AV Security Suite annihilated windows

AV Security Suite annihilated windows

Post by planetsngalaxies on Thu 17 Jun 2010, 5:22 pm

I have the AV Security Suite virus that a lot of other people seem to be getting. I tried following Doctor Inferno's removal guide but the virus is so persistent I can't get past the first step. I set "no proxy" in firefox and it works for a few seconds, but before I can download HijackThis or go to any other site firefox crashes. It looks like my situation is pretty hopeless.

However, I do have Linux on this machine as well (what I'm using to post this). Would that help in removing the virus from Windows? I'm not very familiar with Linux but surely there must be some way to use it to remove the virus from the other OS. I'm willing to try anything. Thank you.

planetsngalaxies
Newbie Surfer
Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Fri 18 Jun 2010, 12:26 am

Hello.

We need to use the RKill Tool by Grinler

Rkill.com <--- Download site

  • Please Download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on rkill.com in order to automatically attempt to stop any processes associated with rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Thank you for your response.

Post by planetsngalaxies on Fri 18 Jun 2010, 1:29 am

OTL logfile created on: 6/17/2010 7:16:57 AM - Run 1

OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\memoirs\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 390.63 Gb Total Space | 82.69 Gb Free Space | 21.17% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

Drive H: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.85% Space Free | Partition Type: FAT

I: Drive not present or media not loaded



Computer Name: ADRIAN-9B9F6298

Current User Name: memoirs

Logged in as Administrator.



Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard



========== Processes (SafeList) ==========



PRC - [2010/06/17 00:12:26 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\memoirs\Desktop\OTL.exe

PRC - [2010/06/10 14:44:33 | 001,011,320 | ---- | M] (eBoostr.com) -- C:\Program Files\eBoostr\eBoostrCP.exe

PRC - [2010/06/09 22:02:44 | 001,843,312 | ---- | M] (PeerBlock, LLC) -- C:\Program Files\PeerBlock\peerblock.exe

PRC - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe

PRC - [2010/01/07 14:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe

PRC - [2009/05/09 21:22:48 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\JDK\bin\jqs.exe

PRC - [2009/05/09 21:22:48 | 000,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\JDK\bin\jusched.exe

PRC - [2008/08/08 05:17:00 | 000,843,384 | ---- | M] (eBoostr.com) -- C:\Program Files\eBoostr\EBstrSvc.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe





========== Modules (SafeList) ==========



MOD - [2010/06/17 00:12:26 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\memoirs\Desktop\OTL.exe

MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx





========== Win32 Services (SafeList) ==========



SRV - File not found [Auto | Running] -- -- (WMP54GSSVC)

SRV - [2010/01/07 14:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)

SRV - [2010/01/07 14:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)

SRV - [2010/01/07 14:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)

SRV - [2009/05/09 21:22:48 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\JDK\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2008/08/08 05:17:00 | 000,843,384 | ---- | M] (eBoostr.com) [Auto | Running] -- C:\Program Files\eBoostr\EBstrSvc.exe -- (EBOOSTRSVC)

SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2005/08/02 14:18:49 | 000,086,016 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)





========== Driver Services (SafeList) ==========



DRV - [2010/06/09 22:02:40 | 000,018,544 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)

DRV - [2010/05/10 18:24:32 | 000,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

DRV - [2010/04/03 15:55:31 | 010,232,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2010/01/07 14:22:02 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)

DRV - [2009/12/25 08:33:53 | 000,279,712 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)

DRV - [2009/12/25 08:33:53 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)

DRV - [2008/11/14 21:52:47 | 000,138,520 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)

DRV - [2008/08/08 05:17:00 | 000,096,376 | ---- | M] (eBoostr.com) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\eBoost.sys -- (eBoost)

DRV - [2008/05/07 19:21:40 | 004,739,072 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2008/04/13 11:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)

DRV - [2008/04/13 11:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)

DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/03/05 21:27:32 | 000,019,968 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)

DRV - [2007/03/05 21:27:28 | 000,058,752 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)

DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)

DRV - [2005/08/02 14:10:13 | 000,032,512 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)

DRV - [2004/12/22 01:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2004/12/01 03:46:20 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)

DRV - [2004/12/01 03:46:20 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)

DRV - [2003/09/25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)





========== Standard Registry (SafeList) ==========





========== Internet Explorer ==========



IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm



IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1257



========== FireFox ==========



FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 1257



FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\JDK\lib\deploy\jqs\ff [2009/05/09 21:22:50 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/15 08:25:04 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/15 08:25:03 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2008/11/03 08:27:55 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/04/25 19:30:09 | 000,000,000 | ---D | M]



[2009/06/12 19:15:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Extensions

[2010/06/16 15:17:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions

[2010/04/25 16:54:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/06/16 20:17:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions



O1 HOSTS File: ([2010/06/03 14:05:31 | 000,403,830 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 serial.alcohol-soft.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 images.alcohol-soft.com

O1 - Hosts: 127.0.0.1 trial.alcohol-soft.com

O1 - Hosts: 127.0.0.1 alcohol-soft.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

O1 - Hosts: 13969 more lines...

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.

O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\JDK\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\JDK\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [gkynihsnru] c:\Documents and Settings\John Connor\Local Settings\Application Data\fdhwbksk\rjhyfw.exe ()

O4 - HKLM..\Run: [ioqkoule] c:\Documents and Settings\John Connor\Local Settings\Application Data\snoafjp\kqkmurq.exe ()

O4 - HKLM..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()

O4 - HKLM..\Run: [kfvagiulxpu] c:\Documents and Settings\John Connor\Local Settings\Application Data\qvveagw\jqvjyh.exe ()

O4 - HKLM..\Run: [kwnbjtmrfl] c:\Documents and Settings\Adrian\Local Settings\Application Data\qdswimv\pspqqtj.exe ()

O4 - HKLM..\Run: [llsakkfvhq] c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe ()

O4 - HKLM..\Run: [mlgbjfypytrp] c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe ()

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] File not found

O4 - HKLM..\Run: [otmmifppdqrq] c:\Documents and Settings\Adrian\Local Settings\Application Data\tnfaof\scjdrca.exe ()

O4 - HKLM..\Run: [slvjaayibqkuc] c:\Documents and Settings\Adrian\Local Settings\Application Data\jclgsnask\klgiqds.exe ()

O4 - HKLM..\Run: [SunJavaUpdateSched] C:\JDK\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [xqeyrcsjcfsdb] c:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe ()

O4 - HKLM..\Run: [xwepdhcvr] c:\Documents and Settings\Adrian\Local Settings\Application Data\dhaegd\ybsorgx.exe ()

O4 - HKLM..\Run: [yfqxaybmlad] c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe ()

O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)

O4 - HKCU..\Run: [AlcoholAutomount] C:\Program Files\Alcohol 120\axcmd.exe (Alcohol Soft Development Team)

O4 - HKCU..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()

O4 - HKCU..\Run: [llsakkfvhq] c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe ()

O4 - HKCU..\Run: [mlgbjfypytrp] c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe ()

O4 - HKCU..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)

O4 - HKCU..\Run: [xqeyrcsjcfsdb] c:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe ()

O4 - HKCU..\Run: [yfqxaybmlad] c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eBoostr Control Panel.lnk = C:\Program Files\eBoostr\eBoostrCP.exe (eBoostr.com)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe ()

O24 - Desktop WallPaper: C:\Documents and Settings\memoirs\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\memoirs\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/11/03 06:19:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2007/04/20 00:24:46 | 346,909,029 | ---- | M] () - C:\AutoPatcher_XP_Nov06_ENU_Full2.exe -- [ NTFS ]

O33 - MountPoints2\{8e71ddc7-d4a1-11de-8767-0021978d99d4}\Shell - "" = AutoRun

O33 - MountPoints2\{8e71ddc7-d4a1-11de-8767-0021978d99d4}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{8e71ddc7-d4a1-11de-8767-0021978d99d4}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*



========== Files/Folders - Created Within 30 Days ==========



[2010/06/17 07:14:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx

[2010/06/17 07:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk

[2010/06/17 07:14:54 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\memoirs\Desktop\OTL.exe

[2010/06/17 07:14:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih

[2010/06/16 22:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt

[2010/06/16 19:51:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk

[2010/06/16 19:27:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Desktop\Carl Sagan - The Demon-Haunted World - Science as a Candle in the Dark

[2010/06/15 20:49:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\My Documents\Mount&Blade Warband Savegames

[2010/06/15 20:47:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Application Data\Mount&Blade Warband

[2010/06/15 16:23:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\SecondLife

[2010/06/15 16:23:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Application Data\SecondLife

[2010/06/15 16:20:15 | 000,000,000 | ---D | C] -- C:\Program Files\SecondLifeViewer2

[2010/06/15 14:02:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\My Documents\Downloads

[2010/06/15 13:58:12 | 000,000,000 | --SD | C] -- C:\Documents and Settings\memoirs\UserData

[2010/06/14 21:53:47 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock

[2010/06/14 21:51:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Application Data\gtk-2.0

[2010/06/14 21:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Application Data\Python-Eggs

[2010/06/14 21:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\GTK2-Runtime

[2010/06/14 21:46:19 | 000,000,000 | ---D | C] -- C:\Program Files\Deluge

[2010/06/14 21:41:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Application Data\deluge

[2010/06/14 18:58:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\memoirs\My Documents\My Videos

[2010/06/14 16:44:47 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll

[2010/06/14 16:44:46 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll

[2010/06/14 16:44:44 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll

[2010/06/14 16:44:35 | 000,000,000 | ---D | C] -- C:\Program Files\Mount&Blade Warband

[2010/06/14 15:41:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Tracing

[2010/06/14 15:35:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft

[2010/06/14 15:35:04 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive

[2010/06/14 15:32:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live

[2010/06/14 15:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Contacts

[2010/06/14 15:28:37 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[2010/06/14 15:28:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\My Documents\My Received Files

[2010/06/13 13:36:37 | 000,000,000 | ---D | C] -- C:\ProgramData

[2010/06/13 07:50:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Application Data\Xfire

[2010/06/13 07:44:31 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll

[2010/06/13 07:44:14 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll

[2010/06/13 07:44:14 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll

[2010/06/13 07:44:10 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe

[2010/06/13 07:41:30 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/06/10 13:02:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\eboostr

[2010/06/10 13:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\eBoostr

[2010/06/09 14:06:16 | 000,000,000 | ---D | C] -- C:\Program Files\Scanti

[2010/06/09 13:56:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation

[2010/06/09 13:56:26 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation

[2010/06/09 13:55:40 | 000,061,440 | ---- | C] (Khronos Group) -- C:\WINDOWS\System32\OpenCL.dll

[2010/06/09 13:55:38 | 011,647,592 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcompiler.dll

[2010/06/03 13:48:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Explorer Suite Signatures

[2010/06/03 13:48:48 | 000,000,000 | ---D | C] -- C:\Program Files\NTCore

[2010/05/24 19:35:36 | 000,000,000 | ---D | C] -- C:\Program Files\Mass Effect 2

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]



========== Files - Modified Within 30 Days ==========



[2010/06/17 07:17:22 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/06/17 07:14:28 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml

[2010/06/17 07:14:20 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/17 07:14:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/17 00:12:26 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\memoirs\Desktop\OTL.exe

[2010/06/17 00:12:00 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\eXplorer.exe

[2010/06/17 00:09:44 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\rkill.com

[2010/06/16 22:10:01 | 012,320,768 | -H-- | M] () -- C:\Documents and Settings\memoirs\NTUSER.DAT

[2010/06/16 22:10:01 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\memoirs\ntuser.ini

[2010/06/16 19:52:12 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\memoirs\.recently-used.xbel

[2010/06/15 16:20:43 | 000,000,807 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Second Life Viewer 2.lnk

[2010/06/15 08:25:05 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/06/15 08:21:28 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/06/15 08:21:28 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/06/15 08:21:28 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/06/15 08:19:40 | 000,129,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/06/14 23:51:35 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/06/14 18:48:21 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\memoirs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/14 18:46:29 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf

[2010/06/14 18:46:26 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

[2010/06/14 15:41:30 | 000,023,304 | ---- | M] () -- C:\Documents and Settings\memoirs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/06/14 15:36:13 | 000,000,907 | ---- | M] () -- C:\Documents and Settings\memoirs\My Documents\My Sharing Folders.lnk

[2010/06/14 08:26:47 | 072,493,310 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\Updated_Leadherheads.zip

[2010/06/13 09:02:29 | 142,848,103 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\Super_Pack.zip

[2010/06/13 07:35:42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/10 13:02:42 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eBoostr Control Panel.lnk

[2010/06/10 12:57:16 | 000,000,231 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/06/03 14:05:31 | 000,403,830 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/05/27 17:09:00 | 000,041,872 | ---- | M] () -- C:\WINDOWS\System32\xfcodec.dll

[2010/05/27 08:23:14 | 000,000,898 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100603-140531.backup

[2010/05/21 14:14:28 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/05/19 00:35:08 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]



========== Files Created - No Company Name ==========



[2010/06/17 07:14:54 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\rkill.com

[2010/06/17 07:14:54 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\eXplorer.exe

[2010/06/16 19:52:12 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\memoirs\.recently-used.xbel

[2010/06/15 16:20:43 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Second Life Viewer 2.lnk

[2010/06/15 08:25:05 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/06/14 18:46:29 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf

[2010/06/14 18:46:26 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

[2010/06/14 15:36:13 | 000,000,907 | ---- | C] () -- C:\Documents and Settings\memoirs\My Documents\My Sharing Folders.lnk

[2010/06/14 08:17:14 | 072,493,310 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\Updated_Leadherheads.zip

[2010/06/13 08:43:55 | 142,848,103 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\Super_Pack.zip

[2010/06/10 13:02:42 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eBoostr Control Panel.lnk

[2010/06/09 13:55:40 | 000,009,046 | ---- | C] () -- C:\WINDOWS\System32\nvinfo.pb

[2010/05/27 17:09:00 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll

[2010/02/13 13:58:34 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll

[2010/02/13 13:58:34 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll

[2009/09/29 14:10:25 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll

[2009/08/26 11:16:56 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll

[2009/08/26 11:16:54 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

[2009/08/26 11:16:54 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll

[2009/08/26 11:16:43 | 000,004,254 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI

[2009/06/10 14:16:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat

[2009/03/08 19:19:02 | 000,279,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys

[2009/03/08 19:19:02 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys

[2009/02/22 17:16:59 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2009/02/22 17:16:59 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2009/02/22 17:16:59 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2009/01/09 03:04:40 | 000,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2008/12/28 15:51:45 | 000,001,309 | ---- | C] () -- C:\WINDOWS\nwplayer.ini

[2008/11/14 21:52:47 | 000,138,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys

[2008/11/03 15:10:43 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini

[2008/10/07 13:33:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

[2005/08/02 14:24:01 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll

[1997/06/13 18:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll



========== Alternate Data Streams ==========



@Alternate Data Stream - 24 bytes -> C:\WINDOWS:89805D15E679D996

< End of report >

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Fri 18 Jun 2010, 1:29 am

OTL Extras logfile created on: 6/17/2010 7:16:57 AM - Run 1

OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\memoirs\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 390.63 Gb Total Space | 82.69 Gb Free Space | 21.17% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

Drive H: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.85% Space Free | Partition Type: FAT

I: Drive not present or media not loaded



Computer Name: ADRIAN-9B9F6298

Current User Name: memoirs

Logged in as Administrator.



Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard



========== Extra Registry (SafeList) ==========





========== File Associations ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]



[HKEY_CURRENT_USER\SOFTWARE\Classes\]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)



========== Shell Spawning ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)



========== Security Center Settings ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008



========== Authorized Applications List ==========



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)

"C:\Program Files\Age of Empires II\age2_x1\AGE2_X1.ICD" = C:\Program Files\Age of Empires II\age2_x1\AGE2_X1.ICD:*:Enabled:Age of Empires II Expansion -- File not found

"\\GOLLUM\SID MEIER'S CIVILIZATION 4\Beyond the Sword\Civ4BeyondSword.exe" = \\GOLLUM\SID MEIER'S CIVILIZATION 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Civ4BeyondSword.exe

"C:\Program Files\Xfire\xfire.exe" = C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)

"C:\Program Files\Steam\SteamApps\adrianwar\insurgency\hl2.exe" = C:\Program Files\Steam\SteamApps\adrianwar\insurgency\hl2.exe:*:Enabled:hl2 -- ()

"C:\Program Files\SoulseekNS\slsk.exe" = C:\Program Files\SoulseekNS\slsk.exe:*:Enabled:SoulSeek -- ()

"C:\Program Files\Steam\SteamApps\adrianwar\team fortress 2\hl2.exe" = C:\Program Files\Steam\SteamApps\adrianwar\team fortress 2\hl2.exe:*:Disabled:hl2 -- ()

"C:\Program Files\Warcraft III\war3.exe" = C:\Program Files\Warcraft III\war3.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)

"C:\Program Files\Steam\SteamApps\adrianwar\source sdk base 2007\hl2.exe" = C:\Program Files\Steam\SteamApps\adrianwar\source sdk base 2007\hl2.exe:*:Enabled:hl2 -- ()

"C:\Program Files\Steam\SteamApps\adrianwar\age of chivalry\hl2.exe" = C:\Program Files\Steam\SteamApps\adrianwar\age of chivalry\hl2.exe:*:Enabled:hl2 -- ()

"C:\Program Files\Steam\SteamApps\adrianwar\counter-strike\hl.exe" = C:\Program Files\Steam\SteamApps\adrianwar\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)

"C:\Program Files\Steam\SteamApps\adrianwar\half-life 2 deathmatch\hl2.exe" = C:\Program Files\Steam\SteamApps\adrianwar\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2 -- ()

"C:\Program Files\xchat\xchat.exe" = C:\Program Files\xchat\xchat.exe:*:Enabled:XChat IRC Client -- File not found

"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus -- File not found

"C:\Program Files\Steam\SteamApps\adrianwar\condition zero deleted scenes\hl.exe" = C:\Program Files\Steam\SteamApps\adrianwar\condition zero deleted scenes\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)

"C:\Program Files\Steam\SteamApps\adrianwar\counter-strike source\hl2.exe" = C:\Program Files\Steam\SteamApps\adrianwar\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()

"C:\Program Files\Steam\SteamApps\adrianwar\day of defeat source\hl2.exe" = C:\Program Files\Steam\SteamApps\adrianwar\day of defeat source\hl2.exe:*:Enabled:hl2 -- ()

"C:\Program Files\Warcraft II BNE\Warcraft II BNE.exe" = C:\Program Files\Warcraft II BNE\Warcraft II BNE.exe:*:Enabled:Warcraft II Battle.net Edition -- (Blizzard Entertainment)

"C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs -- File not found

"C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties -- File not found

"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)

"C:\Program Files\Ubisoft\Heroes of Might and Magic V\bin\H5_Game.exe" = C:\Program Files\Ubisoft\Heroes of Might and Magic V\bin\H5_Game.exe:*:Enabled:Heroes of Might and Magic V -- ()

"C:\JDK\bin\java.exe" = C:\JDK\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)

"C:\xampp\apache\bin\httpd.exe" = C:\xampp\apache\bin\httpd.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)

"C:\xampp\mysql\bin\mysqld.exe" = C:\xampp\mysql\bin\mysqld.exe:*:Enabled:mysqld -- ()

"C:\Program Files\BitLord\BitLord.exe" = C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord -- ([You must be registered and logged in to see this link.]

"C:\Program Files\Sid Meier's Civilization IV Colonization\Colonization.exe" = C:\Program Files\Sid Meier's Civilization IV Colonization\Colonization.exe:*:Enabled:Sid Meier's Civilization IV Colonization -- (Firaxis Games)

"C:\Program Files\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe" = C:\Program Files\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)

"C:\Program Files\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = C:\Program Files\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)

"C:\Program Files\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" = C:\Program Files\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 : Warlords -- (Firaxis Games)

"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe" = C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2 -- File not found

"C:\Program Files\Mass Effect\Binaries\MassEffect.exe" = C:\Program Files\Mass Effect\Binaries\MassEffect.exe:*:Enabled:Mass Effect Game -- (BioWare)

"C:\Program Files\Mass Effect\MassEffectLauncher.exe" = C:\Program Files\Mass Effect\MassEffectLauncher.exe:*:Enabled:Mass Effect Launcher -- (BioWare)

"C:\Program Files\Mass Effect 2\Binaries\MassEffect2.exe" = C:\Program Files\Mass Effect 2\Binaries\MassEffect2.exe:*:Enabled:Mass Effect 2 Game -- (BioWare)

"C:\Program Files\Mass Effect 2\MassEffect2Launcher.exe" = C:\Program Files\Mass Effect 2\MassEffect2Launcher.exe:*:Enabled:Mass Effect 2 Launcher -- (BioWare)

"C:\Program Files\EA Games\EADM\Core.exe" = C:\Program Files\EA Games\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Steam\SteamApps\common\empire total war\Empire.exe" = C:\Program Files\Steam\SteamApps\common\empire total war\Empire.exe:*:Enabled:Empire: Total War -- (The Creative Assembly Ltd)

"C:\Program Files\Deluge\Deluge-Python\deluge.exe" = C:\Program Files\Deluge\Deluge-Python\deluge.exe:*:Enabled:deluge -- ()





========== HKEY_LOCAL_MACHINE Uninstall List ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)

"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser

"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0+ (r404)

"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2(TM)

"{05156799-4EC3-4885-864E-E190A429B307}" = FaceGen Modeller 3.4 Free

"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable

"{14AA72DA-DB40-4A34-93A6-401A81D7AF9E}" = Unreal Anthology

"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1

"{1B0FBB9A-995D-47cd-87CD-13E68B676E4F}" = Mass Effect

"{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13

"{28101984-0BA6-40FD-9ABE-72F62F80C06C}" = Heroes of Might and Magic V

"{297C7552-BA68-4F73-AB83-82510777421D}_is1" = Fallout 3 - Unofficial Fallout 3 Patch

"{32A3A4F4-B792-11D6-A78A-00B0D0160130}" = Java(TM) SE Development Kit 6 Update 13

"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword

"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion

"{370BCBBA-67D7-4535-ADCD-58CD1C8DEC99}" = Zune Language Pack (DE)

"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

"{3E4B349F-10B5-4586-9D99-489A90A8B228}" = Sid Meier's Civilization 4 - Warlords

"{40EC6323-497B-44DA-8A88-74578622D9B3}" = Zune Language Pack (IT)

"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4

"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{4BD7D570-BF4F-478B-9EEC-E0FDFA2FBE7D}" = FOMS 2 Alpha 1

"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE

"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu

"{66FF4C48-0083-4E60-8556-B883AB200092}" = Heroes of Might and Magic V - Tribes of the East

"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB}" = Mass Effect 2

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{79A2AB22-00D8-4F09-A00A-F1CB7DB3E916}_is1" = Penumbra

"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries

"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder

"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6

"{9580813D-94B1-4C28-9426-A441E2BB29A5}" = Counter-Strike: Source

"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3

"{998D6972-F58E-479D-9248-8F179E55AE38}" = Java DB 10.4.1.3

"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation

"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4

"{D3F80A98-05AB-4D8C-9272-766CCFA6A48D}" = THE SETTLERS - Rise of an Empire

"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser

"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU

"{DB3C800B-081B-4146-B4E3-EFB5B77AA913}" = TES Construction Set

"{DCB10921-908F-4F15-91C8-3FDB58DCD62D}" = FaceGen Exchange v0.3b

"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX

"{DF5A03CC-D5AA-43D8-B948-D9903F2AF94A}" = Counter-Strike(TM)

"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime

"{EAE4A00B-D290-4B65-8287-B82A80FC0619}" = Linksys Wireless-G PCI Network Adapter with SpeedBooster

"{ECEE0279-785F-4CB3-9F28-E69813234BF8}" = SPORE™ Creature Creator Trial Edition

"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform

"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)

"{EF36A836-BF89-4A4F-B079-057B0C68C1E0}" = Sid Meier's Civilization IV Colonization

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}" = The Witcher Enhanced Edition

"{F1CBC6F7-D82D-4DC5-B81C-9A14F418593A}_is1" = WC3Banlist

"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects

"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call

"{FC123EEA-330A-4685-911C-95B8F5E9DE68}" = Thief - Deadly Shadows

"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard

"7-Zip" = 7-Zip 4.57

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11

"Age of Empires 2.0" = Microsoft Age of Empires II

"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion

"Any Audio Converter_is1" = Any Audio Converter 2.0.5

"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE

"BitLord" = BitLord 1.1

"Civitas3" = Grand Ages Rome 1.11

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"comtypes-py2.5" = Python 2.5 comtypes-0.5.2

"Deluge" = Deluge 1.3.0-rc1

"Diablo II" = Diablo II

"EADM" = EA Download Manager

"eBoostr 1" = eBoostr 2

"Explorer Suite_is1" = Explorer Suite III

"Fallout 3 - The Pitt" = Fallout 3 - The Pitt

"Fallout 3: Operation Anchorage™" = Fallout 3: Operation Anchorage™

"Fallout Mod Manager_is1" = Fallout Mod Manager 0.11.9

"FOOK2 v1.0" = FOOK2

"Francesco's leveled creatures-items mod_is1" = Francesco's leveled creatures-items mod 4.5b

"Francesco's optional new items/creatures_is1" = Francesco's optional new items/creatures 4.5

"Free FLV Converter_is1" = Free FLV Converter V 6.32

"Graphical Enhancement Resources" = Graphical Enhancement Resources 2.5

"GTK2-Runtime" = GTK2-Runtime

"Guitar Pro 5_is1" = Guitar Pro 5.2

"Half-Life 2 Riot Act" = Half-Life 2 Riot Act 1.0

"InstallShield_{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs

"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"InstallShield_{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties

"LastFM_is1" = Last.fm 1.5.2.38918

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU

"mIRC" = mIRC

"Mount&Blade Warband" = Mount&Blade Warband

"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)

"Mozilla Thunderbird (2.0.0.17)" = Mozilla Thunderbird (2.0.0.17)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"Notepad++" = Notepad++

"NoteWorthy Player" = NoteWorthy Player

"NVIDIA Display Control Panel" = NVIDIA Display Control Panel

"NVIDIA Drivers" = NVIDIA Drivers

"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager

"Oblivion mod manager_is1" = Oblivion mod manager 1.1.12

"OpenAL" = OpenAL

"PIL-py2.5" = Python 2.5 PIL-1.1.6

"PowerShell" = Windows PowerShell(TM) 1.0

"psyco-py2.5" = Python 2.5 psyco-1.6

"pywin32-py2.5" = Python 2.5 pywin32-212

"RevolutionDCM" = RevolutionDCM

"RollerCoaster Tycoon Setup" = Roll

"SecondLifeViewer2" = SecondLifeViewer2 (remove only)

"Soulseek2" = SoulSeek 157 NS 13c

"StarCraft" = StarCraft

"Steam App 10500" = Empire: Total War

"Steam App 17510" = Age of Chivalry

"Steam App 17700" = Insurgency

"Steam App 215" = Source SDK Base

"Steam App 218" = Source SDK Base - Orange Box

"Steam App 220" = Half-Life 2

"Steam App 380" = Half-Life 2: Episode One

"Steam App 400" = Portal

"Steam App 420" = Half-Life 2: Episode Two

"Steam App 440" = Team Fortress 2

"Unofficial Oblivion Patch_is1" = Unofficial Oblivion Patch v3.2.0

"Unofficial Shivering Isles Patch_is1" = Unofficial Shivering Isles Patch v1.4.0

"Warcraft II BNE" = Warcraft II BNE

"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

"WIC" = Windows Imaging Component

"Wilderness Sounds 3.0 by Puma Man" = Wilderness Sounds 3.0 by Puma Man

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinLiveSuite_Wave3" = Windows Live Essentials

"WinMerge_is1" = WinMerge 2.12.4

"WinPcapInst" = WinPcap 3.1

"winusb0100" = Microsoft WinUsb 1.0

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wrye Bash" = Wrye Bash

"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7

"wxPython2.8-ansi-py25_is1" = wxPython 2.8.7.1 (ansi) for Python 2.5

"Xfire" = Xfire (remove only)

"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

"Zune" = Zune



========== HKEY_CURRENT_USER Uninstall List ==========



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]



========== Last 10 Event Log Errors ==========



[ Application Events ]

Error - 6/7/2010 11:11:14 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application fallout3.exe, version 1.7.0.3, faulting module

fallout3.exe, version 1.7.0.3, fault address 0x00227180.



Error - 6/8/2010 12:18:28 AM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application fallout3.exe, version 1.7.0.3, faulting module

fallout3.exe, version 1.7.0.3, fault address 0x007db21b.



Error - 6/8/2010 12:58:22 AM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application fallout3.exe, version 1.7.0.3, faulting module

fallout3.exe, version 1.7.0.3, fault address 0x00227180.



Error - 6/8/2010 6:21:07 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application civ4beyondsword.exe, version 3.1.9.0, faulting

module d3d9.dll, version 5.3.2600.5512, fault address 0x00087676.



Error - 6/9/2010 5:45:26 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Hang | ID = 1002

Description = Hanging application OblivionModManager.exe, version 1.1.12.0, hang

module hungapp, version 0.0.0.0, hang address 0x00000000.



Error - 6/9/2010 6:32:19 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application fallout3.exe, version 1.7.0.3, faulting module

fallout3.exe, version 1.7.0.3, fault address 0x007dc0f1.



Error - 6/16/2010 6:07:47 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 1.9.2.3743, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.



Error - 6/16/2010 6:52:31 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application hl2.exe, version 0.0.0.0, faulting module engine.dll,

version 0.0.0.0, fault address 0x000adc47.



Error - 6/16/2010 10:51:11 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application firefox.exe, version 1.9.2.3743, faulting module

unknown, version 0.0.0.0, fault address 0x00000000.



Error - 6/16/2010 11:04:53 PM | Computer Name = ADRIAN-9B9F6298 | Source = Application Error | ID = 1000

Description = Faulting application spybotsd.exe, version 1.6.2.46, faulting module

spybotsd.exe, version 1.6.2.46, fault address 0x00004d8a.



[ System Events ]

Error - 6/14/2010 10:43:28 AM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1001

Description = Your computer was not assigned an address from the network (by the

DHCP Server) for the Network Card with network address 0021978D99D4. The following

error occurred: %%121. Your computer will continue to try and obtain an address on

its own from the network address (DHCP) server.



Error - 6/14/2010 10:44:48 AM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1000

Description = Your computer has lost the lease to its IP address 192.168.100.11

on the Network Card with network address 0021978D99D4.



Error - 6/15/2010 12:42:17 AM | Computer Name = ADRIAN-9B9F6298 | Source = Service Control Manager | ID = 7034

Description = The eBoostr Service service terminated unexpectedly. It has done

this 1 time(s).



Error - 6/16/2010 11:04:25 PM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1002

Description = The IP address lease 68.0.156.199 for the Network Card with network

address 0021978D99D4 has been denied by the DHCP server 0.0.0.0 (The DHCP Server

sent a DHCPNACK message).



Error - 6/16/2010 11:07:18 PM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1000

Description = Your computer has lost the lease to its IP address 192.168.100.11

on the Network Card with network address 0021978D99D4.



Error - 6/17/2010 12:00:49 AM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1002

Description = The IP address lease 68.0.156.199 for the Network Card with network

address 0021978D99D4 has been denied by the DHCP server 0.0.0.0 (The DHCP Server

sent a DHCPNACK message).



Error - 6/17/2010 12:01:33 AM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1000

Description = Your computer has lost the lease to its IP address 192.168.100.11

on the Network Card with network address 0021978D99D4.



Error - 6/17/2010 1:08:34 AM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1002

Description = The IP address lease 68.0.156.199 for the Network Card with network

address 0021978D99D4 has been denied by the DHCP server 0.0.0.0 (The DHCP Server

sent a DHCPNACK message).



Error - 6/17/2010 1:09:29 AM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1000

Description = Your computer has lost the lease to its IP address 192.168.100.11

on the Network Card with network address 0021978D99D4.



Error - 6/17/2010 1:10:05 AM | Computer Name = ADRIAN-9B9F6298 | Source = Dhcp | ID = 1000

Description = Your computer has lost the lease to its IP address 192.168.100.11

on the Network Card with network address 0021978D99D4.





< End of report >

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Fri 18 Jun 2010, 3:09 am

Hello.

Remove the Proxy setting in Internet Explorer and/or in Firefox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O4 - HKLM..\Run: [gkynihsnru] c:\Documents and Settings\John Connor\Local Settings\Application Data\fdhwbksk\rjhyfw.exe ()
    O4 - HKLM..\Run: [ioqkoule] c:\Documents and Settings\John Connor\Local Settings\Application Data\snoafjp\kqkmurq.exe ()
    O4 - HKLM..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()
    O4 - HKLM..\Run: [kfvagiulxpu] c:\Documents and Settings\John Connor\Local Settings\Application Data\qvveagw\jqvjyh.exe ()
    O4 - HKLM..\Run: [kwnbjtmrfl] c:\Documents and Settings\Adrian\Local Settings\Application Data\qdswimv\pspqqtj.exe ()
    O4 - HKLM..\Run: [llsakkfvhq] c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe ()
    O4 - HKLM..\Run: [mlgbjfypytrp] c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe ()
    O4 - HKLM..\Run: [otmmifppdqrq] c:\Documents and Settings\Adrian\Local Settings\Application Data\tnfaof\scjdrca.exe ()
    O4 - HKLM..\Run: [slvjaayibqkuc] c:\Documents and Settings\Adrian\Local Settings\Application Data\jclgsnask\klgiqds.exe ()
    O4 - HKLM..\Run: [xqeyrcsjcfsdb] c:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe ()
    O4 - HKLM..\Run: [xwepdhcvr] c:\Documents and Settings\Adrian\Local Settings\Application Data\dhaegd\ybsorgx.exe ()
    O4 - HKLM..\Run: [yfqxaybmlad] c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe ()
    O4 - HKCU..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()
    O4 - HKCU..\Run: [llsakkfvhq] c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe ()
    O4 - HKCU..\Run: [mlgbjfypytrp] c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe ()
    O4 - HKCU..\Run: [xqeyrcsjcfsdb] c:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe ()
    O4 - HKCU..\Run: [yfqxaybmlad] c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe ()
    [2010/06/17 07:14:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx
    [2010/06/17 07:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk
    [2010/06/17 07:14:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih
    [2010/06/16 22:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt
    [2010/06/16 19:51:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk
    [2010/05/27 08:23:14 | 000,000,898 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100603-140531.backup

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Fri 18 Jun 2010, 8:23 am

It seems like this step worked okay. However, as I was saving the log to my flash the AV Security Suite pop-up appeared again! I ran rkill to stop it -- I'll paste that log after the OTL log.

All processes killed
Error: Unable to interpret <:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O4 - HKLM..\Run: [gkynihsnru] c:\Documents and Settings\John Connor\Local Settings\Application Data\fdhwbksk\rjhyfw.exe ()
O4 - HKLM..\Run: [ioqkoule] c:\Documents and Settings\John Connor\Local Settings\Application Data\snoafjp\kqkmurq.exe ()
O4 - HKLM..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()
O4 - HKLM..\Run: [kfvagiulxpu] c:\Documents and Settings\John Connor\Local Settings\Application Data\qvveagw\jqvjyh.exe ()
O4 - HKLM..\Run: [kwnbjtmrfl] c:\Documents and Settings\Adrian\Local Settings\Application Data\qdswimv\pspqqtj.exe ()
O4 - HKLM..\Run: [llsakkfvhq] c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe ()
O4 - HKLM..\Run: [mlgbjfypytrp] c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe ()
O4 - > in the current context!
Error: Unable to interpret O4 - HKLM..\Run: [slvjaayibqkuc] c:\Documents and Settings\Adrian\Local Settings\Application Data\jclgsnask\klgiqds.exe ()
O4 - HKLM..\Run: [xqeyrcsjcfsdb] c:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe ()
O4 - HKLM..\Run: [xwepdhcvr] c:\Documents and Settings\Adrian\Local Settings\Application Data\dhaegd\ybsorgx.exe ()
O4 - HKLM..\Run: [yfqxaybmlad] c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe ()
O4 - HKCU..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()
O4 - HKCU..\Run: [llsakkfvhq] c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe ()
O4 - HKCU..\Run: [mlgbjfypytrp] c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe ()
O4 - HKCU..\Run: [xqeyrcsjcfsdb] c:\Documents and Settings\memoirs\Loca> in the current context!
Error: Unable to interpret O4 - HKCU..\Run: [yfqxaybmlad] c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe ()
[2010/06/17 07:14:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx
[2010/06/17 07:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk
[2010/06/17 07:14:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih
[2010/06/16 22:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt
[2010/06/16 19:51:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk
[2010/05/27 08:23:14 | 000,000,898 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100603-140531.backup

:commands
[emptytemp]
[resethosts]
[reboot]
> in the current context!

OTL by OldTimer - Version 3.2.6.0 log created on 06172010_211047

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

======================================
OTL log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as memoirs on 06/17/2010 at 21:13:14.


Processes terminated by Rkill or while it was running:


C:\documents and settings\memoirs\local settings\application data\ddgymqcrk\vawxad.exe
C:\Documents and Settings\memoirs\Desktop\rkill.com


Rkill completed on 06/17/2010 at 21:13:16.

=========================================

I notice the \ddgymqcrk\ folder in both logs. Did it somehow re-create itself after I ran OTL.exe?

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux


Re: AV Security Suite annihilated windows

Post by Belahzur on Fri 18 Jun 2010, 11:04 am

Hello.
I think something didn't work correctly. Please read my instructions carefully: the script is the bolded text, and what you posted above is an exact copy of my script, not the report.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Fri 18 Jun 2010, 12:19 pm

Very sorry about that, Belahzur. I figured out what I was doing wrong. Is this the correct log?


All processes killed

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\gkynihsnru deleted successfully.
c:\Documents and Settings\John Connor\Local Settings\Application Data\fdhwbksk\rjhyfw.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ioqkoule deleted successfully.
c:\Documents and Settings\John Connor\Local Settings\Application Data\snoafjp\kqkmurq.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ircijcaybwo deleted successfully.
c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\kfvagiulxpu deleted successfully.
c:\Documents and Settings\John Connor\Local Settings\Application Data\qvveagw\jqvjyh.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\kwnbjtmrfl deleted successfully.
c:\Documents and Settings\Adrian\Local Settings\Application Data\qdswimv\pspqqtj.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\llsakkfvhq deleted successfully.
c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\mlgbjfypytrp deleted successfully.
c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\otmmifppdqrq deleted successfully.
c:\Documents and Settings\Adrian\Local Settings\Application Data\tnfaof\scjdrca.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\slvjaayibqkuc deleted successfully.
c:\Documents and Settings\Adrian\Local Settings\Application Data\jclgsnask\klgiqds.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\xqeyrcsjcfsdb deleted successfully.
c:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\xwepdhcvr deleted successfully.
c:\Documents and Settings\Adrian\Local Settings\Application Data\dhaegd\ybsorgx.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\yfqxaybmlad deleted successfully.
c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ircijcaybwo deleted successfully.
File c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\llsakkfvhq deleted successfully.
File c:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\mlgbjfypytrp deleted successfully.
File c:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\xqeyrcsjcfsdb deleted successfully.
File c:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\yfqxaybmlad deleted successfully.
File c:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe not found.
C:\Documents and Settings\memoirs\Local Settings\Application Data\xebdbx folder moved successfully.
C:\Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk folder moved successfully.
C:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih folder moved successfully.
C:\Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt folder moved successfully.
C:\Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk folder moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100603-140531.backup moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Adrian
->Temp folder emptied: 2734883748 bytes
->Temporary Internet Files folder emptied: 19417558 bytes
->Java cache emptied: 13572540 bytes
->FireFox cache emptied: 3437770 bytes
->Flash cache emptied: 287844 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest
->Temp folder emptied: 73245898 bytes
->Temporary Internet Files folder emptied: 40210987 bytes
->FireFox cache emptied: 57374894 bytes
->Flash cache emptied: 6135 bytes

User: John Connor
->Temp folder emptied: 15665473 bytes
->Temporary Internet Files folder emptied: 790348 bytes
->Java cache emptied: 10680381 bytes
->FireFox cache emptied: 26328395 bytes
->Flash cache emptied: 592 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: memoirs
->Temp folder emptied: 1999489763 bytes
->Temporary Internet Files folder emptied: 56544612 bytes
->Java cache emptied: 22799213 bytes
->FireFox cache emptied: 48725738 bytes
->Flash cache emptied: 66467 bytes

User: NetworkService
->Temp folder emptied: 1485322 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 1146897 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3312958 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 25538714 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 3876737555 bytes

Total Files Cleaned = 8,616.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.6.0 log created on 06182010_002522

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\memoirs\Local Settings\Temp\Temporary Directory 9 for motw-pts-mp3.zip\maudlin of the Well - Part The Second (2009) - MP3\maudlin of the Well - Part the Second - 05 - Laboratories of the Invisible World (Rollerskating the Cosmic Palmistric Postborder).m not found!
File\Folder C:\Documents and Settings\memoirs\Local Settings\Temp\Temporary Directory 8 for motw-pts-mp3.zip\maudlin of the Well - Part The Second (2009) - MP3\maudlin of the Well - Part the Second - 05 - Laboratories of the Invisible World (Rollerskating the Cosmic Palmistric Postborder).m not found!
File\Folder C:\Documents and Settings\memoirs\Local Settings\Temp\Temporary Directory 5 for motw-pts-mp3.zip\maudlin of the Well - Part The Second (2009) - MP3\maudlin of the Well - Part the Second - 05 - Laboratories of the Invisible World (Rollerskating the Cosmic Palmistric Postborder).m not found!
File\Folder C:\Documents and Settings\memoirs\Local Settings\Temp\Temporary Directory 3 for motw-pts-mp3.zip\maudlin of the Well - Part The Second (2009) - MP3\maudlin of the Well - Part the Second - 01 - Excerpt from 6,000,000,000,000 Miles Before the First, Or, the Revisitation of the Blu not found!
File\Folder C:\Documents and Settings\memoirs\Local Settings\Temp\Temporary Directory 2 for motw-pts-mp3.zip\maudlin of the Well - Part The Second (2009) - MP3\maudlin of the Well - Part the Second - 01 - Excerpt from 6,000,000,000,000 Miles Before the First, Or, the Revisitation of the Blu not found!
File\Folder C:\Documents and Settings\memoirs\Local Settings\Temp\Temporary Directory 17 for motw-pts-mp3.zip\maudlin of the Well - Part The Second (2009) - MP3\maudlin of the Well - Part the Second - 01 - Excerpt from 6,000,000,000,000 Miles Before the First, Or, the Revisitation of the Bl not found!

Registry entries deleted on Reboot...

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

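The OTL script posted earlier and the fix log above are easy to misread by eye: the HKCU entries report "File ... not found" only because the matching HKLM entry in the same run had already moved the file. The helper below, an added example that is not OTL's code or anything from this thread, parses the O4 lines of the script, walks the fix log in order, and reports per Run value whether its file was moved, was already moved by its twin, or was never handled. The sample script and log are constructed from entries quoted in the thread, with one constructed benign Run entry and one rogue entry deliberately left out of the log to exercise the checks.

```python
"""Reconcile an OTL fix script against the fix log OTL writes afterwards.
Added example for this thread, not OTL's own code. The sample script and log are
constructed from entries quoted above, plus a constructed benign Run entry and one
rogue entry the log never processed."""
import re

# One O4 line of an OTL script: hive, Run value name, launched path, publisher in ().
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] "
                   r"(?P<path>.+?) \((?P<publisher>[^)]*)\)$")
# Drop location the rogue used: <profile>\Local Settings\Application Data\<dir>\<file>.exe
DROP_RE = re.compile(r"^c:\\documents and settings\\(?P<user>[^\\]+)\\local settings\\"
                     r"application data\\(?P<folder>[^\\]+)\\(?P<exe>[^\\]+\.exe)$", re.I)
# Fix-log lines: a Run value deleted, then the file it launched either moved or not found.
VALUE_RE = re.compile(r"^Registry value (?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)"
                      r"\\.*\\Run\\\\(?P<name>\S+) deleted successfully\.$")
MOVED_RE = re.compile(r"^(?P<path>.+?\.exe) moved successfully\.$", re.I)
MISSING_RE = re.compile(r"^File (?P<path>.+?\.exe) not found\.$", re.I)
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_script(script_text):
    """Return the O4 entries of an OTL script; other line types are skipped."""
    entries = []
    for raw in script_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        drop = DROP_RE.match(entry["path"])
        # Rogue pattern from this thread: empty publisher and a per-user LocalAppData drop.
        entry["suspicious"] = drop is not None and entry["publisher"] == ""
        entry["user"] = drop.group("user") if drop else None
        entries.append(entry)
    return entries


def parse_fixlog(log_text):
    """Walk the log in order, pairing each deleted Run value with the file line after it."""
    outcome, current = {}, None  # (hive, name) -> "moved" | "not found" | "no file line"
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := VALUE_RE.match(line)):
            current = (HIVE_SHORT[m.group("hive")], m.group("name"))
            outcome[current] = "no file line"
        elif current is not None and MOVED_RE.match(line):
            outcome[current], current = "moved", None
        elif current is not None and MISSING_RE.match(line):
            outcome[current], current = "not found", None
    return outcome


def reconcile(script_text, log_text):
    """Per O4 entry, what the fix log says happened to its Run value and its file."""
    entries = parse_script(script_text)
    outcome = parse_fixlog(log_text)
    moved_paths = {e["path"].lower() for e in entries
                   if outcome.get((e["hive"], e["name"])) == "moved"}
    report = {}
    for e in entries:
        key = (e["hive"], e["name"])
        state = outcome.get(key, "value not deleted")
        # HKLM and HKCU twins launch one file: the second pass reporting
        # "not found" means the first pass already moved it, not a leftover.
        if state == "not found" and e["path"].lower() in moved_paths:
            state = "already moved"
        report[key] = {"path": e["path"], "user": e["user"],
                       "suspicious": e["suspicious"], "file": state}
    return report


def leftovers(report):
    """Suspicious entries the fix did not account for, in script order."""
    return [k for k, v in report.items()
            if v["suspicious"] and v["file"] not in ("moved", "already moved")]


# Constructed sample: five O4 lines (four quoted in the thread, one benign stand-in).
SAMPLE_SCRIPT = r""":OTL
O4 - HKLM..\Run: [gkynihsnru] c:\Documents and Settings\John Connor\Local Settings\Application Data\fdhwbksk\rjhyfw.exe ()
O4 - HKLM..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()
O4 - HKLM..\Run: [kwnbjtmrfl] c:\Documents and Settings\Adrian\Local Settings\Application Data\qdswimv\pspqqtj.exe ()
O4 - HKLM..\Run: [benign] c:\Program Files\ExampleVendor\tool.exe (Example Vendor)
O4 - HKCU..\Run: [ircijcaybwo] c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe ()
:commands
[reboot]
"""
# Constructed sample log: the kwnbjtmrfl value is deliberately absent from it.
SAMPLE_LOG = r"""========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\gkynihsnru deleted successfully.
c:\Documents and Settings\John Connor\Local Settings\Application Data\fdhwbksk\rjhyfw.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ircijcaybwo deleted successfully.
c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ircijcaybwo deleted successfully.
File c:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe not found.
C:\Documents and Settings\memoirs\Local Settings\Application Data\whcdawih folder moved successfully.
"""

if __name__ == "__main__":
    rep = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    for (hive, name), info in rep.items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{hive} {name:14} {flag:10} {info['file']}")
    print("needs a second look:", leftovers(rep))
```

Anything listed under "needs a second look" is a Run value the fix never touched, which is the case to re-scan for rather than the expected "not found" twins.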

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Sat 19 Jun 2010, 10:16 am

I went ahead and ran Malwarebytes' Anti-Malware because I assume that's the next step and I thought it'd save us some time. It doesn't look like it got rid of all the random.exe's that are listed in the earlier posts. Here's the log:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4213

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

6/18/2010 8:48:05 PM
mbam-log-2010-06-18 (20-48-05).txt

Scan type: Quick scan
Objects scanned: 146683
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrantmgj (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrantmgj (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elgohxcqhmdrcf (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elgohxcqhmdrcf (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\memoirs\local settings\application data\hnekrik\eqdjjf.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
c:\documents and settings\memoirs\local settings\application data\hadkdjvi\taawiy.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\memoirs\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux


Re: AV Security Suite annihilated windows

Post by Belahzur on Sat 19 Jun 2010, 11:15 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Sat 19 Jun 2010, 12:11 pm

ComboFix 10-06-17.03 - memoirs 06/18/2010 18:01:22.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2920 [GMT -7:00]
Running from: c:\documents and settings\memoirs\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\memoirs\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 23:07 . 2010-06-18 23:11 -------- d-----w- c:\documents and settings\memoirs\Application Data\vlc
2010-06-18 04:10 . 2010-06-18 04:10 -------- d-----w- C:\_OTL
2010-06-18 04:09 . 2010-06-19 03:48 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\hadkdjvi
2010-06-18 04:09 . 2010-06-19 03:48 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\hnekrik
2010-06-17 05:10 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\tnfaof
2010-06-17 05:07 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\dhaegd
2010-06-17 05:04 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\qdswimv
2010-06-17 05:00 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\jclgsnask
2010-06-17 04:00 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\snoafjp
2010-06-17 03:55 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\qvveagw
2010-06-17 03:18 . 2010-06-17 05:56 -------- d-----w- c:\documents and settings\John Connor\Tracing
2010-06-17 03:02 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\fdhwbksk
2010-06-16 03:47 . 2010-06-16 03:48 -------- d-----w- c:\documents and settings\memoirs\Application Data\Mount&Blade Warband
2010-06-15 23:23 . 2010-06-16 01:23 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\SecondLife
2010-06-15 23:23 . 2010-06-15 23:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\SecondLife
2010-06-15 23:20 . 2010-06-15 23:20 -------- d-----w- c:\program files\SecondLifeViewer2
2010-06-15 20:58 . 2010-06-15 20:58 -------- d-s---w- c:\documents and settings\memoirs\UserData
2010-06-15 04:53 . 2010-06-19 00:30 -------- d-----w- c:\program files\PeerBlock
2010-06-15 04:51 . 2010-06-15 05:00 -------- d-----w- c:\documents and settings\memoirs\Application Data\gtk-2.0
2010-06-15 04:51 . 2010-06-15 04:51 -------- d-----w- c:\documents and settings\memoirs\Application Data\Python-Eggs
2010-06-15 04:48 . 2010-06-15 04:48 -------- d-----w- c:\program files\GTK2-Runtime
2010-06-15 04:46 . 2010-06-15 04:47 -------- d-----w- c:\program files\Deluge
2010-06-15 04:41 . 2010-06-17 02:52 -------- d-----w- c:\documents and settings\memoirs\Application Data\deluge
2010-06-14 23:44 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-06-14 23:44 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-06-14 23:44 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-06-14 23:44 . 2010-06-16 03:48 -------- d-----w- c:\program files\Mount&Blade Warband
2010-06-14 22:41 . 2010-06-19 04:04 -------- d-----w- c:\documents and settings\memoirs\Tracing
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Microsoft
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-14 22:32 . 2010-06-14 22:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-14 22:30 . 2010-06-14 22:30 -------- d-----w- c:\documents and settings\memoirs\Contacts
2010-06-13 20:37 . 2010-06-13 20:37 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\My Games
2010-06-13 20:36 . 2010-06-13 20:36 -------- d-----w- C:\ProgramData
2010-06-13 14:50 . 2010-06-17 02:16 -------- d-----w- c:\documents and settings\memoirs\Application Data\Xfire
2010-06-13 14:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-13 14:44 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-13 14:44 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-13 14:44 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-13 14:41 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-10 20:02 . 2010-06-19 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\eboostr
2010-06-10 20:02 . 2010-06-10 21:44 -------- d-----w- c:\program files\eBoostr
2010-06-09 21:06 . 2010-06-09 21:06 -------- d-----w- c:\program files\Scanti
2010-06-09 20:56 . 2010-06-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-06-09 20:56 . 2010-06-09 20:57 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-09 20:55 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-09 20:55 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-03 20:48 . 2010-06-03 20:48 -------- d-----w- c:\program files\NTCore
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 02:35 . 2010-06-02 19:04 -------- d-----w- c:\program files\Mass Effect 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 20:26 . 2008-11-15 02:48 -------- d-----w- c:\program files\Steam
2010-06-17 05:07 . 2008-11-03 14:25 23304 ----a-w- c:\documents and settings\Adrian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 03:01 . 2009-12-30 00:32 23304 ----a-w- c:\documents and settings\John Connor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 01:47 . 2008-11-14 23:05 -------- d-----w- c:\program files\Xfire
2010-06-15 01:47 . 2008-11-15 05:43 -------- d-----w- c:\program files\Zune
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-14 22:41 . 2009-06-04 21:19 23304 ----a-w- c:\documents and settings\memoirs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 22:34 . 2008-11-14 19:53 -------- d-----w- c:\program files\Windows Live
2010-06-13 14:42 . 2008-11-27 05:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-10 20:12 . 2009-11-22 22:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\U3
2010-06-09 21:09 . 2010-05-10 23:21 -------- d-----w- c:\program files\FaceGen Modeller 3.4 Free
2010-06-06 04:30 . 2008-11-03 17:31 -------- d-----w- c:\program files\Bethesda Softworks
2010-06-04 17:24 . 2008-11-19 02:12 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-06-04 17:15 . 2009-02-06 04:57 -------- d-----w- c:\program files\Paradox Interactive
2010-06-04 17:12 . 2008-11-03 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 16:58 . 2009-02-19 15:53 -------- d-----w- c:\program files\Maxis
2010-06-04 16:43 . 2009-03-03 04:17 -------- d-----w- c:\program files\AOE II & III
2010-06-03 23:04 . 2009-09-11 23:26 -------- d-----w- c:\documents and settings\memoirs\Application Data\dvdcss
2010-05-30 19:58 . 2010-04-06 05:02 -------- d-----w- c:\documents and settings\memoirs\Application Data\Grand Ages Rome
2010-05-29 18:37 . 2010-02-03 23:38 -------- d-----w- c:\documents and settings\memoirs\Application Data\Any Audio Converter
2010-05-25 02:54 . 2010-04-25 23:18 -------- d-----w- c:\program files\Common Files\BioWare
2010-05-19 07:35 . 2009-07-07 01:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 22:04 . 2010-04-25 22:54 -------- d-----w- c:\program files\Mass Effect
2010-05-16 15:15 . 2008-11-03 21:26 -------- d-----w- c:\program files\Warcraft III
2010-05-12 21:31 . 2010-05-12 21:31 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-12 21:31 . 2010-05-12 21:31 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-11 22:38 . 2010-05-11 01:30 -------- d-----w- c:\program files\Alcohol 120
2010-05-11 21:55 . 2010-05-10 23:01 -------- d-----w- c:\program files\roms
2010-05-11 01:24 . 2009-01-09 10:04 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-10 23:22 . 2010-05-10 23:22 -------- d-----w- c:\documents and settings\memoirs\Application Data\FaceGen
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_6FEFF9B68218417F98F549.exe
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_061D43A5181EFECA1957E0.exe
2010-05-02 05:22 . 2004-08-03 23:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 00:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-04 00:56 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-08 01:58 . 2008-11-03 13:54 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-04 02:23 . 2010-04-04 02:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 02:23 . 2010-04-04 02:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 02:23 . 2010-04-04 02:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 02:23 . 2010-04-04 02:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 02:23 . 2010-04-04 02:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 02:22 . 2010-04-04 02:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-03 22:55 . 2009-05-01 05:02 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2009-05-01 05:02 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 22:55 . 2009-05-01 05:02 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2008-11-03 14:07 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55 . 2008-10-07 20:33 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55 . 2008-10-07 20:33 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2008-10-07 20:33 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55 . 2008-10-07 20:33 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2008-10-07 20:33 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55 . 2008-10-07 20:33 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 22:55 . 2008-10-07 20:33 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-06-10 1843312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\jdk\bin\jusched.exe" [2009-05-10 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - c:\program files\eBoostr\eBoostrCP.exe [2008-8-8 1011320]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"\\\\GOLLUM\\SID MEIER'S CIVILIZATION 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\insurgency\\hl2.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Warcraft II BNE\\Warcraft II BNE.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\JDK\\bin\\java.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\EA Games\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Deluge\\Deluge-Python\\deluge.exe"=

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\EBoost.sys [8/8/2008 5:17 AM 96376]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [8/8/2008 5:17 AM 843384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/9/2009 3:04 AM 721904]
S3 jatmlano;jatmlano;\??\c:\docume~1\memoirs\LOCALS~1\Temp\jatmlano.sys --> c:\docume~1\memoirs\LOCALS~1\Temp\jatmlano.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:1032
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\
FF - plugin: c:\jdk\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\jdk\bin\new_plugin\npjp2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
AddRemove-Age of Empires 2.0 - c:\program files\Microsoft Games\Age of Empires II\UNINSTAL.EXE
AddRemove-Age of Empires II: The Conquerors Expansion 1.0 - c:\program files\Microsoft Games\Age of Empires II\UNINSTALX.EXE
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-OpenAL - c:\program files\OpenAL\oalinst.exe
AddRemove-Wilderness Sounds 3.0 by Puma Man - c:\program files\Bethesda Softworks\Morrowind\Data Files\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-18 18:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\COMRes.dll
.
Completion time: 2010-06-18 18:08:28
ComboFix-quarantined-files.txt 2010-06-19 01:08

Pre-Run: 97,680,326,656 bytes free
Post-Run: 97,776,287,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 197C71DBEFDABFD60275F7FD8A783C3B

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Sun 20 Jun 2010, 4:00 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    Folder::
    c:\documents and settings\memoirs\Local Settings\Application Data\hadkdjvi
    c:\documents and settings\memoirs\Local Settings\Application Data\hnekrik
    c:\documents and settings\Adrian\Local Settings\Application Data\tnfaof
    c:\documents and settings\Adrian\Local Settings\Application Data\dhaegd
    c:\documents and settings\Adrian\Local Settings\Application Data\qdswimv
    c:\documents and settings\Adrian\Local Settings\Application Data\jclgsnask
    c:\documents and settings\John Connor\Local Settings\Application Data\snoafjp
    c:\documents and settings\John Connor\Local Settings\Application Data\qvveagw
    c:\documents and settings\John Connor\Local Settings\Application Data\fdhwbksk

    Driver::
    jatmlano

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1032
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Tue 22 Jun 2010, 4:41 am

ComboFix 10-06-17.03 - memoirs 06/20/2010 11:03:30.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2927 [GMT -7:00]
Running from: c:\documents and settings\memoirs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\memoirs\Desktop\CFscript.txt.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-19 04:46 . 2010-06-19 04:46 -------- d-----w- c:\documents and settings\memoirs\Application Data\The Creative Assembly
2010-06-19 03:49 . 2010-06-19 03:49 -------- d-----w- c:\documents and settings\memoirs\Application Data\Unity
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\memoirs\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-19 02:44 . 2010-06-19 02:44 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\Unity
2010-06-19 02:44 . 2010-06-19 02:44 -------- d-----w- c:\program files\Unity
2010-06-18 23:07 . 2010-06-19 19:01 -------- d-----w- c:\documents and settings\memoirs\Application Data\vlc
2010-06-18 04:10 . 2010-06-18 04:10 -------- d-----w- C:\_OTL
2010-06-18 04:09 . 2010-06-19 03:48 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\hadkdjvi
2010-06-18 04:09 . 2010-06-19 03:48 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\hnekrik
2010-06-17 05:10 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\tnfaof
2010-06-17 05:07 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\dhaegd
2010-06-17 05:04 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\qdswimv
2010-06-17 05:00 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\jclgsnask
2010-06-17 04:00 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\snoafjp
2010-06-17 03:55 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\qvveagw
2010-06-17 03:18 . 2010-06-17 05:56 -------- d-----w- c:\documents and settings\John Connor\Tracing
2010-06-17 03:02 . 2010-06-18 07:25 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\fdhwbksk
2010-06-16 03:47 . 2010-06-16 03:48 -------- d-----w- c:\documents and settings\memoirs\Application Data\Mount&Blade Warband
2010-06-15 23:23 . 2010-06-16 01:23 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\SecondLife
2010-06-15 23:23 . 2010-06-15 23:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\SecondLife
2010-06-15 23:20 . 2010-06-15 23:20 -------- d-----w- c:\program files\SecondLifeViewer2
2010-06-15 20:58 . 2010-06-15 20:58 -------- d-s---w- c:\documents and settings\memoirs\UserData
2010-06-15 04:53 . 2010-06-20 17:57 -------- d-----w- c:\program files\PeerBlock
2010-06-15 04:51 . 2010-06-15 05:00 -------- d-----w- c:\documents and settings\memoirs\Application Data\gtk-2.0
2010-06-15 04:51 . 2010-06-15 04:51 -------- d-----w- c:\documents and settings\memoirs\Application Data\Python-Eggs
2010-06-15 04:48 . 2010-06-15 04:48 -------- d-----w- c:\program files\GTK2-Runtime
2010-06-15 04:46 . 2010-06-15 04:47 -------- d-----w- c:\program files\Deluge
2010-06-15 04:41 . 2010-06-17 02:52 -------- d-----w- c:\documents and settings\memoirs\Application Data\deluge
2010-06-14 23:44 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-06-14 23:44 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-06-14 23:44 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-06-14 23:44 . 2010-06-16 03:48 -------- d-----w- c:\program files\Mount&Blade Warband
2010-06-14 22:41 . 2010-06-20 17:56 -------- d-----w- c:\documents and settings\memoirs\Tracing
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Microsoft
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-14 22:32 . 2010-06-14 22:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-14 22:30 . 2010-06-14 22:30 -------- d-----w- c:\documents and settings\memoirs\Contacts
2010-06-13 20:37 . 2010-06-13 20:37 -------- d-----w- c:\documents and settings\John Connor\Local Settings\Application Data\My Games
2010-06-13 20:36 . 2010-06-13 20:36 -------- d-----w- C:\ProgramData
2010-06-13 14:50 . 2010-06-19 07:33 -------- d-----w- c:\documents and settings\memoirs\Application Data\Xfire
2010-06-13 14:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-13 14:44 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-13 14:44 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-13 14:44 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-13 14:41 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-10 20:02 . 2010-06-20 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\eboostr
2010-06-10 20:02 . 2010-06-10 21:44 -------- d-----w- c:\program files\eBoostr
2010-06-09 21:06 . 2010-06-09 21:06 -------- d-----w- c:\program files\Scanti
2010-06-09 20:56 . 2010-06-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-06-09 20:56 . 2010-06-09 20:57 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-09 20:55 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-09 20:55 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-03 20:48 . 2010-06-03 20:48 -------- d-----w- c:\program files\NTCore
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 02:35 . 2010-06-02 19:04 -------- d-----w- c:\program files\Mass Effect 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-06-19 04:50 . 2008-11-15 02:48 -------- d-----w- c:\program files\Steam
2010-06-19 02:03 . 2008-11-14 23:05 -------- d-----w- c:\program files\Xfire
2010-06-17 05:07 . 2008-11-03 14:25 23304 ----a-w- c:\documents and settings\Adrian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 03:01 . 2009-12-30 00:32 23304 ----a-w- c:\documents and settings\John Connor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 01:47 . 2008-11-15 05:43 -------- d-----w- c:\program files\Zune
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-14 22:41 . 2009-06-04 21:19 23304 ----a-w- c:\documents and settings\memoirs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 22:34 . 2008-11-14 19:53 -------- d-----w- c:\program files\Windows Live
2010-06-13 14:42 . 2008-11-27 05:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-10 20:12 . 2009-11-22 22:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\U3
2010-06-09 21:09 . 2010-05-10 23:21 -------- d-----w- c:\program files\FaceGen Modeller 3.4 Free
2010-06-06 04:30 . 2008-11-03 17:31 -------- d-----w- c:\program files\Bethesda Softworks
2010-06-04 17:24 . 2008-11-19 02:12 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-06-04 17:15 . 2009-02-06 04:57 -------- d-----w- c:\program files\Paradox Interactive
2010-06-04 17:12 . 2008-11-03 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 16:58 . 2009-02-19 15:53 -------- d-----w- c:\program files\Maxis
2010-06-04 16:43 . 2009-03-03 04:17 -------- d-----w- c:\program files\AOE II & III
2010-06-03 23:04 . 2009-09-11 23:26 -------- d-----w- c:\documents and settings\memoirs\Application Data\dvdcss
2010-05-30 19:58 . 2010-04-06 05:02 -------- d-----w- c:\documents and settings\memoirs\Application Data\Grand Ages Rome
2010-05-29 18:37 . 2010-02-03 23:38 -------- d-----w- c:\documents and settings\memoirs\Application Data\Any Audio Converter
2010-05-25 02:54 . 2010-04-25 23:18 -------- d-----w- c:\program files\Common Files\BioWare
2010-05-19 07:35 . 2009-07-07 01:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 22:04 . 2010-04-25 22:54 -------- d-----w- c:\program files\Mass Effect
2010-05-16 15:15 . 2008-11-03 21:26 -------- d-----w- c:\program files\Warcraft III
2010-05-12 21:31 . 2010-05-12 21:31 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-12 21:31 . 2010-05-12 21:31 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-11 22:38 . 2010-05-11 01:30 -------- d-----w- c:\program files\Alcohol 120
2010-05-11 21:55 . 2010-05-10 23:01 -------- d-----w- c:\program files\roms
2010-05-11 01:24 . 2009-01-09 10:04 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-10 23:22 . 2010-05-10 23:22 -------- d-----w- c:\documents and settings\memoirs\Application Data\FaceGen
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_6FEFF9B68218417F98F549.exe
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_061D43A5181EFECA1957E0.exe
2010-05-02 05:22 . 2004-08-03 23:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 00:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-04 00:56 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-08 01:58 . 2008-11-03 13:54 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-04 02:23 . 2010-04-04 02:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 02:23 . 2010-04-04 02:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 02:23 . 2010-04-04 02:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 02:23 . 2010-04-04 02:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 02:23 . 2010-04-04 02:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 02:22 . 2010-04-04 02:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-03 22:55 . 2009-05-01 05:02 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2009-05-01 05:02 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 22:55 . 2009-05-01 05:02 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2008-11-03 14:07 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55 . 2008-10-07 20:33 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55 . 2008-10-07 20:33 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2008-10-07 20:33 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55 . 2008-10-07 20:33 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2008-10-07 20:33 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55 . 2008-10-07 20:33 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 22:55 . 2008-10-07 20:33 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-20 18:02 . 2010-06-20 18:02 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
+ 2010-06-20 18:02 . 2010-06-20 18:02 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat
+ 2010-01-07 21:22 . 2010-01-07 21:22 74240 c:\windows\system32\ZuneUsbTransport.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 18944 c:\windows\system32\ZuneTcp2Udp.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 57344 c:\windows\system32\ZuneRegUtil.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 12800 c:\windows\system32\ZunePTDNS.dll
+ 2006-09-29 01:56 . 2009-07-14 01:16 64512 c:\windows\system32\WudfSvc.dll
+ 2006-09-29 03:13 . 2009-07-14 01:16 39936 c:\windows\system32\WUDFCoinstaller.dll
+ 2008-11-03 14:32 . 2008-11-08 01:55 16928 c:\windows\system32\spmsg.dll
+ 2006-09-29 01:55 . 2009-07-13 23:50 91904 c:\windows\system32\drivers\WudfPf.sys
+ 2010-01-07 21:22 . 2010-01-07 21:22 310784 c:\windows\system32\ZuneNetProxy.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 147456 c:\windows\system32\ZuneMTPZ.dll
+ 2006-09-29 01:56 . 2009-07-14 01:16 567808 c:\windows\system32\WUDFx.dll
+ 2006-09-29 01:56 . 2009-07-13 23:50 148480 c:\windows\system32\WudfPlatform.dll
+ 2006-09-29 01:56 . 2009-07-14 01:14 195584 c:\windows\system32\WudfHost.exe
+ 2006-09-29 02:00 . 2009-07-13 23:50 132224 c:\windows\system32\drivers\WudfRd.sys
+ 2010-01-07 21:22 . 2010-01-07 21:22 708608 c:\windows\system32\drivers\UMDF\ZuneDriver.dll
+ 2009-12-14 22:28 . 2009-12-14 22:28 1837296 c:\windows\system32\WUDFUpdate_01009.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\jdk\bin\jusched.exe" [2009-05-10 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - c:\program files\eBoostr\eBoostrCP.exe [2008-8-8 1011320]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"\\\\GOLLUM\\SID MEIER'S CIVILIZATION 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\insurgency\\hl2.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Warcraft II BNE\\Warcraft II BNE.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\JDK\\bin\\java.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\EA Games\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Deluge\\Deluge-Python\\deluge.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike\\hl.exe"=

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\EBoost.sys [8/8/2008 5:17 AM 96376]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [8/8/2008 5:17 AM 843384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/9/2009 3:04 AM 721904]
S3 jatmlano;jatmlano;\??\c:\docume~1\memoirs\LOCALS~1\Temp\jatmlano.sys --> c:\docume~1\memoirs\LOCALS~1\Temp\jatmlano.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2010-06-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:1032
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\
FF - plugin: c:\jdk\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\jdk\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-20 11:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-20 11:16:40
ComboFix-quarantined-files.txt 2010-06-20 18:16
ComboFix2.txt 2010-06-19 01:08

Pre-Run: 90,880,270,336 bytes free
Post-Run: 90,878,459,904 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6EB9A049301D27E633A4CB039617D585

planetsngalaxies
Newbie Surfer
Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Tue 22 Jun 2010, 4:51 am

Hello.
That didn't work correctly because the script file wasn't saved correctly. The log shows it was named "CFscript.txt.txt" when it needs to be named "CFScript.txt".

I suspect this may be because you cannot see file extensions when you saved it. Try once more and post the new log, please.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Wed 23 Jun 2010, 3:05 am

ComboFix 10-06-17.03 - memoirs 06/21/2010 14:18:01.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2792 [GMT -7:00]
Running from: c:\documents and settings\memoirs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\memoirs\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\memoirs\Local Settings\Application Data\hadkdjvi
c:\documents and settings\memoirs\Local Settings\Application Data\hnekrik

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JATMLANO
-------\Service_jatmlano


((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-21 19:37 . 2010-06-21 19:37 -------- d-----w- c:\documents and settings\John Connor
2010-06-21 19:37 . 2010-06-21 19:37 -------- d-----w- c:\documents and settings\Adrian
2010-06-19 04:46 . 2010-06-19 04:46 -------- d-----w- c:\documents and settings\memoirs\Application Data\The Creative Assembly
2010-06-19 03:49 . 2010-06-19 03:49 -------- d-----w- c:\documents and settings\memoirs\Application Data\Unity
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\memoirs\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-19 02:44 . 2010-06-19 02:44 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\Unity
2010-06-19 02:44 . 2010-06-19 02:44 -------- d-----w- c:\program files\Unity
2010-06-18 23:07 . 2010-06-21 07:00 -------- d-----w- c:\documents and settings\memoirs\Application Data\vlc
2010-06-18 04:10 . 2010-06-18 04:10 -------- d-----w- C:\_OTL
2010-06-16 03:47 . 2010-06-16 03:48 -------- d-----w- c:\documents and settings\memoirs\Application Data\Mount&Blade Warband
2010-06-15 23:23 . 2010-06-16 01:23 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\SecondLife
2010-06-15 23:23 . 2010-06-15 23:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\SecondLife
2010-06-15 23:20 . 2010-06-15 23:20 -------- d-----w- c:\program files\SecondLifeViewer2
2010-06-15 20:58 . 2010-06-15 20:58 -------- d-s---w- c:\documents and settings\memoirs\UserData
2010-06-15 04:53 . 2010-06-20 17:57 -------- d-----w- c:\program files\PeerBlock
2010-06-15 04:51 . 2010-06-15 05:00 -------- d-----w- c:\documents and settings\memoirs\Application Data\gtk-2.0
2010-06-15 04:51 . 2010-06-15 04:51 -------- d-----w- c:\documents and settings\memoirs\Application Data\Python-Eggs
2010-06-15 04:48 . 2010-06-15 04:48 -------- d-----w- c:\program files\GTK2-Runtime
2010-06-15 04:46 . 2010-06-15 04:47 -------- d-----w- c:\program files\Deluge
2010-06-15 04:41 . 2010-06-17 02:52 -------- d-----w- c:\documents and settings\memoirs\Application Data\deluge
2010-06-14 23:44 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-06-14 23:44 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-06-14 23:44 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-06-14 23:44 . 2010-06-16 03:48 -------- d-----w- c:\program files\Mount&Blade Warband
2010-06-14 22:41 . 2010-06-22 03:09 -------- d-----w- c:\documents and settings\memoirs\Tracing
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Microsoft
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-14 22:32 . 2010-06-14 22:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-14 22:30 . 2010-06-14 22:30 -------- d-----w- c:\documents and settings\memoirs\Contacts
2010-06-13 20:36 . 2010-06-13 20:36 -------- d-----w- C:\ProgramData
2010-06-13 14:50 . 2010-06-19 07:33 -------- d-----w- c:\documents and settings\memoirs\Application Data\Xfire
2010-06-13 14:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-13 14:44 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-13 14:44 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-13 14:44 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-13 14:41 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-10 20:02 . 2010-06-22 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\eboostr
2010-06-10 20:02 . 2010-06-10 21:44 -------- d-----w- c:\program files\eBoostr
2010-06-09 21:06 . 2010-06-09 21:06 -------- d-----w- c:\program files\Scanti
2010-06-09 20:56 . 2010-06-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-06-09 20:56 . 2010-06-09 20:57 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-09 20:55 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-09 20:55 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-03 20:48 . 2010-06-03 20:48 -------- d-----w- c:\program files\NTCore
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 02:35 . 2010-06-02 19:04 -------- d-----w- c:\program files\Mass Effect 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-06-19 04:50 . 2008-11-15 02:48 -------- d-----w- c:\program files\Steam
2010-06-19 02:03 . 2008-11-14 23:05 -------- d-----w- c:\program files\Xfire
2010-06-15 01:47 . 2008-11-15 05:43 -------- d-----w- c:\program files\Zune
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-14 22:41 . 2009-06-04 21:19 23304 ----a-w- c:\documents and settings\memoirs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 22:34 . 2008-11-14 19:53 -------- d-----w- c:\program files\Windows Live
2010-06-13 14:42 . 2008-11-27 05:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-10 20:12 . 2009-11-22 22:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\U3
2010-06-09 21:09 . 2010-05-10 23:21 -------- d-----w- c:\program files\FaceGen Modeller 3.4 Free
2010-06-06 04:30 . 2008-11-03 17:31 -------- d-----w- c:\program files\Bethesda Softworks
2010-06-04 17:24 . 2008-11-19 02:12 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-06-04 17:15 . 2009-02-06 04:57 -------- d-----w- c:\program files\Paradox Interactive
2010-06-04 17:12 . 2008-11-03 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 16:58 . 2009-02-19 15:53 -------- d-----w- c:\program files\Maxis
2010-06-04 16:43 . 2009-03-03 04:17 -------- d-----w- c:\program files\AOE II & III
2010-06-03 23:04 . 2009-09-11 23:26 -------- d-----w- c:\documents and settings\memoirs\Application Data\dvdcss
2010-05-30 19:58 . 2010-04-06 05:02 -------- d-----w- c:\documents and settings\memoirs\Application Data\Grand Ages Rome
2010-05-29 18:37 . 2010-02-03 23:38 -------- d-----w- c:\documents and settings\memoirs\Application Data\Any Audio Converter
2010-05-25 02:54 . 2010-04-25 23:18 -------- d-----w- c:\program files\Common Files\BioWare
2010-05-19 07:35 . 2009-07-07 01:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 22:04 . 2010-04-25 22:54 -------- d-----w- c:\program files\Mass Effect
2010-05-16 15:15 . 2008-11-03 21:26 -------- d-----w- c:\program files\Warcraft III
2010-05-12 21:31 . 2010-05-12 21:31 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-12 21:31 . 2010-05-12 21:31 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-11 22:38 . 2010-05-11 01:30 -------- d-----w- c:\program files\Alcohol 120
2010-05-11 21:55 . 2010-05-10 23:01 -------- d-----w- c:\program files\roms
2010-05-11 01:24 . 2009-01-09 10:04 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-10 23:22 . 2010-05-10 23:22 -------- d-----w- c:\documents and settings\memoirs\Application Data\FaceGen
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_6FEFF9B68218417F98F549.exe
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_061D43A5181EFECA1957E0.exe
2010-05-02 05:22 . 2004-08-03 23:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 00:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-04 00:56 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-08 01:58 . 2008-11-03 13:54 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-04 02:23 . 2010-04-04 02:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 02:23 . 2010-04-04 02:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 02:23 . 2010-04-04 02:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 02:23 . 2010-04-04 02:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 02:23 . 2010-04-04 02:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 02:22 . 2010-04-04 02:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-03 22:55 . 2009-05-01 05:02 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2009-05-01 05:02 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 22:55 . 2009-05-01 05:02 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2008-11-03 14:07 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55 . 2008-10-07 20:33 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55 . 2008-10-07 20:33 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2008-10-07 20:33 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55 . 2008-10-07 20:33 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2008-10-07 20:33 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55 . 2008-10-07 20:33 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 22:55 . 2008-10-07 20:33 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\jdk\bin\jusched.exe" [2009-05-10 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - c:\program files\eBoostr\eBoostrCP.exe [2008-8-8 1011320]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"\\\\GOLLUM\\SID MEIER'S CIVILIZATION 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\insurgency\\hl2.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Warcraft II BNE\\Warcraft II BNE.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\JDK\\bin\\java.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\EA Games\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Deluge\\Deluge-Python\\deluge.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike\\hl.exe"=

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\EBoost.sys [8/8/2008 5:17 AM 96376]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/9/2009 3:04 AM 721904]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [8/8/2008 5:17 AM 843384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\
FF - plugin: c:\jdk\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\jdk\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-21 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spnz.sys >>UNKNOWN [0x8B22E938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e66cb8
\Driver\atapi -> atapi.sys @ 0xb7dfbb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7cd6bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7cc5a0d
SendHandler -> NDIS.sys @ 0xb7cd9b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(716)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\jdk\bin\jqs.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-06-21 20:16:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 03:16
ComboFix2.txt 2010-06-21 19:37
ComboFix3.txt 2010-06-20 18:16
ComboFix4.txt 2010-06-19 01:08

Pre-Run: 86,195,326,976 bytes free
Post-Run: 86,071,209,984 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 05C02F15FD6C47302A0B0865D275300F

planetsngalaxies
Newbie Surfer
Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Wed 23 Jun 2010, 4:42 am

Hello.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
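One way to triage the "Scanning Drivers" section of the TDSSKiller log requested above, as an added example that is neither the forum's nor TDSSKiller's own code: it parses each driver line into service name, MD5 and path, then compares the hash against a baseline of known-good values and flags drivers living outside the usual driver directory. The baseline, the zero-filled mismatch hash and the helper names are constructed for this example; the ACPI, atapi and GTNDIS5 values are the ones that appear in the log posted in this thread.

```python
"""Triage helper for the 'Scanning Drivers' section of a TDSSKiller log.

Added example; not part of the forum thread or of TDSSKiller itself.
Each driver line has the shape

    12:10:24:625 2844 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

i.e. timestamp, PID, service name, MD5 in parentheses, image path.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Timestamp, PID, service name, "(md5)", path. Header lines such as
# "Scanning Drivers ..." or "SystemInfo:" do not match and are skipped.
DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)

# Where TDSSKiller normally finds kernel drivers on XP; anything elsewhere
# is not necessarily bad, but it is worth a second look.
USUAL_DRIVER_DIR = "\\system32\\drivers\\"

# Constructed baseline: service name -> expected MD5. The two hashes are the
# ones shown for ACPI and atapi in the posted log; a real baseline would come
# from a clean reference machine or vendor-published hashes.
BASELINE = {
    "acpi": "8fd99680a539792a30e97944fdaecf17",
    "atapi": "9f3a2f5aa6875c72bf062c712cfa2674",
}

# Constructed sample: ACPI matches the baseline, atapi carries a deliberately
# altered (all-zero) hash, GTNDIS5 is not in the baseline and sits directly
# under system32 rather than system32\drivers.
SAMPLE_LOG = r"""
12:10:23:937 2844 Scanning Drivers ...
12:10:24:625 2844 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:10:25:234 2844 atapi (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:10:26:031 2844 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS
"""


@dataclass(frozen=True)
class DriverEntry:
    name: str
    md5: str
    path: str


def parse_driver_lines(log_text: str) -> list[DriverEntry]:
    """Return one DriverEntry per line that matches the driver format."""
    entries: list[DriverEntry] = []
    for line in log_text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
    return entries


def triage(entries: list[DriverEntry], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Bucket drivers by how they compare with the baseline.

    'ok'       : name known and hash matches
    'mismatch' : name known but hash differs (patched or replaced image)
    'unknown'  : name not in the baseline at all
    'unusual_location' : image path outside system32\\drivers (independent of the above)
    """
    result: dict[str, list[str]] = {
        "ok": [], "mismatch": [], "unknown": [], "unusual_location": []
    }
    for e in entries:
        expected = baseline.get(e.name.lower())
        if expected is None:
            result["unknown"].append(e.name)
        elif expected.lower() == e.md5:
            result["ok"].append(e.name)
        else:
            result["mismatch"].append(e.name)
        if USUAL_DRIVER_DIR not in e.path.lower():
            result["unusual_location"].append(e.name)
    return result


if __name__ == "__main__":
    report = triage(parse_driver_lines(SAMPLE_LOG), BASELINE)
    for bucket, names in report.items():
        print(f"{bucket:17s}: {', '.join(names) or '-'}")
```

Hash mismatches and unknown drivers are leads for the helper reading the log, not verdicts; a driver updated after the baseline was taken will show up as a mismatch too.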

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Wed 23 Jun 2010, 9:00 am

12:10:22:703 2844 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
12:10:22:703 2844 ================================================================================
12:10:22:703 2844 SystemInfo:

12:10:22:703 2844 OS Version: 5.1.2600 ServicePack: 3.0
12:10:22:703 2844 Product type: Workstation
12:10:22:703 2844 ComputerName: ADRIAN-9B9F6298
12:10:22:703 2844 UserName: memoirs
12:10:22:703 2844 Windows directory: C:\WINDOWS
12:10:22:703 2844 Processor architecture: Intel x86
12:10:22:703 2844 Number of processors: 4
12:10:22:703 2844 Page size: 0x1000
12:10:22:703 2844 Boot type: Normal boot
12:10:22:703 2844 ================================================================================
12:10:23:531 2844 Initialize success
12:10:23:531 2844
12:10:23:531 2844 Scanning Services ...
12:10:23:937 2844 Raw services enum returned 336 services
12:10:23:937 2844
12:10:23:937 2844 Scanning Drivers ...
12:10:28:546 2844 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:10:28:578 2844 rspndr (a3b23fb3f295694091f51865f98588b2) C:\WINDOWS\system32\DRIVERS\rspndr.sys
12:10:28:593 2844 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:10:28:609 2844 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:10:28:609 2844 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
12:10:28:609 2844 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:10:28:640 2844 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:10:28:703 2844 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
12:10:28:703 2844 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
12:10:28:734 2844 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:10:28:750 2844 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
12:10:28:781 2844 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:10:28:781 2844 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:10:28:828 2844 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:10:28:890 2844 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:10:28:921 2844 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:10:28:937 2844 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:10:28:937 2844 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:10:28:953 2844 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:10:28:984 2844 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:10:29:000 2844 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:10:29:000 2844 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:10:29:031 2844 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:10:29:062 2844 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
12:10:29:062 2844 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:10:29:062 2844 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:10:29:078 2844 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:10:29:078 2844 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:10:29:093 2844 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:10:29:093 2844 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:10:29:140 2844 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
12:10:29:156 2844 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:10:29:203 2844 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
12:10:29:234 2844 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
12:10:29:265 2844 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
12:10:29:296 2844 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
12:10:29:312 2844 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
12:10:29:359 2844 zumbus (6bfb54f73aae470e9299e66cbc7bb632) C:\WINDOWS\system32\DRIVERS\zumbus.sys
12:10:29:359 2844
12:10:29:359 2844 Completed
12:10:29:359 2844
12:10:29:359 2844 Results:
12:10:29:359 2844 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:10:29:359 2844 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:10:29:359 2844
12:10:29:359 2844 KLMD(ARK) unloaded successfully

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Wed 23 Jun 2010, 10:47 am

Hello.

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Mon 28 Jun 2010, 4:55 am

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-25 07:57:44
Windows 5.1.2600 Service Pack 3
Running: vzmbpodh.exe; Driver: C:\DOCUME~1\memoirs\LOCALS~1\Temp\pgldrkow.sys


---- System - GMER 1.0.15 ----

SSDT spbc.sys ZwCreateKey [0xB7EB50E0]
SSDT spbc.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spbc.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT spbc.sys ZwOpenKey [0xB7EB50C0]
SSDT spbc.sys ZwQueryKey [0xB7ECE20A]
SSDT spbc.sys ZwQueryValueKey [0xB7ECE08A]
SSDT spbc.sys ZwSetValueKey [0xB7ECE29C]

INT 0x63 ? 8AFB2F00
INT 0x73 ? 8AFB2F00
INT 0x83 ? 8B283BF8
INT 0x83 ? 8B283BF8
INT 0x83 ? 8AFB2F00
INT 0x83 ? 8B283BF8
INT 0xB1 ? 8B210BF8
INT 0xB1 ? 8B210BF8

---- Kernel code sections - GMER 1.0.15 ----

? spbc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B78238AC 5 Bytes JMP 8AFB24E0
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6D1B380, 0x566445, 0xE8000020]
.text ad3lofki.SYS B6CD0386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ad3lofki.SYS B6CD03AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ad3lofki.SYS B6CD03C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ad3lofki.SYS B6CD03C9 1 Byte [2E]
.text ad3lofki.SYS B6CD03C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
.text appjz112.SYS B6C97386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text appjz112.SYS B6C973AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text appjz112.SYS B6C973C4 3 Bytes [00, 80, 02]
.text appjz112.SYS B6C973C9 1 Byte [30]
.text appjz112.SYS B6C973C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB2DCC300, 0x3AF78, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8418300, 0x1BCE, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spbc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spbc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spbc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spbc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spbc.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spbc.sys
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!KfAcquireSpinLock] CCCCCCC3
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!READ_PORT_UCHAR] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!KeGetCurrentIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!KfRaiseIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!KfLowerIrql] 8BEC8B55
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!HalGetInterruptVector] 00C73445
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!HalTranslateBusAddress] 00000000
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!KeStallExecutionProcessor] 830C458B
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!KfReleaseSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 053C0D74
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!READ_PORT_USHORT] 57B80974
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8B000000
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[HAL.dll!WRITE_PORT_UCHAR] 56C35DE5
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[WMILIB.SYS!WmiSystemControl] 8D51FC4D
IAT \SystemRoot\System32\Drivers\ad3lofki.SYS[WMILIB.SYS!WmiCompleteRequest] 8D52FD55
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\appjz112.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\appjz112.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\appjz112.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B2821F8

AttachedDevice \FileSystem\Ntfs \Ntfs eBoost.sys (eBoostr Filter Driver/eBoostr.com)

Device \Driver\NetBT \Device\NetBT_Tcpip_{430B52EA-1722-40C5-BB64-7019E10A8AF1} 8AA5B500
Device \Driver\usbohci \Device\USBPDO-0 8AFD51F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B20E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B20E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B20E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B20E1F8
Device \Driver\usbehci \Device\USBPDO-1 8B036500
Device \Driver\PCI_PNP0924 \Device\00000052 spbc.sys
Device \Driver\usbohci \Device\USBPDO-2 8AFD51F8
Device \Driver\PCI_PNP0924 \Device\00000053 spbc.sys
Device \Driver\usbehci \Device\USBPDO-3 8B036500
Device \Driver\sptd \Device\2577838424 spbc.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B2841F8
Device \Driver\Cdrom \Device\CdRom0 8AFD41F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B2841F8
Device \Driver\Cdrom \Device\CdRom1 8AFD41F8
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B2841F8
Device \Driver\Cdrom \Device\CdRom2 8AFD41F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AA5B500
Device \Driver\sptd \Device\2577682174 spbc.sys
Device \Driver\NetBT \Device\NetbiosSmb 8AA5B500
Device \Driver\usbohci \Device\USBFDO-0 8AFD51F8
Device \Driver\usbehci \Device\USBFDO-1 8B036500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AE561F8
Device \Driver\usbohci \Device\USBFDO-2 8AFD51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AE561F8
Device \Driver\usbehci \Device\USBFDO-3 8B036500
Device \Driver\Ftdisk \Device\FtControl 8B2841F8
Device \Driver\appjz112 \Device\Scsi\appjz1121Port4Path0Target0Lun0 8AFEB1F8
Device \Driver\ad3lofki \Device\Scsi\ad3lofki1 8AEB31F8
Device \Driver\ad3lofki \Device\Scsi\ad3lofki1Port5Path0Target0Lun0 8AEB31F8
Device \Driver\appjz112 \Device\Scsi\appjz1121 8AFEB1F8
Device \FileSystem\Cdfs \Cdfs 8AAE8500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDC 0xB4 0xA2 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x55 0x1F 0xF2 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA6 0x3D 0x06 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6B 0x83 0xD5 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0x71 0x52 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB2 0xF2 0x7F 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x51 0x1D 0xFD 0x24 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAA 0xB4 0x32 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x98 0x67 0x36 0x60 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x51 0x1D 0xFD 0x24 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAA 0xB4 0x32 0x04 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6E 0xD6 0x1E 0x61 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDC 0xB4 0xA2 0x05 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x55 0x1F 0xF2 0x47 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA6 0x3D 0x06 0x40 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6B 0x83 0xD5 0x58 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0x71 0x52 0x5C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB2 0xF2 0x7F 0x67 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x51 0x1D 0xFD 0x24 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAA 0xB4 0x32 0x04 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x98 0x67 0x36 0x60 ...

---- Files - GMER 1.0.15 ----

File C:\UCL\UCLShowcase\Showcase Pack Definition.txt 0 bytes

---- EOF - GMER 1.0.15 ----

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Mon 28 Jun 2010, 9:52 am

Woohoo, no rootkit.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Thu 08 Jul 2010, 4:12 am

It keeps getting stuck around 18%. Is it really necessary or could we skip this step?

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Thu 08 Jul 2010, 5:28 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    TDL::
    C:\WINDOWS\system32\Drivers\sptd.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [Picture: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Thu 08 Jul 2010, 6:53 am

ComboFix 10-07-06.05 - memoirs 07/07/2010 12:34:01.5.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2785 [GMT -7:00]
Running from: c:\documents and settings\memoirs\Desktop\DEFENSE\ComboFix.exe
Command switches used :: c:\documents and settings\memoirs\Desktop\DEFENSE\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-07-03 04:38 . 2010-07-03 04:39 -------- d-----w- c:\documents and settings\Guest\Application Data\Mount&Blade Warband
2010-06-22 22:49 . 2010-06-22 22:49 -------- d-----w- c:\documents and settings\memoirs\Application Data\Mount&Blade
2010-06-22 22:40 . 2010-06-23 15:06 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-06-21 19:37 . 2010-06-21 19:37 -------- d-----w- c:\documents and settings\John Connor
2010-06-21 19:37 . 2010-06-21 19:37 -------- d-----w- c:\documents and settings\Adrian
2010-06-19 04:46 . 2010-06-19 04:46 -------- d-----w- c:\documents and settings\memoirs\Application Data\The Creative Assembly
2010-06-19 03:49 . 2010-06-19 03:49 -------- d-----w- c:\documents and settings\memoirs\Application Data\Unity
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\memoirs\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 03:42 . 2010-06-19 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-19 03:42 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-19 02:44 . 2010-06-19 02:44 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\Unity
2010-06-19 02:44 . 2010-06-19 02:44 -------- d-----w- c:\program files\Unity
2010-06-18 23:07 . 2010-07-06 21:24 -------- d-----w- c:\documents and settings\memoirs\Application Data\vlc
2010-06-18 04:10 . 2010-06-18 04:10 -------- d-----w- C:\_OTL
2010-06-16 03:47 . 2010-06-16 03:48 -------- d-----w- c:\documents and settings\memoirs\Application Data\Mount&Blade Warband
2010-06-15 23:23 . 2010-06-16 01:23 -------- d-----w- c:\documents and settings\memoirs\Local Settings\Application Data\SecondLife
2010-06-15 23:23 . 2010-06-15 23:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\SecondLife
2010-06-15 23:20 . 2010-06-15 23:20 -------- d-----w- c:\program files\SecondLifeViewer2
2010-06-15 20:58 . 2010-06-15 20:58 -------- d-s---w- c:\documents and settings\memoirs\UserData
2010-06-15 04:53 . 2010-06-20 17:57 -------- d-----w- c:\program files\PeerBlock
2010-06-15 04:51 . 2010-06-15 05:00 -------- d-----w- c:\documents and settings\memoirs\Application Data\gtk-2.0
2010-06-15 04:51 . 2010-06-15 04:51 -------- d-----w- c:\documents and settings\memoirs\Application Data\Python-Eggs
2010-06-15 04:48 . 2010-06-15 04:48 -------- d-----w- c:\program files\GTK2-Runtime
2010-06-15 04:41 . 2010-06-17 02:52 -------- d-----w- c:\documents and settings\memoirs\Application Data\deluge
2010-06-14 23:44 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-06-14 23:44 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-06-14 23:44 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-06-14 23:44 . 2010-06-23 04:21 -------- d-----w- c:\program files\Mount&Blade Warband
2010-06-14 22:41 . 2010-07-07 19:44 -------- d-----w- c:\documents and settings\memoirs\Tracing
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Microsoft
2010-06-14 22:35 . 2010-06-14 22:35 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-14 22:32 . 2010-06-14 22:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-14 22:30 . 2010-06-14 22:30 -------- d-----w- c:\documents and settings\memoirs\Contacts
2010-06-13 20:36 . 2010-06-13 20:36 -------- d-----w- C:\ProgramData
2010-06-13 14:50 . 2010-06-19 07:33 -------- d-----w- c:\documents and settings\memoirs\Application Data\Xfire
2010-06-13 14:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-13 14:44 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-13 14:44 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-13 14:44 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-13 14:41 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-10 20:02 . 2010-07-07 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\eboostr
2010-06-10 20:02 . 2010-06-10 21:44 -------- d-----w- c:\program files\eBoostr
2010-06-09 21:06 . 2010-06-09 21:06 -------- d-----w- c:\program files\Scanti
2010-06-09 20:56 . 2010-06-09 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-06-09 20:56 . 2010-06-09 20:57 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-09 20:55 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-09 20:55 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 16:49 . 2008-11-14 23:05 -------- d-----w- c:\program files\Xfire
2010-07-04 15:00 . 2010-06-29 21:39 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2010-07-04 03:54 . 2008-11-15 02:48 -------- d-----w- c:\program files\Steam
2010-06-30 21:15 . 2008-11-03 15:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-29 22:55 . 2009-03-19 18:38 -------- d-----w- c:\documents and settings\Guest\Application Data\Mount&Blade
2010-06-29 21:36 . 2009-07-07 01:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-23 21:58 . 2008-11-05 04:22 23304 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 15:09 . 2009-06-28 20:32 -------- d-----w- c:\documents and settings\memoirs\Application Data\DAEMON Tools Lite
2010-06-22 22:41 . 2009-01-09 10:04 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-22 22:40 . 2009-01-09 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-06-19 17:54 . 2010-06-19 17:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-06-15 01:47 . 2008-11-15 05:43 -------- d-----w- c:\program files\Zune
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-06-15 01:46 . 2010-06-15 01:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-14 22:41 . 2009-06-04 21:19 23304 ----a-w- c:\documents and settings\memoirs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 22:34 . 2008-11-14 19:53 -------- d-----w- c:\program files\Windows Live
2010-06-13 14:42 . 2008-11-27 05:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-10 20:12 . 2009-11-22 22:30 -------- d-----w- c:\documents and settings\memoirs\Application Data\U3
2010-06-09 21:09 . 2010-05-10 23:21 -------- d-----w- c:\program files\FaceGen Modeller 3.4 Free
2010-06-06 04:30 . 2008-11-03 17:31 -------- d-----w- c:\program files\Bethesda Softworks
2010-06-04 17:24 . 2008-11-19 02:12 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-06-04 17:15 . 2009-02-06 04:57 -------- d-----w- c:\program files\Paradox Interactive
2010-06-04 16:58 . 2009-02-19 15:53 -------- d-----w- c:\program files\Maxis
2010-06-04 16:43 . 2009-03-03 04:17 -------- d-----w- c:\program files\AOE II & III
2010-06-03 23:04 . 2009-09-11 23:26 -------- d-----w- c:\documents and settings\memoirs\Application Data\dvdcss
2010-06-03 20:48 . 2010-06-03 20:48 -------- d-----w- c:\program files\NTCore
2010-06-02 19:04 . 2010-05-25 02:35 -------- d-----w- c:\program files\Mass Effect 2
2010-05-30 19:58 . 2010-04-06 05:02 -------- d-----w- c:\documents and settings\memoirs\Application Data\Grand Ages Rome
2010-05-29 18:37 . 2010-02-03 23:38 -------- d-----w- c:\documents and settings\memoirs\Application Data\Any Audio Converter
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 02:54 . 2010-04-25 23:18 -------- d-----w- c:\program files\Common Files\BioWare
2010-05-18 22:04 . 2010-04-25 22:54 -------- d-----w- c:\program files\Mass Effect
2010-05-16 15:15 . 2008-11-03 21:26 -------- d-----w- c:\program files\Warcraft III
2010-05-12 21:31 . 2010-05-12 21:31 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-12 21:31 . 2010-05-12 21:31 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-11 22:38 . 2010-05-11 01:30 -------- d-----w- c:\program files\Alcohol 120
2010-05-11 21:55 . 2010-05-10 23:01 -------- d-----w- c:\program files\roms
2010-05-10 23:22 . 2010-05-10 23:22 -------- d-----w- c:\documents and settings\memoirs\Application Data\FaceGen
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_6FEFF9B68218417F98F549.exe
2010-05-10 23:21 . 2010-05-10 23:21 766 ----a-r- c:\documents and settings\memoirs\Application Data\Microsoft\Installer\{05156799-4EC3-4885-864E-E190A429B307}\_061D43A5181EFECA1957E0.exe
2010-05-02 05:22 . 2004-08-03 23:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 00:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-04 00:56 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-07 19:44 . 2010-07-07 19:44 16384 c:\windows\temp\Perflib_Perfdata_470.dat
+ 2010-07-07 19:44 . 2010-07-07 19:44 16384 c:\windows\temp\Perflib_Perfdata_374.dat
+ 2010-01-07 21:22 . 2010-01-07 21:22 74240 c:\windows\system32\ZuneUsbTransport.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 18944 c:\windows\system32\ZuneTcp2Udp.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 57344 c:\windows\system32\ZuneRegUtil.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 12800 c:\windows\system32\ZunePTDNS.dll
+ 2006-09-29 01:56 . 2009-07-14 01:16 64512 c:\windows\system32\WudfSvc.dll
+ 2006-09-29 03:13 . 2009-07-14 01:16 39936 c:\windows\system32\WUDFCoinstaller.dll
+ 2008-11-03 14:32 . 2008-11-08 01:55 16928 c:\windows\system32\spmsg.dll
+ 2006-09-29 01:55 . 2009-07-13 23:50 91904 c:\windows\system32\drivers\WudfPf.sys
+ 2010-01-07 21:22 . 2010-01-07 21:22 310784 c:\windows\system32\ZuneNetProxy.dll
+ 2010-01-07 21:22 . 2010-01-07 21:22 147456 c:\windows\system32\ZuneMTPZ.dll
+ 2006-09-29 01:56 . 2009-07-14 01:16 567808 c:\windows\system32\WUDFx.dll
+ 2006-09-29 01:56 . 2009-07-13 23:50 148480 c:\windows\system32\WudfPlatform.dll
+ 2006-09-29 01:56 . 2009-07-14 01:14 195584 c:\windows\system32\WudfHost.exe
+ 2006-09-29 02:00 . 2009-07-13 23:50 132224 c:\windows\system32\drivers\WudfRd.sys
+ 2010-01-07 21:22 . 2010-01-07 21:22 708608 c:\windows\system32\drivers\UMDF\ZuneDriver.dll
+ 2009-12-14 22:28 . 2009-12-14 22:28 1837296 c:\windows\system32\WUDFUpdate_01009.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\jdk\bin\jusched.exe" [2009-05-10 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - c:\program files\eBoostr\eBoostrCP.exe [2008-8-8 1011320]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"\\\\GOLLUM\\SID MEIER'S CIVILIZATION 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\insurgency\\hl2.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Warcraft II BNE\\Warcraft II BNE.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\JDK\\bin\\java.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\EA Games\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike\\hl.exe"=
"c:\\Program Files\\Unreal Anthology\\UnrealTournament\\System\\UnrealTournament.exe"=

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\EBoost.sys [8/8/2008 5:17 AM 96376]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [8/8/2008 5:17 AM 843384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/9/2009 3:04 AM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\
FF - plugin: c:\jdk\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\jdk\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2010-07-07 12:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\System32\wudfhost.exe
c:\jdk\bin\jqs.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\jdk\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-07-07 12:52:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-07 19:51
ComboFix2.txt 2010-06-22 03:16
ComboFix3.txt 2010-06-21 19:37
ComboFix4.txt 2010-06-20 18:16
ComboFix5.txt 2010-07-07 19:31

Pre-Run: 83,780,628,480 bytes free
Post-Run: 84,274,728,960 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - FE2D4B1395587D79CA219BD92D6C10B0

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux

Re: AV Security Suite annihilated windows

Post by Belahzur on Thu 08 Jul 2010, 6:57 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite annihilated windows

Post by planetsngalaxies on Sat 10 Jul 2010, 5:14 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=545800214e767c44919dba26d77e7bcd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-10 06:06:21
# local_time=2010-07-09 11:06:21 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=324502
# found=12
# cleaned=12
# scan_time=7507
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\Adrian\Local Settings\Application Data\dhaegd\ybsorgx.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\Adrian\Local Settings\Application Data\jclgsnask\klgiqds.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\Adrian\Local Settings\Application Data\qdswimv\pspqqtj.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\Adrian\Local Settings\Application Data\tnfaof\scjdrca.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\John Connor\Local Settings\Application Data\fdhwbksk\rjhyfw.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\John Connor\Local Settings\Application Data\qvveagw\jqvjyh.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\John Connor\Local Settings\Application Data\snoafjp\kqkmurq.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\memoirs\Local Settings\Application Data\ddgymqcrk\vawxad.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\memoirs\Local Settings\Application Data\fsepvstt\yoiyhua.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\memoirs\Local Settings\Application Data\kjbdjk\haqdep.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\memoirs\Local Settings\Application Data\whcdawih\qhynod.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06182010_002522\c_Documents and Settings\memoirs\Local Settings\Application Data\xebdbx\qojkhs.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

planetsngalaxies

Newbie Surfer

Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux
