Solved Random adverts playing in the background!

[Dessicar]

Hey a few weeks ago I picked up what I am sure is a virus now, that will play random sounds and audio advertisements in the background of my pc. I have ran my anti-virus stuff loads of times and they all come back clean. I have no Idea what to do to get rid of this tricky little guy, any help would be welcomed.

Thanks in advance.

 

[crunchie]

Hi and welcome to TechSpot forums .

====

Please read the directions given here and when done, post the requested logs.
Please do not attach the logs unless requested, or unless they are to large to paste.

 

[Dessicar]

Alright here are the logs you guy asked for. I think I did it all right let me know if I didn't or what you require if I left something out. ( it was all a little big to copy past it all so I just put the three logs that don't fit as attachments but I did break them up into muti posts )



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4712

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

9/28/2010 12:38:36 PM
mbam-log-2010-09-28 (12-38-36).txt

Scan type: Quick scan
Objects scanned: 138854
Time elapsed: 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[Dessicar]

DDS (Ver_10-03-17.01) - NTFSx86
Run by Marijus at 13:29:12.92 on Tue 09/28/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3061.1728 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
svchost.exe 4
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
svchost.exe 4
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\mobsync.exe
C:\Users\Marijus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://blizzard.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "j:\steam\steam.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [RayV] c:\program files\rayv\rayv\RayV.exe /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [Lycosa] "c:\program files\razer\lycosa\razerhid.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\marijus\appdata\roaming\mozilla\firefox\profiles\8feo2crc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\rayv\rayv\plugins\nprayvplugin.dll
FF - plugin: c:\users\marijus\appdata\roaming\mozilla\firefox\profiles\8feo2crc.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-11 64160]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-7-2 82696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104456]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-8-2 22784]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-12-13 21504]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2008-1-18 16128]
R3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2008-2-13 618112]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2008-11-26 333824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;j:\games\dragon age origins\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-12 25832]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

 

[Dessicar]

=============== Created Last 30 ================

2010-09-22 00:48:43 0 d-----w- c:\programdata\NVIDIA Corporation
2010-09-22 00:46:47 56936 ----a-w- c:\windows\system32\OpenCL.dll
2010-09-22 00:46:47 5107816 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-09-22 00:46:47 11008040 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-09-22 00:46:47 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2010-09-22 00:46:43 14092904 ----a-w- c:\windows\system32\nvoglv32.dll
2010-09-22 00:46:42 4553832 ----a-w- c:\windows\system32\nvcuda.dll
2010-09-22 00:46:42 2892904 ----a-w- c:\windows\system32\nvcuvid.dll
2010-09-22 00:46:42 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-09-22 00:46:38 236136 ----a-w- c:\windows\system32\nvcod1922.dll
2010-09-22 00:46:38 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-09-22 00:46:38 10267240 ----a-w- c:\windows\system32\nvcompiler.dll
2010-09-16 23:29:51 0 d-----w- c:\users\marijus\appdata\roaming\LucasArts
2010-09-16 08:46:27 4 ----a-w- c:\program files\75457.dat
2010-09-16 08:22:58 4 ----a-w- c:\program files\75176.dat
2010-09-16 07:36:31 192396516 ----a-w- c:\windows\MEMORY.DMP
2010-09-15 18:54:18 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 18:54:09 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 18:53:59 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 18:53:49 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-14 20:06:15 0 d-----w- c:\users\marijus\appdata\roaming\RayV
2010-09-14 20:06:12 0 d-----w- c:\program files\RayV
2010-09-07 23:59:14 0 d-----w- c:\program files\common files\PX Storage Engine
2010-09-07 23:57:39 0 d-----w- c:\program files\common files\DivX Shared
2010-09-07 23:55:07 0 d-----w- c:\program files\DivX
2010-09-07 23:54:09 0 d-----w- c:\programdata\DivX
2010-09-06 01:40:51 0 d-----w- c:\program files\iPod
2010-09-06 01:40:49 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-09-28 16:26:07 37869 ----a-w- c:\programdata\nvModes.dat
2010-09-22 22:19:33 81984 ----a-w- c:\windows\system32\bdod.bin
2010-09-22 00:48:18 51200 ----a-w- c:\windows\inf\infpub.dat
2010-09-22 00:48:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-09-22 00:48:13 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 22:37:00 9818728 ----a-w- c:\windows\system32\nvd3dum.dll
2010-07-09 22:37:00 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 22:37:00 1625192 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 20:37:10 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37:10 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37:10 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37:10 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 17:46:46 604776 ----a-w- c:\windows\system32\nvuninst.exe
2010-01-12 16:12:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-12 11:57:26 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-05-05 19:30:17 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-15 09:06:31 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-15 09:06:31 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-15 09:06:31 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-12 11:20:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 13:30:18.41 ===============

 

[Dessicar]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-28 13:25:19
Windows 6.0.6002 Service Pack 2
Running: suewyv3b.exe; Driver: C:\Users\Marijus\AppData\Local\Temp\kfldqpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenProcess [0xA055DC90]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenThread [0xA055DD7E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateProcess [0xA055DBF4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateThread [0xA055DEC4]

INT 0x51 ? 8674CBF8
INT 0x62 ? 8674CBF8
INT 0x72 ? 8674CBF8
INT 0x92 ? 85310BF8
INT 0x92 ? 8674CBF8
INT 0x92 ? 85310BF8
INT 0xA2 ? 8674CBF8
INT 0xB2 ? 84981BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 81EF6B54 4 Bytes [90, DC, 55, A0] {NOP ; FCOM QWORD [EBP-0x60]}
.text ntkrnlpa.exe!KeSetEvent + 40D 81EF6B70 4 Bytes [7E, DD, 55, A0]
.text ntkrnlpa.exe!KeSetEvent + 621 81EF6D84 8 Bytes [F4, DB, 55, A0, C4, DE, 55, ...]
? System32\Drivers\spky.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8F3AB41B 5 Bytes JMP 8674C1D8
.text asfg3agm.SYS 8F76B000 22 Bytes [82, E3, E1, 81, 6C, E2, E1, ...]
.text asfg3agm.SYS 8F76B017 181 Bytes [00, 32, 17, 79, 80, 3D, 15, ...]
.text asfg3agm.SYS 8F76B0CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text asfg3agm.SYS 8F76B0DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text asfg3agm.SYS 8F76B0E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!CreateWindowExW 774F1305 5 Bytes JMP 6D91DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxParamW 775110B0 5 Bytes JMP 6D845501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxIndirectParamW 77512EF5 5 Bytes JMP 6DA14B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxParamA 77528152 5 Bytes JMP 6DA14AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!DialogBoxIndirectParamA 7752847D 5 Bytes JMP 6DA14BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxIndirectA 7753D4D9 5 Bytes JMP 6DA14A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxIndirectW 7753D5D3 5 Bytes JMP 6DA14A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxExA 7753D639 5 Bytes JMP 6DA149B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1312] USER32.dll!MessageBoxExW 7753D65D 5 Bytes JMP 6DA14952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!SetWindowsHookExW 774E87AD 5 Bytes JMP 6D919AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!CallNextHookEx 774E8E3B 5 Bytes JMP 6D90D135 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!UnhookWindowsHookEx 774E98DB 5 Bytes JMP 6D884666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!CreateWindowExW 774F1305 5 Bytes JMP 6D91DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxParamW 775110B0 5 Bytes JMP 6D845501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxIndirectParamW 77512EF5 5 Bytes JMP 6DA14B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxParamA 77528152 5 Bytes JMP 6DA14AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!DialogBoxIndirectParamA 7752847D 5 Bytes JMP 6DA14BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxIndirectA 7753D4D9 5 Bytes JMP 6DA14A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxIndirectW 7753D5D3 5 Bytes JMP 6DA14A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxExA 7753D639 5 Bytes JMP 6DA149B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] USER32.dll!MessageBoxExW 7753D65D 5 Bytes JMP 6DA14952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] ole32.dll!OleLoadFromStream 75EE1E12 5 Bytes JMP 6DA14ED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6024] ole32.dll!CoCreateInstance 75F19EA6 5 Bytes JMP 6D91DB80 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806956D6] \SystemRoot\System32\Drivers\spky.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80695042] \SystemRoot\System32\Drivers\spky.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80695800] \SystemRoot\System32\Drivers\spky.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806950C0] \SystemRoot\System32\Drivers\spky.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069513E] \SystemRoot\System32\Drivers\spky.sys
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortWritePortUchar] 838F791F
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8F78F0
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\asfg3agm.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 853121F8
Device \FileSystem\fastfat \FatCdrom 8732F1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{981017F9-DDF0-4273-8B2C-1E755298F939} 869D8500

AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\volmgr \Device\VolMgrControl 849831F8
Device \Driver\usbuhci \Device\USBPDO-0 869641F8
Device \Driver\netbt \Device\NetBT_Tcpip_{A0FFE8EE-68C2-47AF-A319-2354DF868FD3} 869D8500
Device \Driver\usbuhci \Device\USBPDO-1 869641F8
Device \Driver\PCI_PNP5219 \Device\00000052 spky.sys
Device \Driver\usbehci \Device\USBPDO-2 869631F8
Device \Driver\usbuhci \Device\USBPDO-3 869641F8
Device \Driver\usbuhci \Device\USBPDO-4 869641F8

AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys

Device \Driver\usbuhci \Device\USBPDO-5 869641F8
Device \Driver\usbehci \Device\USBPDO-6 869631F8
Device \Driver\sptd \Device\1266619233 spky.sys
Device \Driver\volmgr \Device\HarddiskVolume1 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snman380.sys (Acronis Snapshot API/Acronis)

 

[Dessicar]

Device \Driver\cdrom \Device\CdRom0 8695F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume3 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\cdrom \Device\CdRom1 8695F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 853111F8
Device \Driver\iaStorV \Device\Ide\iaStor0 853101F8
Device \Driver\atapi \Device\Ide\IdePort0 853111F8
Device \Driver\atapi \Device\Ide\IdePort1 853111F8
Device \Driver\iaStorV \Device\Ide\IAAStorageDevice-0 853101F8
Device \Driver\USBSTOR \Device\00000073 86FF11F8
Device \Driver\volmgr \Device\HarddiskVolume4 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\USBSTOR \Device\00000074 86FF11F8
Device \Driver\volmgr \Device\HarddiskVolume5 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume6 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume7 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\netbt \Device\NetBt_Wins_Export 869D8500
Device \Driver\USBSTOR \Device\00000077 86FF11F8
Device \Driver\volmgr \Device\HarddiskVolume8 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\Smb \Device\NetbiosSmb 8718B1F8
Device \Driver\volmgr \Device\HarddiskVolume9 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\USBSTOR \Device\00000079 86FF11F8
Device \Driver\iScsiPrt \Device\RaidPort0 868631F8

AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys

Device \Driver\usbuhci \Device\USBFDO-0 869641F8
Device \Driver\USBSTOR \Device\0000007a 86FF11F8
Device \Driver\usbuhci \Device\USBFDO-1 869641F8
Device \Driver\USBSTOR \Device\0000007b 86FF11F8
Device \Driver\usbehci \Device\USBFDO-2 869631F8
Device \Driver\USBSTOR \Device\0000007c 86FF11F8
Device \Driver\usbuhci \Device\USBFDO-3 869641F8
Device \Driver\usbuhci \Device\USBFDO-4 869641F8
Device \Driver\netbt \Device\NetBT_Tcpip_{AA912991-30F4-4626-8DEE-632199DB3722} 869D8500
Device \Driver\usbuhci \Device\USBFDO-5 869641F8
Device \Driver\usbehci \Device\USBFDO-6 869631F8
Device \Driver\volmgr \Device\HarddiskVolume10 849831F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\asfg3agm \Device\Scsi\asfg3agm1Port4Path0Target0Lun0 869651F8
Device \Driver\asfg3agm \Device\Scsi\asfg3agm1 869651F8
Device \FileSystem\fastfat \Fat 8732F1F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 87F7A1F8

