log.

    ======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.