Inactive Boring rootkits attacking me all day

g4mer

Every 20-30 minutes avast! Free AV tells me I got infected with some rootkits called Win32:Confi [Wrm] and Win32:Rootkit-gen [Rtk]. Location is C:\Windows\System32 and the infected file is called x. I have no idea what I should do about this. Help!!
I took a screenshot of the avast! Virus Chest.
 

Attachment: xxxxxxxx.JPG (106.9 KB)
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, paste the logs for review into your next reply. OK to use multiple posts if needed.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
When I scanned with Malwarebytes, 9 threats were found, but I got a BSoD before the scan was complete (don't know why). I ran the scan with Malwarebytes again but it only found 3 threats.
Here are the logs:
 

Attachments: mbam-log-2010-10-09 (11-40-30).txt (1.2 KB), GMER.log (7.4 KB), DDS.txt (12.7 KB), Attach.txt (6.5 KB)
Please observe this:
When you have finished, paste the logs for review into your next reply. OK to use multiple posts if needed.

It is too time consuming for me to have to copy and paste entries that I need to identify into a search. When logs are pasted in, I can search directly from within my browser.

P2P or 'file sharing' Warning:
I notice that you are running uTorrent, LimeWire and eMule. These are all file sharing programs.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I encourage you to uninstall all 3 programs for these reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

You are 'bored' with continuing attacks by rootkit malware but you are continuing to use file sharing, which opens a door to malware.

The entries in Mbam show No Action Taken. This means that you did not check the line for removal. Please update Malwarebytes and rescan, following this: Be sure that everything is checked, and click Remove Selected.
============================================
After the rescan with Malwarebytes:
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
==========================================
After the Mbam scan and Combofix:
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please paste all logs in next reply. Use multiple posts if needed.
 
I removed LimeWire, uTorrent and eMule long ago. Those are just folder remains.
I selected everything to delete in Mbytes, but after I saved the log. Sorry for that.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4784

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/9/2010 8:47:45 PM
mbam-log-2010-10-09 (20-47-45).txt

Scan type: Quick scan
Objects scanned: 130514
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
ComboFix 10-10-09.01 - Srki 10/09/2010 20:59:38.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1149 [GMT 2:00]
Running from: c:\documents and settings\Srki\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Dvbpws.dll
c:\windows\wpe pro.INI

.
((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
.

2010-10-09 09:00 . 2010-10-09 09:00 -------- d-----w- c:\documents and settings\Srki\Application Data\Malwarebytes
2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-09 08:59 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-09 08:59 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-02 13:59 . 2010-10-02 13:59 -------- d--h--w- c:\windows\PIF
2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Opera
2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\program files\Opera
2010-09-28 21:38 . 2010-09-28 21:38 -------- d-----w- C:\Cache
2010-09-28 18:33 . 2010-09-28 18:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-27 14:14 . 2010-09-27 14:14 503808 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1ae8e256-n\msvcp71.dll
2010-09-27 14:14 . 2010-09-27 14:14 499712 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1ae8e256-n\jmc.dll
2010-09-27 14:14 . 2010-09-27 14:14 348160 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1ae8e256-n\msvcr71.dll
2010-09-27 14:14 . 2010-09-27 14:14 61440 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4de8c945-n\decora-sse.dll
2010-09-27 14:14 . 2010-09-27 14:14 12800 ----a-w- c:\documents and settings\Srki\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4de8c945-n\decora-d3d.dll
2010-09-26 19:31 . 2010-09-26 19:31 -------- d-----w- c:\program files\Common Files\Java
2010-09-26 19:31 . 2010-09-26 19:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-09-26 19:30 . 2010-09-26 19:30 -------- d-----w- c:\program files\Java
2010-09-24 20:22 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Publish Providers
2010-09-24 20:21 . 2010-09-24 20:21 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Sony
2010-09-24 20:21 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Sony
2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\program files\Sony
2010-09-24 20:17 . 2010-09-26 09:17 -------- d-----w- c:\windows\system32\LogFiles
2010-09-24 20:17 . 2010-09-24 20:17 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-09-24 20:17 . 2006-09-15 23:05 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-24 15:13 . 2010-09-25 10:30 -------- d-----w- c:\documents and settings\Srki\Application Data\Ventrilo
2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Ventrilo
2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-23 19:51 . 2010-09-23 19:51 -------- d-----w- c:\program files\YouTube Downloader
2010-09-23 19:47 . 2010-09-23 19:47 -------- d-----w- c:\documents and settings\Srki\Application Data\AnvSoft
2010-09-23 19:47 . 2010-09-23 19:47 -------- d-----w- c:\program files\AnvSoft
2010-09-23 18:12 . 2010-09-23 18:12 -------- d-----w- c:\documents and settings\Srki\Application Data\VMware
2010-09-23 16:17 . 2010-09-23 16:17 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
2010-09-23 16:17 . 2010-09-23 16:14 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
2010-09-23 16:17 . 2010-09-23 16:14 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
2010-09-23 16:17 . 2010-09-23 16:14 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
2010-09-23 16:17 . 2010-09-23 16:14 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
2010-09-23 16:17 . 2010-09-23 16:14 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
2010-09-23 16:17 . 2010-09-23 16:14 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
2010-09-23 16:17 . 2010-09-23 16:14 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
2010-09-23 16:16 . 2010-01-22 15:13 59952 ----a-r- c:\windows\system32\vnetinst.dll
2010-09-23 16:16 . 2010-01-22 15:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2010-09-23 16:16 . 2010-01-22 19:56 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2010-09-23 16:16 . 2010-01-22 19:57 395824 ----a-w- c:\windows\system32\vmnat.exe
2010-09-23 16:16 . 2010-01-22 19:57 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2010-09-23 16:16 . 2010-01-22 15:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2010-09-23 16:16 . 2010-01-22 19:57 760368 ----a-w- c:\windows\system32\vnetlib.dll
2010-09-23 16:16 . 2010-01-22 19:57 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2010-09-23 16:16 . 2010-10-09 18:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-09-23 16:15 . 2010-09-23 16:15 -------- d-----w- c:\program files\Common Files\VMware
2010-09-23 16:15 . 2010-10-09 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-09-23 16:15 . 2010-09-23 16:15 -------- d-----w- c:\program files\VMware
2010-09-23 11:56 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-09-21 13:25 . 2010-09-21 17:09 -------- d-----w- c:\program files\SpeedFan
2010-09-19 18:10 . 2010-09-19 18:10 -------- d-----w- c:\documents and settings\Administrator
2010-09-19 15:19 . 2010-09-19 15:19 -------- d-----w- c:\documents and settings\Srki\Application Data\Need for Speed World
2010-09-19 14:47 . 2010-09-19 14:47 10904848 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\nfsw.exe
2010-09-19 14:47 . 2010-09-19 14:47 267536 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\gameplay.dll
2010-09-19 14:47 . 2010-09-19 14:47 1789200 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\gameplay.native.dll
2010-09-19 14:47 . 2010-09-19 14:47 4068624 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\eawebkit.dll
2010-09-19 14:47 . 2010-09-19 14:47 462864 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\d3dx10_37.dll
2010-09-19 14:47 . 2010-09-19 14:47 3786760 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\d3dx9_37.dll
2010-09-19 14:31 . 2010-09-19 14:31 -------- d-----w- c:\documents and settings\Srki\Application Data\Nero
2010-09-19 14:30 . 2010-09-19 14:30 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Ahead
2010-09-19 14:28 . 2010-09-19 14:29 -------- d-----w- c:\program files\Common Files\Nero
2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\program files\Nero
2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-09-19 13:28 . 2010-09-19 13:28 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Identities
2010-09-19 12:58 . 2010-09-19 12:58 883670 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\pb\pbcl.dll
2010-09-19 12:58 . 2010-09-19 12:58 57344 ----a-w- c:\documents and settings\All Users\Application Data\Electronic Arts\Need For Speed World\Data\pb\pbag.dll
2010-09-19 12:03 . 2010-09-19 12:03 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Electronic_Arts_Inc
2010-09-19 12:02 . 2010-09-19 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-09-19 08:06 . 2010-09-28 17:42 -------- d-----w- c:\windows\Logs
2010-09-18 18:12 . 2010-09-18 18:12 -------- d-----w- c:\program files\OCCT
2010-09-18 18:10 . 2010-09-18 18:10 -------- d-----w- c:\documents and settings\Srki\Application Data\NVIDIA
2010-09-18 17:11 . 2010-09-18 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-09-18 11:46 . 2010-09-18 11:46 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Blizzard Entertainment
2010-09-18 10:45 . 2010-09-18 20:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-09-18 10:44 . 2010-09-18 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-09-18 06:37 . 2010-09-18 06:37 -------- d-----w- c:\documents and settings\Srki\Application Data\GRETECH
2010-09-18 06:36 . 2010-09-18 06:36 -------- d-----w- c:\program files\GRETECH
2010-09-17 20:52 . 2010-09-18 07:51 -------- d-----w- C:\totalcmd
2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\UC.PIF
2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\RAR.PIF
2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKZIP.PIF
2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKUNZIP.PIF
2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\NOCLOSE.PIF
2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\LHA.PIF
2010-09-17 20:52 . 2008-08-08 05:04 545 ----a-w- c:\windows\ARJ.PIF
2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\windows\SHELLNEW
2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft.NET
2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\Adobe Mini Bridge CS5
2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-09-14 16:39 . 2010-09-14 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-09-14 15:17 . 2010-09-18 08:56 238888 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-09-14 15:17 . 2010-09-18 08:56 238888 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-09-14 15:17 . 2010-09-18 08:56 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-09-14 15:16 . 2010-09-11 06:46 887912 ----a-w- c:\windows\system32\nvdispco32.dll
2010-09-14 15:16 . 2010-09-11 06:46 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-09-14 15:16 . 2010-09-11 06:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-09-14 15:16 . 2010-09-11 06:46 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-09-14 15:16 . 2010-09-11 06:46 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-09-14 15:16 . 2010-09-11 06:46 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-09-14 15:16 . 2010-09-11 06:46 2293194 ----a-w- c:\windows\system32\nvdata.bin
2010-09-14 15:16 . 2010-09-11 06:46 14528512 ----a-w- c:\windows\system32\nvoglnt.dll
2010-09-14 15:16 . 2010-09-11 06:46 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-09-14 15:16 . 2010-09-11 06:46 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-09-14 15:15 . 2010-09-14 15:15 -------- d-----w- C:\NVIDIA
2010-09-14 15:15 . 2010-09-28 18:33 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Adobe
2010-09-14 15:12 . 2010-09-14 15:12 -------- d-----w- c:\program files\Phyxion.net
2010-09-14 14:59 . 2010-09-24 15:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-14 12:35 . 2010-09-14 12:37 -------- d-----w- c:\documents and settings\Srki\Application Data\Auslogics
2010-09-14 12:34 . 2010-09-14 12:34 -------- d-----w- c:\program files\Auslogics
2010-09-14 12:32 . 2004-08-03 21:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-09-14 12:32 . 2004-08-03 21:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys
2010-09-14 12:32 . 2004-08-03 22:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-09-14 12:32 . 2004-08-03 22:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2010-09-14 12:32 . 2004-08-03 21:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2010-09-14 12:32 . 2004-08-03 21:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2010-09-14 12:22 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Srki\Application Data\InstallShield
2010-09-14 01:16 . 2010-09-14 01:24 -------- d-----w- C:\Boot
2010-09-13 21:13 . 2010-09-13 21:13 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-09-13 21:13 . 2010-10-02 08:13 -------- d-----w- c:\program files\WinFast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-09 09:27 . 2010-09-13 14:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-10-08 19:54 . 2010-09-13 14:12 -------- d-----w- c:\documents and settings\Srki\Application Data\uTorrent
2010-10-07 20:39 . 2010-09-13 14:14 -------- d-----w- c:\documents and settings\Srki\Application Data\Skype
2010-10-07 20:38 . 2010-09-13 14:14 -------- d-----w- c:\documents and settings\Srki\Application Data\skypePM
2010-09-26 15:18 . 2010-09-13 14:13 -------- d-----w- c:\program files\uTorrent
2010-09-19 14:59 . 2010-09-13 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-09-18 07:58 . 2010-09-13 14:05 35544 ----a-w- c:\documents and settings\Srki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-15 20:16 . 2010-09-13 14:16 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 5
2010-09-15 16:41 . 2010-09-13 13:54 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-15 12:22 . 2010-09-13 14:20 -------- d-----w- c:\documents and settings\Srki\Application Data\Winamp
2010-09-14 15:17 . 2010-09-13 14:02 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-13 20:55 . 2010-09-13 14:20 -------- d-----w- c:\program files\Winamp
2010-09-13 15:00 . 2010-09-13 14:48 -------- d-----w- c:\program files\NeoSmart Technologies
2010-09-13 14:19 . 2010-09-13 14:19 0 ----a-w- c:\windows\nsreg.dat
2010-09-13 14:14 . 2010-09-13 14:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-09-13 14:14 . 2010-09-13 14:14 -------- d-----r- c:\program files\Skype
2010-09-13 14:14 . 2010-09-13 14:14 -------- d-----w- c:\program files\Common Files\Skype
2010-09-13 14:14 . 2010-09-13 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-09-13 14:11 . 2010-09-13 14:11 -------- d-----w- c:\program files\Alwil Software
2010-09-13 14:11 . 2010-09-13 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-13 14:07 . 2010-09-13 14:07 -------- d-----w- c:\program files\Realtek AC97
2010-09-13 14:07 . 2010-09-13 14:07 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-13 13:55 . 2010-09-13 13:55 -------- d-----w- c:\program files\microsoft frontpage
2010-09-13 13:51 . 2010-09-13 13:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-11 06:46 . 2010-09-13 14:01 9586016 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-09-11 06:46 . 2010-09-13 14:01 6358912 ----a-w- c:\windows\system32\nv4_disp.dll
2010-09-10 21:23 . 2010-09-10 21:23 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-09-10 21:23 . 2010-09-10 21:23 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-09-10 21:23 . 2010-09-10 21:23 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-09-10 21:23 . 2010-09-10 21:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-09-10 21:23 . 2010-09-10 21:23 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-09-10 21:23 . 2010-09-10 21:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-09-07 15:12 . 2010-09-13 14:21 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-09-13 14:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-09-13 14:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-09-13 14:12 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-09-13 14:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-09-13 14:12 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-09-13 14:12 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-09-13 14:12 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-09-13 14:12 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"NvMediaCenter"="NvMCTray.dll" [2010-09-10 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-09-10 13851752]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\Games\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"e:\\Games\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/13/2010 4:12 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/13/2010 4:12 PM 17744]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [1/22/2010 9:57 PM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [1/22/2010 9:00 PM 563760]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS --> c:\program files\WinFast\WFDTV\WFIOCTL.SYS [?]
S3 WFLR6654;WinFast TV2000 XP Global/Global TV (XC2028);c:\windows\system32\drivers\wfeaglxt.sys --> c:\windows\system32\drivers\wfeaglxt.sys [?]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
FF - ProfilePath - c:\documents and settings\Srki\Application Data\Mozilla\Firefox\Profiles\ehk57e6w.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NBKey - c:\documents and settings\Srki\My Documents\Downloads\Exp hacker 3.0.8.exe


.
Completion time: 2010-10-09 21:03:07
ComboFix-quarantined-files.txt 2010-10-09 19:03

Pre-Run: 43,940,098,048 bytes free
Post-Run: 43,904,434,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
; This boot.ini was automatically generated by NeoSmart Technologies' BootGrabber.exe
; Use EasyBCD from http://neosmart.net/dl.php?id=1 to manage your bootloader
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP on D:\" /fastdetect

- - End Of File - - C168E1243251237ABF6EF0A3ADA377BB
 
Have you had a chance to run the Eset online scan yet? Please leave the log.

If the Win32.Rootkit-gen[RTK] is anywhere on the system, I will see it here. It could be in a restore point or quarantined but still showing in Avast- although it wouldn't be active in the system. Some AV programs continue to give warnings, even though an entry may have already been handled.

Check Avast and see if it has an option not to alert you.

I will have a few removals in script to run through Combofix, but I'd like to see the Eset log first.

Edit: Are you still using WinFast? Combofix is showing 2 drivers for it as a ?
 
ESET Log:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9357091c5ff13d4e94ecb011eb3d2879
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-10 07:28:49
# local_time=2010-10-10 09:28:49 (+0100, Central Europe Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 2350263 2350263 0 0
# compatibility_mode=8192 67108863 100 0 441 441 0 0
# scanned=38007
# found=0
# cleaned=0
# scan_time=1559

I'm not using WinFast. I have 2 drivers that need to be updated.
BTW I'm not getting virus alerts anymore. Avast and MBAM probably removed it.
 
Okay, we have made progress!

Please run this Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\program files\winfast\wfdtv\wfioctl.sys
c:\windows\system32\drivers\wfeaglxt.sys
c:\windows\UC.PIF
c:\windows\RAR.PIF
c:\windows\PKZIP.PIF
c:\windows\PKUNZIP.PIF
c:\windows\NOCLOSE.PIF
c:\windows\LHA.PIF
c:\windows\ARJ.PIF
Folder::
c:\program files\LimeWire
c:\program files\eMule

DirLook::
C:\Boot
C:\Cache
C:\bootmgr

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Driver::
WFIOCTL
WFLR6654
Save this as CFScript.txt, in the same location as ComboFix.exe.

Then drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Are you aware of all the Globally Open Ports for League of Legends Launcher?
Please update Java to v6u21.
=====================
Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
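The settings the helper pulled out of the posted logs (the Security Center UpdatesDisableNotify hit in the Malwarebytes log, the FirewallOverride flag and EnableFirewall=0 in ComboFix's Reg Loading Points, the uTorrent firewall exception, the run of Globally Open Ports, and the orphaned MSConfigStartUp entry pointing into Downloads) are what a first triage pass reads before any removal script is written. The script below is an added example for this thread, not a tool from ComboFix, Malwarebytes or avast: it parses a constructed excerpt written in ComboFix's log format and flags those conditions. The P2P client list and the "points into a Downloads folder" heuristic are assumptions chosen for illustration; the Security Center value names are the real XP SP2 ones.

```python
"""Triage pass over a ComboFix-style log.

Added example for this thread; it is not a ComboFix, Malwarebytes or avast tool.
It parses the "Reg Loading Points" section in the format ComboFix prints and
flags the settings a removal helper reads first.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt that mirrors lines quoted in this thread (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher

MSConfigStartUp-NBKey - c:\documents and settings\Srki\My Documents\Downloads\Exp hacker 3.0.8.exe
"""

# XP Security Center values that, when 1, suppress the user's warnings or
# tell Security Center that a third-party product covers the gap.
SECURITY_CENTER_FLAGS = {
    "firewalloverride", "antivirusoverride",
    "firewalldisablenotify", "antivirusdisablenotify", "updatesdisablenotify",
}
# Hypothetical P2P client list chosen for this example.
P2P_NAMES = ("utorrent", "limewire", "emule")


def value_as_int(value):
    """Decode ComboFix's 'dword:00000001' or '0 (0x0)' renderings; None if not numeric."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def parse_sections(log):
    """Group '"name"=value' lines under their [key] header; collect orphan lines separately."""
    sections = defaultdict(list)
    orphans = []
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif line.startswith("MSConfigStartUp-"):
            orphans.append(line)
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"\s*=\s*(.*)', line)
            if m:
                sections[current].append((m.group(1), m.group(2).strip()))
    return sections, orphans


def triage(log):
    """Return a list of human-readable findings; empty for a clean log."""
    sections, orphans = parse_sections(log)
    findings = []
    open_ports = Counter()
    for key, entries in sections.items():
        for name, value in entries:
            lname = name.lower()
            if key.endswith("security center"):
                if lname in SECURITY_CENTER_FLAGS and value_as_int(value) == 1:
                    findings.append(f"security center override set: {name}")
            elif key.endswith("firewallpolicy\\standardprofile"):
                if lname == "enablefirewall" and value_as_int(value) == 0:
                    findings.append("windows firewall disabled (EnableFirewall=0)")
            elif key.endswith("authorizedapplications\\list"):
                if any(p in lname for p in P2P_NAMES):
                    findings.append(f"p2p client whitelisted through the firewall: {name}")
            elif key.endswith("globallyopenports\\list"):
                # value looks like '8370:TCP:League of Legends Launcher'
                desc = value.split(":", 2)[2] if value.count(":") >= 2 else "(no description)"
                open_ports[desc] += 1
    for desc, n in open_ports.items():
        findings.append(f"{n} globally open port rule(s) for {desc}")
    for line in orphans:
        m = re.match(r"MSConfigStartUp-(\S+)\s+-\s+(.+)", line)
        if m and "\\downloads\\" in m.group(2).lower():
            findings.append(f"orphaned startup entry {m.group(1)} pointed at a download: {m.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" -", finding)
```

Run it as-is to see the five findings for the constructed excerpt, or pass the Reg Loading Points section of a real ComboFix.txt into triage(). The point of the port counter is the one the helper raises: a launcher that opens 22 port rules globally, as in the log above, deserves a question even when every line carries a friendly description.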
 
FILE ::
"c:\program files\winfast\wfdtv\wfioctl.sys"
"c:\windows\ARJ.PIF"
"c:\windows\LHA.PIF"
"c:\windows\NOCLOSE.PIF"
"c:\windows\PKUNZIP.PIF"
"c:\windows\PKZIP.PIF"
"c:\windows\RAR.PIF"
"c:\windows\system32\drivers\wfeaglxt.sys"
"c:\windows\UC.PIF"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\ARJ.PIF
c:\windows\LHA.PIF
c:\windows\NOCLOSE.PIF
c:\windows\PKUNZIP.PIF
c:\windows\PKZIP.PIF
c:\windows\RAR.PIF
c:\windows\UC.PIF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WFIOCTL
-------\Service_WFIOCTL
-------\Service_WFLR6654


((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-12 22:05 . 2010-10-12 22:14 240124 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-12 22:05 . 2010-10-12 22:14 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-12 22:05 . 2010-10-12 22:14 240124 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-12 22:05 . 2010-10-08 08:30 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-10-12 22:05 . 2010-10-08 08:30 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-10-12 22:05 . 2010-10-08 08:30 14528512 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-10 20:42 . 2010-10-10 20:43 -------- d-----w- C:\DXFiles
2010-10-10 17:51 . 2010-10-10 17:51 60416 ----a-w- c:\windows\ALCFDRTM.VER
2010-10-10 17:51 . 2010-10-10 17:51 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2010-10-10 17:51 . 2010-10-10 17:51 -------- d-----w- c:\windows\system32\Lang
2010-10-09 09:00 . 2010-10-09 09:00 -------- d-----w- c:\documents and settings\Srki\Application Data\Malwarebytes
2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-09 08:59 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-09 08:59 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-09 08:59 . 2010-10-09 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 00:28 . 2010-10-08 00:28 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-08 00:28 . 2010-10-08 00:28 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-08 00:28 . 2010-10-08 00:28 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-08 00:28 . 2010-10-08 00:28 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-08 00:28 . 2010-10-08 00:28 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-08 00:28 . 2010-10-08 00:28 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-02 13:59 . 2010-10-02 13:59 -------- d--h--w- c:\windows\PIF
2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Opera
2010-09-29 16:57 . 2010-09-29 16:57 -------- d-----w- c:\program files\Opera
2010-09-28 18:33 . 2010-09-28 18:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-26 19:31 . 2010-09-26 19:31 -------- d-----w- c:\program files\Common Files\Java
2010-09-26 19:31 . 2010-09-26 19:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-26 19:31 . 2010-09-26 19:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-09-26 19:30 . 2010-09-26 19:30 -------- d-----w- c:\program files\Java
2010-09-24 20:22 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Publish Providers
2010-09-24 20:21 . 2010-09-24 20:21 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Sony
2010-09-24 20:21 . 2010-09-24 20:22 -------- d-----w- c:\documents and settings\Srki\Application Data\Sony
2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-09-24 20:18 . 2010-09-24 20:18 -------- d-----w- c:\program files\Sony
2010-09-24 20:17 . 2010-09-26 09:17 -------- d-----w- c:\windows\system32\LogFiles
2010-09-24 20:17 . 2010-09-24 20:17 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-09-24 20:17 . 2006-09-15 23:05 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-24 15:13 . 2010-09-25 10:30 -------- d-----w- c:\documents and settings\Srki\Application Data\Ventrilo
2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Ventrilo
2010-09-24 15:12 . 2010-09-24 15:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-23 19:47 . 2010-09-23 19:47 -------- d-----w- c:\documents and settings\Srki\Application Data\AnvSoft
2010-09-23 18:12 . 2010-09-23 18:12 -------- d-----w- c:\documents and settings\Srki\Application Data\VMware
2010-09-23 16:16 . 2010-10-10 09:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-09-23 16:15 . 2010-10-10 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-09-23 11:56 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-09-19 18:10 . 2010-09-19 18:10 -------- d-----w- c:\documents and settings\Administrator
2010-09-19 15:19 . 2010-09-19 15:19 -------- d-----w- c:\documents and settings\Srki\Application Data\Need for Speed World
2010-09-19 14:31 . 2010-09-19 14:31 -------- d-----w- c:\documents and settings\Srki\Application Data\Nero
2010-09-19 14:30 . 2010-09-19 14:30 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Ahead
2010-09-19 14:28 . 2010-09-19 14:29 -------- d-----w- c:\program files\Common Files\Nero
2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\program files\Nero
2010-09-19 14:28 . 2010-09-19 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-09-19 14:27 . 2006-11-01 16:31 1669120 ----a-w- c:\program files\Windows Media Player\wmsetsdk.exe
2010-09-19 14:27 . 2004-08-10 23:45 47616 ----a-w- c:\program files\Windows Media Player\msoobci.dll
2010-09-19 13:28 . 2010-09-19 13:28 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Identities
2010-09-19 12:03 . 2010-09-19 12:03 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Electronic_Arts_Inc
2010-09-19 08:06 . 2010-09-28 17:42 -------- d-----w- c:\windows\Logs
2010-09-18 18:10 . 2010-09-18 18:10 -------- d-----w- c:\documents and settings\Srki\Application Data\NVIDIA
2010-09-18 17:11 . 2010-09-18 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-09-18 11:46 . 2010-09-18 11:46 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Blizzard Entertainment
2010-09-18 10:45 . 2010-09-18 20:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-09-18 10:44 . 2010-09-18 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-09-18 06:37 . 2010-09-18 06:37 -------- d-----w- c:\documents and settings\Srki\Application Data\GRETECH
2010-09-18 06:36 . 2010-09-18 06:36 -------- d-----w- c:\program files\GRETECH
2010-09-17 20:52 . 2010-09-18 07:51 -------- d-----w- C:\totalcmd
2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\windows\SHELLNEW
2010-09-17 20:50 . 2010-09-17 20:50 -------- d-----w- c:\program files\Microsoft.NET
2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\Adobe Mini Bridge CS5
2010-09-15 13:57 . 2010-09-15 13:57 -------- d-----w- c:\documents and settings\Srki\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-09-14 16:39 . 2010-09-14 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-09-14 15:16 . 2010-10-08 08:30 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-09-14 15:16 . 2010-10-08 08:30 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-09-14 15:16 . 2010-10-08 08:30 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-09-14 15:16 . 2010-10-08 08:30 2666088 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-09-14 15:16 . 2010-10-08 08:30 2293194 ----a-w- c:\windows\system32\nvdata.bin
2010-09-14 15:16 . 2010-10-08 08:30 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-09-14 15:16 . 2010-10-08 08:30 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-09-14 15:15 . 2010-09-14 15:15 -------- d-----w- C:\NVIDIA
2010-09-14 15:15 . 2010-09-28 18:33 -------- d-----w- c:\documents and settings\Srki\Local Settings\Application Data\Adobe
2010-09-14 15:12 . 2010-09-14 15:12 -------- d-----w- c:\program files\Phyxion.net
2010-09-14 14:59 . 2010-09-24 15:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-14 12:35 . 2010-09-14 12:37 -------- d-----w- c:\documents and settings\Srki\Application Data\Auslogics
2010-09-14 12:34 . 2010-09-14 12:34 -------- d-----w- c:\program files\Auslogics
2010-09-14 12:32 . 2004-08-03 21:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-09-14 12:32 . 2004-08-03 21:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys
2010-09-14 12:32 . 2004-08-03 22:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-09-14 12:32 . 2004-08-03 22:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2010-09-14 12:32 . 2004-08-03 22:56 56832 ----a-w- c:\windows\system32\MSDvbNP.ax
2010-09-14 12:32 . 2004-08-03 22:56 33280 ----a-w- c:\windows\system32\PsisRndr.ax
2010-09-14 12:32 . 2004-08-03 21:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2010-09-14 12:32 . 2004-08-03 21:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2010-09-14 12:32 . 2004-08-03 22:56 18432 ----a-w- c:\windows\system32\BdaPlgIn.ax
2010-09-14 12:22 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Srki\Application Data\InstallShield
2010-09-14 01:16 . 2010-09-14 01:24 -------- d-----w- C:\Boot
2010-09-13 21:13 . 2010-09-13 21:13 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-09-13 21:13 . 2002-12-05 12:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2010-09-13 21:13 . 2002-12-02 11:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2010-09-13 21:13 . 2010-09-13 21:13 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2010-09-13 21:13 . 2003-02-27 14:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2010-09-13 21:13 . 2002-12-02 13:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2010-09-13 21:13 . 2002-12-02 11:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2010-09-13 21:13 . 2010-09-13 21:13 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2010-09-13 21:13 . 2010-10-02 08:13 -------- d-----w- c:\program files\WinFast
2010-09-13 20:58 . 2004-08-03 22:56 90624 ----a-w- c:\windows\system32\kswdmcap.ax
2010-09-13 20:58 . 2004-08-03 22:56 61952 ----a-w- c:\windows\system32\kstvtune.ax
2010-09-13 20:58 . 2004-08-03 22:56 28672 ----a-w- c:\windows\system32\vidcap.ax
2010-09-13 20:58 . 2004-08-03 22:56 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-09-13 20:58 . 2004-08-03 22:56 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-09-13 20:58 . 2004-08-03 22:56 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-09-13 20:57 . 2010-10-02 08:13 -------- d-----w- c:\windows\system32\WinFast
2010-09-13 20:57 . 2010-09-13 20:57 -------- d-----w- c:\windows\system32\WinFox
2010-09-13 20:57 . 2003-09-05 07:57 9469 ----a-w- c:\windows\system32\drivers\WINFOXIO.sys
2010-09-13 20:57 . 2004-04-18 21:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
2010-09-13 20:57 . 2004-04-18 21:39 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
2010-09-13 20:57 . 2004-04-18 21:39 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
2010-09-13 20:57 . 2004-04-18 21:39 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
2010-09-13 20:57 . 2010-09-13 20:57 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
2010-09-13 20:57 . 2004-04-18 21:42 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
2010-09-13 20:57 . 2010-09-13 20:57 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Boot ----

2010-09-14 01:24 . 2009-06-10 21:15 47452 ----a-w- c:\boot\Fonts\wgl4_boot.ttf
2010-09-14 01:24 . 2009-06-10 21:15 2371360 ----a-w- c:\boot\Fonts\kor_boot.ttf
2010-09-14 01:24 . 2009-06-10 21:15 1984228 ----a-w- c:\boot\Fonts\jpn_boot.ttf
2010-09-14 01:24 . 2009-06-10 21:15 3876772 ----a-w- c:\boot\Fonts\cht_boot.ttf
2010-09-14 01:24 . 2009-06-10 21:15 3694080 ----a-w- c:\boot\Fonts\chs_boot.ttf
2010-09-14 01:24 . 2010-09-14 01:24 65536 --sha-w- c:\boot\BOOTSTAT.DAT
2010-09-14 01:24 . 2009-07-14 01:17 70224 ----a-w- c:\boot\zh-HK\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 70208 ----a-w- c:\boot\zh-TW\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 87104 ----a-w- c:\boot\tr-TR\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 70720 ----a-w- c:\boot\zh-CN\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 87616 ----a-w- c:\boot\sv-SE\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 90192 ----a-w- c:\boot\ru-RU\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 90704 ----a-w- c:\boot\pl-PL\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 90176 ----a-w- c:\boot\pt-BR\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 89664 ----a-w- c:\boot\pt-PT\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 88144 ----a-w- c:\boot\nb-NO\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 90704 ----a-w- c:\boot\nl-NL\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:20 485440 ----a-w- c:\boot\memtest.exe
2010-09-14 01:24 . 2009-07-14 01:17 76352 ----a-w- c:\boot\ja-JP\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 75344 ----a-w- c:\boot\ko-KR\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 90688 ----a-w- c:\boot\hu-HU\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 90704 ----a-w- c:\boot\it-IT\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 89152 ----a-w- c:\boot\fi-FI\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 93248 ----a-w- c:\boot\fr-FR\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 90192 ----a-w- c:\boot\es-ES\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 02:11 43600 ----a-w- c:\boot\en-US\memtest.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 94800 ----a-w- c:\boot\el-GR\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 85056 ----a-w- c:\boot\en-US\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 91712 ----a-w- c:\boot\de-DE\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 87616 ----a-w- c:\boot\da-DK\bootmgr.exe.mui
2010-09-14 01:24 . 2009-07-14 01:17 89168 ----a-w- c:\boot\cs-CZ\bootmgr.exe.mui
2010-09-14 01:16 . 2010-10-10 17:54 1024 --sha-w- c:\boot\BCD.LOG
2010-09-14 01:16 . 2010-10-10 17:55 262144 --sha-w- c:\boot\BCD

---- Directory of C:\bootmgr ----


---- Directory of C:\Cache ----



((((((((((((((((((((((((((((( SnapShot@2010-10-13_18.59.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-13 19:22 . 2010-10-13 19:22 16384 c:\windows\temp\Perflib_Perfdata_1a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-08 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-08 13851752]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\Games\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"e:\\Games\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/13/2010 4:12 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/13/2010 4:12 PM 17744]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Srki\Application Data\Mozilla\Firefox\Profiles\ehk57e6w.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2972)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\imapi.exe
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:31:52 PM, on 10/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 3757 bytes
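The firewall-policy block of the ComboFix log above (EnableFirewall set to 0, the AuthorizedApplications list, and the GloballyOpenPorts range the helper asked about) is what a reviewer reads by hand. As an added example that is not part of this thread or of ComboFix itself, here is a small Python parser that pulls those three facts out of a constructed log fragment written in the same REGEDIT4-style format:

```python
"""Parse the Windows XP firewall policy section of a ComboFix log.

Added example, not code from the thread or from ComboFix. It reads the
REGEDIT4-style "Reg Loading Points" block that ComboFix prints (the keys
under firewallpolicy\standardprofile) and reports whether the firewall is
on, which programs hold inbound exceptions, and which ports are globally open.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the shape of the log in the thread.
SAMPLE_LOG = r"""REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=\s*(.*)$')


def parse_reg_block(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4-style dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def firewall_findings(text):
    """Summarise the standard-profile firewall state found in a log."""
    keys = parse_reg_block(text)

    def key_ending(suffix):
        # Key paths are matched case-insensitively on their tail.
        return next((v for k, v in keys.items()
                     if k.lower().endswith(suffix)), {})

    profile = key_ending("firewallpolicy\\standardprofile")
    apps = key_ending("authorizedapplications\\list")
    ports = key_ending("globallyopenports\\list")
    # ComboFix prints the DWORD as "0 (0x0)" or "1 (0x1)".
    enabled = profile.get("EnableFirewall", "").lstrip().startswith("1")
    # Group open ports by the program named after the second colon.
    by_program = defaultdict(set)
    for data in ports.values():
        port, proto, name = data.split(":", 2)
        by_program[name.strip()].add((int(port), proto))
    return {
        "firewall_enabled": enabled,
        # Undo the doubled backslashes REGEDIT4 writes in string values.
        "authorized_apps": sorted(a.replace("\\\\", "\\") for a in apps),
        "open_ports": {n: sorted(p) for n, p in by_program.items()},
    }
```

On the log in this thread the same parser would report the firewall disabled, eight authorized applications (uTorrent among them), and ports 8370 to 8380 open on both TCP and UDP for the League of Legends Launcher.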
 