Junior Member
Hello again, it seems my computer has run into a bit of trouble once more. One day when I booted up, my theme (i am running XP) was reset to classic, and I could not change it back to XP. Themes were completely shut off in the administrator tools section. I ran a Winsock fix and got the internet working again, only to have a random webpage open up in a new tab every once in a while. Now after a few restarts i cannot connect to my network again, the computer is loading very slowly, and nothing i have tried will work. Malwarebytes and SUPERAntiSpyware find nothing. Hopefully you guys can help me out once again.
Here is my HiJackThis log
Thank you
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:42 PM, on 29/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [ldxpkftb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\twuksklpe\sdvdmsdtssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ldxpkftb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\twuksklpe\sdvdmsdtssd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://a248.e.akamai.net
O15 - Trusted Zone: http://*.bitdefender.com
O15 - Trusted Zone: http://ssl-hints.netflame.cc
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/st...r_4.0.27.0.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://ladzia.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService. exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Solver for Flow Simulation 2009 - Mentor Graphics Corporation - C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Print Spooler Spoolerxmlprov (Spoolerxmlprov) - Unknown owner - C:\WINDOWS\system32\1031v.exe
--
End of file - 8870 bytes
Senior Member
Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15281 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.
IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
================================================== ===========
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Junior Member
Alright, gmer managed to run and finish scanning the third time i tried it, here is it's log
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-05-30 11:23:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Conrad\LOCALS~1\Temp\uwtdqpog.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F21794]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB88AE360, 0x32E00D, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\system32\msvcrt.dll IMAGE_DOS_SIGNATURE not found;
.text C:\WINDOWS\Explorer.EXE[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[1284] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2132] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00F51B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8AEFEEE4
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Here is the ComboFix log
ComboFix 10-05-29.03 - Conrad 30/05/2010 12:16:48.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2602 [GMT -5:00]
Running from: c:\documents and settings\Conrad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Conrad\My Documents\backup.reg
c:\windows\system32\1031v.exe
c:\windows\system32\2600270918.dat
c:\windows\system32\ESQULzxspectrum
c:\windows\wpe pro.INI
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SPOOLERXMLPROV
-------\Service_Spoolerxmlprov
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.
2010-05-28 21:27 . 2010-05-28 21:27 -------- d-----w- c:\documents and settings\Conrad\Application Data\My Games
2010-05-28 21:10 . 2010-05-28 21:10 -------- d-----w- c:\documents and settings\Conrad\Application Data\InstallShield
2010-05-27 18:53 . 2010-05-27 18:53 -------- d-----w- C:\ERDNT
2010-05-26 19:32 . 2010-05-26 19:32 -------- d-----w- c:\windows\system32\NtmsData
2010-05-13 00:31 . 2010-05-13 00:31 96512 ----a-w- c:\windows\system32\drivers\cdmongce.sys
2010-05-12 19:56 . 2010-05-13 00:31 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-11 16:44 . 2010-05-11 16:44 -------- d-----w- c:\documents and settings\Conrad\Application Data\AnvSoft
2010-05-11 16:44 . 2010-05-11 16:44 -------- d-----w- c:\program files\AnvSoft
2010-05-09 23:33 . 2010-05-10 02:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\twuksklpe
2010-05-09 23:32 . 2010-05-09 23:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-09 23:32 . 2010-05-09 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-05-29 16:28 . 2009-08-13 03:54 117760 ----a-w- c:\documents and settings\Conrad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ UIREPAIR.DLL