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 1312
Process iexplore.exe (*** hidden *** ) 2928
Process iexplore.exe (*** hidden *** ) 3356
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 6024

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDB 0xBC 0x09 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCC 0x52 0xC7 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x82 0xA3 0x76 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0x41 0xC1 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCC 0x52 0xC7 0x31 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x82 0xA3 0x76 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CDD30E69-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DBB4F348-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DBB4F349-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F062E548-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F062E549-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9993988-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9993989-CB21-11DF-AF58-0019D150CB3D}.dat 4608 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRNTA0C3\errorPageStrings[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRNTA0C3\ErrorPageTemplate[2] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRNTA0C3\info_48[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MIQBKWIY\ErrorPageTemplate[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WJHWL084\httpErrorPagesScripts[1] 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WJHWL084\background_gradient[2] 0 bytes
File C:\Windows\Temp\~DFC6C4.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

 

[crunchie]

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

 

[Dessicar]

Here is the combofix log.



ComboFix 10-09-27.05 - Marijus 09/28/2010 19:59:33.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3061.1631 [GMT -4:00]
Running from: c:\users\Marijus\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\logs
J:\Autorun.inf

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 00:13 . 2010-09-29 00:14 -------- d-----w- c:\users\Marijus\AppData\Local\temp
2010-09-29 00:13 . 2010-09-29 00:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-22 00:48 . 2010-09-22 00:48 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-22 00:46 . 2010-07-09 22:37 56936 ----a-w- c:\windows\system32\OpenCL.dll
2010-09-22 00:46 . 2010-07-09 22:37 5107816 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-09-22 00:46 . 2010-07-09 22:37 11008040 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-09-22 00:46 . 2010-07-09 22:37 14092904 ----a-w- c:\windows\system32\nvoglv32.dll
2010-09-22 00:46 . 2010-07-09 22:37 4553832 ----a-w- c:\windows\system32\nvcuda.dll
2010-09-22 00:46 . 2010-07-09 22:37 2892904 ----a-w- c:\windows\system32\nvcuvid.dll
2010-09-22 00:46 . 2010-07-09 22:37 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod1922.dll
2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-09-22 00:46 . 2010-07-09 22:37 10267240 ----a-w- c:\windows\system32\nvcompiler.dll
2010-09-21 19:03 . 2010-09-21 19:03 47876 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-09-16 23:29 . 2010-09-16 23:29 -------- d-----w- c:\users\Marijus\AppData\Roaming\LucasArts
2010-09-16 08:46 . 2010-09-16 08:46 4 ----a-w- c:\program files\75457.dat
2010-09-16 08:22 . 2010-09-16 08:22 4 ----a-w- c:\program files\75176.dat
2010-09-15 18:54 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 18:54 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 18:53 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 18:53 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\users\Marijus\AppData\Roaming\RayV
2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\program files\RayV
2010-09-08 00:02 . 2010-09-08 00:02 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-09-08 00:01 . 2010-09-07 23:54 185640 ----a-w- c:\programdata\DivX\Setup\finishPlugin.dll
2010-09-08 00:01 . 2010-09-07 23:54 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-09-08 00:01 . 2010-09-07 23:53 850200 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-09-08 00:01 . 2010-09-08 00:01 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-09-08 00:01 . 2010-09-08 00:01 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-09-08 00:00 . 2010-09-08 00:00 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-09-08 00:00 . 2010-09-08 00:00 57691 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-09-07 23:59 . 2010-09-09 15:04 -------- d-----w- c:\users\Marijus\AppData\Roaming\DivX
2010-09-07 23:59 . 2010-09-07 23:59 84063 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-09-07 23:59 . 2010-09-07 23:59 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-09-07 23:59 . 2010-09-07 23:59 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-09-07 23:59 . 2010-09-07 23:59 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-09-07 23:57 . 2010-09-07 23:57 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-09-07 23:57 . 2010-09-07 23:57 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-09-07 23:57 . 2010-09-07 23:57 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-09-07 23:55 . 2010-09-08 00:01 -------- d-----w- c:\program files\DivX
