Possible garrys mod virus?


Possible garrys mod virus?

Post by planetsngalaxies on Sun 10 Jul 2011, 12:56 pm

First topic message reminder:

Last week my computer began running CHKDSK at every startup. After some investigating I discovered it was related to Garry's Mod. CHKDSK would only run if my brother had been playing Garry's Mod the last time the computer was on. My brother plays it online, and whenever he joins a server I noticed a blue screen which pops up and says "A Lua Script is creating a render target". This only started happening within the last few weeks.

To try to fix the CHKDSK problem I tried to uninstall Garry's Mod, but to my surprise one of the folders wouldn't delete. Its path was "C:\Program Files\Steam\steamapps\user\garrysmod\garrysmod\lua_temp\weapons_______________".

The strange folder name is what caught my attention. Besides the long line of underscores, every time I tried to delete it, it said "Cannot delete weapons__________________: The directory is not empty". Trying to open it gave me an error message saying it was not accessible and "The file or directory is corrupted and unreadable."

After searching for solutions online and using various methods to remove it, I decided to run a full CHKDSK. It didn't work. The folder is empty and it can be renamed and moved, just not deleted. Right now it's on my desktop (I've deleted all other Garry's Mod files successfully) and I've renamed it to "what_is_this". I ran another full CHKDSK earlier today and still can't delete it.

I've heard of people getting viruses through shady Garry's Mod servers, and they involve Lua files. My guess is it's either that or my hard drive is just dying, but I thought I'd check here first before I replace it.

edit: Just some additional information. When I tried deleting it with Unlocker a yellow triangle with an exclamation point appeared in the tray with a bubble saying "Unlocker.exe - Corrupt File The file or directory C: is corrupt and unreadable. Please run the Chkdsk utility."

This warning also popped up when I ran Spybot S&D earlier today and just a few minutes ago when I ran OTL.


Last edited by planetsngalaxies on Mon 11 Jul 2011, 10:56 am; edited 3 times in total

planetsngalaxies
Newbie Surfer
Posts : 33
Joined : 2010-06-17
Operating System : Windows XP and Linux
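One cheap check worth running on a folder like the one described in the post above, before concluding that the drive is dying: confirm that the folder's name really is the plain ASCII it appears to be, and try the deletion through the Win32 extended-length path prefix (\\?\), which hands the name to the kernel verbatim instead of stripping trailing spaces and dots or mapping device names. Explorer, cmd.exe and most unlocker tools go through the normalizing path, so a name with a hidden trailing dot or a lookalike character produces exactly the "not empty" / "not accessible" confusion the post reports. This is an added example, not code from the thread; the desktop path is assumed from the post, and the script does not assume the cause. If the name comes back clean and the raw-path removal fails with the same error, the fault is in the file-system metadata, not in path handling.

```python
"""Check whether an undeletable folder's name is really what it looks like,
then try removing it through the Win32 extended-length path prefix.

Added example for the stuck "weapons____..." folder described in the thread;
it is not from the thread. The default path is assumed from the post.
"""
import ntpath
import os
import sys
import unicodedata

# Device names Win32 reserves regardless of extension (NUL.txt is still NUL).
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {"COM%d" % i for i in range(1, 10)} | {"LPT%d" % i for i in range(1, 10)}

# Characters Win32 never allows inside a single path component.
ILLEGAL = set('<>:"/\\|?*')


def inspect_name(name):
    """Return the reasons why Explorer/cmd.exe could fail to address this single
    path component. An empty list means the name is plain ASCII with nothing
    hidden in it, so the fault lies elsewhere (for instance in the file system)."""
    problems = []
    for offset, ch in enumerate(name):
        cp = ord(ch)
        if cp < 0x20 or cp == 0x7F:
            problems.append("control character U+%04X at offset %d" % (cp, offset))
        elif cp > 0x7E:
            label = unicodedata.name(ch, "UNKNOWN")
            problems.append("non-ASCII U+%04X (%s) at offset %d" % (cp, label, offset))
        elif ch in ILLEGAL:
            problems.append("illegal character %r at offset %d" % (ch, offset))
    if name.rstrip(" .") != name:
        problems.append("trailing space or dot (normal Win32 path handling strips it)")
    stem = name.split(".", 1)[0].upper()
    if stem in RESERVED:
        problems.append("reserved device name %s" % stem)
    return problems


def raw_path(path):
    r"""Prefix an absolute Windows path with \\?\ so it reaches the kernel
    verbatim: no trailing-space/dot stripping, no device-name mapping.
    os.path.abspath is deliberately avoided for absolute input, because on
    Windows it normalizes the path and would strip the very characters we
    want to keep."""
    if path.startswith("\\\\?\\"):
        return path
    path = path.replace("/", "\\")          # the prefix only accepts backslashes
    if not ntpath.isabs(path):
        path = ntpath.join(os.getcwd(), path)
    return "\\\\?\\" + path


def remove_dir_raw(path):
    """Try to remove the directory through the raw path. Returns (ok, detail).
    exc.winerror is the Win32 code (145 = not empty, 1392 = corrupt); it is
    None when this runs somewhere other than Windows."""
    try:
        os.rmdir(raw_path(path))
        return True, "removed"
    except OSError as exc:
        return False, "winerror=%s: %s" % (getattr(exc, "winerror", None), exc.strerror)


if __name__ == "__main__":
    # Assumed location, taken from the post (the folder was moved to the desktop).
    target = sys.argv[1] if len(sys.argv) > 1 else \
        r"C:\Documents and Settings\memoirs\Desktop\what_is_this"
    parent, leaf = ntpath.split(target)
    print("name as typed:", inspect_name(leaf) or "nothing unusual")
    if sys.platform == "win32":
        # Listing the parent through the raw path shows the names as stored,
        # not as normalized, so a hidden trailing dot or odd character appears.
        for entry in os.listdir(raw_path(parent)):
            for problem in inspect_name(entry):
                print("%r: %s" % (entry, problem))
        ok, detail = remove_dir_raw(target)
        print("raw rmdir:", detail)
        if not ok and not inspect_name(leaf):
            print("plain name and raw path both fail: look at the file system, not the path")
```

Run it on Windows as `python check_folder.py "C:\path\to\what_is_this"`; elsewhere it only performs the name inspection.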


Re: Possible garrys mod virus?

Post by Sneakyone on Sun 14 Aug 2011, 3:17 pm

Hi,

Actually, let's do some deeper checks to make sure. Be sure you change all of your passwords from a clean machine. Try and cancel that credit card as well, because people who steal them have no heart when it comes to charging them when making purchases online.


Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start, then copy/paste the following command into the search box & hit Enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



I'm livin' life in the fast lane.


Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

Re: Possible garrys mod virus?

Post by planetsngalaxies on Sun 14 Aug 2011, 9:27 pm

ComboFix 11-08-14.02 - memoirs 08/14/2011 3:11.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2752 [GMT -7:00]
Running from: c:\documents and settings\memoirs\desktop\commy.exe
Command switches used :: /stepdel
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Steam\steam.exe
.
---- Previous Run -------
.
c:\documents and settings\memoirs\Application Data\Local
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\2.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\3.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\4.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\5.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\6.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan.DVD.SCR.100thMonkey_ns.avi(2).ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan.DVD.SCR.100thMonkey_ns.avi(3).ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan.DVD.SCR.100thMonkey_ns.avi.ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan_2010_DVDSCR.XviD.AC3-Rx.avi.ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan.DVD.SCR.100thMonkey_ns.avi(2).ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan.DVD.SCR.100thMonkey_ns.avi(3).ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan.DVD.SCR.100thMonkey_ns.avi.ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan_2010_DVDSCR.XviD.AC3-Rx.avi.ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi(2).ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi.ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\video.avi(2).ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\video.avi.ddr
c:\documents and settings\memoirs\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
.
.
2011-08-13 01:18 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6F1EBDDF-1178-49AC-BAC6-6D4B14DCF1B4}\mpengine.dll
2011-08-12 08:35 . 2011-08-12 08:35 -------- d-----w- c:\documents and settings\memoirs\Application Data\.minecraft
2011-08-11 10:00 . 2011-08-11 10:00 -------- d-----w- C:\NVIDIA
2011-08-11 09:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 09:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-03 23:18 . 2011-08-03 23:18 -------- d-----w- c:\documents and settings\UpdatusUser
2011-08-03 23:18 . 2011-08-03 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-08-03 23:18 . 2011-08-03 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-08-03 23:18 . 2011-08-03 11:49 600680 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-08-03 23:18 . 2011-08-11 10:20 280276 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-08-03 23:18 . 2011-08-11 10:20 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-08-03 23:18 . 2011-08-11 10:02 280276 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-08-03 23:17 . 2011-08-03 11:49 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-08-03 23:17 . 2011-08-03 11:49 2387560 ----a-w- c:\windows\system32\nvcuvid.dll
2011-08-03 23:17 . 2011-08-03 11:49 2090088 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-08-03 23:17 . 2011-08-03 11:49 17186816 ----a-w- c:\windows\system32\nvcompiler.dll
2011-08-03 23:17 . 2011-05-25 06:09 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-07-16 01:26 . 2011-07-16 01:26 -------- d-----w- c:\documents and settings\abe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-03 23:38 . 2008-11-15 04:52 140496 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-08-03 23:38 . 2010-07-11 23:01 280736 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-08-03 23:38 . 2008-11-15 04:52 280736 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-08-03 23:26 . 2008-11-15 04:52 280768 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-08-03 11:49 . 2010-12-29 06:19 875112 ----a-w- c:\windows\system32\nvgenco32.dll
2011-07-15 19:49 . 2009-05-10 06:25 313208 ----a-w- c:\windows\system32\TubeFinder.exe
2011-07-15 13:29 . 2004-08-03 23:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 03:39 . 2009-06-07 17:24 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-08 14:02 . 2004-12-01 10:46 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-11-03 13:15 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2004-08-04 00:56 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2004-08-03 22:59 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2004-08-03 22:59 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 00:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 00:02 . 2008-11-30 03:20 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-06-16 00:02 . 2008-11-30 03:20 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2004-08-03 23:17 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 16:11 . 2010-06-19 03:42 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-06-19 03:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 02:14 . 2010-06-13 14:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-16 04:17 . 2011-03-23 05:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe
[-] 2009-08-07 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
[-] 2009-08-07 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe
.
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2005-04-07 . 45757077A47C68A603A79B03A1A836AB . 1032192 . . [6.00.2900.2649] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB884883$\explorer.exe
.
[-] 2008-04-14 . 0B720CAE71F51A2B93811816F187BC0A . 224256 . . [5.1.2600.5512] . . c:\windows\regedit.exe
[-] 2008-04-14 . 0B720CAE71F51A2B93811816F187BC0A . 224256 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe
[7] 2004-08-04 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regedit.exe
.
[-] 2008-04-14 . AAC9DAE0E7C43BD26C43FC7436E2F1B0 . 832512 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\program files\Core Temp\Core Temp.exe" [2010-10-03 470544]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MDS_Menu"="c:\program files\Olympus\ib\MUITransfer\MUIStartMenu.exe" [2010-07-01 220336]
"RTHDCPL"="RTHDCPL.EXE" [2011-03-22 20053096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
.
c:\documents and settings\memoirs\Start Menu\Programs\Startup\
nvidiaInspector.lnk - c:\documents and settings\memoirs\Desktop\nvidia Inspector\nvidiaInspector.exe [2011-1-25 530432]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^memoirs^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\memoirs\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^memoirs^Start Menu^Programs^Startup^Shortcut to steamstart.lnk]
path=c:\documents and settings\memoirs\Start Menu\Programs\Startup\Shortcut to steamstart.lnk
backup=c:\windows\pss\Shortcut to steamstart.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
c:\pchelpforum\CF26829.cfxxe [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivX Download Manager]
2010-12-08 21:15 63360 ----a-w- c:\program files\DivX\DivX Plus Web Player\DDMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-01-10 23:25 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-05-24 04:25 136176 ----atw- c:\documents and settings\memoirs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-05-29 16:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Olympus ib]
2010-09-30 18:47 93360 ------w- c:\program files\Olympus\ib\olycamdetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-11-11 20:55 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneBusEnum"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"MBAMService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.patch.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\pirates, vikings, and knights ii\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Microsoft Games\\Rome at War\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\ricochet\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fate of the world\\bin\\fotw.exe"=
"c:\\Program Files\\Ubisoft\\Dawn of Discovery\\tools\\Anno4Web.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dino d-day\\dinodday.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dino d-day\\srcds.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\garrysmod\\hl2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8380:TCP"= 8380:TCP:*:Disabled:League of Legends Launcher
"8380:UDP"= 8380:UDP:*:Disabled:League of Legends Launcher
"6892:TCP"= 6892:TCP:*:Disabled:League of Legends Launcher
"6892:UDP"= 6892:UDP:*:Disabled:League of Legends Launcher
.
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [8/3/2011 4:18 PM 2255464]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\memoirs\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\memoirs\LOCALS~1\Temp\ALSysIO.sys [?]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/24/2010 6:30 PM 1691480]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/15/2009 1:07 PM 25832]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/18/2010 8:42 PM 22712]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 1:57 PM 268528]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/18/2010 8:42 PM 366640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALSYSIO
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1454471165-839522115-1007Core.job
- c:\documents and settings\memoirs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-24 04:25]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1454471165-839522115-1007UA.job
- c:\documents and settings\memoirs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-24 04:25]
.
2011-08-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
FF - ProfilePath - c:\documents and settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol 120\axcmd.exe
MSConfigStartUp-Steam - c:\program files\Steam\steam.exe
AddRemove-SimCity 3000 - c:\program files\Maxis\SimCity 3000\Uninst.isu
AddRemove-Steam App 130 - c:\program files\Steam\steam.exe
AddRemove-Steam App 17510 - c:\program files\Steam\steam.exe
AddRemove-Steam App 17570 - c:\program files\Steam\steam.exe
AddRemove-Steam App 17700 - c:\program files\Steam\steam.exe
AddRemove-Steam App 20 - c:\program files\Steam\steam.exe
AddRemove-Steam App 215 - c:\program files\Steam\steam.exe
AddRemove-Steam App 218 - c:\program files\Steam\steam.exe
AddRemove-Steam App 220 - c:\program files\Steam\steam.exe
AddRemove-Steam App 22380 - c:\program files\Steam\steam.exe
AddRemove-Steam App 24400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 30 - c:\program files\Steam\steam.exe
AddRemove-Steam App 380 - c:\program files\Steam\steam.exe
AddRemove-Steam App 400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 4000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 41700 - c:\program files\Steam\steam.exe
AddRemove-Steam App 420 - c:\program files\Steam\steam.exe
AddRemove-Steam App 43110 - c:\program files\Steam\steam.exe
AddRemove-Steam App 440 - c:\program files\Steam\steam.exe
AddRemove-Steam App 4500 - c:\program files\Steam\steam.exe
AddRemove-Steam App 50 - c:\program files\Steam\steam.exe
AddRemove-Steam App 500 - c:\program files\Steam\steam.exe
AddRemove-Steam App 550 - c:\program files\Steam\steam.exe
AddRemove-Steam App 57300 - c:\program files\Steam\steam.exe
AddRemove-Steam App 60 - c:\program files\Steam\steam.exe
AddRemove-Steam App 620 - c:\program files\Steam\steam.exe
AddRemove-Steam App 67000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 70000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 80200 - c:\program files\Steam\steam.exe
AddRemove-Steam App 8930 - c:\program files\Steam\steam.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2011-08-14 03:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1123561945-1454471165-839522115-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c9,8d,dc,fa,21,f9,1b,5d,d9,77,1f,99,cb,a7,cc,f7,05,88,12,3d,7b,77,b1,
4e,0b,7e,ca,eb,d7,0b,24,68,c3,b7,e7,08,0d,91,35,ce,4f,1a,41,32,00,2a,8d,16,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-1123561945-1454471165-839522115-1007\Software\SecuROM\License information*]
"datasecu"=hex:c5,27,bd,de,1a,73,7c,f6,df,77,56,df,7a,35,ec,ef,53,a2,eb,9c,8c,
af,dc,3a,38,17,48,1f,5e,aa,34,f7,bc,6b,21,59,00,a8,84,2b,63,31,4c,77,1d,b8,\
"rkeysecu"=hex:d6,d6,4e,6f,9d,d6,91,1f,67,26,d8,e2,98,68,ce,07
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\nvLsp.dll
.
Completion time: 2011-08-14 03:23:34
ComboFix-quarantined-files.txt 2011-08-14 10:23
ComboFix2.txt 2010-07-07 19:52
.
Pre-Run: 31,268,020,224 bytes free
Post-Run: 31,287,857,152 bytes free
.
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 917258D82BFDD1753C05AA2A832DB405

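The Sigcheck section of the log above lists several copies of each core system binary (the live copy under c:\windows or system32, plus the ServicePackFiles, dllcache, ERDNT and $Nt...Uninstall$ backups) with their MD5, size and version string. The comparison a responder actually makes by eye is: does the copy Windows runs carry the same hash as a backup copy of the same version? A same-version, different-hash pair is a lead to verify against a known-good hash for that exact build, nothing more; the log's own note applies, and backups can legitimately lag. The script below automates that comparison over the Sigcheck lines quoted from the log. It is an added example written for this thread, not part of ComboFix, and it assumes the default C:\WINDOWS layout the log shows.

```python
"""Parse the Sigcheck section of a ComboFix log and flag copies of the same
system binary that share a version string but not an MD5 hash.

Added example, not part of ComboFix; it does not decide whether a file is
malicious. SAMPLE_LOG is the Sigcheck block from the log posted in the thread.
"""
import re
from collections import defaultdict

# One record per line: [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Directories holding the copy Windows actually runs (assumes the default
# C:\WINDOWS layout seen in the log). Everything else is a backup or cache:
# ServicePackFiles\i386, system32\dllcache, ERDNT\cache, $Nt...Uninstall$.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}

SAMPLE_LOG = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe
[-] 2009-08-07 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
[-] 2009-08-07 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe
.
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2005-04-07 . 45757077A47C68A603A79B03A1A836AB . 1032192 . . [6.00.2900.2649] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB884883$\explorer.exe
.
[-] 2008-04-14 . 0B720CAE71F51A2B93811816F187BC0A . 224256 . . [5.1.2600.5512] . . c:\windows\regedit.exe
[-] 2008-04-14 . 0B720CAE71F51A2B93811816F187BC0A . 224256 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe
[7] 2004-08-04 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regedit.exe
.
[-] 2008-04-14 . AAC9DAE0E7C43BD26C43FC7436E2F1B0 . 832512 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck record; headers, notes and '.' separators are skipped."""
    records = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["path"] = rec["path"].lower()          # NTFS names are case-insensitive
        rec["dir"], _, rec["name"] = rec["path"].rpartition("\\")
        records.append(rec)
    return records


def find_mismatches(records):
    """Pair each live copy with every backup copy of the same file name and
    version string; return the pairs whose MD5 hashes differ."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    findings = []
    for name in sorted(by_name):
        copies = by_name[name]
        live = [c for c in copies if c["dir"] in LIVE_DIRS]
        backups = [c for c in copies if c["dir"] not in LIVE_DIRS]
        for l in live:
            for b in backups:
                if b["version"] == l["version"] and b["md5"] != l["md5"]:
                    findings.append({
                        "name": name, "version": l["version"],
                        "live": l["path"], "live_md5": l["md5"], "live_size": l["size"],
                        "backup": b["path"], "backup_md5": b["md5"], "backup_size": b["size"],
                    })
    return findings


def names_without_live_copy(records):
    """Binaries for which only backups were listed: nothing can be said about
    the copy that actually runs, so they need a separate look."""
    names = sorted({r["name"] for r in records})
    return [n for n in names
            if not any(r["name"] == n and r["dir"] in LIVE_DIRS for r in records)]


if __name__ == "__main__":
    recs = parse_sigcheck(SAMPLE_LOG)
    for f in find_mismatches(recs):
        print("%s %s: live %s (%s, %d bytes) != backup %s (%s, %d bytes)" % (
            f["name"], f["version"], f["live"], f["live_md5"], f["live_size"],
            f["backup"], f["backup_md5"], f["backup_size"]))
    print("no live copy listed:", names_without_live_copy(recs))
```

Against the posted log this flags explorer.exe (live copy differs from the ERDNT cache copy of the same version) and wuauclt.exe twice (live copy differs from both the ERDNT and dllcache copies), while regedit.exe is clean because its live copy matches the ServicePackFiles copy; iexplore.exe has no live copy in the list at all. The matching pair for each flagged file (ServicePackFiles) is the first thing to compare against a vendor hash before drawing any conclusion.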

Re: Possible garrys mod virus?

Post by Sneakyone on Mon 15 Aug 2011, 2:52 pm

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DeQuarantine::
    c:\qoobox\quarantine\c\program files\Steam\steam.exe.vir

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