2010-05-28 21:11 . 2006-07-29 02:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-28 21:11 . 2007-09-21 01:52 -------- d-----w- c:\program files\Firaxis Games
2010-05-28 04:03 . 2010-05-28 04:03 4 ----a-w- c:\windows\system32\config\systemprofile\Applicati on Data\ovczpx.dat
2010-05-22 21:22 . 2008-01-12 16:23 -------- d-----w- c:\program files\World of Warcraft
2010-05-20 03:03 . 2009-08-11 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-13 03:10 . 2010-04-05 03:16 52224 ----a-w- c:\documents and settings\Conrad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ SD10005.dll
2010-05-13 03:05 . 2009-08-13 03:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-10 17:10 . 2009-08-12 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 21:36 . 2007-10-27 00:40 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-08 21:36 . 2007-10-27 00:35 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-08 02:43 . 2007-12-19 23:12 -------- d-----w- c:\program files\GameSpy Arcade
2010-05-08 02:14 . 2006-08-30 01:11 -------- d-----w- c:\program files\EA GAMES
2010-04-29 20:39 . 2009-08-12 01:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-08-12 01:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 02:30 . 2008-12-15 03:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-26 02:30 . 2008-03-06 21:57 38784 ----a-w- c:\documents and settings\Conrad\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2010-04-24 20:06 . 2007-08-07 16:32 -------- d-----w- c:\documents and settings\Conrad\Application Data\Xfire
2010-04-23 16:56 . 2007-08-07 16:32 -------- d-----w- c:\program files\Xfire
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-04-12 23:20 . 2009-12-10 23:35 75 ----a-w- c:\documents and settings\Conrad\jagex_runescape_preferences2.dat
2010-04-12 23:14 . 2009-12-10 23:34 41 ----a-w- c:\documents and settings\Conrad\jagex_runescape_preferences.dat
2010-04-06 01:30 . 2009-11-06 01:41 -------- d-----w- c:\documents and settings\Conrad\Application Data\IM
2010-04-05 03:04 . 2006-08-30 00:07 85488 ----a-w- c:\documents and settings\Conrad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-05 00:14 . 2006-07-29 02:52 -------- d-----w- c:\program files\Common Files\Java
2010-04-05 00:14 . 2010-04-05 00:14 503808 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a2098 76-1fc3e3f4-n\msvcp71.dll
2010-04-05 00:14 . 2010-04-05 00:14 499712 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a2098 76-1fc3e3f4-n\jmc.dll
2010-04-05 00:14 . 2010-04-05 00:14 348160 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a2098 76-1fc3e3f4-n\msvcr71.dll
2010-04-05 00:14 . 2010-04-05 00:14 61440 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad3 91-624e9dec-n\decora-sse.dll
2010-04-05 00:14 . 2010-04-05 00:14 12800 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad3 91-624e9dec-n\decora-d3d.dll
2010-04-05 00:13 . 2009-08-14 02:34 -------- d-----w- c:\program files\Java
2010-03-10 06:15 . 2005-08-16 09:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 09:28 . 2009-01-21 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2006-08-30 18:18 . 2006-08-30 18:18 251 ----a-w- c:\program files\wt3d.ini
2009-07-27 18:42 . 2006-08-30 00:07 4288 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2008-10-07 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-29 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-11 01:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Conrad^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Conrad\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 01:46 77824 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2001-07-25 15:00 184376 ----a-w- c:\program files\Microsoft Money\System\Money Express.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-07-29 02:58 98304 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Westwood\\RA2\\Register.exe"=
"c:\\Westwood\\Internet\\Register.exe"=
"c:\\Westwood\\RA2\\Ra2.exe"=
"c:\\Westwood\\RA2\\RA2MD.exe"=
"c:\\Westwood\\RA2\\gamemd.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\therat4\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDPHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/08/2009 8:10 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/08/2009 8:10 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 4:06 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/08/2009 8:10 PM 297752]
R2 Remote Solver for Flow Simulation 2009;Remote Solver for Flow Simulation 2009;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [05/02/2009 6:12 PM 214312]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService. exe [19/03/2009 12:31 PM 83240]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\Mu sCAudio.sys [23/12/2008 11:48 PM 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\Mu sCVideo.sys [23/12/2008 11:48 PM 3768]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 4:06 PM 7408]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [31/12/2004 6:46 PM 217600]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 8:01 AM 2799808]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: akamai.net\a248.e
Trusted Zone: bitdefender.com
Trusted Zone: netflame.cc\ssl-hints
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\
FF - prefs.js: browser.startup.homepage - hxxp://by122fd.bay122.hotmail.msn.com/cgi-bin/hmhome?fti=yes&curmbox=00000000%2d0000%2d0000%2d00 00%2d000000000001&a=e91ecea5d375073b2f7ee959f2e2d0 27b0bec0650a8bfc82196b1a0b8cc5cf36
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\ext ensions\piclens@cooliris.com\components\coolirisst ub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\ext ensions\battlefieldheroespatcher@ea.com\platform\W INNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\ext ensions\piclens@cooliris.com\plugins\npcoolirisplu gin.dll
FF - plugin: c:\documents and settings\Conrad\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_every where__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_bro ken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-05-30 12:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3317755511-3694508122-2613844412-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,94,5f,fc,84,01,e8,9a,b3,80,0b,7a,aa,bf ,10,e4,1d,34,69,12,da,ac,a9,
6c,44,7c,28,b2,2c,35,ba,38,18,c1,ff,8c,cb,f8,bb,a4 ,62,92,8c,3a,0e,c7,83,d2,\
"??"=hex:16,cc,9d,02,3b,88,2a,5a,74,54,9e,b1,94,c8 ,03,7b
[HKEY_USERS\S-1-5-21-3317755511-3694508122-2613844412-1005\Software\SecuROM\License information*]
"datasecu"=hex:7e,eb,02,1d,04,4b,70,3c,13,4d,03,24 ,1d,ab,f5,56,49,f7,29,18,6d,
5a,47,57,ca,9f,02,14,94,f0,42,bc,4c,3f,3a,3f,07,ac ,cd,0c,0b,f8,05,11,70,5d,\
"rkeysecu"=hex:de,b6,88,f1,4a,ef,9e,a7,7b,a7,e0,ef ,c4,ac,6c,b4
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Elements\1.0\DefaultPreset]
@DACL=(02 0000)
@="c:\\Program Files\\Adobe\\Premiere Elements 1.0\\Settings\\en_US\\DV - NTSC\\Standard 48kHz.prpreset"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3940)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\RUNDLL32.EXE
.
************************************************** ************************
.
Completion time: 2010-05-30 12:34:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 17:33
ComboFix2.txt 2010-04-05 23:15
Pre-Run: 117,180,911,616 bytes free
Post-Run: 118,094,872,576 bytes free
- - End Of File - - D71E9720BB5FBDC1E34DF1175682C003
Senior Member
1. Please open Notepad
- Click Start , then Run
- Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:File:: c:\windows\system32\drivers\cdmongce.sys c:\windows\system32\config\systemprofile\Application Data\ovczpx.dat Folder:: c:\documents and settings\NetworkService\Local Settings\Application Data\twuksklpe DDS:: Trusted Zone: akamai.net\a248.e Trusted Zone: netflame.cc\ssl-hints
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
Junior Member
Awesome! Most of the issues I had before seem to have been resolved. Thank you! The computer may still be running a little slow but I am unsure. Here is the new ComboFix log
ComboFix 10-05-29.03 - Conrad 30/05/2010 13:50:24.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2523 [GMT -5:00]
Running from: c:\documents and settings\Conrad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Conrad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\system32\config\systemprofile\Applicat ion Data\ovczpx.dat"
"c:\windows\system32\drivers\cdmongce.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\NetworkService\Local Settings\Application Data\twuksklpe
c:\windows\system32\config\systemprofile\Applicati on Data\ovczpx.dat
c:\windows\system32\drivers\cdmongce.sys
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.