2010-09-07 23:54 . 2010-09-07 23:54 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-09-07 23:54 . 2010-09-08 00:01 -------- d-----w- c:\programdata\DivX
2010-09-06 01:40 . 2010-09-06 01:40 -------- d-----w- c:\program files\iPod
2010-09-06 01:40 . 2010-09-06 01:41 -------- d-----w- c:\program files\iTunes
2010-09-06 01:37 . 2010-09-06 01:37 -------- d-----w- c:\program files\QuickTime
2010-09-06 01:31 . 2010-09-06 01:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 23:56 . 2009-12-12 21:40 -------- d-----w- c:\programdata\NVIDIA
2010-09-28 23:51 . 2009-12-14 08:43 81984 ----a-w- c:\windows\system32\bdod.bin
2010-09-28 16:29 . 2010-02-06 20:18 -------- d-----w- c:\users\Marijus\AppData\Roaming\Skype
2010-09-28 16:26 . 2010-02-06 20:27 -------- d-----w- c:\users\Marijus\AppData\Roaming\skypePM
2010-09-28 16:26 . 2009-12-12 21:40 37869 ----a-w- c:\programdata\nvModes.dat
2010-09-28 06:05 . 2010-07-27 13:04 -------- d-----w- c:\program files\StarCraft II
2010-09-27 16:45 . 2010-04-23 17:56 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-09-22 01:37 . 2009-12-12 21:50 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-09-22 00:50 . 2009-12-12 21:39 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-16 23:30 . 2010-06-03 21:13 -------- d-----w- c:\users\Marijus\AppData\Roaming\Petroglyph
2010-09-16 07:05 . 2009-12-11 05:01 -------- d-----w- c:\programdata\Microsoft Help
2010-09-16 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-13 20:43 . 2009-12-20 04:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-06 01:40 . 2009-12-23 20:22 -------- d-----w- c:\program files\Common Files\Apple
2010-08-29 05:41 . 2009-12-26 00:51 -------- d-----w- c:\users\Marijus\AppData\Roaming\BitTorrent
2010-08-10 15:55 . 2010-03-21 16:10 -------- d-----w- c:\program files\Java
2010-08-10 04:45 . 2010-08-10 04:45 -------- d-----w- c:\users\Marijus\AppData\Roaming\NetSarang
2010-08-05 07:55 . 2010-08-05 07:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 07:34 . 2010-08-05 07:34 388096 ----a-r- c:\users\Marijus\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 07:34 . 2010-08-05 07:34 -------- d-----w- c:\program files\Trend Micro
2010-08-03 00:50 . 2010-08-03 00:50 -------- d-----w- c:\users\Marijus\AppData\Roaming\dvdcss
2010-08-02 04:37 . 2010-08-02 04:37 100432 ----a-w- c:\users\Marijus\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-17 09:00 . 2010-08-05 07:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 22:37 . 2009-12-12 21:37 9818728 ----a-w- c:\windows\system32\nvd3dum.dll
2010-07-09 22:37 . 2009-12-12 21:37 1625192 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:37 . 2009-09-28 04:12 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 17:46 . 2009-12-11 04:15 604776 ----a-w- c:\windows\system32\nvuninst.exe
2009-12-12 23:20 . 2008-08-14 00:02 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="j:\steam\steam.exe" [2010-08-23 1242448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"RayV"="c:\program files\RayV\RayV\RayV.exe" [2010-06-28 2561320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-22 4352832]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-22 960528]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-22 165144]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-12-12 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-12-12 69632]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2163585369-2416861267-2377926666-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;j:\games\Dragon Age Origins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-12-11 691696]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-11 64160]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2009-12-12 82696]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2009-12-12 111112]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-12-12 104456]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [2008-01-18 16128]
S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]
S3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2008-11-26 333824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bdx REG_MULTI_SZ scan
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blizzard.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
FF - plugin: c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Half-Life Dedicated Server Update Tool - c:\progra~1\Valve\HLServer\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 20:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,b3,91,6d,86,4a,10,4d,94,3d,85,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,b3,91,6d,86,4a,10,4d,94,3d,85,\

[HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bc,2c,0c,73,19,90,e9,96,01,cb,b7,5e,61,78,e0,4e,4f,da,22,32,6e,99,f5,
c7,17,ec,33,fe,30,59,b5,d6,4b,30,bf,bb,c4,53,93,35,14,ac,c4,03,bc,f8,e8,04,\
"??"=hex:18,21,db,9b,42,82,55,92,68,34,1c,ef,81,9b,0e,e3

[HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\License information*]
"datasecu"=hex:85,92,3b,75,01,f9,99,07,59,55,03,9b,32,1b,2c,74,9e,3d,7b,ab,ba,
f2,b7,ca,ed,2d,a4,e9,8b,30,d7,e6,42,59,4c,cc,f7,44,73,5c,ac,c3,be,81,06,6c,\
"rkeysecu"=hex:e2,b5,0b,06,cb,4c,8b,f9,dc,9e,45,f7,9f,5a,41,b8
.
Completion time: 2010-09-28 20:18:34
ComboFix-quarantined-files.txt 2010-09-29 00:18

Pre-Run: 26,456,289,280 bytes free
Post-Run: 26,407,981,056 bytes free

- - End Of File - - 63DA4B052590AD0CFE4056630330D24F

 

[crunchie]

How are things now?

1. Please open Notepad

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

• Combofix.txt

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

[Dessicar]

Things seem to be in working order but normally takes a bit after a restart for the adverts to kick in. I have however been messing around and so far no sighs of it. I am going to your next step with combo fix and I will post a reply shortly.

 

[Dessicar]

