Cyber Tech Help Support Forums > Software > Malware Removal

#1, itotterz (New Member), September 29th, 2009, 03:05 PM
I can't seem to visit any AV sites nor Download any Updates

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:13 PM, on 9/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Vtune\TBPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Quincy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Quincy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Quincy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Quincy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingle Instance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Quincy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BEDFF49-2D25-4402-94D9-20EDD3F8C425}: NameServer = 210.4.2.61 202.78.97.41
O17 - HKLM\System\CCS\Services\Tcpip\..\{402A7D4E-5B1B-4BE1-B14D-1B7FDE7472FB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BEDFF49-2D25-4402-94D9-20EDD3F8C425}: NameServer = 210.4.2.61 202.78.97.41
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 7591 bytes
#2, Jintan (Cyber Tech Help Moderator), September 30th, 2009, 02:48 AM
Welcome to CTH itotterz,

No infection showing in this one view. Let's check further.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
#3, itotterz (New Member), September 30th, 2009, 03:02 AM
I can't seem to download RSIT or visit its website, just like what happens when I am about to open the Avira site or the Avast site. Hopefully this virus let me download Gmer, and this is the log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-30 10:05:04
Windows 5.1.2600 Service Pack 2
Running: kdpckzbv.exe; Driver: C:\DOCUME~1\Quincy\LOCALS~1\Temp\pxtdipog.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF7513D1C]
SSDT sptd.sys ZwEnumerateValueKey [0xF75140BC]

Code \??\C:\DOCUME~1\Quincy\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A3801D8
Device \FileSystem\Fastfat \Fat 8A00A470

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ctqeaerx <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] evnmrktr <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ewvefk <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] nwnsc <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#4, Jintan (Cyber Tech Help Moderator), September 30th, 2009, 03:22 AM
How did the CatchMe driver get there? Did you run ComboFix, and if so, did it complete and create a log you can post?
#5, itotterz (New Member), September 30th, 2009, 03:26 AM
Yep, I tried to run ComboFix. What's surprising here is that it did not run some updates, which ComboFix normally does once you run it. Here is the log it created:

ComboFix 09-09-28.01 - Quincy 09/29/2009 22:01.7.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2936 [GMT -7:00]
Running from: c:\documents and settings\Quincy\Desktop\123.exe
.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-29 14:42 . 2009-09-29 14:42 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\CAPCOM
2009-09-29 13:34 . 2009-09-29 13:34 -------- d-----w- c:\program files\CAPCOM
2009-09-29 13:33 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-09-29 13:33 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-09-29 13:33 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-29 13:33 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-09-29 13:33 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-09-29 13:33 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-09-29 13:33 . 2009-09-29 13:33 -------- d-----w- c:\program files\MSBuild
2009-09-29 13:33 . 2009-09-29 13:33 101408 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-29 13:31 . 2009-09-29 13:31 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-29 13:31 . 2009-09-29 13:31 -------- d-----w- c:\program files\Reference Assemblies
2009-09-29 13:30 . 2006-06-29 20:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-09-29 13:28 . 2009-09-29 13:28 -------- d-----w- c:\windows\system32\xlive
2009-09-29 13:28 . 2009-09-29 13:29 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-21 02:14 . 2009-09-21 02:14 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\PCHealth
2009-09-20 18:16 . 2009-09-20 18:16 -------- d-----w- c:\windows\ServicePackFiles
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdpash.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdnepr.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdiultn.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdbhc.dll
2009-09-17 17:46 . 2009-09-30 05:00 -------- d-----w- c:\program files\LimeWire
2009-09-17 16:22 . 2009-09-30 04:58 -------- d-----w- C:\ComboFix
2009-09-14 05:25 . 2004-08-04 07:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-14 05:25 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-14 05:25 . 2004-08-04 05:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-09-14 05:25 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-13 20:42 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 20:42 . 2009-09-22 19:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 20:42 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:36 . 2009-09-13 16:36 -------- d-----w- c:\documents and settings\Quincy\Application Data\NCH Swift Sound
2009-09-13 16:36 . 2009-09-13 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-13 16:35 . 2009-09-13 20:27 -------- d-----w- c:\program files\NCH Software
2009-09-12 22:17 . 2009-09-21 00:38 -------- d-----w- c:\program files\Paint.NET
2009-09-12 22:17 . 2009-09-26 21:03 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\Paint.NET
2009-09-10 22:52 . 2009-09-27 14:46 -------- d-----w- C:\aw
2009-09-10 19:28 . 2002-07-17 16:20 45056 ----a-w- c:\windows\system32\Wnaspi32.dll
2009-09-10 19:28 . 2002-07-17 15:53 16877 ----a-w- c:\windows\system32\drivers\Aspi32.sys
2009-09-10 04:39 . 2009-09-10 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-10 04:39 . 2009-09-10 04:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-10 04:39 . 2009-09-10 04:39 -------- d-----w- c:\documents and settings\Quincy\Application Data\SUPERAntiSpyware.com
2009-09-07 05:18 . 2009-09-07 05:18 -------- d-----w- C:\logs
2009-09-07 05:18 . 2009-09-07 05:18 -------- d-----w- c:\documents and settings\Quincy\ChikkaDefault
2009-09-07 05:18 . 2009-09-07 05:18 -------- d-----w- c:\program files\Chikka Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 04:56 . 2009-02-14 06:29 -------- d-----w- c:\documents and settings\Quincy\Application Data\GetRight
2009-09-30 04:20 . 2009-01-28 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-30 04:18 . 2009-01-28 20:31 -------- d-----w- c:\documents and settings\Quincy\Application Data\AVGTOOLBAR
2009-09-28 21:30 . 2009-05-01 12:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-26 20:56 . 2009-07-09 17:56 -------- d-----w- c:\documents and settings\Quincy\Application Data\LimeWire
2009-09-25 08:01 . 2009-07-24 21:56 -------- d-----w- c:\documents and settings\Quincy\Application Data\.purple
2009-09-22 19:43 . 2009-06-20 00:21 -------- d-----w- c:\program files\CCleaner
2009-09-20 18:06 . 2009-08-22 16:50 -------- d-----w- c:\program files\Level Up Games
2009-09-12 21:23 . 2009-01-28 20:37 -------- d-----w- c:\program files\Garena
2009-09-12 21:23 . 2009-01-28 19:49 -------- d-----w- c:\program files\Warcraft III
2009-09-10 04:38 . 2009-01-27 00:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-03 03:08 . 2009-08-24 06:22 -------- d-----w- c:\program files\MYGAME
2009-08-26 13:24 . 2009-06-20 17:22 -------- d-----w- c:\program files\Java
2009-08-13 17:49 . 2009-02-03 23:49 -------- d-----w- c:\program files\OpenDNS Updater
2009-07-30 21:03 . 2009-07-30 21:03 44 ----a-w- c:\documents and settings\Quincy\Aenarion.bat
2009-07-30 21:02 . 2009-07-30 21:02 44 ----a-w- c:\documents and settings\Quincy\multiclient.bat
2009-07-25 12:23 . 2009-06-20 17:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 18:14 . 2009-01-27 00:40 16680 ----a-w- c:\documents and settings\Quincy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-12 04:03 . 2004-08-04 04:56 163025 --sha-r- c:\windows\system32\zlpxrs.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-12-03 2158592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-29 4363504]
"Google Update"="c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-09-26 33517568]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 86016]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-03 1630208]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GetRight.lnk - c:\program files\GetRight\GetRight.exe [2009-2-13 4628752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\RohanOnline\\RohanOnline\\rohanclient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Quincy\\My Documents\\RohanOnline\\rohanclient.exe"=
"c:\\Program Files\\iAM Interactive\\Exteel\\system\\exteel.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Quincy\\Desktop\\2nd Client\\rohanclient.exe"=
"c:\\Documents and Settings\\Quincy\\Desktop\\3rdClient\\rohanclient.exe"=
"c:\\Documents and Settings\\Quincy\\Desktop\\RohanOnline\\RohanOnline\\rohanclient.exe"=
"c:\\Program Files\\CAPCOM\\STREETFIGHTERIV\\StreetFighterIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8831:TCP"= 8831:TCP:gwveo
"4100:UDP"= 4100:UDP:uPNP Router Control Port

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/26/2009 5:39 PM 874880]
S2 ctqeaerx;Helper Update;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S2 evnmrktr;System Manager;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S2 ewvefk;Image Update;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S2 nwnsc;Manager Center;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/27/2009 5:40 PM 17149]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Quincy\Desktop\Ordeal\NtProcDrv.sys --> c:\documents and settings\Quincy\Desktop\Ordeal\NtProcDrv.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
evnmrktr
ewvefk
nwnsc
ctqeaerx
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1788223648-725345543-1003Core.job
- c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-11 21:05]

2009-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1788223648-725345543-1003UA.job
- c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-11 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
TCP: {1BEDFF49-2D25-4402-94D9-20EDD3F8C425} = 210.4.2.61 202.78.97.41
TCP: {402A7D4E-5B1B-4BE1-B14D-1B7FDE7472FB} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Quincy\Application Data\Mozilla\Firefox\Profiles\aegjb7q9.default\
FF - plugin: c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 22:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctqeaerx]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\evnmrktr]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ewvefk]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nwnsc]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\nview.dll
.
Completion time: 2009-09-30 22:05
ComboFix-quarantined-files.txt 2009-09-30 05:05
ComboFix2.txt 2009-09-13 15:55

Pre-Run: 162,886,668,288 bytes free
Post-Run: 163,255,713,792 bytes free

198 --- E O F --- 2009-03-10 11:30
#6, Jintan (Cyber Tech Help Moderator), September 30th, 2009, 03:40 AM
Let's work from that for the moment. If you have problems with one step just move to the next, and let me know in your next reply.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Click here and download sUBs' SvcQuery.exe to your desktop, then click that file to open that tool. A window will open. When prompted to provide a service name, type in the following, then press Enter:

evnmrktr

Repeat that for these as well:

ewvefk
nwnsc
ctqeaerx


--------------

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KillAll::
Driver::
evnmrktr
ewvefk
nwnsc
ctqeaerx
File::
c:\windows\system32\zlpxrs.dll

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

--------------

Open SuperAntiSpyware and if possible, update that. Then run a scan with it, being sure to have it remove all the items it locates. SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.

---------------

Then download Malwarebytes' Anti-Malware from Here or Here.

Right click to download, select Save Target/File As, and rename that mbam-setup.exe to bami.com as you download and save it to your desktop (don't download and then rename it).

Double Click bami.com to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

-------

Post the C:\ComboFix.txt log, the SuperAntiSpyware log and the Malwarebytes log please.
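Jintan's CFScript is built from a correlation a helper normally does by eye: the four names GMER reported as hidden services are the same names ComboFix lists as svchost-hosted S2 services and prints under the Svchost NetSvcs group (ComboFix omits the legitimate defaults there), and all four resolve to one ServiceDll, zlpxrs.dll. The Python script below is an added example, not code from the thread, from GMER or from ComboFix, that performs that correlation automatically. It runs over constructed excerpts written in the two tools' own log formats; the regular expressions, the function names and the wording of the "reasons" are my own, and the only assumption is that real logs keep the line layout shown in the posts above.

```python
"""Correlate GMER's hidden-service list with ComboFix's service entries and
ServiceDll dump: hidden, svchost-hosted services that share one backing DLL.
Added example, not code from the thread, from GMER or from ComboFix."""
import re
from collections import defaultdict

# Constructed excerpts modelled on the logs in the thread, kept in the tools'
# own line formats so the parsers below also work on real log files.
GMER_LOG = r"""
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ctqeaerx <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] evnmrktr <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ewvefk <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] nwnsc <-- ROOTKIT !!!
"""
COMBOFIX_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
S2 ctqeaerx;Helper Update;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S2 evnmrktr;System Manager;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S2 ewvefk;Image Update;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S2 nwnsc;Manager Center;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:56 PM 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
evnmrktr
ewvefk
nwnsc
ctqeaerx
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctqeaerx]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\evnmrktr]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ewvefk]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nwnsc]
"ServiceDll"="c:\windows\system32\zlpxrs.dll"
"""

# GMER: "Service <image> (*** hidden *** ) [START] <name> <-- ROOTKIT !!!"
GMER_HIDDEN_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)\s+<-- ROOTKIT", re.M)
# ComboFix: "S2 <name>;<display>;<image> [date size]"
CF_SERVICE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d)\s+(?P<name>[^;\n]+);(?P<display>[^;\n]*);"
    r"(?P<image>[^\n]*?)\s+\[", re.M)
# ComboFix: names under the NetSvcs header up to the lone "." terminator
NETSVCS_RE = re.compile(r"Svchost - NetSvcs[ \t]*\n(?P<body>.*?)\n\.[ \t]*\n", re.S)
# ComboFix: "[...\Services\<name>]" immediately followed by a ServiceDll value
SERVICEDLL_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\n]+)\][ \t]*\n"
    r'"ServiceDll"="(?P<dll>[^"\n]+)"', re.M)


def parse_netsvcs_group(text):
    """Names ComboFix prints under 'Svchost - NetSvcs' (it omits the legit defaults)."""
    m = NETSVCS_RE.search(text)
    return [ln.strip() for ln in m["body"].splitlines() if ln.strip()] if m else []


def triage(gmer_text, combofix_text):
    """Return (findings, services_by_dll) for the given log excerpts."""
    hidden = {m["name"] for m in GMER_HIDDEN_RE.finditer(gmer_text)}
    services = {m["name"]: m.groupdict() for m in CF_SERVICE_RE.finditer(combofix_text)}
    netsvcs = set(parse_netsvcs_group(combofix_text))
    dll_of = {m["name"]: m["dll"].lower() for m in SERVICEDLL_RE.finditer(combofix_text)}
    by_dll = defaultdict(set)
    for name, dll in dll_of.items():
        by_dll[dll].add(name)
    findings = []
    for name in sorted(set(services) | hidden):  # keep hidden names ComboFix never listed
        svc, dll, reasons = services.get(name), dll_of.get(name), []
        if name in hidden:
            reasons.append("hidden from the normal service list (GMER)")
        if svc is None:
            reasons.append("absent from ComboFix's service list")
        elif "svchost.exe" in svc["image"].lower() and name in netsvcs:
            reasons.append("svchost-hosted and listed under Svchost - NetSvcs")
        if dll and len(by_dll[dll]) > 1:
            reasons.append(f"shares ServiceDll {dll} with {len(by_dll[dll]) - 1} other service(s)")
        if reasons:
            findings.append({"service": name, "display_name": svc["display"] if svc else None,
                             "dll": dll, "reasons": reasons})
    return findings, dict(by_dll)


def affected_files(findings):
    """Distinct backing DLLs behind the findings: the files to quarantine and submit for analysis."""
    return sorted({f["dll"] for f in findings if f["dll"]})


if __name__ == "__main__":
    found, _ = triage(GMER_LOG, COMBOFIX_LOG)
    for f in found:
        print(f"{f['service']:<10} {f['display_name'] or '-':<16} {f['dll']}")
        for reason in f["reasons"]:
            print("    -", reason)
    print("files to quarantine:", ", ".join(affected_files(found)))
```

Each finding carries every reason it was flagged for, so a service that is merely svchost-hosted (which most Windows services are) is never reported on that alone; the shared-DLL and GMER-hidden signals are what single out the four entries, and a hidden name that ComboFix did not list at all still surfaces rather than being silently dropped.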
#7, itotterz (New Member), September 30th, 2009, 04:41 AM
ComboFix 09-09-29.01 - Quincy 09/30/2009 10:59.8.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2722 [GMT -7:00]
Running from: c:\documents and settings\Quincy\Desktop\123.exe
Command switches used :: c:\documents and settings\Quincy\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\zlpxrs.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\zlpxrs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CTQEAERX
-------\Legacy_EVNMRKTR
-------\Legacy_EWVEFK
-------\Legacy_NWNSC
-------\Service_ctqeaerx
-------\Service_evnmrktr
-------\Service_ewvefk
-------\Service_nwnsc


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-30 05:00 . 2009-09-30 05:05 -------- d-----w- C:\123
2009-09-29 14:42 . 2009-09-29 14:42 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\CAPCOM
2009-09-29 13:34 . 2009-09-29 13:34 -------- d-----w- c:\program files\CAPCOM
2009-09-29 13:33 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-09-29 13:33 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-09-29 13:33 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-29 13:33 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-09-29 13:33 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-09-29 13:33 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-09-29 13:33 . 2009-09-29 13:33 -------- d-----w- c:\program files\MSBuild
2009-09-29 13:33 . 2009-09-29 13:33 101408 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-29 13:31 . 2009-09-29 13:31 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-29 13:31 . 2009-09-29 13:31 -------- d-----w- c:\program files\Reference Assemblies
2009-09-29 13:30 . 2006-06-29 20:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-09-29 13:28 . 2009-09-29 13:28 -------- d-----w- c:\windows\system32\xlive
2009-09-29 13:28 . 2009-09-29 13:29 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-21 02:14 . 2009-09-21 02:14 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\PCHealth
2009-09-20 18:16 . 2009-09-20 18:16 -------- d-----w- c:\windows\ServicePackFiles
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdpash.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdnepr.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdiultn.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdbhc.dll
2009-09-17 17:46 . 2009-09-30 05:00 -------- d-----w- c:\program files\LimeWire
2009-09-17 16:22 . 2009-09-30 04:58 -------- d-----w- C:\ComboFix
2009-09-14 05:25 . 2004-08-04 07:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-14 05:25 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-14 05:25 . 2004-08-04 05:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-09-14 05:25 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-13 20:42 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 20:42 . 2009-09-22 19:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 20:42 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:36 . 2009-09-13 16:36 -------- d-----w- c:\documents and settings\Quincy\Application Data\NCH Swift Sound
2009-09-13 16:36 . 2009-09-13 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-09-13 16:35 . 2009-09-13 20:27 -------- d-----w- c:\program files\NCH Software
2009-09-12 22:17 . 2009-09-21 00:38 -------- d-----w- c:\program files\Paint.NET
2009-09-12 22:17 . 2009-09-26 21:03 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\Paint.NET
2009-09-10 22:52 . 2009-09-27 14:46 -------- d-----w- C:\aw
2009-09-10 19:28 . 2002-07-17 16:20 45056 ----a-w- c:\windows\system32\Wnaspi32.dll
2009-09-10 19:28 . 2002-07-17 15:53 16877 ----a-w- c:\windows\system32\drivers\Aspi32.sys
2009-09-10 04:39 . 2009-09-10 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-10 04:39 . 2009-09-10 04:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-10 04:39 . 2009-09-10 04:39 -------- d-----w- c:\documents and settings\Quincy\Application Data\SUPERAntiSpyware.com
2009-09-07 05:18 . 2009-09-07 05:18 -------- d-----w- C:\logs
2009-09-07 05:18 . 2009-09-07 05:18 -------- d-----w- c:\documents and settings\Quincy\ChikkaDefault
2009-09-07 05:18 . 2009-09-07 05:18 -------- d-----w- c:\program files\Chikka Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 06:10 . 2009-07-24 21:56 -------- d-----w- c:\documents and settings\Quincy\Application Data\.purple
2009-09-30 04:56 . 2009-02-14 06:29 -------- d-----w- c:\documents and settings\Quincy\Application Data\GetRight
2009-09-30 04:20 . 2009-01-28 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-30 04:18 . 2009-01-28 20:31 -------- d-----w- c:\documents and settings\Quincy\Application Data\AVGTOOLBAR
2009-09-28 21:30 . 2009-05-01 12:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-26 20:56 . 2009-07-09 17:56 -------- d-----w- c:\documents and settings\Quincy\Application Data\LimeWire
2009-09-22 19:43 . 2009-06-20 00:21 -------- d-----w- c:\program files\CCleaner
2009-09-20 18:06 . 2009-08-22 16:50 -------- d-----w- c:\program files\Level Up Games
2009-09-12 21:23 . 2009-01-28 20:37 -------- d-----w- c:\program files\Garena
2009-09-12 21:23 . 2009-01-28 19:49 -------- d-----w- c:\program files\Warcraft III
2009-09-10 04:38 . 2009-01-27 00:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-03 03:08 . 2009-08-24 06:22 -------- d-----w- c:\program files\MYGAME
2009-08-26 13:24 . 2009-06-20 17:22 -------- d-----w- c:\program files\Java
2009-08-13 17:49 . 2009-02-03 23:49 -------- d-----w- c:\program files\OpenDNS Updater
2009-07-30 21:03 . 2009-07-30 21:03 44 ----a-w- c:\documents and settings\Quincy\Aenarion.bat
2009-07-30 21:02 . 2009-07-30 21:02 44 ----a-w- c:\documents and settings\Quincy\multiclient.bat
2009-07-25 12:23 . 2009-06-20 17:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 18:14 . 2009-01-27 00:40 16680 ----a-w- c:\documents and settings\Quincy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-12-03 2158592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-29 4363504]
"Google Update"="c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-09-26 33517568]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 86016]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-03 1630208]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GetRight.lnk - c:\program files\GetRight\GetRight.exe [2009-2-13 4628752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\RohanOnline\\RohanOnline\\rohanclient.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Quincy\\My Documents\\RohanOnline\\rohanclient.exe"=
"c:\\Program Files\\iAM Interactive\\Exteel\\system\\exteel.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Quincy\\Desktop\\2nd Client\\rohanclient.exe"=
"c:\\Documents and Settings\\Quincy\\Desktop\\3rdClient\\rohanclient.exe"=
"c:\\Documents and Settings\\Quincy\\Desktop\\RohanOnline\\RohanOnline\\rohanclient.exe"=
"c:\\Program Files\\CAPCOM\\STREETFIGHTERIV\\StreetFighterIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8831:TCP"= 8831:TCP:gwveo
"4100:UDP"= 4100:UDP:uPNP Router Control Port

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/26/2009 5:39 PM 874880]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/27/2009 5:40 PM 17149]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Quincy\Desktop\Ordeal\NtProcDrv.sys --> c:\documents and settings\Quincy\Desktop\Ordeal\NtProcDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1788223648-725345543-1003Core.job
- c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-11 21:05]

2009-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1788223648-725345543-1003UA.job
- c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-11 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
TCP: {402A7D4E-5B1B-4BE1-B14D-1B7FDE7472FB} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Quincy\Application Data\Mozilla\Firefox\Profiles\aegjb7q9.default\
FF - plugin: c:\documents and settings\Quincy\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 11:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-09-30 11:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 18:05
ComboFix2.txt 2009-09-30 05:05
ComboFix3.txt 2009-09-13 15:55

Pre-Run: 163,107,348,480 bytes free
Post-Run: 163,018,973,184 bytes free

212 --- E O F --- 2009-03-10 11:30
#8
September 30th, 2009, 04:43 AM
itotterz
New Member
Join Date: Sep 2009
Posts: 27
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/30/2009 at 11:25 AM

Application Version : 4.28.1010

Core Rules Database Version : 4135
Trace Rules Database Version: 2068

Scan type : Complete Scan
Total Scan Time : 00:13:11

Memory items scanned : 462
Memory threats detected : 0
Registry items scanned : 4854
Registry threats detected : 0
File items scanned : 14556
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Quincy\Cookies\quincy@serving-sys[1].txt
C:\Documents and Settings\Quincy\Cookies\quincy@bs.serving-sys[2].txt
C:\Documents and Settings\Quincy\Cookies\quincy@adinterax[1].txt
C:\Documents and Settings\Quincy\Cookies\quincy@ak[2].txt
C:\Documents and Settings\Quincy\Cookies\quincy@atdmt[2].txt
C:\Documents and Settings\Quincy\Cookies\quincy@ad.yieldmanager[2].txt

Trojan.Agent/Gen
C:\WINDOWS\SYSTEM32\ZLPXRS.DLL
#9
September 30th, 2009, 04:43 AM
itotterz
New Member
Join Date: Sep 2009
Posts: 27
Malwarebytes' Anti-Malware 1.41
Database version: 2874
Windows 5.1.2600 Service Pack 2

9/30/2009 11:44:31 AM
mbam-log-2009-09-30 (11-44-31).txt

Scan type: Quick Scan
Objects scanned: 96169
Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#10
October 1st, 2009, 12:59 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Improved, but very much wondering why SuperAntiSpyware picked up that file ComboFix should have removed. Reboot, and run a new ComboFix scan, and then a new SuperAntiSpyware scan, and post those logs please.
#11
October 1st, 2009, 01:09 AM
itotterz
New Member
Join Date: Sep 2009
Posts: 27
Hi Jintan, while you were out I downloaded Avast on my computer. After it did some updates, it automatically did something upon startup; I just left it doing what it was doing since I thought it was part of the update. Unfortunately, I had to go to work at that time, so I'm not sure what it did, and once I got back home (today) I noticed that it had deleted some files (infected files) and then the computer rebooted. Some nasty error message shows up on my screen, saying it is Unable to Locate Components. It is telling me that COMRes.dll was not found. I'm not sure what happened here.


I tried to run SUPERAntiSpyware but it never loaded, and the same with ComboFix. I shouldn't have downloaded Avast if it would just ruin my system.

Last edited by itotterz; October 1st, 2009 at 01:39 AM.
#12
October 1st, 2009, 02:10 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Yes, it truly is much better all around if you just stay the course with only what we do here for now.

Run new RSIT and Gmer scans and post those logs please.
#13
October 1st, 2009, 02:38 AM
itotterz
New Member
Join Date: Sep 2009
Posts: 27
Hello Jintan,

I was able to recover the missing DLL file and was able to run ComboFix and SUPERAntiSpyware. After that I ran new RSIT and GMER scans; here are the logs:
#14
October 1st, 2009, 02:38 AM
itotterz
New Member
Join Date: Sep 2009
Posts: 27
ComboFix 09-09-30.01 - Quincy 10/01/2009 9:09.9.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2821 [GMT -7:00]
Running from: c:\documents and settings\Quincy\Desktop\123.exe
AV: avast! antivirus 4.8.1356 [VPS 090930-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\ming9df16.ini
c:\documents and settings\All Users\ming9df32.ini
c:\windows\cc16.ini
c:\windows\Downloaded Program Files\BcHCMJEEXFxaCm3q.Ttf
c:\windows\Downloaded Program Files\DdrDVWV49HPgHP9kh.Ttf
c:\windows\Downloaded Program Files\dGRbFvvXexA8MsPnW.Ttf
c:\windows\Downloaded Program Files\eVaMpZ3AmmmbCPjX.Ttf
c:\windows\Downloaded Program Files\fZKkTmDAwTdKqXn8.Ttf
c:\windows\Downloaded Program Files\jEDR2jykhSujaMqF.Ttf
c:\windows\Downloaded Program Files\NFesCyNNswv2Crfru.Ttf
c:\windows\Downloaded Program Files\sFTeYEwVMFwRyW7hr.Ttf
c:\windows\Downloaded Program Files\skF72DppdVCUzqhF.Ttf
c:\windows\Downloaded Program Files\SvS2DJAqqTvtTYEU.Ttf
c:\windows\Downloaded Program Files\u8w23uRSuevxt2VP.Ttf
c:\windows\Downloaded Program Files\uMub3WCE6aZ3nFgrYRX.Ttf
c:\windows\Downloaded Program Files\vyUD66dJ999myu4W.Ttf
c:\windows\Downloaded Program Files\WD2B9pAnWGBjB2sz.Ttf
c:\windows\Downloaded Program Files\WQKrDGnXQQb3Mgjk.Ttf
c:\windows\Downloaded Program Files\XqCj7sp8EBTaYJBb.Ttf
c:\windows\Fonts\cD9KArZZUHxCqnyM.Ttf
c:\windows\Fonts\cFDPmh3MDPjcHMPd.Ttf
c:\windows\Fonts\CRp3uYCmcxMp3qQn9.Ttf
c:\windows\Fonts\eCgMhGRkPUcdutd0.Ttf
c:\windows\Fonts\eSEWZRdrSK3NeEJVy4.Ttf
c:\windows\Fonts\G8qZ5hBX7H.Ttf
c:\windows\Fonts\HXxfduw9KeQTCeP6Z.Ttf
c:\windows\Fonts\Qq3qg7RGSp9raxWW.Ttf
c:\windows\Fonts\RCZbVbjCY6wYszD3.Ttf
c:\windows\system32\dfc8ac3ed7da.dll
c:\windows\system32\drivers\dcwjh.sys
c:\windows\system32\homrunsrv.dll
c:\windows\system32\YfXZ.dll
c:\windows\Tasks\dcV3RyyQqPxNf2bd.ico
c:\windows\Tasks\gBuDCU6XjBAEHzzrg.ico
c:\windows\Tasks\kTS4JJGUYtVagxPs.ico
c:\windows\Tasks\kZdWDEpQcNC2NwDe.ico
c:\windows\Tasks\ThGkkhVnR6Dhf3eN.ico
c:\windows\Tasks\vC6ykXbjUGCVeCJa.ico
c:\windows\temp\14.exe

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\qmgr.dll

Infected copy of c:\windows\system32\xmlprov.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\xmlprov.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TXPLATFORM
-------\Service_Txplatform
-------\Legacy_HomeListen
-------\Legacy_yrha
-------\Service_HomeListen
-------\Service_yrha


((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-10-01 16:08 . 2009-10-01 16:09 -------- d-----w- c:\windows\system32\2W59Z402GF
2009-10-01 16:07 . 2009-10-01 16:08 -------- d-----w- c:\windows\system32\1JM5DFP28Y
2009-10-01 16:06 . 2009-10-01 16:07 -------- d-----w- c:\windows\system32\18TZ5L1OP9
2009-10-01 16:06 . 2009-10-01 16:07 -------- d-----w- c:\windows\system32\1T7HDYKV02
2009-10-01 16:05 . 2009-10-01 16:06 -------- d-----w- c:\windows\system32\1EKYKB32CW
2009-10-01 16:04 . 2009-10-01 16:05 -------- d-----w- c:\windows\system32\1NEPGKJD5W
2009-10-01 16:03 . 2009-10-01 16:04 -------- d-----w- c:\windows\system32\171MKNN1HL
2009-10-01 16:03 . 2009-10-01 15:58 792064 -c--a-w- c:\windows\system32\dllcache\comres.dll
2009-10-01 16:03 . 2009-10-01 15:58 792064 ----a-w- c:\windows\system32\comres.dll
2009-10-01 15:59 . 2009-10-01 15:59 -------- d-----w- c:\windows\system32\0N74MXQFXT
2009-10-01 15:58 . 2009-10-01 15:59 -------- d-----w- c:\windows\system32\0K5C5FCJRG
2009-10-01 15:57 . 2009-10-01 15:58 -------- d-----w- c:\windows\system32\ZUCW3BI320
2009-10-01 15:57 . 2009-10-01 15:57 -------- d-----w- c:\windows\system32\Z2TUXX83DG
2009-10-01 15:56 . 2009-10-01 15:57 -------- d-----w- c:\windows\system32\ZZQ2GEV773
2009-10-01 15:55 . 2009-10-01 15:56 -------- d-----w- c:\windows\system32\ZTGIM17P3C
2009-10-01 15:54 . 2009-10-01 15:55 -------- d-----w- c:\windows\system32\Z8X82PSOSZ
2009-10-01 15:53 . 2009-10-01 15:54 -------- d-----w- c:\windows\system32\Y7BNTRAVKV
2009-10-01 15:50 . 2009-10-01 15:50 97 ----a-w- c:\windows\system32\dzvbbsk.bat
2009-10-01 15:50 . 2009-10-01 15:50 48 ----a-w- c:\windows\system32\cnqzdeua.bat
2009-10-01 15:50 . 2009-10-01 15:50 35747 ----a-w- c:\windows\system32\ipklwiv.exe
2009-10-01 15:49 . 2009-10-01 15:50 -------- d-----w- c:\windows\system32\Y23OOOT1O9
2009-10-01 15:49 . 2009-10-01 15:49 -------- d-----w- c:\windows\system32\XA7UGNTTI5
2009-10-01 15:48 . 2009-10-01 15:48 -------- d-----w- c:\windows\system32\XNUYXO2IHN
2009-10-01 15:48 . 2009-10-01 15:48 -------- d-----w- c:\windows\system32\XKR6G6PMBA
2009-10-01 15:47 . 2009-10-01 15:48 -------- d-----w- c:\windows\system32\XSVC84PD55
2009-10-01 15:46 . 2009-10-01 15:47 -------- d-----w- c:\windows\system32\XD9TGI8KGZ
2009-10-01 15:45 . 2009-10-01 15:46 -------- d-----w- c:\windows\system32\XLCZ8H9BAU
2009-10-01 15:45 . 2009-10-01 15:45 -------- d-----w- c:\windows\system32\XV6Q4PPM4V
2009-10-01 15:44 . 2009-10-01 15:45 -------- d-----w- c:\windows\system32\WT7CT4HJE6
2009-10-01 15:43 . 2009-10-01 15:44 -------- d-----w- c:\windows\system32\WXE45ZR5BK
2009-10-01 15:42 . 2009-10-01 15:43 -------- d-----w- c:\windows\system32\WMB6QTB72B
2009-10-01 15:41 . 2009-10-01 15:42 -------- d-----w- c:\windows\system32\WKCSF834CM
2009-10-01 15:41 . 2009-10-01 15:41 -------- d-----w- c:\windows\system32\W2IHARBPQ2
2009-10-01 15:40 . 2009-10-01 15:41 -------- d-----w- c:\windows\system32\WQQYSBF9HP
2009-10-01 15:39 . 2009-10-01 15:40 -------- d-----w- c:\windows\system32\VP3DIDXF9L
2009-10-01 15:39 . 2009-10-01 15:39 -------- d-----w- c:\windows\system32\VRKKQXSI8U
2009-10-01 15:38 . 2009-10-01 15:39 -------- d-----w- c:\windows\system32\V4YW0O8OGS
2009-10-01 15:37 . 2009-10-01 15:38 -------- d-----w- c:\windows\system32\VS5DI8C77F
2009-10-01 15:36 . 2009-10-01 15:36 -------- d-----w- c:\windows\system32\V88O7UG046
2009-10-01 15:35 . 2009-10-01 15:36 -------- d-----w- c:\windows\system32\V9296GS9VB
2009-10-01 15:34 . 2009-10-01 15:35 -------- d-----w- c:\windows\system32\UPXSOQ3H1I
2009-10-01 15:33 . 2009-10-01 15:34 -------- d-----w- c:\windows\system32\UD495B71T5
2009-10-01 15:32 . 2009-10-01 15:32 -------- d-----w- c:\windows\system32\UB4VUQZX3G
2009-10-01 15:31 . 2009-10-01 15:32 -------- d-----w- c:\windows\system32\UAIALSH4VC
2009-10-01 15:30 . 2009-10-01 15:31 -------- d-----w- c:\windows\system32\T9WOCTZBN8
2009-10-01 15:30 . 2009-10-01 15:30 -------- d-----w- c:\windows\system32\TBZ2IQ433W
2009-10-01 15:29 . 2009-10-01 15:30 -------- d-----w- c:\windows\system32\TMW7KXP7DL
2009-10-01 15:27 . 2009-10-01 15:29 -------- d-----w- c:\windows\system32\T005YXKWLO
2009-10-01 15:27 . 2009-10-01 15:27 -------- d-----w- c:\windows\system32\TIKNV3JRGO
2009-10-01 15:26 . 2009-10-01 15:27 -------- d-----w- c:\windows\system32\TTISX94UQD
2009-10-01 15:25 . 2009-10-01 15:26 -------- d-----w- c:\windows\system32\SI21HHYNZK
2009-10-01 15:24 . 2009-10-01 15:25 -------- d-----w- c:\windows\system32\STZ6JNJR99
2009-10-01 15:23 . 2009-10-01 15:24 -------- d-----w- c:\windows\system32\SGTVYKX0JC
2009-10-01 15:22 . 2009-10-01 15:23 -------- d-----w- c:\windows\system32\S3NJEIBATE
2009-10-01 15:21 . 2009-10-01 15:22 -------- d-----w- c:\windows\system32\SRI7TFQK2H
2009-10-01 15:20 . 2009-10-01 15:21 -------- d-----w- c:\windows\system32\RYVRH4BSX8
2009-10-01 15:19 . 2009-10-01 15:20 -------- d-----w- c:\windows\system32\RKCNVEZSPQ
2009-10-01 15:19 . 2009-10-01 15:19 -------- d-----w- c:\windows\system32\R7TJ8POSI8
2009-10-01 15:18 . 2009-10-01 15:18 -------- d-----w- c:\windows\system32\REJVY0Y9UK
2009-10-01 15:17 . 2009-10-01 15:18 -------- d-----w- c:\windows\system32\RPH107JD49
2009-10-01 15:16 . 2009-10-01 15:17 -------- d-----w- c:\windows\system32\QCYWEH8DWR
2009-10-01 15:16 . 2009-10-01 15:16 -------- d-----w- c:\windows\system32\Q4LYE7F2CB
2009-10-01 15:15 . 2009-10-01 15:16 -------- d-----w- c:\windows\system32\Q5FJDTSB2G
2009-10-01 15:14 . 2009-10-01 15:15 -------- d-----w- c:\windows\system32\Q4TY4V9HUC
2009-10-01 15:13 . 2009-10-01 15:13 -------- d-----w- c:\windows\system32\QYJEAILZQL
2009-10-01 15:12 . 2009-10-01 15:13 -------- d-----w- c:\windows\system32\QK09OSAZI3
2009-10-01 15:11 . 2009-10-01 15:12 -------- d-----w- c:\windows\system32\P7H513Z0AM
2009-10-01 15:10 . 2009-10-01 15:11 -------- d-----w- c:\windows\system32\P6IRQIQWKX
2009-10-01 15:09 . 2009-10-01 15:10 -------- d-----w- c:\windows\system32\P5V5HJ83CT
2009-10-01 15:08 . 2009-10-01 15:09 -------- d-----w- c:\windows\system32\PHWPPNYZ37
2009-10-01 15:02 . 2009-10-01 15:03 -------- d-----w- c:\windows\system32\N3GE40EIOH
2009-10-01 15:01 . 2009-10-01 15:02 -------- d-----w- c:\windows\system32\NR0NN87BXO
2009-10-01 14:16 . 2009-10-01 14:18 -------- d-----w- c:\windows\system32\EN8ZYS87IE
2009-10-01 14:11 . 2009-10-01 14:13 -------- d-----w- c:\windows\system32\DAR2ORVSTD
2009-10-01 14:11 . 2009-10-01 14:11 17920 ----a-w- c:\windows\system32\Txplatform.dll
2009-10-01 14:07 . 2009-10-01 14:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-10-01 14:07 . 2009-10-01 14:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-10-01 14:07 . 2009-10-01 14:07 25600 -c--a-w- c:\windows\system32\dllcache\lsasvc.dll
2009-10-01 14:06 . 2009-10-01 14:54 -------- d-----w- c:\windows\system32\BQB0H3FD0H
2009-10-01 01:04 . 2009-10-01 01:04 -------- d-----w- c:\windows\system32\NXP6YZE8BJ
2009-10-01 01:00 . 2009-10-01 01:00 -------- d-----w- c:\windows\system32\MLVUYXJOUN
2009-10-01 00:59 . 2009-10-01 00:59 -------- d-----w- c:\windows\system32\M7M57XS4N0
2009-10-01 00:49 . 2009-10-01 00:49 -------- d-----w- c:\windows\system32\KTV8XCHZ98
2009-10-01 00:48 . 2009-10-01 00:48 -------- d-----w- c:\windows\system32\KRWUMR9WJJ
2009-10-01 00:47 . 2009-10-01 00:47 -------- d-----w- c:\windows\system32\J2TZOXUZT8
2009-09-30 23:38 . 2009-09-30 23:38 -------- d-----w- c:\windows\system32\436KKGB36K
2009-09-30 23:37 . 2009-09-30 23:37 -------- d-----w- c:\windows\system32\4Q08ZDPDGM
2009-09-30 23:36 . 2009-09-30 23:36 -------- d-----w- c:\windows\system32\4LG9ABHEB0
2009-09-30 23:36 . 2009-09-30 23:36 -------- d-----w- c:\windows\system32\4FXBL89F6E
2009-09-30 23:35 . 2009-09-30 23:35 -------- d-----w- c:\windows\system32\4P4UJ4E0HY
2009-09-30 23:35 . 2009-09-30 23:35 12136 ----a-w- c:\windows\system32\drivers\tcpz-x86d.sys
2009-09-30 23:35 . 2009-10-01 14:06 430080 --sh--r- c:\windows\system32\BtSrv.exe
2009-09-30 23:34 . 2009-09-30 23:35 -------- d-----w- c:\windows\system32\i
2009-09-30 19:38 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-30 19:38 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-30 19:38 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-30 19:38 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-30 19:38 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-30 19:38 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-30 19:38 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-30 19:38 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-30 19:38 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-30 19:38 . 2009-09-30 19:38 -------- d-----w- c:\program files\Alwil Software
2009-09-30 17:58 . 2009-09-30 18:05 -------- d-----w- C:\12325291
2009-09-30 05:00 . 2009-09-30 05:05 -------- d-----w- C:\123
2009-09-29 14:42 . 2009-09-29 14:42 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\CAPCOM
2009-09-29 13:34 . 2009-09-29 13:34 -------- d-----w- c:\program files\CAPCOM
2009-09-29 13:33 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-09-29 13:33 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-09-29 13:33 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-29 13:33 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-09-29 13:33 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-09-29 13:33 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-09-29 13:33 . 2009-09-29 13:33 -------- d-----w- c:\program files\MSBuild
2009-09-29 13:33 . 2009-09-29 13:33 101408 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-29 13:31 . 2009-09-29 13:31 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-29 13:31 . 2009-09-29 13:31 -------- d-----w- c:\program files\Reference Assemblies
2009-09-29 13:30 . 2006-06-29 20:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-09-29 13:28 . 2009-09-29 13:28 -------- d-----w- c:\windows\system32\xlive
2009-09-29 13:28 . 2009-10-01 15:08 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-21 02:14 . 2009-09-21 02:14 -------- d-----w- c:\documents and settings\Quincy\Local Settings\Application Data\PCHealth
2009-09-20 18:16 . 2009-09-20 18:16 -------- d-----w- c:\windows\ServicePackFiles
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdpash.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdnepr.dll
2009-09-20 18:16 . 2006-05-12 04:03 6144 ------w- c:\windows\system32\kbdiultn.dll
#15
October 1st, 2009, 02:39 AM
itotterz
New Member
Join Date: Sep 2009
Posts: 27
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 16:02 . 2009-02-14 06:29 -------- d-----w- c:\documents and settings\Quincy\Application Data\GetRight
2009-10-01 15:36 . 2009-01-27 00:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-01 00:46 . 2009-01-27 00:40 16680 ----a-w- c:\documents and settings\Quincy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 06:10 . 2009-07-24 21:56 -------- d-----w- c:\documents and settings\Quincy\Application Data\.purple
2009-09-30 04:20 . 2009-01-28 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-30 04:18 . 2009-01-28 20:31 -------- d-----w- c:\documents and settings\Quincy\Application Data\AVGTOOLBAR
2009-09-28 21:30 . 2009-05-01 12:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-26 20:56 . 2009-07-09 17:56 -------- d-----w- c:\documents and settings\Quincy\Application Data\LimeWire
2009-09-22 19:43 . 2009-06-20 00:21 -------- d-----w- c:\program files\CCleaner
2009-09-20 18:06 . 2009-08-22 16:50 -------- d-----w- c:\program files\Level Up Games
2009-09-12 21:23 . 2009-01-28 20:37 -------- d-----w- c:\program files\Garena
2009-09-12 21:23 . 2009-01-28 19:49 -------- d-----w- c:\program files\Warcraft III
2009-09-03 03:08 . 2009-08-24 06:22 -------- d-----w- c:\program files\MYGAME
2009-08-26 13:24 . 2009-06-20 17:22 -------- d-----w- c:\program files\Java
2009-08-13 17:49 . 2009-02-03 23:49 -------- d-----w- c:\program files\OpenDNS Updater
2009-07-30 21:03 . 2009-07-30 21:03 44 ----a-w- c:\documents and settings\Quincy\Aenarion.bat
2009-07-30 21:02 . 2009-07-30 21:02 44 ----a-w- c:\documents and settings\Quincy\multiclient.bat
2009-07-25 12:23 . 2009-06-20 17:22 411368 ----a-w- c:\windows\system32\deploytk.dll
.

------- Sigcheck -------

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\appmgmts.dll
[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\appmgmts.dll
[-] 2004-08-04 04:56 . 3FB13DFEC78EF8A22C64980A6CF1AF50 . 17408 . . [------] . . c:\windows\system32\appmgmts.dll
[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\appmgmts.dll

[7] 2004-08-11 09:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\ERDNT\cache\MsPMSNSv.dll
[7] 2004-08-11 09:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-11 09:45 . CAAC5C1A725D6FCD90D86612582133EB . 42496 . . [------] . . c:\windows\system32\MsPMSNSv.dll
[7] 2004-08-11 09:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\dllcache\mspmsnsv.dll
[7] 2004-08-04 04:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ntmssvc.dll
[7] 2004-08-04 04:56 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\ERDNT\cache\ntmssvc.dll
[-] 2004-08-04 04:56 . 3FB13DFEC78EF8A22C64980A6CF1AF50 . 17408 . . [------] . . c:\windows\system32\ntmssvc.dll
[7] 2004-08-04 04:56 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\dllcache\ntmssvc.dll