2010-05-28 21:27 . 2010-05-28 21:27 -------- d-----w- c:\documents and settings\Conrad\Application Data\My Games
2010-05-28 21:10 . 2010-05-28 21:10 -------- d-----w- c:\documents and settings\Conrad\Application Data\InstallShield
2010-05-27 18:53 . 2010-05-27 18:53 -------- d-----w- C:\ERDNT
2010-05-26 19:32 . 2010-05-26 19:32 -------- d-----w- c:\windows\system32\NtmsData
2010-05-12 19:56 . 2010-05-13 00:31 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-11 16:44 . 2010-05-11 16:44 -------- d-----w- c:\documents and settings\Conrad\Application Data\AnvSoft
2010-05-11 16:44 . 2010-05-11 16:44 -------- d-----w- c:\program files\AnvSoft
2010-05-09 23:32 . 2010-05-09 23:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-09 23:32 . 2010-05-09 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-05-29 16:28 . 2009-08-13 03:54 117760 ----a-w- c:\documents and settings\Conrad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ UIREPAIR.DLL
2010-05-28 21:11 . 2006-07-29 02:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-28 21:11 . 2007-09-21 01:52 -------- d-----w- c:\program files\Firaxis Games
2010-05-22 21:22 . 2008-01-12 16:23 -------- d-----w- c:\program files\World of Warcraft
2010-05-20 03:03 . 2009-08-11 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-13 03:10 . 2010-04-05 03:16 52224 ----a-w- c:\documents and settings\Conrad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ SD10005.dll
2010-05-13 03:05 . 2009-08-13 03:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-10 17:10 . 2009-08-12 01:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 21:36 . 2007-10-27 00:40 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-08 21:36 . 2007-10-27 00:35 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-08 02:43 . 2007-12-19 23:12 -------- d-----w- c:\program files\GameSpy Arcade
2010-05-08 02:14 . 2006-08-30 01:11 -------- d-----w- c:\program files\EA GAMES
2010-04-29 20:39 . 2009-08-12 01:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-08-12 01:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 02:30 . 2008-12-15 03:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-26 02:30 . 2008-03-06 21:57 38784 ----a-w- c:\documents and settings\Conrad\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2010-04-24 20:06 . 2007-08-07 16:32 -------- d-----w- c:\documents and settings\Conrad\Application Data\Xfire
2010-04-23 16:56 . 2007-08-07 16:32 -------- d-----w- c:\program files\Xfire
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-04-12 23:20 . 2009-12-10 23:35 75 ----a-w- c:\documents and settings\Conrad\jagex_runescape_preferences2.dat
2010-04-12 23:14 . 2009-12-10 23:34 41 ----a-w- c:\documents and settings\Conrad\jagex_runescape_preferences.dat
2010-04-06 01:30 . 2009-11-06 01:41 -------- d-----w- c:\documents and settings\Conrad\Application Data\IM
2010-04-05 03:04 . 2006-08-30 00:07 85488 ----a-w- c:\documents and settings\Conrad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-05 00:14 . 2006-07-29 02:52 -------- d-----w- c:\program files\Common Files\Java
2010-04-05 00:14 . 2010-04-05 00:14 503808 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a2098 76-1fc3e3f4-n\msvcp71.dll
2010-04-05 00:14 . 2010-04-05 00:14 499712 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a2098 76-1fc3e3f4-n\jmc.dll
2010-04-05 00:14 . 2010-04-05 00:14 348160 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a2098 76-1fc3e3f4-n\msvcr71.dll
2010-04-05 00:14 . 2010-04-05 00:14 61440 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad3 91-624e9dec-n\decora-sse.dll
2010-04-05 00:14 . 2010-04-05 00:14 12800 ----a-w- c:\documents and settings\Conrad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad3 91-624e9dec-n\decora-d3d.dll
2010-04-05 00:13 . 2009-08-14 02:34 -------- d-----w- c:\program files\Java
2010-03-10 06:15 . 2005-08-16 09:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 09:28 . 2009-01-21 02:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2006-08-30 18:18 . 2006-08-30 18:18 251 ----a-w- c:\program files\wt3d.ini
2009-07-27 18:42 . 2006-08-30 00:07 4288 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2008-10-07 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-29 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-11 01:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Conrad^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Conrad\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 01:46 77824 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2001-07-25 15:00 184376 ----a-w- c:\program files\Microsoft Money\System\Money Express.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-07-29 02:58 98304 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Westwood\\RA2\\Register.exe"=
"c:\\Westwood\\Internet\\Register.exe"=
"c:\\Westwood\\RA2\\Ra2.exe"=
"c:\\Westwood\\RA2\\RA2MD.exe"=
"c:\\Westwood\\RA2\\gamemd.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\therat4\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/08/2009 8:10 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/08/2009 8:10 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 4:06 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/08/2009 8:10 PM 297752]