Here you are


ComboFix 10-09-27.05 - Marijus 09/28/2010 21:43:57.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3061.2030 [GMT -4:00]
Running from: c:\users\Marijus\Desktop\ComboFix.exe
Command switches used :: c:\users\Marijus\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 01:54 . 2010-09-29 01:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-29 01:54 . 2010-09-29 01:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-29 00:18 . 2010-09-29 01:54 -------- d-----w- c:\users\Marijus\AppData\Local\temp
2010-09-22 00:48 . 2010-09-22 00:48 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-22 00:46 . 2010-07-09 22:37 56936 ----a-w- c:\windows\system32\OpenCL.dll
2010-09-22 00:46 . 2010-07-09 22:37 5107816 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-09-22 00:46 . 2010-07-09 22:37 11008040 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-09-22 00:46 . 2010-07-09 22:37 14092904 ----a-w- c:\windows\system32\nvoglv32.dll
2010-09-22 00:46 . 2010-07-09 22:37 4553832 ----a-w- c:\windows\system32\nvcuda.dll
2010-09-22 00:46 . 2010-07-09 22:37 2892904 ----a-w- c:\windows\system32\nvcuvid.dll
2010-09-22 00:46 . 2010-07-09 22:37 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod1922.dll
2010-09-22 00:46 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-09-22 00:46 . 2010-07-09 22:37 10267240 ----a-w- c:\windows\system32\nvcompiler.dll
2010-09-21 19:03 . 2010-09-21 19:03 47876 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-09-16 23:29 . 2010-09-16 23:29 -------- d-----w- c:\users\Marijus\AppData\Roaming\LucasArts
2010-09-16 08:46 . 2010-09-16 08:46 4 ----a-w- c:\program files\75457.dat
2010-09-16 08:22 . 2010-09-16 08:22 4 ----a-w- c:\program files\75176.dat
2010-09-15 18:54 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 18:54 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 18:53 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 18:53 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\users\Marijus\AppData\Roaming\RayV
2010-09-14 20:06 . 2010-09-14 20:06 -------- d-----w- c:\program files\RayV
2010-09-08 00:02 . 2010-09-08 00:02 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-09-08 00:01 . 2010-09-07 23:54 185640 ----a-w- c:\programdata\DivX\Setup\finishPlugin.dll
2010-09-08 00:01 . 2010-09-07 23:54 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-09-08 00:01 . 2010-09-07 23:53 850200 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-09-08 00:01 . 2010-09-08 00:01 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-09-08 00:01 . 2010-09-08 00:01 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-09-08 00:00 . 2010-09-08 00:00 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-09-08 00:00 . 2010-09-08 00:00 57691 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-09-07 23:59 . 2010-09-09 15:04 -------- d-----w- c:\users\Marijus\AppData\Roaming\DivX
2010-09-07 23:59 . 2010-09-07 23:59 84063 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-09-07 23:59 . 2010-09-07 23:59 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-09-07 23:59 . 2010-09-07 23:59 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-09-07 23:59 . 2010-09-07 23:59 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-09-07 23:58 . 2010-09-07 23:58 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-09-07 23:57 . 2010-09-07 23:57 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-09-07 23:57 . 2010-09-07 23:57 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-09-07 23:57 . 2010-09-07 23:57 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-09-07 23:55 . 2010-09-08 00:01 -------- d-----w- c:\program files\DivX
2010-09-07 23:54 . 2010-09-07 23:54 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-09-07 23:54 . 2010-09-08 00:01 -------- d-----w- c:\programdata\DivX
2010-09-06 01:40 . 2010-09-06 01:40 -------- d-----w- c:\program files\iPod
2010-09-06 01:40 . 2010-09-06 01:41 -------- d-----w- c:\program files\iTunes
2010-09-06 01:37 . 2010-09-06 01:37 -------- d-----w- c:\program files\QuickTime
2010-09-06 01:31 . 2010-09-06 01:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 00:18 . 2009-12-12 21:40 37869 ----a-w- c:\programdata\nvModes.dat
2010-09-28 23:56 . 2009-12-12 21:40 -------- d-----w- c:\programdata\NVIDIA
2010-09-28 23:51 . 2009-12-14 08:43 81984 ----a-w- c:\windows\system32\bdod.bin
2010-09-28 16:29 . 2010-02-06 20:18 -------- d-----w- c:\users\Marijus\AppData\Roaming\Skype
2010-09-28 16:26 . 2010-02-06 20:27 -------- d-----w- c:\users\Marijus\AppData\Roaming\skypePM
2010-09-28 06:05 . 2010-07-27 13:04 -------- d-----w- c:\program files\StarCraft II
2010-09-27 16:45 . 2010-04-23 17:56 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-09-22 01:37 . 2009-12-12 21:50 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-09-22 00:50 . 2009-12-12 21:39 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-16 23:30 . 2010-06-03 21:13 -------- d-----w- c:\users\Marijus\AppData\Roaming\Petroglyph
2010-09-16 07:05 . 2009-12-11 05:01 -------- d-----w- c:\programdata\Microsoft Help
2010-09-16 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-13 20:43 . 2009-12-20 04:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-06 01:40 . 2009-12-23 20:22 -------- d-----w- c:\program files\Common Files\Apple
2010-08-29 05:41 . 2009-12-26 00:51 -------- d-----w- c:\users\Marijus\AppData\Roaming\BitTorrent
2010-08-10 15:55 . 2010-03-21 16:10 -------- d-----w- c:\program files\Java
2010-08-10 04:45 . 2010-08-10 04:45 -------- d-----w- c:\users\Marijus\AppData\Roaming\NetSarang
2010-08-05 07:55 . 2010-08-05 07:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 07:34 . 2010-08-05 07:34 388096 ----a-r- c:\users\Marijus\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 07:34 . 2010-08-05 07:34 -------- d-----w- c:\program files\Trend Micro
2010-08-03 00:50 . 2010-08-03 00:50 -------- d-----w- c:\users\Marijus\AppData\Roaming\dvdcss
2010-08-02 04:37 . 2010-08-02 04:37 100432 ----a-w- c:\users\Marijus\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-17 09:00 . 2010-08-05 07:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 22:37 . 2009-12-12 21:37 9818728 ----a-w- c:\windows\system32\nvd3dum.dll
2010-07-09 22:37 . 2009-12-12 21:37 1625192 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:37 . 2009-09-28 04:12 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 17:46 . 2009-12-11 04:15 604776 ----a-w- c:\windows\system32\nvuninst.exe
2009-12-12 23:20 . 2008-08-14 00:02 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="j:\steam\steam.exe" [2010-08-23 1242448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"RayV"="c:\program files\RayV\RayV\RayV.exe" [2010-06-28 2561320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-22 4352832]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-22 960528]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-22 165144]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-12-12 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-12-12 69632]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2163585369-2416861267-2377926666-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;j:\games\Dragon Age Origins\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-12-11 691696]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-11 64160]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2009-12-12 82696]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2009-12-12 111112]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-12-12 104456]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [2008-01-18 16128]
S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]
S3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2008-11-26 333824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bdx REG_MULTI_SZ scan
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blizzard.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
FF - plugin: c:\users\Marijus\AppData\Roaming\Mozilla\Firefox\Profiles\8feo2crc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 21:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:bc,2c,0c,73,19,90,e9,96,01,cb,b7,5e,61,78,e0,4e,4f,da,22,32,6e,99,f5,
c7,17,ec,33,fe,30,59,b5,d6,4b,30,bf,bb,c4,53,93,35,14,ac,c4,03,bc,f8,e8,04,\
"??"=hex:18,21,db,9b,42,82,55,92,68,34,1c,ef,81,9b,0e,e3

