unknown virus/adware, undetectable so far!


unknown virus/adware, undetectable so far!

Post by freddyk on Fri 02 Jul 2010, 12:55 am

I have recently removed AV Security Suite from my laptop, using the correct procedure. I am at a point where Malwarebytes finds no infection, neither does NOD32. I then scanned with Search & Destroy, which found 2 registry entries and those were fixed, followed by running Ad-Aware which fixed a few things. Running all of them again finds nothing BUT:

When I open Firefox, NOD32 tells me that it's blocked attempts to connect to various nasty-sounding sites (long random URLs). After a few minutes FF crashes, and IE does the same. I can get you screenshots of this happening if you need them, but I was wondering what the cause and fix would be? I'm guessing it's residual damage from the previous virus I had, but I'm at a dead end since nothing seems to be able to find the remaining infections!

Logs will be added as per request

Thanks,

FK

Edit:



this is a very fake site!


Last edited by freddyk on Fri 02 Jul 2010, 1:39 am; edited 1 time in total

freddyk

Newbie Surfer

Posts : 18
Joined : 2010-07-02
Operating System : Windows 7 Ultimate x86


Re: unknown virus/adware, undetectable so far!

Post by Belahzur on Fri 02 Jul 2010, 1:00 am

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: unknown virus/adware, undetectable so far!

Post by freddyk on Fri 02 Jul 2010, 1:21 am

OTL.txt (NB: spare me the telling off for uTorrent)

OTL logfile created on: 7/1/2010 3:13:59 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Chris\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 129.98 Gb Free Space | 87.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRIS-PC
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/01 15:13:09 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Downloads\OTL.exe
PRC - [2010/07/01 13:40:43 | 000,755,096 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
PRC - [2010/03/29 17:12:18 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/03/29 17:11:50 | 002,145,000 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 02:14:24 | 000,157,184 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Defender\MpCmdRun.exe
PRC - [2009/07/14 02:14:15 | 000,301,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe
PRC - [2009/07/14 02:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2007/10/23 10:56:18 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe


========== Modules (SafeList) ==========

MOD - [2010/07/01 15:13:09 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:35 | 000,017,920 | -HS- | M] () -- C:\Windows\ServiceProfiles\LocalService\ntl.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/07/01 13:40:40 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/07/01 12:01:59 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/03/29 17:16:36 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/03/29 17:12:18 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)


========== Driver Services (SafeList) ==========

DRV - [2010/07/01 13:40:55 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/06/29 16:29:30 | 000,163,376 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2010/06/08 00:57:00 | 010,888,168 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/03/29 17:13:48 | 000,096,896 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV - [2010/03/29 17:12:00 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/03/29 17:07:44 | 000,134,024 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2009/12/11 08:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/10/05 16:31:50 | 001,221,632 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/08/04 13:15:36 | 000,033,736 | ---- | M] (Yamaha Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ymidusbw.sys -- (YMIDUSBW) Yamaha USB-MIDI Driver (WDM)
DRV - [2009/07/14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 00:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 00:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 23:13:46 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (SrvHsfV92)
DRV - [2009/07/13 23:13:45 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (SrvHsfWinac)
DRV - [2009/07/13 23:13:45 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (SrvHsfHDA)
DRV - [2009/07/13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2007/11/18 03:39:50 | 001,040,544 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2006/11/14 17:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 D6 D1 8B 0C 19 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {EABABE8D-3A53-4FB9-B9C1-5777C7AFA56D}:1.9.1
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{EABABE8D-3A53-4FB9-B9C1-5777C7AFA56D}: C:\Users\Chris\AppData\Local\{EABABE8D-3A53-4FB9-B9C1-5777C7AFA56D}\ [2010/06/30 18:04:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/01 12:19:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/01 12:19:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/06/30 18:13:29 | 000,000,000 | ---D | M]

[2010/06/29 00:50:02 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Mozilla\Extensions
[2010/07/01 11:57:03 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qv25s0sp.default\extensions
[2010/06/29 16:49:06 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qv25s0sp.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/01 12:19:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/26 08:47:04 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/06/26 08:47:04 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/06/26 08:47:04 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/06/26 08:47:04 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/07/01 14:28:32 | 000,411,414 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 virustotal.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 virustotal
O1 - Hosts: 127.0.0.1 virscan.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 virscan
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 virustotal
O1 - Hosts: 127.0.0.1 virscan
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 virusscan.jotti.org/
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 scanner.novirusthanks.org/
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 14231 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [note] File not found
O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4 - HKCU..\Run: [note] C:\Windows\ServiceProfiles\LocalService\ntl.dll ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat ()
O4 - Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scand.dll ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/01 13:51:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/07/01 13:51:31 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/07/01 13:41:36 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/07/01 13:41:36 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2010/07/01 13:41:32 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/07/01 13:36:35 | 000,000,000 | -H-D | C] -- C:\ProgramData\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/07/01 13:36:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/07/01 13:36:25 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/07/01 12:53:46 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallShield
[2010/07/01 12:53:39 | 000,466,944 | ---- | C] (SuYin) -- C:\Windows\Acer Crystal Eye webcam.EXE
[2010/07/01 12:53:39 | 000,073,728 | ---- | C] (Macrovision Corporation) -- C:\Windows\System32\ISUSPM.cpl
[2010/07/01 12:53:35 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2010/07/01 12:53:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/07/01 12:53:18 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\InstallShield
[2010/07/01 12:02:01 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/06/30 19:29:56 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Malwarebytes
[2010/06/30 19:29:52 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/06/30 19:29:51 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/06/30 19:29:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/30 19:29:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/06/30 18:54:17 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/06/30 18:14:37 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\ESET
[2010/06/30 18:13:29 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2010/06/30 18:13:29 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/30 18:04:22 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{EABABE8D-3A53-4FB9-B9C1-5777C7AFA56D}
[2010/06/30 18:03:01 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\wdnrmpmvh
[2010/06/30 18:02:53 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\pcbsmellb
[2010/06/30 02:24:37 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\WinRAR
[2010/06/30 02:15:10 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/06/29 18:45:22 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Synthesia
[2010/06/29 18:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\Yamaha
[2010/06/29 18:40:23 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Downloaded Installations
[2010/06/29 18:24:43 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Heiv
[2010/06/29 18:21:03 | 000,000,000 | ---D | C] -- C:\Users\Chris\Documents\Synthesia Music
[2010/06/29 18:21:02 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2010/06/29 18:20:50 | 000,000,000 | ---D | C] -- C:\Program Files\Synthesia
[2010/06/29 18:16:07 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/06/29 18:16:07 | 000,000,000 | ---D | C] -- C:\Users\Chris\Documents\PassMark
[2010/06/29 18:16:07 | 000,000,000 | ---D | C] -- C:\ProgramData\PassMark
[2010/06/29 18:16:05 | 000,000,000 | ---D | C] -- C:\Program Files\BatteryMon
[2010/06/29 18:09:26 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/06/29 18:09:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2010/06/29 18:08:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/06/29 18:08:46 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Apple
[2010/06/29 18:08:44 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/06/29 18:08:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2010/06/29 17:22:37 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2010/06/29 17:22:14 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\uTorrent
[2010/06/29 17:16:58 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2010/06/29 16:54:23 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2010/06/29 16:54:21 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/06/29 16:53:20 | 010,888,168 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys
[2010/06/29 16:53:20 | 000,795,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dpinst.exe
[2010/06/29 16:53:20 | 000,056,936 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2010/06/29 16:53:20 | 000,010,920 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvBridge.kmd
[2010/06/29 16:53:19 | 015,764,072 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll
[2010/06/29 16:53:19 | 009,712,744 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvd3dum.dll
[2010/06/29 16:53:19 | 004,967,528 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvwgf2um.dll
[2010/06/29 16:53:19 | 002,890,856 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvencodemft.dll
[2010/06/29 16:53:19 | 000,426,600 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvumdshim.dll
[2010/06/29 16:53:19 | 000,332,392 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvdecodemft.dll
[2010/06/29 16:53:19 | 000,101,992 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvinit.dll
[2010/06/29 16:53:17 | 010,263,144 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll
[2010/06/29 16:53:17 | 004,513,384 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll
[2010/06/29 16:53:17 | 002,632,296 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll
[2010/06/29 16:53:17 | 002,145,896 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll
[2010/06/29 16:53:17 | 001,592,424 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvapi.dll
[2010/06/29 16:53:17 | 000,232,040 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcod1921.dll
[2010/06/29 16:53:17 | 000,232,040 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcod.dll
[2010/06/29 16:53:10 | 000,000,000 | ---D | C] -- C:\NVIDIA
[2010/06/29 16:38:16 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\ElevatedDiagnostics
[2010/06/29 16:30:09 | 000,000,000 | ---D | C] -- C:\Program Files\Apoint2K
[2010/06/29 16:12:11 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/06/29 16:10:32 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe
[2010/06/29 16:09:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/06/29 16:08:42 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010/06/29 16:08:42 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010/06/29 16:08:42 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010/06/29 16:07:35 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/06/29 16:07:35 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/06/29 16:07:35 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/06/29 16:07:35 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/06/29 16:07:34 | 003,954,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/06/29 16:07:34 | 003,899,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/06/29 16:07:32 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/06/29 16:07:32 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/06/29 16:07:32 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/06/29 16:07:32 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/06/29 16:07:32 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/06/29 16:07:32 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/06/29 16:07:32 | 000,108,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010/06/29 16:07:32 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/06/29 16:07:32 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010/06/29 16:07:30 | 002,326,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/06/29 16:07:28 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2010/06/29 16:07:28 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2010/06/29 16:07:28 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdri.dll
[2010/06/29 16:07:28 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2010/06/29 16:07:28 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2010/06/29 16:07:25 | 012,625,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2010/06/29 16:07:25 | 001,320,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CertEnroll.dll
[2010/06/29 16:07:25 | 000,507,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winload.exe
[2010/06/29 16:07:25 | 000,442,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winresume.exe
[2010/06/29 16:07:22 | 001,037,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2010/06/29 16:07:22 | 000,133,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecpkg.sys
[2010/06/29 16:07:20 | 002,614,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\explorer.exe
[2010/06/29 16:07:19 | 001,328,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2010/06/29 16:07:19 | 000,091,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2010/06/29 16:07:19 | 000,084,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll
[2010/06/29 16:07:16 | 000,427,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/06/29 16:07:14 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/06/29 16:07:13 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/06/29 16:07:12 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010/06/29 16:05:06 | 000,293,888 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/06/29 16:05:06 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/06/29 16:05:06 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/06/29 15:47:57 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Macromedia
[2010/06/29 15:47:57 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Adobe
[2010/06/29 15:47:53 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2010/06/29 09:35:24 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2010/06/29 09:29:58 | 000,000,000 | ---D | C] -- C:\Windows.old
[2010/06/29 08:39:01 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2010/06/29 08:36:55 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2010/06/29 01:44:52 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\mIRC
[2010/06/29 01:44:52 | 000,000,000 | ---D | C] -- C:\Program Files\mIRC
[2010/06/29 01:25:30 | 000,000,000 | ---D | C] -- C:\Users\Chris\Tracing
[2010/06/29 01:20:12 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/06/29 01:20:01 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2010/06/29 01:19:50 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2010/06/29 01:19:33 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/06/29 01:19:15 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2010/06/29 01:19:12 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2010/06/29 01:17:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2010/06/29 01:04:44 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/06/29 00:53:35 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Qotipo
[2010/06/29 00:49:55 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Mozilla
[2010/06/29 00:49:55 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Mozilla
[2010/06/29 00:49:51 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/29 00:47:49 | 000,000,000 | R--D | C] -- C:\Users\Chris\Searches
[2010/06/29 00:47:49 | 000,000,000 | -H-D | C] -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2010/06/29 00:47:39 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Identities
[2010/06/29 00:47:36 | 000,000,000 | R--D | C] -- C:\Users\Chris\Contacts
[2010/06/29 00:47:26 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\VirtualStore
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\AppData\Local\Temporary Internet Files
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Templates
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Start Menu
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\SendTo
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Recent
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\PrintHood
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\NetHood
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Documents\My Videos
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Documents\My Pictures
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Documents\My Music
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\My Documents
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Local Settings
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\AppData\Local\History
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Cookies
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\Application Data
[2010/06/29 00:47:21 | 000,000,000 | -HSD | C] -- C:\Users\Chris\AppData\Local\Application Data
[2010/06/29 00:47:20 | 000,000,000 | --SD | C] -- C:\Users\Chris\AppData\Roaming\Microsoft
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Videos
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Saved Games
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Pictures
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Music
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Links
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Favorites
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Downloads
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\My Documents
[2010/06/29 00:47:20 | 000,000,000 | R--D | C] -- C:\Users\Chris\Desktop
[2010/06/29 00:47:20 | 000,000,000 | -H-D | C] -- C:\Users\Chris\AppData
[2010/06/29 00:47:20 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Temp
[2010/06/29 00:47:20 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Microsoft
[2010/06/29 00:47:20 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Media Center Programs
[2010/06/29 00:43:46 | 000,000,000 | -HSD | C] -- C:\Recovery
[2010/06/29 00:28:23 | 000,000,000 | -HSD | C] -- C:\Boot
[2010/06/28 23:41:56 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2010/06/07 17:47:34 | 013,917,800 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcpl.dll
[2010/06/07 17:47:34 | 001,691,752 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvsvcr.dll
[2010/06/07 17:47:34 | 001,331,816 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvsvc.dll
[2010/06/07 17:47:34 | 000,579,688 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nv3dappshext.dll
[2010/06/07 17:47:34 | 000,255,592 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvhotkey.dll
[2010/06/07 17:47:34 | 000,110,696 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvmctray.dll
[2010/06/07 17:47:34 | 000,066,664 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvshext.dll
[2010/06/07 17:47:34 | 000,053,864 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nv3dappshextr.dll

========== Files - Modified Within 30 Days ==========

[2010/07/01 15:14:09 | 005,505,024 | -HS- | M] () -- C:\Users\Chris\NTUSER.DAT
[2010/07/01 14:28:32 | 000,411,414 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/01 13:51:43 | 000,001,240 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/07/01 13:51:43 | 000,001,216 | ---- | M] () -- C:\Users\Chris\Desktop\Spybot - Search & Destroy.lnk
[2010/07/01 13:49:17 | 000,016,848 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/01 13:49:17 | 000,016,848 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/01 13:48:38 | 000,726,316 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/01 13:48:38 | 000,628,460 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/01 13:48:38 | 000,110,612 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/01 13:43:35 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/01 13:43:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/01 13:43:07 | 1609,764,864 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/01 13:41:48 | 001,530,214 | -H-- | M] () -- C:\Users\Chris\AppData\Local\IconCache.db
[2010/07/01 13:41:29 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/07/01 13:41:26 | 000,015,880 | ---- | M] () -- C:\Windows\System32\lsdelete.exe
[2010/07/01 13:40:55 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/07/01 13:36:34 | 000,001,124 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/01 13:36:34 | 000,001,100 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/01 12:53:39 | 000,001,502 | ---- | M] () -- C:\Users\Public\Desktop\Acer Crystal Eye Webcam.lnk
[2010/07/01 12:19:24 | 000,001,909 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/01 12:19:24 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/07/01 11:44:30 | 000,244,186 | RHS- | M] () -- C:\JKAEH
[2010/07/01 11:44:30 | 000,000,020 | RHS- | M] () -- C:\win7.ld
[2010/06/30 19:29:55 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/30 19:14:34 | 190,544,430 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/30 18:04:23 | 000,000,120 | ---- | M] () -- C:\Users\Chris\AppData\Local\Epibodadujod.dat
[2010/06/30 18:04:23 | 000,000,000 | ---- | M] () -- C:\Users\Chris\AppData\Local\Xqavuwefokib.bin
[2010/06/30 18:03:57 | 000,000,752 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100701-142832.backup
[2010/06/30 18:03:43 | 000,000,970 | -HS- | M] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scand.lnk
[2010/06/30 18:02:37 | 000,006,353 | -HS- | M] () -- C:\Windows\E88D4.exe
[2010/06/30 17:49:11 | 000,000,042 | -HS- | M] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat
[2010/06/29 22:21:41 | 000,244,161 | ---- | M] () -- C:\Users\Chris\Desktop\Synthesia-r811 crash report.dmp
[2010/06/29 18:09:37 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/06/29 16:30:14 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
[2010/06/29 16:29:38 | 001,419,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WdfCoInstaller01005.dll
[2010/06/29 16:29:38 | 000,100,418 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Windows\System32\Vxdif.dll
[2010/06/29 16:29:30 | 000,163,376 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Windows\System32\drivers\Apfiltr.sys
[2010/06/29 16:24:11 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/06/29 16:20:45 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01000.Wdf
[2010/06/29 09:35:16 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/06/29 09:35:14 | 000,000,355 | RHS- | M] () -- C:\Boot.ini.saved
[2010/06/29 08:40:01 | 000,042,045 | ---- | M] () -- C:\Windows\System32\license.rtf
[2010/06/29 02:32:28 | 000,524,288 | -HS- | M] () -- C:\Users\Chris\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/06/29 02:32:28 | 000,524,288 | -HS- | M] () -- C:\Users\Chris\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/06/29 02:32:28 | 000,065,536 | -HS- | M] () -- C:\Users\Chris\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/06/29 01:17:10 | 000,057,560 | ---- | M] () -- C:\Users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/06/29 00:48:33 | 000,001,407 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/29 00:47:21 | 000,000,020 | -HS- | M] () -- C:\Users\Chris\ntuser.ini
[2010/06/28 22:54:18 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/06/28 22:54:18 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/28 22:48:41 | 000,000,211 | -H-- | M] () -- C:\Boot.BAK
[2010/06/08 00:57:00 | 015,764,072 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll
[2010/06/08 00:57:00 | 010,888,168 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys
[2010/06/08 00:57:00 | 010,263,144 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll
[2010/06/08 00:57:00 | 009,712,744 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvd3dum.dll
[2010/06/08 00:57:00 | 004,967,528 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvwgf2um.dll
[2010/06/08 00:57:00 | 004,513,384 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll
[2010/06/08 00:57:00 | 002,890,856 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvencodemft.dll
[2010/06/08 00:57:00 | 002,632,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll
[2010/06/08 00:57:00 | 002,145,896 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll
[2010/06/08 00:57:00 | 001,592,424 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvapi.dll
[2010/06/08 00:57:00 | 000,795,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dpinst.exe
[2010/06/08 00:57:00 | 000,426,600 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvumdshim.dll
[2010/06/08 00:57:00 | 000,332,392 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvdecodemft.dll
[2010/06/08 00:57:00 | 000,232,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcod1921.dll
[2010/06/08 00:57:00 | 000,232,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcod.dll
[2010/06/08 00:57:00 | 000,101,992 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvinit.dll
[2010/06/08 00:57:00 | 000,056,936 | ---- | M] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2010/06/08 00:57:00 | 000,010,920 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvBridge.kmd
[2010/06/08 00:57:00 | 000,009,633 | ---- | M] () -- C:\Windows\System32\nvinfo.pb
[2010/06/07 17:47:34 | 013,917,800 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcpl.dll
[2010/06/07 17:47:34 | 001,691,752 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvsvcr.dll
[2010/06/07 17:47:34 | 001,331,816 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvsvc.dll
[2010/06/07 17:47:34 | 000,579,688 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nv3dappshext.dll
[2010/06/07 17:47:34 | 000,408,168 | ---- | M] () -- C:\Windows\System32\easyUpdatusAPIU.dll
[2010/06/07 17:47:34 | 000,258,142 | ---- | M] () -- C:\Windows\System32\nvcoproc.bin
[2010/06/07 17:47:34 | 000,255,592 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvhotkey.dll
[2010/06/07 17:47:34 | 000,110,696 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvmctray.dll
[2010/06/07 17:47:34 | 000,066,664 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvshext.dll
[2010/06/07 17:47:34 | 000,053,864 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nv3dappshextr.dll

========== Files Created - No Company Name ==========

[2010/07/01 13:51:43 | 000,001,240 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/07/01 13:51:43 | 000,001,216 | ---- | C] () -- C:\Users\Chris\Desktop\Spybot - Search & Destroy.lnk
[2010/07/01 13:48:27 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2010/07/01 13:36:34 | 000,001,124 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/01 13:36:34 | 000,001,100 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/01 12:53:40 | 000,626,688 | ---- | C] () -- C:\Windows\Image.dll
[2010/07/01 12:53:40 | 000,222,382 | ---- | C] () -- C:\Windows\Acer Crystal Eye webcam.ico
[2010/07/01 12:53:40 | 000,200,704 | ---- | C] () -- C:\Windows\PLFSetI.exe
[2010/07/01 12:53:40 | 000,000,036 | ---- | C] () -- C:\Windows\PidList.ini
[2010/07/01 12:53:39 | 000,001,502 | ---- | C] () -- C:\Users\Public\Desktop\Acer Crystal Eye Webcam.lnk
[2010/07/01 12:19:24 | 000,001,909 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/01 12:19:24 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/07/01 11:44:30 | 000,000,020 | RHS- | C] () -- C:\win7.ld
[2010/07/01 11:44:29 | 000,244,186 | RHS- | C] () -- C:\JKAEH
[2010/06/30 19:29:55 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/30 18:54:09 | 190,544,430 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/06/30 18:04:23 | 000,000,120 | ---- | C] () -- C:\Users\Chris\AppData\Local\Epibodadujod.dat
[2010/06/30 18:04:23 | 000,000,000 | ---- | C] () -- C:\Users\Chris\AppData\Local\Xqavuwefokib.bin
[2010/06/30 18:02:37 | 000,006,353 | -HS- | C] () -- C:\Windows\E88D4.exe
[2010/06/30 17:49:11 | 000,000,042 | -HS- | C] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat
[2010/06/29 22:21:41 | 000,244,161 | ---- | C] () -- C:\Users\Chris\Desktop\Synthesia-r811 crash report.dmp
[2010/06/29 18:09:37 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/06/29 16:53:20 | 000,009,633 | ---- | C] () -- C:\Windows\System32\nvinfo.pb
[2010/06/29 16:30:14 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
[2010/06/29 16:20:45 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01000.Wdf
[2010/06/29 16:08:21 | 000,003,636 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2010/06/29 09:35:14 | 000,000,211 | -H-- | C] () -- C:\Boot.BAK
[2010/06/29 08:36:02 | 1609,764,864 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/29 00:48:33 | 000,001,407 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/29 00:47:21 | 000,000,020 | -HS- | C] () -- C:\Users\Chris\ntuser.ini
[2010/06/29 00:47:20 | 005,505,024 | -HS- | C] () -- C:\Users\Chris\NTUSER.DAT
[2010/06/29 00:47:20 | 000,524,288 | -HS- | C] () -- C:\Users\Chris\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/06/29 00:47:20 | 000,524,288 | -HS- | C] () -- C:\Users\Chris\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/06/29 00:47:20 | 000,262,144 | -HS- | C] () -- C:\Users\Chris\ntuser.dat.LOG1
[2010/06/29 00:47:20 | 000,065,536 | -HS- | C] () -- C:\Users\Chris\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/06/29 00:47:20 | 000,000,290 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2010/06/29 00:47:20 | 000,000,272 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2010/06/29 00:47:20 | 000,000,000 | -HS- | C] () -- C:\Users\Chris\ntuser.dat.LOG2
[2010/06/29 00:28:28 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2010/06/29 00:28:23 | 000,383,562 | RHS- | C] () -- C:\bootmgr
[2010/06/28 23:41:11 | 000,000,355 | RHS- | C] () -- C:\Boot.ini.saved
[2010/06/28 22:54:18 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/06/28 22:54:18 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/06/07 17:47:34 | 000,408,168 | ---- | C] () -- C:\Windows\System32\easyUpdatusAPIU.dll
[2010/06/07 17:47:34 | 000,258,142 | ---- | C] () -- C:\Windows\System32\nvcoproc.bin
[2009/07/14 02:15:07 | 000,000,009 | ---- | C] () -- C:\Windows\System32\comsats.sys
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2005/05/06 19:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:0E08FC17
< End of report >


EDIT

I can't post the extras, I get a timeout when I submit it. No idea why, my net's working fine (apart from FF crashing every 10 minutes!)

freddyk

Newbie Surfer

Posts : 18
Joined : 2010-07-02
Operating System : Windows 7 Ultimate x86


Re: unknown virus/adware, undetectable so far!

Post by Belahzur on Fri 02 Jul 2010, 1:54 am

Hello.
3 steps to do here.

Step 1:

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.



Step 2:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Step 3:

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [note] File not found
    O4 - HKCU..\Run: [note] C:\Windows\ServiceProfiles\LocalService\ntl.dll ()
    O4 - Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat ()
    O4 - Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scand.dll ()
    [2010/06/30 18:03:01 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\wdnrmpmvh
    [2010/06/30 18:02:53 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\pcbsmellb
    [2010/06/30 18:04:23 | 000,000,120 | ---- | M] () -- C:\Users\Chris\AppData\Local\Epibodadujod.dat
    [2010/06/30 18:04:23 | 000,000,000 | ---- | M] () -- C:\Users\Chris\AppData\Local\Xqavuwefokib.bin
    [2010/06/30 18:03:57 | 000,000,752 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100701-142832.backup
    [2010/06/30 18:03:43 | 000,000,970 | -HS- | M] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scand.lnk
    [2010/06/30 18:02:37 | 000,006,353 | -HS- | M] () -- C:\Windows\E88D4.exe
    [2010/06/30 17:49:11 | 000,000,042 | -HS- | M] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


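The fix lines above were picked by hand from the OTL log. The script below is an added example (my own code, not part of OTL and not the helper's) that reads OTL-style lines and applies the same judgement rules: browser add-ons with no backing CLSID, autostarts that launch a script or DLL or point at a file that no longer exists, hidden+system files dropped into system locations, and random-named folders under AppData. Seven sample lines are copied from the fix above; the two benign lines (egui.exe and browserchoice.exe) are constructed for contrast using paths that appear in the ComboFix log later in this thread.

```python
"""Triage of OTL scan lines: an added example, not part of OTL or of this thread.

OTL prints autostart entries as "O<n> - <where>: <detail>" and file entries as
"[date | size | attrs | C/M] (company) -- <path>".  The rules below spell out
the judgement behind the lines chosen for the fix: browser add-ons with no
CLSID, autostarts that launch scripts/DLLs or point at missing files,
hidden+system files in system locations, and random-named folders.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Seven lines copied from the fix script, then two constructed benign lines
# for contrast (their paths come from the ComboFix log in this thread).
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.",
    r"O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.",
    r"O4 - HKLM..\Run: [note] File not found",
    r"O4 - HKCU..\Run: [note] C:\Windows\ServiceProfiles\LocalService\ntl.dll ()",
    r"O4 - Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat ()",
    r"[2010/06/30 18:02:37 | 000,006,353 | -HS- | M] () -- C:\Windows\E88D4.exe",
    r"[2010/06/30 18:03:01 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\wdnrmpmvh",
    r"O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)",
    r"[2010/06/29 15:10:00 | 000,293,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\browserchoice.exe",
]

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
AUTOSTART_RE = re.compile(r"^O(?P<section>\d+) - (?P<where>[^:]+): (?P<detail>.+)$")
# "[valuename] path (company)": the value name and the company are optional.
TARGET_RE = re.compile(r"^(?:\[(?P<name>[^\]]*)\] )?(?P<path>.*?)(?: \((?P<company>[^)]*)\))?$")

SCRIPT_OR_LIBRARY = {".bat", ".cmd", ".vbs", ".js", ".dll", ".scr"}
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(name):
    """Lower-case, letters only, long and nearly vowel-free, e.g. 'wdnrmpmvh'."""
    if not (name.isalpha() and name.islower() and len(name) >= 8):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.25


def check_autostart(m):
    where, detail = m["where"], m["detail"]
    if "No CLSID value found" in detail:
        return f"{where}: browser add-on registered without a backing CLSID"
    t = TARGET_RE.match(detail)
    if t["path"] == "File not found":
        return f"{where}: value [{t['name']}] points at a file that no longer exists"
    ext = PureWindowsPath(t["path"]).suffix.lower()
    if ext in SCRIPT_OR_LIBRARY:
        return f"{where}: launches a {ext} file instead of a program"
    if not t["company"]:
        return f"{where}: target carries no publisher metadata"
    return None


def check_file(m):
    p = PureWindowsPath(m["path"])
    attrs, parent = m["attrs"], str(p.parent).lower()
    is_dir = "D" in attrs
    if not is_dir and "H" in attrs and "S" in attrs:
        return "hidden+system file (attributes -HS-), a common dropper disguise"
    if not is_dir and parent == r"c:\windows" and not m["company"]:
        return "file with no publisher metadata placed directly in C:\\Windows"
    if is_dir and "appdata" in parent and looks_random(p.name):
        return "random-named folder under AppData"
    return None


def triage(lines):
    """Return a Finding for every line that trips one of the rules above."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            reason = check_file(m)
        else:
            m = AUTOSTART_RE.match(line)
            reason = check_autostart(m) if m else None
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Run stand-alone it prints one reason per flagged line; the two benign entries produce nothing because they point at a signed .exe in its expected location. The rules are deliberately narrow: they reproduce the reasoning behind this particular fix rather than a general scanner.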

Re: unknown virus/adware, undetectable so far!

Post by freddyk on Fri 02 Jul 2010, 3:03 am

Running Goored:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 16:22 on 01/07/2010 (Chris)
Firefox version 3.6.6 (en-GB)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{EABABE8D-3A53-4FB9-B9C1-5777C7AFA56D} -> Success!
Deleting C:\Users\Chris\AppData\Local\{EABABE8D-3A53-4FB9-B9C1-5777C7AFA56D} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:19 01/07/2010]

C:\Users\Chris\Application Data\Mozilla\Firefox\Profiles\qv25s0sp.default\extensions\
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [15:49 29/06/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

and now OTL

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\note deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\note deleted successfully.
C:\Windows\ServiceProfiles\LocalService\ntl.dll moved successfully.
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat moved successfully.
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scand.dll moved successfully.
C:\Users\Chris\AppData\Local\wdnrmpmvh folder moved successfully.
C:\Users\Chris\AppData\Local\pcbsmellb folder moved successfully.
C:\Users\Chris\AppData\Local\Epibodadujod.dat moved successfully.
C:\Users\Chris\AppData\Local\Xqavuwefokib.bin moved successfully.
C:\Windows\System32\drivers\etc\hosts.20100701-142832.backup moved successfully.
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scand.lnk moved successfully.
C:\Windows\E88D4.exe moved successfully.
File C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kill.bat not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chris
->Temp folder emptied: 8123841 bytes
->Temporary Internet Files folder emptied: 17123304 bytes
->FireFox cache emptied: 36648953 bytes
->Flash cache emptied: 2360 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22888570 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 81.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.7.0 log created on 07012010_163202

Files\Folders moved on Reboot...
C:\Users\Chris\AppData\Local\Temp\nsrbgxsaod.bak moved successfully.

Registry entries deleted on Reboot...

No change to the problems; Firefox crashes out on this page too. I'm in safe mode to post this (logs are from normal mode).


Re: unknown virus/adware, undetectable so far!

Post by Belahzur on Fri 02 Jul 2010, 3:17 am

Hello.

  • Download combofix from here
    Link 1
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.



Re: unknown virus/adware, undetectable so far!

Post by freddyk on Fri 02 Jul 2010, 4:07 am

Run; couldn't close S&D because I couldn't find its root exe, but the scan worked anyway:


ComboFix 10-06-30.03 - Chris 01/07/2010 17:53:54.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.1404 [GMT 1:00]
Running from: c:\users\Chris\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Chris\ntl.dll
c:\windows\Fonts\mlog
c:\windows\system32\comsats.sys
c:\windows\system32\tfukdrrn.txt

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 16:25 . 2010-07-01 16:27 -------- d-----w- C:\32788R22FWJFW
2010-07-01 15:32 . 2010-07-01 15:32 -------- d-----w- C:\_OTL
2010-07-01 12:51 . 2010-07-01 13:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-01 12:51 . 2010-07-01 12:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-01 12:48 . 2010-07-01 12:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-01 12:41 . 2010-07-01 12:41 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-01 12:41 . 2010-07-01 12:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-01 12:41 . 2010-07-01 12:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-01 12:36 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-07-01 12:36 . 2010-07-01 12:36 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-07-01 12:36 . 2010-07-01 12:41 -------- d-----w- c:\programdata\Lavasoft
2010-07-01 12:36 . 2010-07-01 12:36 -------- d-----w- c:\program files\Lavasoft
2010-07-01 11:53 . 2010-07-01 11:53 -------- d-----w- c:\programdata\InstallShield
2010-07-01 11:53 . 2007-10-23 09:56 200704 ----a-w- c:\windows\PLFSetI.exe
2010-07-01 11:53 . 2007-03-29 15:48 626688 ----a-w- c:\windows\Image.dll
2010-07-01 11:53 . 2008-01-17 12:52 466944 ----a-w- c:\windows\Acer Crystal Eye webcam.EXE
2010-07-01 11:53 . 2010-07-01 11:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 11:53 . 2010-07-01 11:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-01 11:53 . 2010-07-01 11:53 -------- d-----w- c:\users\Chris\AppData\Roaming\InstallShield
2010-07-01 11:02 . 2010-07-01 11:02 -------- d-----w- c:\windows\system32\Wat
2010-06-30 18:29 . 2010-06-30 18:29 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2010-06-30 18:29 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 18:29 . 2010-06-30 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 18:29 . 2010-06-30 18:29 -------- d-----w- c:\programdata\Malwarebytes
2010-06-30 18:29 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 17:14 . 2010-06-30 17:14 -------- d-----w- c:\users\Chris\AppData\Local\ESET
2010-06-30 17:13 . 2010-06-30 17:13 -------- d-----w- c:\program files\ESET
2010-06-30 17:04 . 2010-06-30 17:04 286976 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{EAA10467-91EB-094A-E634-DA53860B84B7}-dvpxqsktssd.exe
2010-06-29 17:45 . 2010-06-29 21:28 -------- d-----w- c:\users\Chris\AppData\Roaming\Synthesia
2010-06-29 17:40 . 2010-06-29 17:40 4286 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{271A659B-A7D3-405E-AE31-3086133BE0B7}\ARPPRODUCTICON.exe
2010-06-29 17:40 . 2010-06-29 17:40 -------- d-----w- c:\program files\Yamaha
2010-06-29 17:40 . 2010-06-29 17:40 -------- d-----w- c:\users\Chris\AppData\Local\Downloaded Installations
2010-06-29 17:24 . 2010-06-30 17:23 -------- d-----w- c:\users\Chris\AppData\Roaming\Heiv
2010-06-29 17:21 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-06-29 17:20 . 2010-06-29 21:23 -------- d-----w- c:\program files\Synthesia
2010-06-29 17:16 . 2010-06-29 17:16 -------- d-----w- c:\programdata\PassMark
2010-06-29 17:16 . 2010-06-29 17:16 -------- d-----w- c:\program files\BatteryMon
2010-06-29 17:09 . 2010-06-29 17:09 -------- d-----w- c:\program files\QuickTime
2010-06-29 17:09 . 2010-06-29 17:09 -------- d-----w- c:\programdata\Apple Computer
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\program files\Common Files\Apple
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\users\Chris\AppData\Local\Apple
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\program files\Apple Software Update
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\programdata\Apple
2010-06-29 16:22 . 2010-06-29 16:22 -------- d-----w- c:\program files\uTorrent
2010-06-29 16:22 . 2010-07-01 12:41 -------- d-----w- c:\users\Chris\AppData\Roaming\uTorrent
2010-06-29 16:16 . 2010-06-29 16:16 -------- d-----w- c:\programdata\NVIDIA
2010-06-29 15:54 . 2010-06-29 15:54 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-29 15:54 . 2010-06-29 15:54 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-29 15:38 . 2010-06-30 18:18 -------- d-----w- c:\users\Chris\AppData\Local\ElevatedDiagnostics
2010-06-29 15:30 . 2010-06-29 15:30 -------- d-----w- c:\program files\Apoint2K
2010-06-29 15:15 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-29 15:12 . 2010-06-29 15:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-29 15:10 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-06-29 15:09 . 2010-06-29 15:09 -------- d-----w- c:\program files\Microsoft.NET
2010-06-29 15:08 . 2009-11-25 11:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-29 15:08 . 2009-11-25 11:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-29 15:08 . 2009-11-25 11:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-29 15:08 . 2009-11-25 11:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-29 15:08 . 2009-11-25 11:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-29 15:08 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-06-29 15:08 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-06-29 15:08 . 2007-11-17 22:22 3636 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-06-29 15:05 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-29 15:05 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-29 15:05 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-06-29 14:47 . 2010-06-29 14:47 -------- d-----w- c:\windows\system32\Macromed
2010-06-29 08:35 . 2010-06-28 23:43 -------- d-----w- c:\windows\Panther
2010-06-29 08:29 . 2010-06-29 08:29 -------- d-----w- C:\Windows.old
2010-06-29 00:44 . 2010-06-29 01:32 -------- d-----w- c:\users\Chris\AppData\Roaming\mIRC
2010-06-29 00:44 . 2010-06-29 00:44 -------- d-----w- c:\program files\mIRC
2010-06-29 00:25 . 2010-07-01 15:33 -------- d-----w- c:\users\Chris\Tracing
2010-06-29 00:20 . 2010-06-29 00:20 -------- d-----w- c:\program files\Microsoft
2010-06-29 00:19 . 2010-06-29 00:19 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-29 00:19 . 2010-06-29 00:20 -------- d-----w- c:\program files\Windows Live
2010-06-29 00:19 . 2010-06-29 00:19 -------- d-----w- c:\windows\PCHEALTH
2010-06-29 00:19 . 2010-07-01 12:36 -------- d-sh--w- c:\windows\Installer
2010-06-29 00:17 . 2010-06-29 00:17 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-29 00:17 . 2010-06-29 00:17 57560 ----a-w- c:\users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-29 00:04 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-28 23:53 . 2010-06-30 17:32 -------- d-----w- c:\users\Chris\AppData\Roaming\Qotipo
2010-06-28 23:51 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-28 23:51 . 2010-07-01 16:58 -------- d-----w- c:\windows\system32\wbem\Performance
2010-06-28 23:51 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-28 23:49 . 2010-06-28 23:49 -------- d-----w- c:\users\Chris\AppData\Local\Mozilla
2010-06-28 23:43 . 2010-06-28 23:43 -------- d-----w- C:\Recovery
2010-06-28 23:28 . 2010-06-29 08:35 -------- d-----w- C:\Boot
2010-06-07 16:47 . 2010-06-07 16:47 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-06-07 16:47 . 2010-06-07 16:47 579688 ----a-w- c:\windows\system32\nv3dappshext.dll
2010-06-07 16:47 . 2010-06-07 16:47 53864 ----a-w- c:\windows\system32\nv3dappshextr.dll
2010-06-07 16:47 . 2010-06-07 16:47 408168 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2010-06-07 16:47 . 2010-06-07 16:47 258142 ----a-w- c:\windows\system32\nvcoproc.bin
2010-06-07 16:47 . 2010-06-07 16:47 255592 ----a-w- c:\windows\system32\nvhotkey.dll
2010-06-07 16:47 . 2010-06-07 16:47 1691752 ----a-w- c:\windows\system32\nvsvcr.dll
2010-06-07 16:47 . 2010-06-07 16:47 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 16:47 . 2010-06-07 16:47 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 16:47 . 2010-06-07 16:47 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 16:47 . 2010-06-07 16:47 110696 ----a-w- c:\windows\system32\nvmctray.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 15:30 . 2010-06-29 15:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2010-06-29 15:29 . 2007-06-25 18:51 100418 ----a-w- c:\windows\system32\Vxdif.dll
2010-06-29 15:29 . 2006-11-02 07:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2010-06-29 15:29 . 2007-12-11 16:42 163376 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2010-06-29 15:22 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-06-29 15:20 . 2010-06-29 15:20 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-05-21 05:18 . 2010-06-29 15:07 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-09 09:14 . 2010-06-29 15:07 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-06-29 15:07 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-01 14:49 . 2010-06-29 15:07 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 07:13 . 2010-06-29 15:07 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 21:12 . 2010-04-16 21:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-06-29 159744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCInstallQueue"="netman.dll" [2009-07-14 280576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-01 1343400]
R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2009-08-04 33736]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-01 64288]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-29 114984]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-29 134024]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-29 96896]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-01 1352832]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qv25s0sp.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-07-01 18:03:03
ComboFix-quarantined-files.txt 2010-07-01 17:03

Pre-Run: 139,553,288,192 bytes free
Post-Run: 139,443,851,264 bytes free

- - End Of File - - 6A2D4401B4BA756A330AB543702A9A1F


Will update status in a moment after testing if it's fixed.

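The Supplementary Scan section of this ComboFix log shows what Step 1 in the earlier post was aimed at: a per-user WinINet proxy at 127.0.0.1:5577, which means some process on the machine itself is relaying browser traffic. The same log also shows every UAC policy value set to 0. The script below is an added example (my own code, not part of ComboFix or OTL and not the helper's) that reads these lines, plus the firewall-exception line from the Extras.txt log posted further down, and reports the three things worth checking before continuing: a proxy on the loopback address, UAC values that differ from their Windows 7 defaults, and a firewall exception for a file named like a system binary but living outside its expected directory. The proxy-parsing helper handles the general WinINet value syntax ("host:port" or "http=...;https=..."), not only the single form seen here; the second host in the test is constructed.

```python
"""Triage of the proxy, UAC and firewall values in the ComboFix and OTL Extras
logs: an added example, not part of either tool or of this thread.

It reads the lines the way a helper does before deciding the next step:
  * the per-user WinINet proxy that Step 1 told the user to clear,
  * the UAC policy values compared with their Windows 7 defaults,
  * firewall-authorised programs whose name mimics a system binary.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The first seven lines are copied from the ComboFix log; the last one is
# from the Extras.txt log posted later in the thread.
SAMPLE_LINES = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    "uInternet Settings,ProxyOverride =",
    '"ConsentPromptBehaviorAdmin"= 0 (0x0)',
    '"ConsentPromptBehaviorUser"= 3 (0x3)',
    '"EnableLUA"= 0 (0x0)',
    '"EnableUIADesktopToggle"= 0 (0x0)',
    '"PromptOnSecureDesktop"= 0 (0x0)',
    r'"C:\Windows\fonts\services.exe" = C:\Windows\fonts\services.exe:*:Enabled:services.exe -- File not found',
]

# Out-of-the-box Windows 7 values under HKLM\...\Policies\System.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 1 = UAC enabled
    "ConsentPromptBehaviorAdmin": 5,  # 5 = prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # 3 = prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,       # 1 = elevation prompts use the secure desktop
}
# Directory where the genuine copy of each well-known system binary lives.
SYSTEM_BINARIES = {name: r"c:\windows\system32" for name in
                   ("services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")}
SYSTEM_BINARIES["explorer.exe"] = r"c:\windows"

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.*)$")
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"= (?P<value>\d+) \(0x[0-9A-Fa-f]+\)$')
FIREWALL_RE = re.compile(r'^"(?P<path>[^"]+)" = (?P<rule>.+?)(?: -- (?P<note>.+))?$')


@dataclass
class Finding:
    line: str
    reason: str


def parse_proxy_server(value):
    """Split a WinINet ProxyServer string into {scheme: (host, port)}.

    The value is either "host:port" (used for every protocol, keyed "all")
    or a ;-separated list such as "http=host:port;https=host:port".
    """
    result = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        result[scheme or "all"] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return result


def is_loopback(host):
    return host.lower() in ("localhost", "::1") or host.startswith("127.")


def check_line(line):
    m = PROXY_RE.match(line)
    if m:
        for scheme, (host, port) in parse_proxy_server(m["value"]).items():
            if is_loopback(host):
                return (f"user proxy for {scheme} points at {host}:{port}: a process on this "
                        "machine is relaying browser traffic; clear it and identify the listener")
        return None
    m = POLICY_RE.match(line)
    if m and m["name"] in UAC_DEFAULTS:
        expected, actual = UAC_DEFAULTS[m["name"]], int(m["value"])
        if actual != expected:
            return f"UAC value {m['name']}={actual} (Windows 7 default is {expected})"
        return None
    m = FIREWALL_RE.match(line)
    if m:
        p = PureWindowsPath(m["path"])
        expected_dir = SYSTEM_BINARIES.get(p.name.lower())
        if expected_dir and str(p.parent).lower() != expected_dir:
            return (f"firewall exception for {p.name} outside {expected_dir} "
                    "(masquerading as a system binary)")
    return None


def triage(lines):
    """Return a Finding for every line that trips one of the checks above."""
    findings = []
    for line in lines:
        reason = check_line(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.line}")
```

The UAC comparison only reports values whose default is known; a value of 0 for EnableLUA may be a user's own choice, but on a machine that has just had a rogue security suite removed it is worth restoring, because a disabled UAC lets anything the user runs write to HKLM and System32 without a prompt. The "File not found" note on the firewall line shows the exception outlived the file it was created for, which is why the rule itself still deserves cleanup.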

Re: unknown virus/adware, undetectable so far!

Post by Belahzur on Fri 02 Jul 2010, 4:11 am

Hello.
Okay, so far so good. Before we continue, please attach the Extras.txt log, I need to check something in that log.



Re: unknown virus/adware, undetectable so far!

Post by freddyk on Fri 02 Jul 2010, 4:17 am

OTL Extras logfile created on: 7/1/2010 3:13:59 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Chris\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 129.98 Gb Free Space | 87.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRIS-PC
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Windows\fonts\services.exe" = C:\Windows\fonts\services.exe:*:Enabled:services.exe -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{271A659B-A7D3-405E-AE31-3086133BE0B7}" = Yamaha USB-MIDI Driver
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Acer Crystal Eye Webcam
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B91B4988-2671-4C7A-9B84-5FE9E38EDDE0}" = ESET NOD32 Antivirus
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BatteryMon_is1" = BatteryMon V2.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"mIRC" = mIRC
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"Synthesia" = Synthesia (remove only)
"uTorrent" = µTorrent
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/1/2010 7:15:08 AM | Computer Name = Chris-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x00012bf6 Faulting process id:
0xf88 Faulting application start time: 0x01cb190ea704f6a0 Faulting application path:
C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report
Id: e7d3b0e0-8501-11df-8492-001b384e18f2

Error - 7/1/2010 7:16:51 AM | Computer Name = Chris-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x00012bf6 Faulting process id:
0xb8c Faulting application start time: 0x01cb190eb1572ce0 Faulting application path:
C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report
Id: 24fb6440-8502-11df-8492-001b384e18f2

Error - 7/1/2010 7:17:03 AM | Computer Name = Chris-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x00012bf6 Faulting process id:
0xc34 Faulting application start time: 0x01cb190eeb474480 Faulting application path:
C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report
Id: 2c7535c0-8502-11df-8492-001b384e18f2

Error - 7/1/2010 7:18:00 AM | Computer Name = Chris-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x00012bf6 Faulting process id:
0xbcc Faulting application start time: 0x01cb190ef8959420 Faulting application path:
C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report
Id: 4e1bc5e0-8502-11df-8492-001b384e18f2

Error - 7/1/2010 7:18:07 AM | Computer Name = Chris-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x00012bf6 Faulting process id:
0xff8 Faulting application start time: 0x01cb190f13773b40 Faulting application path:
C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report
Id: 5288d460-8502-11df-8492-001b384e18f2

Error - 7/1/2010 7:18:38 AM | Computer Name = Chris-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Users\Chris\Downloads\Vi64\Uninstap.exe".
Dependent
Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="AMD64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 7/1/2010 7:53:22 AM | Computer Name = Chris-PC | Source = VSS | ID = 8193
Description =

Error - 7/1/2010 7:53:23 AM | Computer Name = Chris-PC | Source = VSS | ID = 8193
Description =

Error - 7/1/2010 8:06:13 AM | Computer Name = Chris-PC | Source = Microsoft-Windows-CAPI2 | ID = 4101
Description = Failed auto update retrieval of third-party root certificate from:

with error: 12030 (0x2efe).

Error - 7/1/2010 8:37:12 AM | Computer Name = Chris-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 6/30/2010 2:30:42 PM | Computer Name = Chris-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 6/30/2010 2:35:42 PM | Computer Name = Chris-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 6/30/2010 2:35:42 PM | Computer Name = Chris-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 6/30/2010 2:35:42 PM | Computer Name = Chris-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 6/30/2010 2:38:17 PM | Computer Name = Chris-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 256 Processor ID: 1 The details view of this entry
contains further information.

Error - 6/30/2010 2:38:17 PM | Computer Name = Chris-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 256 Processor ID: 1 The details view of this entry
contains further information.

Error - 6/30/2010 9:13:34 PM | Computer Name = Chris-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 7/1/2010 6:27:34 AM | Computer Name = Chris-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 9 Processor ID: 1 The details view of this entry contains
further information.

Error - 7/1/2010 6:48:14 AM | Computer Name = Chris-PC | Source = DCOM | ID = 10010
Description =

Error - 7/1/2010 8:37:12 AM | Computer Name = Chris-PC | Source = Service Control Manager | ID = 7030
Description = The Lavasoft Ad-Aware Service service is marked as an interactive
service. However, the system is configured to not allow interactive services.
This service may not function properly.


< End of report >


It wasn't letting me submit it earlier. Problems seem fixed, although NOD32 disabled itself, so I had to change that in msconfig, and my mouse drivers have randomly gone AWOL.

And wtf does "kitty had a snack" mean in the previous log?

freddyk

Newbie Surfer

Posts : 18
Joined : 2010-07-02
Operating System : Windows 7 Ultimate x86

Re: unknown virus/adware, undetectable so far!

Post by Belahzur on Fri 02 Jul 2010, 4:28 am

Hello.
Just Combofix fixing a rootkit infection.

I see that you are running µTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride =

    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: unknown virus/adware, undetectable so far!

Post by freddyk on Fri 02 Jul 2010, 4:36 am

Is that all to remove uTorrent, or is the 2nd part separate? I use uTorrent as it's slightly safer than things like Kazaa and LimeWire (I actually know where I got the initial virus, and it's a case of being much more careful in future on my behalf).

So yeah, do I do the 2nd part if I wanna keep uTorrent?

freddyk

Newbie Surfer

Posts : 18
Joined : 2010-07-02
Operating System : Windows 7 Ultimate x86

Re: unknown virus/adware, undetectable so far!

Post by Belahzur on Fri 02 Jul 2010, 4:51 am

Yes, ComboFix won't touch uTorrent.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: unknown virus/adware, undetectable so far!

Post by freddyk on Fri 02 Jul 2010, 5:18 am

Done:

ComboFix 10-07-01.02 - Chris 01/07/2010 19:01:35.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.1235 [GMT 1:00]
Running from: c:\users\Chris\ComboFix.exe
Command switches used :: c:\users\Chris\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Chris\ComboFix.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 18:06 . 2010-07-01 18:06 -------- d-----w- c:\users\Chris\AppData\Local\temp
2010-07-01 18:06 . 2010-07-01 18:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-01 18:06 . 2010-07-01 18:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-01 18:00 . 2010-07-01 18:00 -------- d-----w- C:\32788R22FWJFW
2010-07-01 15:32 . 2010-07-01 15:32 -------- d-----w- C:\_OTL
2010-07-01 12:51 . 2010-07-01 13:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-01 12:51 . 2010-07-01 12:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-01 12:48 . 2010-07-01 12:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-01 12:41 . 2010-07-01 12:41 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-01 12:41 . 2010-07-01 12:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-01 12:41 . 2010-07-01 12:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-01 12:36 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-07-01 12:36 . 2010-07-01 12:36 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-07-01 12:36 . 2010-07-01 12:41 -------- d-----w- c:\programdata\Lavasoft
2010-07-01 12:36 . 2010-07-01 12:36 -------- d-----w- c:\program files\Lavasoft
2010-07-01 11:53 . 2010-07-01 11:53 -------- d-----w- c:\programdata\InstallShield
2010-07-01 11:53 . 2007-10-23 09:56 200704 ----a-w- c:\windows\PLFSetI.exe
2010-07-01 11:53 . 2007-03-29 15:48 626688 ----a-w- c:\windows\Image.dll
2010-07-01 11:53 . 2008-01-17 12:52 466944 ----a-w- c:\windows\Acer Crystal Eye webcam.EXE
2010-07-01 11:53 . 2010-07-01 11:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 11:53 . 2010-07-01 11:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-01 11:53 . 2010-07-01 11:53 -------- d-----w- c:\users\Chris\AppData\Roaming\InstallShield
2010-07-01 11:02 . 2010-07-01 11:02 -------- d-----w- c:\windows\system32\Wat
2010-06-30 18:29 . 2010-06-30 18:29 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2010-06-30 18:29 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 18:29 . 2010-06-30 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 18:29 . 2010-06-30 18:29 -------- d-----w- c:\programdata\Malwarebytes
2010-06-30 18:29 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 17:14 . 2010-06-30 17:14 -------- d-----w- c:\users\Chris\AppData\Local\ESET
2010-06-30 17:13 . 2010-06-30 17:13 -------- d-----w- c:\program files\ESET
2010-06-30 17:04 . 2010-06-30 17:04 286976 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{EAA10467-91EB-094A-E634-DA53860B84B7}-dvpxqsktssd.exe
2010-06-29 17:45 . 2010-06-29 21:28 -------- d-----w- c:\users\Chris\AppData\Roaming\Synthesia
2010-06-29 17:40 . 2010-06-29 17:40 4286 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{271A659B-A7D3-405E-AE31-3086133BE0B7}\ARPPRODUCTICON.exe
2010-06-29 17:40 . 2010-06-29 17:40 -------- d-----w- c:\program files\Yamaha
2010-06-29 17:40 . 2010-06-29 17:40 -------- d-----w- c:\users\Chris\AppData\Local\Downloaded Installations
2010-06-29 17:24 . 2010-06-30 17:23 -------- d-----w- c:\users\Chris\AppData\Roaming\Heiv
2010-06-29 17:21 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-06-29 17:20 . 2010-06-29 21:23 -------- d-----w- c:\program files\Synthesia
2010-06-29 17:16 . 2010-06-29 17:16 -------- d-----w- c:\programdata\PassMark
2010-06-29 17:16 . 2010-06-29 17:16 -------- d-----w- c:\program files\BatteryMon
2010-06-29 17:09 . 2010-06-29 17:09 -------- d-----w- c:\program files\QuickTime
2010-06-29 17:09 . 2010-06-29 17:09 -------- d-----w- c:\programdata\Apple Computer
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\program files\Common Files\Apple
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\users\Chris\AppData\Local\Apple
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\program files\Apple Software Update
2010-06-29 17:08 . 2010-06-29 17:08 -------- d-----w- c:\programdata\Apple
2010-06-29 16:22 . 2010-06-29 16:22 -------- d-----w- c:\program files\uTorrent
2010-06-29 16:22 . 2010-07-01 12:41 -------- d-----w- c:\users\Chris\AppData\Roaming\uTorrent
2010-06-29 16:16 . 2010-06-29 16:16 -------- d-----w- c:\programdata\NVIDIA
2010-06-29 15:54 . 2010-06-29 15:54 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-29 15:54 . 2010-06-29 15:54 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-29 15:38 . 2010-06-30 18:18 -------- d-----w- c:\users\Chris\AppData\Local\ElevatedDiagnostics
2010-06-29 15:30 . 2010-06-29 15:30 -------- d-----w- c:\program files\Apoint2K
2010-06-29 15:15 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-29 15:12 . 2010-06-29 15:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-29 15:10 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-06-29 15:09 . 2010-06-29 15:09 -------- d-----w- c:\program files\Microsoft.NET
2010-06-29 15:08 . 2009-11-25 11:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-29 15:08 . 2009-11-25 11:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-29 15:08 . 2009-11-25 11:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-29 15:08 . 2009-11-25 11:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-29 15:08 . 2009-11-25 11:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-29 15:08 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-06-29 15:08 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-06-29 15:08 . 2007-11-17 22:22 3636 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-06-29 15:05 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-29 15:05 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-29 15:05 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-06-29 14:47 . 2010-06-29 14:47 -------- d-----w- c:\windows\system32\Macromed
2010-06-29 08:35 . 2010-06-28 23:43 -------- d-----w- c:\windows\Panther
2010-06-29 08:29 . 2010-06-29 08:29 -------- d-----w- C:\Windows.old
2010-06-29 00:44 . 2010-06-29 01:32 -------- d-----w- c:\users\Chris\AppData\Roaming\mIRC
2010-06-29 00:44 . 2010-06-29 00:44 -------- d-----w- c:\program files\mIRC
2010-06-29 00:25 . 2010-07-01 17:21 -------- d-----w- c:\users\Chris\Tracing
2010-06-29 00:20 . 2010-06-29 00:20 -------- d-----w- c:\program files\Microsoft
2010-06-29 00:19 . 2010-06-29 00:19 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-29 00:19 . 2010-06-29 00:20 -------- d-----w- c:\program files\Windows Live
2010-06-29 00:19 . 2010-06-29 00:19 -------- d-----w- c:\windows\PCHEALTH
2010-06-29 00:19 . 2010-07-01 12:36 -------- d-sh--w- c:\windows\Installer
2010-06-29 00:17 . 2010-06-29 00:17 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-29 00:17 . 2010-06-29 00:17 57560 ----a-w- c:\users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-29 00:04 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-28 23:53 . 2010-06-30 17:32 -------- d-----w- c:\users\Chris\AppData\Roaming\Qotipo
2010-06-28 23:51 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-28 23:51 . 2010-07-01 17:25 -------- d-----w- c:\windows\system32\wbem\Performance
2010-06-28 23:51 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-06-28 23:49 . 2010-06-28 23:49 -------- d-----w- c:\users\Chris\AppData\Local\Mozilla
2010-06-28 23:43 . 2010-06-28 23:43 -------- d-----w- C:\Recovery
2010-06-28 23:28 . 2010-06-29 08:35 -------- d-----w- C:\Boot
2010-06-07 16:47 . 2010-06-07 16:47 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-06-07 16:47 . 2010-06-07 16:47 579688 ----a-w- c:\windows\system32\nv3dappshext.dll
2010-06-07 16:47 . 2010-06-07 16:47 53864 ----a-w- c:\windows\system32\nv3dappshextr.dll
2010-06-07 16:47 . 2010-06-07 16:47 408168 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2010-06-07 16:47 . 2010-06-07 16:47 258142 ----a-w- c:\windows\system32\nvcoproc.bin
2010-06-07 16:47 . 2010-06-07 16:47 255592 ----a-w- c:\windows\system32\nvhotkey.dll
2010-06-07 16:47 . 2010-06-07 16:47 1691752 ----a-w- c:\windows\system32\nvsvcr.dll
2010-06-07 16:47 . 2010-06-07 16:47 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 16:47 . 2010-06-07 16:47 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 16:47 . 2010-06-07 16:47 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 16:47 . 2010-06-07 16:47 110696 ----a-w- c:\windows\system32\nvmctray.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 15:30 . 2010-06-29 15:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2010-06-29 15:29 . 2007-06-25 18:51 100418 ----a-w- c:\windows\system32\Vxdif.dll
2010-06-29 15:29 . 2006-11-02 07:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2010-06-29 15:29 . 2007-12-11 16:42 163376 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2010-06-29 15:22 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-06-29 15:20 . 2010-06-29 15:20 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-05-21 05:18 . 2010-06-29 15:07 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-09 09:14 . 2010-06-29 15:07 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-06-29 15:07 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-01 14:49 . 2010-06-29 15:07 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 07:13 . 2010-06-29 15:07 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 21:12 . 2010-04-16 21:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-28 23:48 . 2010-07-01 17:22 20482 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-07-01 17:22 33490 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:50 . 2010-07-01 17:19 86016 c:\windows\System32\DriverStore\infpub.dat
- 2009-07-14 04:50 . 2010-06-29 17:41 86016 c:\windows\System32\DriverStore\infpub.dat
+ 2010-06-28 23:48 . 2010-07-01 17:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-28 23:48 . 2010-07-01 16:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:34 . 2010-07-01 17:55 72920 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2010-06-28 23:48 . 2010-07-01 16:55 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-28 23:48 . 2010-07-01 17:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-28 23:48 . 2010-07-01 16:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-28 23:48 . 2010-07-01 17:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-28 23:48 . 2010-07-01 16:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-28 23:48 . 2010-07-01 17:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-30 23:00 . 2010-07-01 17:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-06-30 23:00 . 2010-07-01 18:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-30 23:00 . 2010-07-01 17:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-06-30 23:00 . 2010-07-01 18:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-06-30 23:00 . 2010-07-01 17:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-06-30 23:00 . 2010-07-01 18:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-06-28 23:48 . 2010-07-01 18:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-28 23:48 . 2010-07-01 17:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-28 23:48 . 2010-07-01 16:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-28 23:48 . 2010-07-01 17:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-28 23:49 . 2010-07-01 17:22 5204 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-743148043-3432302570-714209451-1001_UserData.bin
+ 2010-07-01 17:21 . 2010-07-01 17:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-07-01 16:53 . 2010-07-01 16:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-07-01 17:21 . 2010-07-01 17:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-07-01 16:53 . 2010-07-01 16:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:05 . 2010-07-01 16:58 628460 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-07-01 17:25 628460 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-07-01 17:25 110612 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2010-07-01 16:58 110612 c:\windows\System32\perfc009.dat
- 2009-07-14 04:50 . 2010-06-29 17:41 143360 c:\windows\System32\DriverStore\infstrng.dat
+ 2009-07-14 04:50 . 2010-07-01 17:19 143360 c:\windows\System32\DriverStore\infstrng.dat
- 2009-07-14 02:03 . 2010-07-01 12:56 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2010-07-01 18:05 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-06-29 159744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCInstallQueue"="netman.dll" [2009-07-14 280576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-01 1352832]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-01 1343400]
R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2009-08-04 33736]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-01 64288]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-29 114984]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-29 134024]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-29 96896]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 12:40]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qv25s0sp.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
Completion time: 2010-07-01 19:08:40
ComboFix-quarantined-files.txt 2010-07-01 18:08
ComboFix2.txt 2010-07-01 17:03

Pre-Run: 139,256,164,352 bytes free
Post-Run: 139,063,828,480 bytes free

- - End Of File - - B53B32DE38FDF3E35382BE6A38E7DD8B

freddyk

Newbie Surfer

Posts : 18
Joined : 2010-07-02
Operating System : Windows 7 Ultimate x86
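As an added check for this thread (not ComboFix's, DDS's or the helper's own code), here is a scanner over log lines in the two formats seen above: the CFScript's `uInternet Settings,ProxyServer = http=127.0.0.1:5577` line, which points the browser at a proxy on the machine itself, and the `policies\system` block in the ComboFix "Reg Loading Points" report, where every UAC value is 0. The sample log at the bottom is constructed to mirror those lines, and the `u`/`m` hive prefix convention of the proxy line is assumed.

```python
"""Flag a loopback browser proxy and weakened UAC in ComboFix/DDS-style log text.

Added example for this thread, not part of ComboFix or DDS. Sample input is constructed.
"""
import ipaddress
import re

# "u" (user hive) / "m" (machine hive) prefix as DDS prints it (assumed format)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                   # [HKEY_...\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>\S+)')    # "Name"= 0 (0x0)

POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"

# Policy values that switch off or weaken UAC (0 in each case)
UAC_WEAK = {
    "EnableLUA": ("0", "UAC is disabled entirely"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate with no prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts are not on the secure desktop"),
}


def proxy_endpoints(value: str) -> list:
    """Split 'http=127.0.0.1:5577;https=host:port' or a bare 'host:port' into endpoints."""
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # drop the scheme= prefix
            part = part.split("=", 1)[1]
        endpoints.append(part)
    return endpoints


def is_loopback(endpoint: str) -> bool:
    """True when the proxy host is this machine (127/8, bracketed ::1, or localhost)."""
    host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
    host = host.strip("[]")                  # bracketed IPv6 literal
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # a hostname, not an address
        return False


def scan_log(text: str) -> list:
    """Return findings in log order; each is {'type': ..., 'detail': ...}."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = PROXY_RE.match(line)
        if m:
            for ep in proxy_endpoints(m.group("value")):
                if is_loopback(ep):
                    # Something on this host sits between the browser and the network.
                    findings.append({"type": "loopback_proxy", "detail": ep})
            continue
        if section.endswith(POLICY_KEY):
            m = VALUE_RE.match(line)
            if m and m.group("name") in UAC_WEAK:
                weak_value, why = UAC_WEAK[m.group("name")]
                if m.group("value") == weak_value:
                    findings.append({"type": "uac_weakened",
                                     "detail": f"{m.group('name')}={weak_value}: {why}"})
    return findings


# Constructed sample in the format of the CFScript and ComboFix report in this thread
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['type']:16} {f['detail']}")
```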

Re: unknown virus/adware, undetectable so far!

Post by Belahzur on Sat 03 Jul 2010, 8:10 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: unknown virus/adware, undetectable so far!

Post by freddyk on Mon 05 Jul 2010, 3:28 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=24eb02cd9212f84792dc860d26104087
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-03 03:16:11
# local_time=2010-07-03 04:16:11 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 116466 30587504 0 0
# compatibility_mode=8199 39157181 100 98 20068 8242271 0 0
# scanned=75011
# found=2
# cleaned=1
# scan_time=49056
# nod_component=V3 Build:0x30000000
C:\Users\Chris\Downloads\backups\backup-20100630-192618-769.dll a variant of Win32/Adware.Lifze.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys Win32/Olmarik.ZC trojan (error while cleaning) 00000000000000000000000000000000 I

Seems I still have a trojan on the loose.


Post by Belahzur on Mon 05 Jul 2010, 11:00 am

Hello.
Yeah, this rootkit isn't nice; it's gone after backup copies of the main driver it infected. ESET wasn't able to fix it, so we're gonna go with the big rocket launcher; I haven't come across many things that can survive this tool.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.





Post by freddyk on Mon 05 Jul 2010, 11:47 am

Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys" not found!
Deletion of file "C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Oh crap... Oddly the PC is behaving normally. Would such a rootkit stay dormant, or should I be getting spammed with adverts for viagra? :S


Post by freddyk on Mon 05 Jul 2010, 11:51 am

Also, I tried to go to that location using a shortcut and I got that it doesn't exist. (C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys)

I will rescan with ESET online.


Post by freddyk on Mon 05 Jul 2010, 7:17 pm

Sorry for the triple post; just done another ESET online scan, very interesting results:

C:\_OTL\MovedFiles\07012010_163202\C_Users\Chris\AppData\Local\pcbsmellb\dvpxqsktssd.exe a variant of Win32/Kryptik.FHS trojan cleaned by deleting - quarantined
C:\_OTL\MovedFiles\07012010_163202\C_Users\Chris\AppData\Local\wdnrmpmvh\dmyueretssd.exe a variant of Win32/Kryptik.FHS trojan cleaned by deleting - quarantined


Those are obviously the quarantine files from OTL, so hopefully no worries, right?

And then I happened to go on the ESET quarantine; take a guess what was there.

Damn right, the exact location of the file we couldn't find above had been quarantined by the previous scan, but not flagged in the log! Maybe this is why it couldn't be found? I have now deleted all from the quarantine for safety.


Post by Belahzur on Tue 06 Jul 2010, 8:08 am

Weird, ah well, never mind, this looks good. How is the machine running now?





Post by freddyk on Tue 06 Jul 2010, 12:54 pm

Smooth, to say it never ran well before the virus (7 be slaying it).

Thanks for all the help; I hope this info goes to people with the same problems. And thanks for the experience, I've learned a fair bit and got to try out a few tools of the trade en route. Next stop, academy.