R2 Remote Solver for Flow Simulation 2009;Remote Solver for Flow Simulation 2009;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [05/02/2009 6:12 PM 214312]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService. exe [19/03/2009 12:31 PM 83240]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\Mu sCAudio.sys [23/12/2008 11:48 PM 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\Mu sCVideo.sys [23/12/2008 11:48 PM 3768]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 4:06 PM 7408]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [31/12/2004 6:46 PM 217600]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 8:01 AM 2799808]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: bitdefender.com
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath - c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\
FF - prefs.js: browser.startup.homepage - hxxp://by122fd.bay122.hotmail.msn.com/cgi-bin/hmhome?fti=yes&curmbox=00000000%2d0000%2d0000%2d00 00%2d000000000001&a=e91ecea5d375073b2f7ee959f2e2d0 27b0bec0650a8bfc82196b1a0b8cc5cf36
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\ext ensions\piclens@cooliris.com\components\coolirisst ub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\compone nts\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\ext ensions\battlefieldheroespatcher@ea.com\platform\W INNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Conrad\Application Data\Mozilla\Firefox\Profiles\vkbhxncm.default\ext ensions\piclens@cooliris.com\plugins\npcoolirisplu gin.dll
FF - plugin: c:\documents and settings\Conrad\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_every where__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_bro ken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-05-30 13:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3317755511-3694508122-2613844412-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,94,5f,fc,84,01,e8,9a,b3,80,0b,7a,aa,bf ,10,e4,1d,34,69,12,da,ac,a9,
6c,44,7c,28,b2,2c,35,ba,38,18,c1,ff,8c,cb,f8,bb,a4 ,62,92,8c,3a,0e,c7,83,d2,\
"??"=hex:16,cc,9d,02,3b,88,2a,5a,74,54,9e,b1,94,c8 ,03,7b
[HKEY_USERS\S-1-5-21-3317755511-3694508122-2613844412-1005\Software\SecuROM\License information*]
"datasecu"=hex:7e,eb,02,1d,04,4b,70,3c,13,4d,03,24 ,1d,ab,f5,56,49,f7,29,18,6d,
5a,47,57,ca,9f,02,14,94,f0,42,bc,4c,3f,3a,3f,07,ac ,cd,0c,0b,f8,05,11,70,5d,\
"rkeysecu"=hex:de,b6,88,f1,4a,ef,9e,a7,7b,a7,e0,ef ,c4,ac,6c,b4
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Elements\1.0\DefaultPreset]
@DACL=(02 0000)
@="c:\\Program Files\\Adobe\\Premiere Elements 1.0\\Settings\\en_US\\DV - NTSC\\Standard 48kHz.prpreset"
.
Completion time: 2010-05-30 1327
ComboFix-quarantined-files.txt 2010-05-30 18:56
ComboFix2.txt 2010-05-30 17:34
ComboFix3.txt 2010-04-05 23:15
Pre-Run: 118,108,499,968 bytes free
Post-Run: 118,090,604,544 bytes free
- - End Of File - - 989B1F0FB6B91B5EFF5CE7AD9F947FE8
Senior Member
Very good
We need few more steps to make sure all crap is gone...
Delete your GMER file, download fresh one and post new log, please.
Junior Member
Ok so GMER ran for over 12 hours, is this normal? The computer ran really slowly after the scan, but better after a reboot. Here is the log,
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-05-31 12:04:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Conrad\LOCALS~1\Temp\uwtdqpog.sys
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8FD0360, 0x32E00D, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[2096] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00F21B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- EOF - GMER 1.0.15 ----
Senior Member
It happens.Ok so GMER ran for over 12 hours, is this normal?
The log looks good
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
================================================== ============
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
2. Go to Kaspersky website and perform an online antivirus scan.
1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Post fresh HijackThis log as well.
Junior Member
Kaspersky found nothing it seems, but here is the log anyways, and a new hijackthis log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, May 31, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, May 31, 2010 11:02:54
Records in database: 4193808
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Objects scanned: 143846
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 04:36:17
No threats found. Scanned area is clean.
Selected area has been scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:09 PM, on 31/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.bitdefender.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/st...r_4.0.27.0.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://ladzia.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService. exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Solver for Flow Simulation 2009 - Mentor Graphics Corporation - C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 8174 bytes
Senior Member
Re-run HJT and checkmark:
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Click "Fix checked" button.
When done...
Your computer is clean
1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.
Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
2. Restart computer.
3. Turn System Restore on.
4. Make sure, Windows Updates are current.
5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!
6. Download, and install WOT (Web OF Trust): Safe Browsing Tool | WOT Web of Trust. It'll warn you (in most cases) about dangerous web sites.
7. Run defrag at your convenience.
8. Read How did I get infected?, With steps so it does not happen again!: How did I get infected?
9. Please, let me know, how is your computer doing.