[HKEY_USERS\S-1-5-21-2163585369-2416861267-2377926666-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:85,92,3b,75,01,f9,99,07,59,55,03,9b,32,1b,2c,74,9e,3d,7b,ab,ba,
f2,b7,ca,ed,2d,a4,e9,8b,30,d7,e6,42,59,4c,cc,f7,44,73,5c,ac,c3,be,81,06,6c,\
"rkeysecu"=hex:e2,b5,0b,06,cb,4c,8b,f9,dc,9e,45,f7,9f,5a,41,b8
.
Completion time: 2010-09-28 21:58:28
ComboFix-quarantined-files.txt 2010-09-29 01:58
ComboFix2.txt 2010-09-29 00:18

Pre-Run: 26,239,139,840 bytes free
Post-Run: 26,210,537,472 bytes free

- - End Of File - - C943AAF10FAC3BB0ECE2DE812F3387BE

 

[crunchie]

Download Bootkit Remover to your Desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
• After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[Dessicar]

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows Vista Business Edition Service Pack 2 (build 6002)
, 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`cc400000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

 

[crunchie]

Ok. That looks ok.

Everything still good?

 

[Dessicar]

Yes, everything is running nice and smooth, thanks a bunch!!! is there anything left?

 

[crunchie]

Only this;

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

----

Should be good to go .

 

[Dessicar]

Alright then I will give that a go and post back in a few days to let you know how everything is running. Again thanks alot!!

 

[crunchie]

No worries .

 

[Dessicar]

Everything is still running nice and smooth! Thanks a bunch for all your awesome help and quick replies !

 

[crunchie]

You are welcome .