Random adverts playing in the background!

Solved
By Dessicar
Sep 28, 2010
Topic Status:
Not open for further replies.
  1. Hey, a few weeks ago I picked up what I am now sure is a virus that plays random sounds and audio advertisements in the background of my PC. I have run my anti-virus stuff loads of times and they all come back clean. I have no idea what to do to get rid of this tricky little guy; any help would be welcomed.

    Thanks in advance. :)
  2. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to TechSpot forums :).

    ====

    Please read the directions given here and when done, post the requested logs.
    Please do not attach the logs unless requested, or unless they are too large to paste.
  3. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Alright, here are the logs you guys asked for. I think I did it all right; let me know if I didn't, or what you require if I left something out. :) (It was all a little big to copy-paste it all, so I just put the three logs that don't fit as attachments, but I did break them up into multiple posts.)

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4712

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18943

    9/28/2010 12:38:36 PM
    mbam-log-2010-09-28 (12-38-36).txt

    Scan type: Quick scan
    Objects scanned: 138854
    Time elapsed: 7 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


  4. Dessicar

    Dessicar Newcomer, in training Topic Starter

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Marijus at 13:29:12.92 on Tue 09/28/2010
    Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3061.1728 [GMT -4:00]

    AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
    SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    svchost.exe 4
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    svchost.exe 4
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\Program Files\Razer\DeathAdder\razerhid.exe
    C:\Program Files\Razer\Lycosa\razerhid.exe
    C:\Windows\PixArt\Pac207\Monitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Razer\DeathAdder\razerofa.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\mobsync.exe
    C:\Users\Marijus\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://blizzard.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Steam] "j:\steam\steam.exe" -silent
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [RayV] c:\program files\rayv\rayv\RayV.exe /background
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
    mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
    mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
    mRun: [Lycosa] "c:\program files\razer\lycosa\razerhid.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\marijus\appdata\roaming\mozilla\firefox\profiles\8feo2crc.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/
    FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\rayv\rayv\plugins\nprayvplugin.dll
    FF - plugin: c:\users\marijus\appdata\roaming\mozilla\firefox\profiles\8feo2crc.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-11 64160]
    R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-7-2 82696]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104456]
    R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-8-2 22784]
    R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-12-13 21504]
    R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-1-18 16128]
    R3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2008-2-13 618112]
    R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2008-11-26 333824]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;j:\games\dragon age origins\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-12 25832]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
  5. Dessicar

    Dessicar Newcomer, in training Topic Starter

    =============== Created Last 30 ================

    2010-09-22 00:48:43 0 d-----w- c:\programdata\NVIDIA Corporation
    2010-09-22 00:46:47 56936 ----a-w- c:\windows\system32\OpenCL.dll
    2010-09-22 00:46:47 5107816 ----a-w- c:\windows\system32\nvwgf2um.dll
    2010-09-22 00:46:47 11008040 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2010-09-22 00:46:47 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
    2010-09-22 00:46:43 14092904 ----a-w- c:\windows\system32\nvoglv32.dll
    2010-09-22 00:46:42 4553832 ----a-w- c:\windows\system32\nvcuda.dll
    2010-09-22 00:46:42 2892904 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-09-22 00:46:42 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-09-22 00:46:38 236136 ----a-w- c:\windows\system32\nvcod1922.dll
    2010-09-22 00:46:38 236136 ----a-w- c:\windows\system32\nvcod.dll
    2010-09-22 00:46:38 10267240 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-16 23:29:51 0 d-----w- c:\users\marijus\appdata\roaming\LucasArts
    2010-09-16 08:46:27 4 ----a-w- c:\program files\75457.dat
    2010-09-16 08:22:58 4 ----a-w- c:\program files\75176.dat
    2010-09-16 07:36:31 192396516 ----a-w- c:\windows\MEMORY.DMP
    2010-09-15 18:54:18 502272 ----a-w- c:\windows\system32\usp10.dll
    2010-09-15 18:54:09 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-15 18:53:59 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2010-09-15 18:53:49 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2010-09-14 20:06:15 0 d-----w- c:\users\marijus\appdata\roaming\RayV
    2010-09-14 20:06:12 0 d-----w- c:\program files\RayV
    2010-09-07 23:59:14 0 d-----w- c:\program files\common files\PX Storage Engine
    2010-09-07 23:57:39 0 d-----w- c:\program files\common files\DivX Shared
    2010-09-07 23:55:07 0 d-----w- c:\program files\DivX
    2010-09-07 23:54:09 0 d-----w- c:\programdata\DivX
    2010-09-06 01:40:51 0 d-----w- c:\program files\iPod
    2010-09-06 01:40:49 0 d-----w- c:\program files\iTunes

    ==================== Find3M ====================

    2010-09-28 16:26:07 37869 ----a-w- c:\programdata\nvModes.dat
    2010-09-22 22:19:33 81984 ----a-w- c:\windows\system32\bdod.bin
    2010-09-22 00:48:18 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-09-22 00:48:17 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-09-22 00:48:13 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-09 22:37:00 9818728 ----a-w- c:\windows\system32\nvd3dum.dll
    2010-07-09 22:37:00 604776 ----a-w- c:\windows\system32\nvudisp.exe
    2010-07-09 22:37:00 1625192 ----a-w- c:\windows\system32\nvapi.dll
    2010-07-09 20:37:10 1469544 ----a-w- c:\windows\system32\nvsvc.dll
    2010-07-09 20:37:10 13939816 ----a-w- c:\windows\system32\nvcpl.dll
    2010-07-09 20:37:10 129640 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-07-09 20:37:10 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-07-07 17:46:46 604776 ----a-w- c:\windows\system32\nvuninst.exe
    2010-01-12 16:12:27 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-01-12 11:57:26 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2010-05-05 19:30:17 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2010-01-15 09:06:31 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2010-01-15 09:06:31 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2010-01-15 09:06:31 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2010-01-12 11:20:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 13:30:18.41 ===============
  6. Dessicar

    Dessicar Newcomer, in training Topic Starter

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-28 13:25:19
    Windows 6.0.6002 Service Pack 2
    Running: suewyv3b.exe; Driver: C:\Users\Marijus\AppData\Local\Temp\kfldqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenProcess [0xA055DC90]
    SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenThread [0xA055DD7E]
    SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateProcess [0xA055DBF4]
    SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateThread [0xA055DEC4]

    INT 0x51 ? 8674CBF8
    INT 0x62 ? 8674CBF8
    INT 0x72 ? 8674CBF8
    INT 0x92 ? 85310BF8
    INT 0x92 ? 8674CBF8
    INT 0x92 ? 85310BF8
    INT 0xA2 ? 8674CBF8
    INT 0xB2 ? 84981BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 3F1 81EF6B54 4 Bytes [90, DC, 55, A0] {NOP ; FCOM QWORD [EBP-0x60]}
    .text ntkrnlpa.exe!KeSetEvent + 40D 81EF6B70 4 Bytes [7E, DD, 55, A0]
    .text ntkrnlpa.exe!KeSetEvent + 621 81EF6D84 8 Bytes [F4, DB, 55, A0, C4, DE, 55, ...]
    ? System32\Drivers\spky.sys The system cannot find the path specified. !
    .text USBPORT.SYS!DllUnload 8F3AB41B 5 Bytes JMP 8674C1D8
    .text asfg3agm.SYS 8F76B000 22 Bytes [82, E3, E1, 81, 6C, E2, E1, ...]
    .text asfg3agm.SYS 8F76B017 181 Bytes [00, 32, 17, 79, 80, 3D, 15, ...]
    .text asfg3agm.SYS 8F76B0CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
    .text asfg3agm.SYS 8F76B0DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
    .text asfg3agm.SYS 8F76B0E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!CreateWindowExW 774F1305 5 Bytes JMP 6D91DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxParamW 775110B0 5 Bytes JMP 6D845501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxIndirectParamW 77512EF5 5 Bytes JMP 6DA14B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxParamA 77528152 5 Bytes JMP 6DA14AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxIndirectParamA 7752847D 5 Bytes JMP 6DA14BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxIndirectA 7753D4D9 5 Bytes JMP 6DA14A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxIndirectW 7753D5D3 5 Bytes JMP 6DA14A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxExA 7753D639 5 Bytes JMP 6DA149B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxExW 7753D65D 5 Bytes JMP 6DA14952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!SetWindowsHookExW 774E87AD 5 Bytes JMP 6D919AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!CallNextHookEx 774E8E3B 5 Bytes JMP 6D90D135 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!UnhookWindowsHookEx 774E98DB 5 Bytes JMP 6D884666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!CreateWindowExW 774F1305 5 Bytes JMP 6D91DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxParamW 775110B0 5 Bytes JMP 6D845501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxIndirectParamW 77512EF5 5 Bytes JMP 6DA14B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxParamA 77528152 5 Bytes JMP 6DA14AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxIndirectParamA 7752847D 5 Bytes JMP 6DA14BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxIndirectA 7753D4D9 5 Bytes JMP 6DA14A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxIndirectW 7753D5D3 5 Bytes JMP 6DA14A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxExA 7753D639 5 Bytes JMP 6DA149B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxExW 7753D65D 5 Bytes JMP 6DA14952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] ole32.dll!OleLoadFromStream 75EE1E12 5 Bytes JMP 6DA14ED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[6024] ole32.dll!CoCreateInstance 75F19EA6 5 Bytes JMP 6D91DB80 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806956D6] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80695042] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80695800] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806950C0] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069513E] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortNotification] CC358B04
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortWritePortUchar] 838F791F
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8F78F0
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortStallExecution] 54771129
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortInitialize] B18D0502
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
    IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 853121F8
    Device \FileSystem\fastfat \FatCdrom 8732F1F8
    Device \Driver\netbt \Device\NetBT_Tcpip_{981017F9-DDF0-4273-8B2C-1E755298F939} 869D8500

    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\volmgr \Device\VolMgrControl 849831F8
    Device \Driver\usbuhci \Device\USBPDO-0 869641F8
    Device \Driver\netbt \Device\NetBT_Tcpip_{A0FFE8EE-68C2-47AF-A319-2354DF868FD3} 869D8500
    Device \Driver\usbuhci \Device\USBPDO-1 869641F8
    Device \Driver\PCI_PNP5219 \Device\00000052 spky.sys
    Device \Driver\usbehci \Device\USBPDO-2 869631F8
    Device \Driver\usbuhci \Device\USBPDO-3 869641F8
    Device \Driver\usbuhci \Device\USBPDO-4 869641F8

    AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys

    Device \Driver\usbuhci \Device\USBPDO-5 869641F8
    Device \Driver\usbehci \Device\USBPDO-6 869631F8
    Device \Driver\sptd \Device\1266619233 spky.sys
    Device \Driver\volmgr \Device\HarddiskVolume1 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snman380.sys (Acronis Snapshot API/Acronis)
  7. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Device \Driver\cdrom \Device\CdRom0 8695F1F8
    Device \Driver\volmgr \Device\HarddiskVolume2 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\volmgr \Device\HarddiskVolume3 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\cdrom \Device\CdRom1 8695F1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 853111F8
    Device \Driver\iaStorV \Device\Ide\iaStor0 853101F8
    Device \Driver\atapi \Device\Ide\IdePort0 853111F8
    Device \Driver\atapi \Device\Ide\IdePort1 853111F8
    Device \Driver\iaStorV \Device\Ide\IAAStorageDevice-0 853101F8
    Device \Driver\USBSTOR \Device\00000073 86FF11F8
    Device \Driver\volmgr \Device\HarddiskVolume4 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\USBSTOR \Device\00000074 86FF11F8
    Device \Driver\volmgr \Device\HarddiskVolume5 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\volmgr \Device\HarddiskVolume6 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\volmgr \Device\HarddiskVolume7 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\netbt \Device\NetBt_Wins_Export 869D8500
    Device \Driver\USBSTOR \Device\00000077 86FF11F8
    Device \Driver\volmgr \Device\HarddiskVolume8 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\Smb \Device\NetbiosSmb 8718B1F8
    Device \Driver\volmgr \Device\HarddiskVolume9 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\USBSTOR \Device\00000079 86FF11F8
    Device \Driver\iScsiPrt \Device\RaidPort0 868631F8

    AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys

    Device \Driver\usbuhci \Device\USBFDO-0 869641F8
    Device \Driver\USBSTOR \Device\0000007a 86FF11F8
    Device \Driver\usbuhci \Device\USBFDO-1 869641F8
    Device \Driver\USBSTOR \Device\0000007b 86FF11F8
    Device \Driver\usbehci \Device\USBFDO-2 869631F8
    Device \Driver\USBSTOR \Device\0000007c 86FF11F8
    Device \Driver\usbuhci \Device\USBFDO-3 869641F8
    Device \Driver\usbuhci \Device\USBFDO-4 869641F8
    Device \Driver\netbt \Device\NetBT_Tcpip_{AA912991-30F4-4626-8DEE-632199DB3722} 869D8500
    Device \Driver\usbuhci \Device\USBFDO-5 869641F8
    Device \Driver\usbehci \Device\USBFDO-6 869631F8
    Device \Driver\volmgr \Device\HarddiskVolume10 849831F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 snman380.sys (Acronis Snapshot API/Acronis)

    Device \Driver\asfg3agm \Device\Scsi\asfg3agm1Port4Path0Target0Lun0 869651F8
    Device \Driver\asfg3agm \Device\Scsi\asfg3agm1 869651F8
    Device \FileSystem\fastfat \Fat 8732F1F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\cdfs \Cdfs 87F7A1F8

    ---- Processes - GMER 1.0.15 ----

    Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 1312
    Process iexplore.exe (*** hidden *** ) 2928
    Process iexplore.exe (*** hidden *** ) 3356
    Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 6024

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDB 0xBC 0x09 0xDA ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCC 0x52 0xC7 0x31 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x82 0xA3 0x76 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0x41 0xC1 0xAD ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCC 0x52 0xC7 0x31 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x82 0xA3 0x76 ...

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CDD30E69-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DBB4F348-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DBB4F349-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F062E548-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F062E549-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9993988-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9993989-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRNTA0C3\errorPageStrings[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRNTA0C3\ErrorPageTemplate[2] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRNTA0C3\info_48[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MIQBKWIY\ErrorPageTemplate[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WJHWL084\httpErrorPagesScripts[1] 0 bytes
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WJHWL084\background_gradient[2] 0 bytes
    File C:\Windows\Temp\~DFC6C4.tmp 0 bytes

    ---- EOF - GMER 1.0.15 ----
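The GMER log above is what the helper reads for kernel import-table (IAT) hooks and hidden processes. The following Python script is an added example, not code from the thread, from GMER or from the helper: it parses the Kernel IAT/EAT and Processes sections of such a log and summarises hidden processes and IAT slots redirected into another driver. The line formats are inferred from the log lines shown in the thread, the function names are my own, and the sample input is an excerpt of the log posted above.

```python
"""Triage helper for GMER 1.0.15 rootkit-scanner logs (added example, not GMER's code).

Reports the two things a reviewer checks first: processes GMER marks "*** hidden ***",
and kernel IAT slots that no longer land in the module exporting the function, grouped
by the driver that now receives the call. Slots GMER could not map to any module are
listed separately. Line formats are inferred from the log lines shown in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Resolved slot:   IAT <caller>[<exporter>!<func>] [<addr>] <target path> (<vendor>)
# Unresolved slot: IAT <caller>[<exporter>!<func>] <raw hex value>
IAT_RE = re.compile(
    r"^IAT\s+(?P<caller>[^\s\[]+)\[(?P<exporter>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>.+?)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"|(?P<raw>[0-9A-Fa-f]+))\s*$"
)
# Process <image> (<flags>) <pid>  -- the parenthesised flags are absent for visible processes
PROC_RE = re.compile(r"^Process\s+(?P<image>.+?)\s+(?:\((?P<flags>[^)]*)\)\s+)?(?P<pid>\d+)$")


@dataclass
class IatEntry:
    caller: str    # driver whose import table holds the slot
    exporter: str  # module that exports the function and should own the slot
    func: str      # imported function name
    target: str    # module the slot now points into ("" when GMER could not resolve it)
    value: str     # hook address, or the raw slot contents when unresolved


@dataclass
class Report:
    hidden_processes: list = field(default_factory=list)  # (image, pid) pairs
    redirected: dict = field(default_factory=lambda: defaultdict(list))  # target -> entries
    unresolved: list = field(default_factory=list)


def basename(path: str) -> str:
    """Last component of a Windows path (GMER prints module paths, not bare names)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> Report:
    """Walk a GMER log and collect hidden processes and redirected kernel IAT slots."""
    report = Report()
    for line in log_text.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            if m.group("flags") and "hidden" in m.group("flags"):
                report.hidden_processes.append((m.group("image"), int(m.group("pid"))))
            continue
        m = IAT_RE.match(line)
        if not m:
            continue  # Device, Reg, File and section-header lines are not needed here
        if m.group("raw"):
            report.unresolved.append(IatEntry(m.group("caller"), m.group("exporter"),
                                              m.group("func"), "", m.group("raw")))
            continue
        entry = IatEntry(m.group("caller"), m.group("exporter"), m.group("func"),
                         basename(m.group("target")), m.group("addr"))
        # A slot resolving back into its exporter is an ordinary import; anything else
        # means another driver has inserted itself into that call path.
        if entry.target.lower() != basename(entry.exporter).lower():
            report.redirected[entry.target].append(entry)
    return report


def summary(report: Report) -> list:
    """Human-readable lines in the order a reviewer would read them."""
    lines = [f"hidden processes: {len(report.hidden_processes)}"]
    lines += [f"  {image} pid={pid}" for image, pid in report.hidden_processes]
    for target, entries in sorted(report.redirected.items()):
        callers = sorted({basename(e.caller) for e in entries})
        lines.append(f"IAT slots redirected to {target}: {len(entries)} "
                     f"(from {', '.join(callers)})")
    lines.append(f"IAT slots GMER could not resolve to a module: {len(report.unresolved)}")
    return lines


# Sample input: an excerpt of the GMER log pasted earlier in this thread.
SAMPLE_LOG = r"""
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806956D6] \SystemRoot\System32\Drivers\spky.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80695042] \SystemRoot\System32\Drivers\spky.sys
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortWritePortUchar] 838F791F
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
---- Devices - GMER 1.0.15 ----
Device \Driver\sptd \Device\1266619233 spky.sys
---- Processes - GMER 1.0.15 ----
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 1312
Process iexplore.exe (*** hidden *** ) 2928
Process iexplore.exe (*** hidden *** ) 3356
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 6024
"""

if __name__ == "__main__":
    for line in summary(triage(SAMPLE_LOG)):
        print(line)
```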
  8. crunchie

    crunchie Malware Helper Posts: 761

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
  9. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Here is the combofix log.



    ComboFix 10-09-27.05 - Marijus 09/28/2010 19:59:33.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3061.1631 [GMT -4:00]
    Running from: c:\users\Marijus\Desktop\ComboFix.exe
    AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
    SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
    SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\logs
    J:\Autorun.inf

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
    .

    2010-09-29 00:13 . 2010-09-29 00:14 -------- d-----w- c:\users\Marijus\AppData\Local\temp
    2010-09-29 00:13 . 2010-09-29 00:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-22 00:48 . 2010-09-22 00:48 -------- d-----w- c:\programdata\NVIDIA Corporation
    2010-09-22 00:46 . 2010-07-09 22:37 56936 ----a-w- c:\windows\system32\OpenCL.dll
    2010-09-22 00:46 . 2010-07-09 22:37 5107816 ----a-w- c:\windows\system32\nvwgf2um.dll
    2010-09-22 00:46 . 2010-07-09 22:37 11008040 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2010-09-22 00:46 . 2010-07-09 22:37 14092904 ----a-w- c:\windows\system32\nvoglv32.dll
    2010-09-22 00:46 . 2010-07-09 22:37 4553832 ----a-w- c:\windows\system32\nvcuda.dll
    2010-09-22 00:46 . 2010-07-09 22:37 2892904 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-09-22 00:46 . 2010-07-09 22:37 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod1922.dll
    2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod.dll
    2010-09-22 00:46 . 2010-07-09 22:37 10267240 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-21 19:03 . 2010-09-21 19:03 47876 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
    2010-09-16 23:29 . 2010-09-16 23:29 -------- d-----w- c:\users\Marijus\AppData\Roaming\LucasArts
    2010-09-16 08:46 . 2010-09-16 08:46 4 ----a-w- c:\program files\75457.dat
    2010-09-16 08:22 . 2010-09-16 08:22 4 ----a-w- c:\program files\75176.dat
    2010-09-15 18:54 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
    2010-09-15 18:54 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-15 18:53 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2010-09-15 18:53 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\users\Marijus\AppData\Roaming\RayV
    2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\program files\RayV
    2010-09-08 00:02 . 2010-09-08 00:02 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-09-08 00:01 . 2010-09-07 23:54 185640 ----a-w- c:\programdata\DivX\Setup\finishPlugin.dll
    2010-09-08 00:01 . 2010-09-07 23:54 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
    2010-09-08 00:01 . 2010-09-07 23:53 850200 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
    2010-09-08 00:01 . 2010-09-08 00:01 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-09-08 00:01 . 2010-09-08 00:01 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
    2010-09-08 00:00 . 2010-09-08 00:00 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
    2010-09-08 00:00 . 2010-09-08 00:00 57691 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
    2010-09-07 23:59 . 2010-09-09 15:04 -------- d-----w- c:\users\Marijus\AppData\Roaming\DivX
    2010-09-07 23:59 . 2010-09-07 23:59 84063 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
    2010-09-07 23:59 . 2010-09-07 23:59 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2010-09-07 23:59 . 2010-09-07 23:59 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
    2010-09-07 23:59 . 2010-09-07 23:59 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-09-07 23:57 . 2010-09-07 23:57 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
    2010-09-07 23:57 . 2010-09-07 23:57 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-09-07 23:57 . 2010-09-07 23:57 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
    2010-09-07 23:55 . 2010-09-08 00:01 -------- d-----w- c:\program files\DivX
    2010-09-07 23:54 . 2010-09-07 23:54 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
    2010-09-07 23:54 . 2010-09-08 00:01 -------- d-----w- c:\programdata\DivX
    2010-09-06 01:40 . 2010-09-06 01:40 -------- d-----w- c:\program files\iPod
    2010-09-06 01:40 . 2010-09-06 01:41 -------- d-----w- c:\program files\iTunes
    2010-09-06 01:37 . 2010-09-06 01:37 -------- d-----w- c:\program files\QuickTime
    2010-09-06 01:31 . 2010-09-06 01:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-28 23:56 . 2009-12-12 21:40 -------- d-----w- c:\programdata\NVIDIA
    2010-09-28 23:51 . 2009-12-14 08:43 81984 ----a-w- c:\windows\system32\bdod.bin
    2010-09-28 16:29 . 2010-02-06 20:18 -------- d-----w- c:\users\Marijus\AppData\Roaming\Skype
    2010-09-28 16:26 . 2010-02-06 20:27 -------- d-----w- c:\users\Marijus\AppData\Roaming\skypePM
    2010-09-28 16:26 . 2009-12-12 21:40 37869 ----a-w- c:\programdata\nvModes.dat
    2010-09-28 06:05 . 2010-07-27 13:04 -------- d-----w- c:\program files\StarCraft II
    2010-09-27 16:45 . 2010-04-23 17:56 -------- d-----w- c:\program files\TeamSpeak 3 Client
    2010-09-22 01:37 . 2009-12-12 21:50 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2010-09-22 00:50 . 2009-12-12 21:39 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-09-16 23:30 . 2010-06-03 21:13 -------- d-----w- c:\users\Marijus\AppData\Roaming\Petroglyph
    2010-09-16 07:05 . 2009-12-11 05:01 -------- d-----w- c:\programdata\Microsoft Help
    2010-09-16 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-09-13 20:43 . 2009-12-20 04:22 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-06 01:40 . 2009-12-23 20:22 -------- d-----w- c:\program files\Common Files\Apple
    2010-08-29 05:41 . 2009-12-26 00:51 -------- d-----w- c:\users\Marijus\AppData\Roaming\BitTorrent
    2010-08-10 15:55 . 2010-03-21 16:10 -------- d-----w- c:\program files\Java
    2010-08-10 04:45 . 2010-08-10 04:45 -------- d-----w- c:\users\Marijus\AppData\Roaming\NetSarang
    2010-08-05 07:55 . 2010-08-05 07:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-05 07:34 . 2010-08-05 07:34 388096 ----a-r- c:\users\Marijus\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-05 07:34 . 2010-08-05 07:34 -------- d-----w- c:\program files\Trend Micro
    2010-08-03 00:50 . 2010-08-03 00:50 -------- d-----w- c:\users\Marijus\AppData\Roaming\dvdcss
    2010-08-02 04:37 . 2010-08-02 04:37 100432 ----a-w- c:\users\Marijus\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-07-17 09:00 . 2010-08-05 07:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-09 22:37 . 2009-12-12 21:37 9818728 ----a-w- c:\windows\system32\nvd3dum.dll
    2010-07-09 22:37 . 2009-12-12 21:37 1625192 ----a-w- c:\windows\system32\nvapi.dll
    2010-07-09 22:37 . 2009-09-28 04:12 604776 ----a-w- c:\windows\system32\nvudisp.exe
    2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
    2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
    2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-07-07 17:46 . 2009-12-11 04:15 604776 ----a-w- c:\windows\system32\nvuninst.exe
    2009-12-12 23:20 . 2008-08-14 00:02 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Steam"="j:\steam\steam.exe" [2010-08-23 1242448]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "RayV"="c:\program files\RayV\RayV\RayV.exe" [2010-06-28 2561320]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-22 4352832]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-22 960528]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-22 165144]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-12-12 782336]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-12-12 69632]
    "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
    "Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2163585369-2416861267-2377926666-1000]
    "EnableNotificationsRef"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;j:\games\Dragon Age Origins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-12-11 691696]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-11 64160]
    S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2009-12-12 82696]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
    S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2009-12-12 111112]
    S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-12-12 104456]
    S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
    S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [2008-01-18 16128]
    S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]
    S3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2008-11-26 333824]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bdx REG_MULTI_SZ scan
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://blizzard.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/
    FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
    FF - plugin: c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-Half-Life Dedicated Server Update Tool - c:\progra~1\Valve\HLServer\UNWISE.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-28 20:13
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,b3,91,6d,86,4a,10,4d,94,3d,85,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,b3,91,6d,86,4a,10,4d,94,3d,85,\

    [HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:bc,2c,0c,73,19,90,e9,96,01,cb,b7,5e,61,78,e0,4e,4f,da,22,32,6e,99,f5,
    c7,17,ec,33,fe,30,59,b5,d6,4b,30,bf,bb,c4,53,93,35,14,ac,c4,03,bc,f8,e8,04,\
    "??"=hex:18,21,db,9b,42,82,55,92,68,34,1c,ef,81,9b,0e,e3

    [HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\License information*]
    "datasecu"=hex:85,92,3b,75,01,f9,99,07,59,55,03,9b,32,1b,2c,74,9e,3d,7b,ab,ba,
    f2,b7,ca,ed,2d,a4,e9,8b,30,d7,e6,42,59,4c,cc,f7,44,73,5c,ac,c3,be,81,06,6c,\
    "rkeysecu"=hex:e2,b5,0b,06,cb,4c,8b,f9,dc,9e,45,f7,9f,5a,41,b8
    .
    Completion time: 2010-09-28 20:18:34
    ComboFix-quarantined-files.txt 2010-09-29 00:18

    Pre-Run: 26,456,289,280 bytes free
    Post-Run: 26,407,981,056 bytes free

    - - End Of File - - 63DA4B052590AD0CFE4056630330D24F
  10. crunchie

    crunchie Malware Helper Posts: 761

    How are things now?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM]
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  11. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Things seem to be in working order, but it normally takes a bit after a restart for the adverts to kick in. I have however been messing around and so far no signs of it. I am going to your next step with ComboFix and I will post a reply shortly. :)
  12. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Here you are :)


    ComboFix 10-09-27.05 - Marijus 09/28/2010 21:43:57.2.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3061.2030 [GMT -4:00]
    Running from: c:\users\Marijus\Desktop\ComboFix.exe
    Command switches used :: c:\users\Marijus\Desktop\CFScript.txt
    AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
    SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
    SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
    .

    2010-09-29 01:54 . 2010-09-29 01:54 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-09-29 01:54 . 2010-09-29 01:54 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-29 00:18 . 2010-09-29 01:54 -------- d-----w- c:\users\Marijus\AppData\Local\temp
    2010-09-22 00:48 . 2010-09-22 00:48 -------- d-----w- c:\programdata\NVIDIA Corporation
    2010-09-22 00:46 . 2010-07-09 22:37 56936 ----a-w- c:\windows\system32\OpenCL.dll
    2010-09-22 00:46 . 2010-07-09 22:37 5107816 ----a-w- c:\windows\system32\nvwgf2um.dll
    2010-09-22 00:46 . 2010-07-09 22:37 11008040 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2010-09-22 00:46 . 2010-07-09 22:37 14092904 ----a-w- c:\windows\system32\nvoglv32.dll
    2010-09-22 00:46 . 2010-07-09 22:37 4553832 ----a-w- c:\windows\system32\nvcuda.dll
    2010-09-22 00:46 . 2010-07-09 22:37 2892904 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-09-22 00:46 . 2010-07-09 22:37 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod1922.dll
    2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod.dll
    2010-09-22 00:46 . 2010-07-09 22:37 10267240 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-21 19:03 . 2010-09-21 19:03 47876 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
    2010-09-16 23:29 . 2010-09-16 23:29 -------- d-----w- c:\users\Marijus\AppData\Roaming\LucasArts
    2010-09-16 08:46 . 2010-09-16 08:46 4 ----a-w- c:\program files\75457.dat
    2010-09-16 08:22 . 2010-09-16 08:22 4 ----a-w- c:\program files\75176.dat
    2010-09-15 18:54 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
    2010-09-15 18:54 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-15 18:53 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2010-09-15 18:53 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\users\Marijus\AppData\Roaming\RayV
    2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\program files\RayV
    2010-09-08 00:02 . 2010-09-08 00:02 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-09-08 00:01 . 2010-09-07 23:54 185640 ----a-w- c:\programdata\DivX\Setup\finishPlugin.dll
    2010-09-08 00:01 . 2010-09-07 23:54 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
    2010-09-08 00:01 . 2010-09-07 23:53 850200 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
    2010-09-08 00:01 . 2010-09-08 00:01 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-09-08 00:01 . 2010-09-08 00:01 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
    2010-09-08 00:00 . 2010-09-08 00:00 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
    2010-09-08 00:00 . 2010-09-08 00:00 57691 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
    2010-09-07 23:59 . 2010-09-09 15:04 -------- d-----w- c:\users\Marijus\AppData\Roaming\DivX
    2010-09-07 23:59 . 2010-09-07 23:59 84063 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
    2010-09-07 23:59 . 2010-09-07 23:59 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2010-09-07 23:59 . 2010-09-07 23:59 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
    2010-09-07 23:59 . 2010-09-07 23:59 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
    2010-09-07 23:58 . 2010-09-07 23:58 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-09-07 23:57 . 2010-09-07 23:57 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
    2010-09-07 23:57 . 2010-09-07 23:57 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-09-07 23:57 . 2010-09-07 23:57 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
    2010-09-07 23:55 . 2010-09-08 00:01 -------- d-----w- c:\program files\DivX
    2010-09-07 23:54 . 2010-09-07 23:54 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
    2010-09-07 23:54 . 2010-09-08 00:01 -------- d-----w- c:\programdata\DivX
    2010-09-06 01:40 . 2010-09-06 01:40 -------- d-----w- c:\program files\iPod
    2010-09-06 01:40 . 2010-09-06 01:41 -------- d-----w- c:\program files\iTunes
    2010-09-06 01:37 . 2010-09-06 01:37 -------- d-----w- c:\program files\QuickTime
    2010-09-06 01:31 . 2010-09-06 01:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-29 00:18 . 2009-12-12 21:40 37869 ----a-w- c:\programdata\nvModes.dat
    2010-09-28 23:56 . 2009-12-12 21:40 -------- d-----w- c:\programdata\NVIDIA
    2010-09-28 23:51 . 2009-12-14 08:43 81984 ----a-w- c:\windows\system32\bdod.bin
    2010-09-28 16:29 . 2010-02-06 20:18 -------- d-----w- c:\users\Marijus\AppData\Roaming\Skype
    2010-09-28 16:26 . 2010-02-06 20:27 -------- d-----w- c:\users\Marijus\AppData\Roaming\skypePM
    2010-09-28 06:05 . 2010-07-27 13:04 -------- d-----w- c:\program files\StarCraft II
    2010-09-27 16:45 . 2010-04-23 17:56 -------- d-----w- c:\program files\TeamSpeak 3 Client
    2010-09-22 01:37 . 2009-12-12 21:50 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2010-09-22 00:50 . 2009-12-12 21:39 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-09-16 23:30 . 2010-06-03 21:13 -------- d-----w- c:\users\Marijus\AppData\Roaming\Petroglyph
    2010-09-16 07:05 . 2009-12-11 05:01 -------- d-----w- c:\programdata\Microsoft Help
    2010-09-16 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-09-13 20:43 . 2009-12-20 04:22 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-06 01:40 . 2009-12-23 20:22 -------- d-----w- c:\program files\Common Files\Apple
    2010-08-29 05:41 . 2009-12-26 00:51 -------- d-----w- c:\users\Marijus\AppData\Roaming\BitTorrent
    2010-08-10 15:55 . 2010-03-21 16:10 -------- d-----w- c:\program files\Java
    2010-08-10 04:45 . 2010-08-10 04:45 -------- d-----w- c:\users\Marijus\AppData\Roaming\NetSarang
    2010-08-05 07:55 . 2010-08-05 07:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-05 07:34 . 2010-08-05 07:34 388096 ----a-r- c:\users\Marijus\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-05 07:34 . 2010-08-05 07:34 -------- d-----w- c:\program files\Trend Micro
    2010-08-03 00:50 . 2010-08-03 00:50 -------- d-----w- c:\users\Marijus\AppData\Roaming\dvdcss
    2010-08-02 04:37 . 2010-08-02 04:37 100432 ----a-w- c:\users\Marijus\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-07-17 09:00 . 2010-08-05 07:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-09 22:37 . 2009-12-12 21:37 9818728 ----a-w- c:\windows\system32\nvd3dum.dll
    2010-07-09 22:37 . 2009-12-12 21:37 1625192 ----a-w- c:\windows\system32\nvapi.dll
    2010-07-09 22:37 . 2009-09-28 04:12 604776 ----a-w- c:\windows\system32\nvudisp.exe
    2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
    2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
    2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-07-07 17:46 . 2009-12-11 04:15 604776 ----a-w- c:\windows\system32\nvuninst.exe
    2009-12-12 23:20 . 2008-08-14 00:02 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Steam"="j:\steam\steam.exe" [2010-08-23 1242448]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "RayV"="c:\program files\RayV\RayV\RayV.exe" [2010-06-28 2561320]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-22 4352832]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-22 960528]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-22 165144]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-12-12 782336]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-12-12 69632]
    "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
    "Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2163585369-2416861267-2377926666-1000]
    "EnableNotificationsRef"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
    R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;j:\games\Dragon Age Origins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-12-11 691696]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-11 64160]
    S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2009-12-12 82696]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
    S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2009-12-12 111112]
    S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-12-12 104456]
    S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
    S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [2008-01-18 16128]
    S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]
    S3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2008-11-26 333824]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bdx REG_MULTI_SZ scan
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://blizzard.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/
    FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
    FF - plugin: c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-28 21:54
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:bc,2c,0c,73,19,90,e9,96,01,cb,b7,5e,61,78,e0,4e,4f,da,22,32,6e,99,f5,
    c7,17,ec,33,fe,30,59,b5,d6,4b,30,bf,bb,c4,53,93,35,14,ac,c4,03,bc,f8,e8,04,\
    "??"=hex:18,21,db,9b,42,82,55,92,68,34,1c,ef,81,9b,0e,e3

    [HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:85,92,3b,75,01,f9,99,07,59,55,03,9b,32,1b,2c,74,9e,3d,7b,ab,ba,
    f2,b7,ca,ed,2d,a4,e9,8b,30,d7,e6,42,59,4c,cc,f7,44,73,5c,ac,c3,be,81,06,6c,\
    "rkeysecu"=hex:e2,b5,0b,06,cb,4c,8b,f9,dc,9e,45,f7,9f,5a,41,b8
    .
    Completion time: 2010-09-28 21:58:28
    ComboFix-quarantined-files.txt 2010-09-29 01:58
    ComboFix2.txt 2010-09-29 00:18

    Pre-Run: 26,239,139,840 bytes free
    Post-Run: 26,210,537,472 bytes free

    - - End Of File - - C943AAF10FAC3BB0ECE2DE812F3387BE
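The second ComboFix log above is the one that matters in this thread: it reports the Whistler bootkit found and disinfected on both physical drives, the policies\system dump shows EnableLUA=0 (UAC switched off), and the LOCKED REGISTRY KEYS section, whose Denied entries in the first log are what the RegLock:: script in crunchie's post was written to clear, now shows Allowed ACEs. The helper below is an added example written for this page; it is not part of the thread and not something ComboFix ships. It parses a shortened excerpt of those logs (lines copied from above, hex blobs trimmed), pulls out the three findings, and generates a RegLock:: block in the same form crunchie used for any key that still carries a Deny ACE. The excerpt itself and the choice to list the locked subkeys rather than a parent key are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Excerpt assembled from the ComboFix logs posted above (the Denied IE key is
# from the first log, the Allowed SecuROM key from the second). Most of the
# log is omitted and long hex values are cut short; this is sample input only.
SAMPLE_LOG = r"""
ComboFix 10-09-27.05 - Marijus 09/28/2010 21:43:57.2.2 - x86
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

[HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bc,2c,0c,73,19,90,e9,96,01,cb,b7,5e,61,78,e0,4e,4f,da,22,32,6e,99,f5,
"??"=hex:18,21,db,9b,42,82,55,92,68,34,1c,ef,81,9b,0e,e3

[HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"rkeysecu"=hex:e2,b5,0b,06,cb,4c,8b,f9,dc,9e,45,f7,9f,5a,41,b8
.
Completion time: 2010-09-28 21:58:28
"""

BOOTKIT_RE = re.compile(r"^(\\\\\.\\PhysicalDrive\d+) - Bootkit (.+?) was found and (\w+)\s*$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ACE_RE = re.compile(r"^@(Denied|Allowed):\s*\(([^)]*)\)\s*\(([^)]*)\)\s*$")
UAC_RE = re.compile(r'^"EnableLUA"\s*=\s*(\d+)')
LOCKED_HEADER = "LOCKED REGISTRY KEYS"


@dataclass
class LockedKey:
    path: str
    aces: list = field(default_factory=list)   # (Denied|Allowed, rights, principal)
    value_count: int = 0                       # values ComboFix dumped under the key

    @property
    def has_deny(self) -> bool:
        return any(kind == "Denied" for kind, _, _ in self.aces)


def find_bootkit_hits(log_text):
    """(device, bootkit name, action) for every bootkit line ComboFix printed."""
    hits = []
    for line in log_text.splitlines():
        m = BOOTKIT_RE.match(line.strip())
        if m:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def uac_disabled(log_text):
    """True when the policies\\system dump shows EnableLUA=0 (UAC switched off)."""
    for line in log_text.splitlines():
        m = UAC_RE.match(line.strip())
        if m:
            return m.group(1) == "0"
    # Not dumped: ComboFix hides legit default entries, so assume the default (enabled).
    return False


def parse_locked_keys(log_text):
    """Walk the LOCKED REGISTRY KEYS section; a key may or may not carry an ACE line."""
    keys, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if LOCKED_HEADER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line == "." or line.startswith("Completion time"):
            break                                   # end of the section
        if (m := KEY_RE.match(line)):
            keys.append(LockedKey(path=m.group(1)))
        elif (m := ACE_RE.match(line)) and keys:
            keys[-1].aces.append((m.group(1), m.group(2), m.group(3)))
        elif line.startswith('"') and keys:
            keys[-1].value_count += 1               # hex continuation lines are skipped
    return keys


def reglock_script(keys):
    """CFScript text in the RegLock:: form used above, one line per key with a Deny ACE.
    Listing subkeys rather than a parent key is this example's choice, not ComboFix's."""
    return "RegLock::\n" + "".join(f"[{k.path}]\n" for k in keys if k.has_deny)


def triage(log_text):
    keys = parse_locked_keys(log_text)
    return {
        "bootkits": find_bootkit_hits(log_text),
        "uac_disabled": uac_disabled(log_text),
        "locked_keys": [k.path for k in keys],
        "denied_keys": [k.path for k in keys if k.has_deny],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
    print(reglock_script(parse_locked_keys(SAMPLE_LOG)))
```

Run as a script it prints the summary and the generated RegLock:: block. Note the UAC check: when the EnableLUA value is absent the helper assumes the default, because ComboFix omits default entries; confirm in the registry if it matters.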
  13. crunchie

    crunchie Malware Helper Posts: 761

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users: right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  14. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows Vista Business Edition Service Pack 2 (build 6002)
    , 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`cc400000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
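Bootkit Remover's output above reports the byte offset of the system volume on PhysicalDrive0, a boot sector MD5 and an MBR status, after ComboFix had reported the Whistler bootkit on both physical drives. The block below is an added example, not the tool's code and not from the thread, showing what such checks amount to on a 512-byte MBR: the 55 AA signature, a non-empty boot-code stub, a sane partition table, and a hash compared against a baseline taken while the machine was known clean. The sectors it examines are constructed inside the block; the partition entry reuses the 0x3cc400000 offset printed above, and everything else about the disk (partition size, the stub bytes) is assumed. Reading a real MBR means opening \\.\PhysicalDrive0 as Administrator, which this example does not do.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader stub
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the stub
SIG_OFF = 510                # bytes 55 AA close a valid boot sector
BOOT_SIGNATURE = 0xAA55      # little-endian value of 55 AA
NTFS_TYPE = 0x07


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        # The "at offset 0x..." figure in the tool output is LBA * 512.
        return self.lba_start * SECTOR_SIZE


def parse_partitions(sector: bytes):
    """Decode the four MBR partition slots; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def sector_md5(sector: bytes) -> str:
    return hashlib.md5(sector).hexdigest()


def check_mbr(sector: bytes, known_good_md5=None):
    """Return ('OK' | 'SUSPECT', list of findings) for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        return "SUSPECT", [f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}"]
    findings = []
    if struct.unpack_from("<H", sector, SIG_OFF)[0] != BOOT_SIGNATURE:
        findings.append("missing 55 AA boot signature")
    if not any(sector[:BOOT_CODE_LEN]):
        findings.append("boot code region is all zeros (no boot loader)")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("empty partition table")
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged active")
    digest = sector_md5(sector)
    if known_good_md5 is not None and digest != known_good_md5:
        findings.append(f"MD5 {digest} differs from baseline {known_good_md5}")
    return ("OK" if not findings else "SUSPECT"), findings


def build_sample_mbr(boot_code: bytes, entries):
    """Assemble a constructed MBR from a stub and (bootable, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", lba, count)
    struct.pack_into("<H", sector, SIG_OFF, BOOT_SIGNATURE)
    return bytes(sector)


# Opening instructions of a classic DOS/Windows MBR stub (xor ax,ax / mov ss,ax /
# mov sp,0x7C00) followed by filler; constructed data, not a real disk image.
SAMPLE_STUB = bytes.fromhex("33c08ed0bc007c") + b"\x90" * 16

# Partition start reuses the 0x3cc400000 offset reported above (LBA 31858688);
# the partition length is an assumption.
LAYOUT = [(True, NTFS_TYPE, 31858688, 280_000_000)]
CLEAN_MBR = build_sample_mbr(SAMPLE_STUB, LAYOUT)
CLEAN_MD5 = sector_md5(CLEAN_MBR)       # baseline, recorded while the machine is clean

# Same partition table, different code: how an MBR bootkit looks on disk.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 20, LAYOUT)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sec, CLEAN_MD5))
```

The tampered sector passes every structural check and only the baseline hash catches it, which is the point: an MBR bootkit keeps the partition table intact and replaces only the code, so "boot code found" alone is not a clean bill of health. That is why a helper asks for the full Bootkit Remover output, including the hash, rather than a pass/fail.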
  15. crunchie

    crunchie Malware Helper Posts: 761

    Ok. That looks ok.

    Everything still good?
  16. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Yes, everything is running nice and smooth, thanks a bunch!!! :) Is there anything left?
  17. crunchie

    crunchie Malware Helper Posts: 761

    Only this;

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC by OldTimer:
    Save it to your Desktop.
    Double click OTC.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

    ----

    Should be good to go :).
  18. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Alright then, I will give that a go and post back in a few days to let you know how everything is running. Again, thanks a lot!! :)
  19. crunchie

    crunchie Malware Helper Posts: 761

    No worries :).
  20. Dessicar

    Dessicar Newcomer, in training Topic Starter

    Everything is still running nice and smooth! Thanks a bunch for all your awesome help and quick replies! :)
  21. crunchie

    crunchie Malware Helper Posts: 761

    You are welcome :).