Internet Connection Getting Heavy Spikes - Security Cadets Forum
Posted 31 July 2009 - 07:55 PM
First of all I'd like to greet everybody that's here and to thank you for the time you took to read this.
Second, I'd like to guide you into my problem.
So basically my ping is 40 for 1-2 sec, goes up to 12000 for a few min, goes back to 40 for 1-2 sec, etc.
It doesn't happen regularly; it can be 12k for hours as well.
So the first thing I think of is X-NetStat Pro.
I run it and I see LOADS of mail1.random and mail.random having a lot of bytes out.
I made like hundreds of rules to kill such processes but they keep respawning under different names.
Ran a scan with Avira - nothing; with Avast (preboot and normal deep) - found nothing.
Ran a scan with Malwarebytes' Anti-Malware and came up with this:
Malwarebytes' Anti-Malware 1.39
Database version: 2532
Windows 5.1.2600 Service Pack 3
7/31/2009 12:45:57 AM
mbam-log-2009-07-31 (00-45-57).txt
Scan type: Quick Scan
Objects scanned: 82428
Time elapsed: 5 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\do_not_delete (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\do_not_delete (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\do_not_delete (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\do_not_delete (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Fish\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
I tried to kill it, can't.. Can't delete files, can't install ESET Smart Security/NOD32, can't change boot config so do_not_delete and reader_s can't run, etc.
Basically I've tried everything and I'm stuck, so I'm asking for your help.
The funny thing is I got it off a 5210 XpressMusic phone when I plugged it into USB as data storage.
I guess the virus/malware, whatever it is, was being a parasite waiting for a PC to spread to.
Here's a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:05 PM, on 7/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
D:\MadCracker Ultima\mirc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
R3 - URLSearchHook: mobilewitch Toolbar - {fcbf663e-8530-46f8-a880-ac5abe9d2b23} - C:\Program Files\mobilewitch\tbmobi.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: mobilewitch Toolbar - {fcbf663e-8530-46f8-a880-ac5abe9d2b23} - C:\Program Files\mobilewitch\tbmobi.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: mobilewitch Toolbar - {fcbf663e-8530-46f8-a880-ac5abe9d2b23} - C:\Program Files\mobilewitch\tbmobi.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSN] C:\Windows\svrse.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Fish\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ms18_word] C:\Documents and Settings\Fish\ms18_word.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910- - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910- - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1245884341358
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O23 - Service: avast! IAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
--
End of file - 6382 bytes
If it's not too much trouble, an answer within the day would be great, because atm the Avast mail filter is the only thing that's keeping my connection good, rendering my PC useless and really slow.
Thanks again
-F!Sh
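Two things in the post above lend themselves to a few lines of triage code: the X-NetStat observation (one machine opening many outbound connections to mail*.* hosts with bytes going out) and the HijackThis O4 autorun lines. The block below is an added example written for this page; it is not a tool from the thread or from any product named in it. The netstat lines are a constructed sample in `netstat -ano` layout (addresses and PIDs are made up); the O4 lines are quoted from the log above. The autorun heuristics (entry in the SYSTEM or .DEFAULT hive, Policies\Explorer\Run key, binary in the Windows root or a profile root, autorun that launches a built-in admin tool) are the example author's own rules of thumb, not a classification from Malwarebytes or HijackThis, and a hit means "look closer", not "malicious".

```python
"""Added triage helpers: (1) outbound SMTP fan-out per process from netstat
output, (2) heuristic scoring of HijackThis O4 autorun lines."""
import re
from collections import defaultdict

# (1) Constructed sample in `netstat -ano` layout (addresses/PIDs are made up).
# PID 1412 is opening connections to five different mail servers on TCP/25;
# PID 2288 is an ordinary browser session.
NETSTAT_SAMPLE = """\
  TCP    192.168.1.5:1043    198.51.100.10:25     ESTABLISHED  1412
  TCP    192.168.1.5:1044    198.51.100.11:25     SYN_SENT     1412
  TCP    192.168.1.5:1045    203.0.113.7:25       ESTABLISHED  1412
  TCP    192.168.1.5:1046    203.0.113.8:25       SYN_SENT     1412
  TCP    192.168.1.5:1047    192.0.2.25:25        SYN_SENT     1412
  TCP    192.168.1.5:1050    192.0.2.80:443       ESTABLISHED  2288
  TCP    192.168.1.5:1051    192.0.2.80:80        ESTABLISHED  2288
"""
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")  # IPv4 only


def smtp_fanout(netstat_text, threshold=3):
    """Map PID -> set of remote hosts for PIDs talking to at least `threshold`
    distinct hosts on TCP/25 or 587.  A mail client uses one or two servers;
    a spam engine contacts many MX hosts in a short time."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _lip, _lport, rip, rport, _state, pid = m.groups()
        if rport in ("25", "587"):
            by_pid[int(pid)].add(rip)
    return {pid: hosts for pid, hosts in by_pid.items() if len(hosts) >= threshold}


# (2) O4 lines quoted from the HijackThis log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MSN] C:\Windows\svrse.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Fish\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ms18_word] C:\Documents and Settings\Fish\ms18_word.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')
"""
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs))\b', re.IGNORECASE)
SYSTEM_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT", r"HKU\S-1-5-18", r"HKU\.DEFAULT"}
ADMIN_TOOLS = {"regedit.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+$")


def classify(hive, key, path):
    """Example author's heuristics; each returned string is one reason to look closer."""
    reasons = []
    parent, _, base = path.lower().rpartition("\\")
    if hive.upper() in SYSTEM_HIVES:
        reasons.append("autorun lives in the SYSTEM/.DEFAULT hive")
    if "policies\\explorer\\run" in key.lower():
        reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate installers")
    if parent in ("c:\\windows", "c:\\winnt") or PROFILE_ROOT.match(parent):
        reasons.append("binary sits in the Windows root or a profile root")
    if base in ADMIN_TOOLS:
        reasons.append("autorun launches a built-in admin tool")
    return reasons


def triage_autoruns(hjt_text):
    """Return [(value name, path, reasons)] for every O4 line with >= 1 reason."""
    flagged = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.match(m.group("cmd"))
        path = pm.group("path") if pm else m.group("cmd")
        reasons = classify(m.group("hive"), m.group("key"), path)
        if reasons:
            flagged.append((m.group("name"), path, reasons))
    return flagged


if __name__ == "__main__":
    for pid, hosts in smtp_fanout(NETSTAT_SAMPLE).items():
        print(f"PID {pid}: {len(hosts)} distinct SMTP peers -> {sorted(hosts)}")
    for name, path, reasons in triage_autoruns(HJT_SAMPLE):
        print(f"[{name}] {path}\n    " + "\n    ".join(reasons))
```

On the sample data the fan-out check singles out the one PID with five distinct SMTP peers, and the autorun pass flags MSN, Regedit32, do_not_delete, reader_s and ms18_word while leaving the vendor entries (ATI, Java, Adobe, avast!, Messenger, Uniblue) alone. The path rule is deliberately narrow: a binary directly under the Windows root or directly under a user's profile folder is unusual for installed software, but system32 itself is not flagged, which is why the do_not_delete entries are caught by the hive and Policies rules instead.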
Posted 31 July 2009 - 10:14 PM
Hello & Welcome to Security Cadets
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted.
To do this click Watch this topic .
Make sure it is set to Immediate Email Notification , then click Proceed .
In the meantime please note the following:
Any recommendations made are for your computer problems only and should NOT be used on any other computer.
Please DO NOT run any scans/tools or other fixes unless I ask you to.
This is very important for several reasons.
Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections.
This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
It will require more than one round to properly clean your system.
Continue to respond to this thread until I give you the All Clean!
Even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here.
We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.
Thanks
DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
Double-Click on dds.scr and a command window will appear.
This is normal
Shortly after, two logs will appear: DDS.txt & Attach.txt
A window will open instructing you to save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here .
Double click the .exe file.
If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO
In the right panel, you will see several boxes that have been checked.
Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
Save it where you can easily find it, such as your desktop, and post it in your reply
**Caution**
Rootkit scans often produce false positives.
Do NOT take any action on any "<--- ROOTKIT" entries
Note: Do not run any programs while Gmer is running.
I'd also like you to do the following:
View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK
Upload Files for Scanning
Go to VirSCAN & upload the following File/s for scanning.
Copy & paste the following File & Path in the text box next to the Browse button.
c:\windows\system32\winlogon.exe
Click Upload .
Wait for scans to finish then copy & paste the results into your next reply.
Following the instructions above do the same for:
c:\windows\system32\csrss.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
VirSCAN Results logs
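The reply asks for four core system binaries (winlogon.exe, csrss.exe, services.exe, lsass.exe) to be uploaded for multi-engine scanning. A practitioner usually pairs that with a local integrity check: a scanner only reports signatures it knows, while a hash mismatch against a baseline taken from a clean install of the same service pack catches any modification. The block below is an added example written for this page, not a tool from the thread or from any vendor named in it. It builds a SHA-256 manifest of the four files and diffs it against a baseline; the files are stand-ins created in a temporary directory (constructed content, not real PE images) so the script runs offline, and on a real machine the caller would point `manifest()` at the system32 directory and at a clean reference copy (hypothetical usage). One caveat that matters on exactly this kind of box: if a rootkit is active, the process doing the hashing can be shown a clean view of a hooked file, which is one reason the reply also asks for a GMER scan. A baseline comparison is only trustworthy when run from clean boot media or against an offline copy of the disk.

```python
"""Added example: SHA-256 manifest of the core binaries the reply asks to have
scanned, diffed against a baseline from a known-clean install.  Stand-in files
are created in a temp dir so the script runs anywhere."""
import hashlib
import os
import tempfile

CORE_BINARIES = ("winlogon.exe", "csrss.exe", "services.exe", "lsass.exe")


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(directory, names=CORE_BINARIES):
    """name -> (size, sha256), or None when the file is absent."""
    result = {}
    for name in names:
        p = os.path.join(directory, name)
        result[name] = (os.path.getsize(p), sha256_file(p)) if os.path.isfile(p) else None
    return result


def compare(baseline, current):
    """name -> 'ok' | 'changed' | 'missing' | 'unexpected' | 'absent'.
    'unexpected' means the file exists now but was not in the clean baseline;
    'missing' means the baseline had it and it is gone."""
    verdicts = {}
    for name in set(baseline) | set(current):
        b, c = baseline.get(name), current.get(name)
        if b is None and c is None:
            verdicts[name] = "absent"
        elif b is None:
            verdicts[name] = "unexpected"
        elif c is None:
            verdicts[name] = "missing"
        else:
            verdicts[name] = "ok" if b == c else "changed"
    return verdicts


def demo():
    """Constructed scenario: 'clean' and 'suspect' dirs with stand-in files;
    services.exe is altered in the suspect dir (same size, different bytes)
    and lsass.exe is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        suspect = os.path.join(tmp, "suspect")
        os.makedirs(clean)
        os.makedirs(suspect)
        for name in CORE_BINARIES:
            body = b"MZ" + name.encode() * 100   # stand-in content, not a real PE
            with open(os.path.join(clean, name), "wb") as f:
                f.write(body)
            if name == "lsass.exe":
                continue
            if name == "services.exe":
                body = body[:-3] + b"XXX"          # size unchanged, hash changes
            with open(os.path.join(suspect, name), "wb") as f:
                f.write(body)
        return compare(manifest(clean), manifest(suspect))


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:14s} {verdict}")
```

The size is recorded alongside the hash on purpose: logs like the DDS output in this thread list file sizes, so a size that matches a clean reference is a quick first filter, but only the hash settles it, as the altered services.exe in the demo shows.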
Posted 31 July 2009 - 11:23 PM
Thanks for the fast reply, here are the logs you requested:
DDS:
DDS (Ver_09-07-30.01) - NTFSx86
Run by Fish at 0:31:00.73 on Sat 08/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.289 [GMT 2:00]
AV: avast! Antivirus 4.8.1335 [VPS 090731-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
Running Processes
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fish\My Documents\Downloads\dds.scr
Pseudo HJT Report
uURLSearchHooks: mobilewitch Toolbar: {fcbf663e-8530-46f8-a880-ac5abe9d2b23} - c:\program files\mobilewitch\tbmobi.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: mobilewitch Toolbar: {fcbf663e-8530-46f8-a880-ac5abe9d2b23} - c:\program files\mobilewitch\tbmobi.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: mobilewitch Toolbar: {fcbf663e-8530-46f8-a880-ac5abe9d2b23} - c:\program files\mobilewitch\tbmobi.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Uniblue SpeedUpMyPC] c:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe -s
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSN] c:\windows\svrse.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
dRun: [reader_s] c:\documents and settings\fish\reader_s.exe
dRun: [ms18_word] c:\documents and settings\fish\ms18_word.exe
dExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
StartupFolder: c:\docume~1\fish\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %SystemRoot%\system32\PrxerDrv.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245884341358
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
FIREFOX
FF - ProfilePath - c:\docume~1\fish\applic~1\mozilla\firefox\profiles\rf21p1z6.default\
FF - plugin: c:\documents and settings\fish\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
SERVICES / DRIVERS
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-30 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-30 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-30 138680]
R2 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-12-27 51816]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-30 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-30 352920]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-30 12672]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> C:\windows\system32\GameMon.des -service [?]
Created Last 30
2009-07-31 21:40 <DIR> --d c:\program files\Trend Micro
2009-07-31 00:38 <DIR> --d c:\docume~1\fish\applic~1\Malwarebytes
2009-07-31 00:38 38,160 a c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 00:38 19,096 a c:\windows\system32\drivers\mbam.sys
2009-07-31 00:38 <DIR> --d c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-31 00:38 <DIR> --d c:\program files\Malwarebytes' Anti-Malware
2009-07-31 00:10 <DIR> --d c:\docume~1\fish\applic~1\X-NetStat
2009-07-31 00:10 <DIR> --d c:\program files\X-NetStat Professional
2009-07-31 00:01 <DIR> --d c:\documents and settings\fish\.housecall6.6
2009-07-30 23:39 1,060,864 a c:\windows\system32\MFC71.dll
2009-07-30 23:39 499,712 a c:\windows\system32\MSVCP71.dll
2009-07-30 23:39 348,160 a c:\windows\system32\MSVCR71.dll
2009-07-30 01:46 <DIR> --d c:\program files\WinPcap
2009-07-30 01:46 <DIR> --d c:\program files\LineAge Utils
2009-07-30 01:41 55,640 a c:\windows\system32\drivers\avgntflt.sys
2009-07-30 01:27 361,600 a c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-29 19:31 135,367 a C:\gangsta init.jpg
2009-07-28 16:53 <DIR> --d c:\docume~1\fish\applic~1\Lineage Utils - Beta
2009-07-28 16:53 <DIR> --d c:\program files\LineAge Utils - Beta
2009-07-28 16:51 <DIR> --d c:\program files\Auto Combat Points
2009-07-26 20:13 182,656 ac c:\windows\system32\dllcache\ndis.sys
2009-07-26 20:11 1 a c:\windows\system32\_id.dat
2009-07-17 10:49 <DIR> --d C:\Samsung
2009-07-16 10:52 <DIR> --d c:\docume~1\alluse~1\applic~1\Uniblue
2009-07-16 10:47 20,232 a c:\windows\system32\AntiSpyNative64.exe
2009-07-16 10:47 16,648 a c:\windows\system32\AntiSpyNative32.exe
2009-07-15 04:36 <DIR> --d c:\program files\Uniblue
2009-07-15 04:36 <DIR> --d c:\docume~1\fish\applic~1\Uniblue
2009-07-15 04:36 <DIR> --d c:\docume~1\alluse~1\applic~1\DriverScanner
2009-07-15 04:35 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-07-13 21:29 <DIR> --d c:\program files\Ventrilo
2009-07-13 21:28 262 a c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-07-13 21:27 <DIR> --d c:\program files\common files\Wise Installation Wizard
2009-07-11 05:04 1,270 a C:\test4.bmp
2009-07-11 05:00 1,270 a C:\test3.bmp
2009-07-11 04:57 1,270 a C:\test2.bmp
2009-07-11 04:55 1,270 a C:\test1.bmp
2009-07-09 00:55 73,728 a c:\windows\system32\PrxerDrv.dll
2009-07-09 00:55 61,440 a c:\windows\system32\PrxerNsp.dll
2009-07-09 00:55 11,264 a c:\windows\system32\SPORDER.DLL
2009-07-09 00:55 <DIR> --d c:\program files\Proxifier
2009-07-08 05:52 5,174 a c:\windows\system32\nppt9x.vxd
2009-07-08 05:52 4,682 a c:\windows\system32\npptNT2.sys
2009-07-05 19:38 <DIR> --d c:\docume~1\fish\applic~1\TeamViewer
2009-07-05 19:38 <DIR> --d c:\program files\TeamViewer
2009-07-05 19:37 <DIR> --d c:\documents and settings\fish\temp
2009-07-03 05:28 1,846,632 a c:\windows\system32\D3DCompiler_41.dll
2009-07-03 05:27 3,495,784 a c:\windows\system32\d3dx9_33.dll
2009-07-03 05:22 <DIR> --d c:\windows\Logs
2009-07-02 04:18 2,769,658 a c:\windows\system32\GameMon.des
2009-07-02 04:09 <DIR> --d c:\program files\common files\INCA Shared
2009-07-02 03:11 <DIR> --d c:\program files\NCSoft
2009-07-02 03:10 <DIR> --d c:\docume~1\fish\applic~1\GetRightToGo
Find3M
2009-07-30 01:27 361,600 a c:\windows\system32\drivers\TCPIP.SYS
2009-07-26 20:13 182,656 a c:\windows\system32\drivers\ndis.sys
2009-06-30 14:45 218,624 a c:\windows\system32\uxtheme.dll
2009-06-29 04:08 721,904 a c:\windows\system32\drivers\sptd.sys
2009-06-26 18:50 666,624 a c:\windows\system32\wininet.dll
2009-06-26 18:50 81,920 c:\windows\system32\ieencode.dll
2009-06-26 17:25 86,327 a c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-24 19:00 410,984 a c:\windows\system32\deploytk.dll
2009-06-24 17:35 21,640 a c:\windows\system32\emptyregdb.dat
2009-06-16 16:36 119,808 a c:\windows\system32\t2embed.dll
2009-06-16 16:36 81,920 a c:\windows\system32\fontsub.dll
2009-06-03 21:09 1,291,264 a c:\windows\system32\quartz.dll
2009-05-07 17:32 345,600 a c:\windows\system32\localspl.dll
FINISH: 0:31:40.32
ATTACH:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/24/2009 5:39:19 PM
System Uptime: 7/31/2009 12:47:46 AM (24 hours ago)
Motherboard: | | MS-7030
Processor: AMD Sempron Processor 3100+ | Socket 754 | 1808/200mhz
==== Disk Partitions
A: is Removable
C: is FIXED (NTFS) - 19 GiB total, 4.137 GiB free.
D: is FIXED (NTFS) - 56 GiB total, 17.912 GiB free.
E: is CDROM ()
F: is CDROM ()
==== Disabled Device Manager Items
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_00E4&SUBSYS_70301462&REV_A1\3&13C0B0C5&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_00E4&SUBSYS_70301462&REV_A1\3&13C0B0C5&0&09
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_10EC&DEV_8169&SUBSYS_030C1462&REV_10\4&3191A3E6&0&6870
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10EC&DEV_8169&SUBSYS_030C1462&REV_10\4&3191A3E6&0&6870
Service:
==== System Restore Points
RP67: 7/16/2009 10:13:42 AM - System Checkpoint
RP68: 7/16/2009 10:47:51 AM - Software Distribution Service 3.0
RP69: 7/17/2009 5:00:09 PM - System Checkpoint
RP70: 7/18/2009 5:53:36 PM - System Checkpoint
RP71: 7/19/2009 6:05:46 PM - System Checkpoint
RP72: 7/20/2009 6:10:15 PM - System Checkpoint
RP73: 7/21/2009 6:22:55 PM - System Checkpoint
RP74: 7/22/2009 3:21:59 PM - Software Distribution Service 3.0
RP75: 7/24/2009 6:13:39 AM - System Checkpoint
RP76: 7/25/2009 6:14:49 AM - System Checkpoint
RP77: 7/26/2009 6:47:16 AM - System Checkpoint
RP78: 7/26/2009 8:27:16 PM - Installed Adobe Reader 9.1.
RP79: 7/28/2009 6:38:12 AM - System Checkpoint
RP80: 7/29/2009 9:49:59 AM - System Checkpoint
RP81: 7/30/2009 1:40:12 AM - Avira AntiVir Personal - 7/30/2009 1:40
RP82: 7/30/2009 12:33:17 PM - Software Distribution Service 3.0
RP83: 7/30/2009 11:26:56 PM - Installed ESET Smart Security
RP84: 7/30/2009 11:29:36 PM - Installed ESET Smart Security
RP85: 7/31/2009 12:33:14 AM - Malware Removal System Restore Point
==== Installed Programs
ACE Mega CoDecS Pack
ACP 2.0.4
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1.2
Adobe Shockwave Player
Ask Toolbar
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
avast! Antivirus
Bluesoleil2.7.0.13 VoIP Release 071227
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Choice Guard
CPUID HWMonitor 1.14
ERUNT 1.1j
Exteel
Garena
GOM Player
Google Chrome
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Java 6 Update 14
Junk Mail filter update
Lineage II
LineAge Utils
LineAge Utils - Beta
Magic ISO Maker v5.5 (build 0276)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Application Error Reporting
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Script 5.7
mIRC
Mobile Witch Remote Control
mobilewitch Toolbar
Mozilla Firefox (3.5.1)
MSVCRT
MSXML 6.0 Parser (KB933579)
NCsoft Launcher
Proxifier version 2.7
Realtek AC'97 Audio
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Segoe UI
Skins
Software Update for Web Folders
TeamViewer 4
Total Commander (Remove or Repair)
Uniblue DriverScanner 2009
Uniblue PowerSuite
Uniblue SpyEraser
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Ventrilo Client
WebFldrs XP
Western Australian Time Zone Update
Winamp
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows XP Service Pack 3
WinPcap 4.0.2
WinRAR archiver
World of Warcraft FREE Trial
X-NetStat Pro 5.55
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week
7/31/2009 12:48:19 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC 1' while processing the file '' on the volume 'HarddiskVolume1'.
It has stopped monitoring the volume.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file utilman.exe.
This file was restored to the original version to maintain system stability.
The file version of the system file is 5.1.2600.5512.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file tourstart.exe.
This file was restored to the original version to maintain system stability.
The file version of the system file is 6.0.2900.5512.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file osk.exe.
This file was restored to the original version to maintain system stability.
The file version of the system file is 5.1.2600.5512.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file narrator.exe.
This file was restored to the original version to maintain system stability.
The file version of the system file is 5.1.2600.5512.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file mobsync.exe.
This file was restored to the original version to maintain system stability.
The file version of the system file is 5.1.2600.5512.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file magnify.exe.
This file was restored to the original version to maintain system stability.
The file version of the system file is 5.1.2600.5512.
7/29/2009 9:46:15 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
==== End Of File
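The six Windows File Protection entries above (event 64002, all stamped 7/30/2009 10:03:46 PM) are the part of this log a helper reads first: something tried to overwrite several protected binaries within the same second, and four of them (utilman.exe, osk.exe, narrator.exe, magnify.exe) are accessibility tools that Windows can launch from the logon screen. As an added example that is not part of this thread and not output of any tool named in it, here is detection logic run over those lines: it parses the Event Viewer format used in the log, groups WFP restore events by timestamp, and flags a burst of restores that touches accessibility binaries. The sample text is copied from the log above; the accessibility watch list is my own assumption, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample: the Event Viewer lines from the log above, one event per line.
SAMPLE_EVENTS = r"""
7/31/2009 12:48:19 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC 1' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file utilman.exe.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file tourstart.exe.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file osk.exe.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file narrator.exe.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file mobsync.exe.
7/30/2009 10:03:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file magnify.exe.
7/29/2009 9:46:15 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
"""

# "M/D/YYYY H:MM:SS AM, level: source [id] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.+)$"
)
# Pulls the file name out of a WFP 64002 message (trailing period stripped).
WFP_RE = re.compile(r"protected system file (?P<file>\S+?)\.?$")

# Assumed watch list (not from the post): accessibility binaries Windows can
# start from the logon screen, so a swapped copy runs before anyone logs in.
ACCESSIBILITY_BINARIES = {"utilman.exe", "osk.exe", "narrator.exe", "magnify.exe", "sethc.exe"}


def parse_events(text):
    """Parse one-event-per-line Event Viewer output into dicts; skip lines that do not match."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def wfp_replacements(events):
    """Map timestamp -> files WFP reports as replacement targets (source WFP, event id 64002)."""
    by_ts = defaultdict(list)
    for e in events:
        if e["source"] != "Windows File Protection" or e["id"] != "64002":
            continue
        m = WFP_RE.search(e["msg"])
        if m:
            by_ts[e["ts"]].append(m.group("file").lower())
    return dict(by_ts)


def flag_bursts(replacements, min_files=3):
    """Return (timestamp, files, accessibility_hits) for timestamps with min_files or more restores."""
    alerts = []
    for ts, files in replacements.items():
        if len(files) < min_files:
            continue
        hits = [f for f in files if f in ACCESSIBILITY_BINARIES]
        alerts.append((ts, files, hits))
    return alerts


if __name__ == "__main__":
    for ts, files, hits in flag_bursts(wfp_replacements(parse_events(SAMPLE_EVENTS))):
        print(f"{ts}: {len(files)} WFP restores in one second; accessibility binaries: {hits}")
```

On the sample above this reports one burst of six restores at 10:03:46 PM, four of them accessibility binaries. The point for a reader of such logs: WFP restoring the files is good news, but the restore events are evidence that an overwrite was attempted, so the thing that attempted it still needs to be found, which is what the later ComboFix run in this thread does.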
Posted 01 August 2009 - 12:37 AM
Hi
That's fine.
Remove Programs
Click Start >
Control Panel >
Add/Remove Programs
Remove these programs by clicking Remove
Ask Toolbar
If some programs listed are not present, please do not panic
ComboFix
Download ComboFix from one of these locations ( DO NOT download ComboFix from anywhere else but one of the provided links) :
Link 1
Link 2
**IMPORTANT !!! Save ComboFix.exe to your Desktop**
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools
A guide to do this can be found here
Double click on ComboFix.exe & follow the prompts
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.
Please include the contents of **C:\ComboFix.txt** in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
To post in next reply:
ComboFix log
New HijackThis log
Update on how the computer is running
Posted 01 August 2009 - 01:31 AM
Well, to be honest, I couldn't thank you enough.
I don't see avast blocking anything anymore and my internet connection works fine even if I shut it off.
This still is a short-term testing result, but time will tell.
I'd like to ask you how to maintain my computer safe.
Mostly protected from viruses that spread via USB devices and such, because I don't use P2P and I don't click random stuff on the internet.
Keep in mind that I have a low-performance PC and any program such as avast that slows it down is not a good solution.
Thank you very much for helping me with my issue.
Here are the logs that you requested:
ComboFix :
ComboFix 09-07-31.04 - Fish 08/01/2009 2:54.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.289 [GMT 2:00]
Running from: c:\documents and settings\Fish\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus 4.8.1335 [VPS 090731-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
Other Deletions
.
c:\windows\system32\_id.dat
c:\windows\system32\drivers\ntndis.sys
.
Drivers/Services
.
\Legacy_PROTECT
Files Created from 2009-07-01 to 2009-08-01
.
2009-07-31 19:40 .
2009-07-31 19:40 d w- c:\program files\Trend Micro
2009-07-30 22:38 .
2009-07-30 22:38 d w- c:\documents and settings\Fish\Application Data\Malwarebytes
2009-07-30 22:38 .
2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-30 22:38 .
2009-07-30 22:38 d w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-30 22:38 .
2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 22:38 .
2009-07-30 22:38 d w- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 22:32 .
2009-07-30 22:32 d w- c:\program files\ERUNT
2009-07-30 22:10 .
2009-07-30 22:11 d w- c:\documents and settings\Fish\Application Data\X-NetStat
2009-07-30 22:10 .
2009-07-30 22:10 d w- c:\program files\X-NetStat Professional
2009-07-30 22:01 .
2009-07-30 22:01 d w- c:\documents and settings\Fish\.housecall6.6
2009-07-30 21:40 .
2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-30 21:40 .
2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-30 21:40 .
2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-30 21:40 .
2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-30 21:40 .
2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-30 21:40 .
2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-30 21:40 .
2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-30 21:40 .
2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-30 21:39 .
2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-30 21:39 .
2003-03-18 19:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-30 21:39 .
2003-03-18 18:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-30 21:39 .
2003-02-21 02:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-30 21:39 .
2009-07-30 21:39 d w- c:\program files\Alwil Software
2009-07-29 23:46 .
2009-07-29 23:46 d w- c:\program files\WinPcap
2009-07-29 23:46 .
2009-07-29 23:52 d w- c:\program files\LineAge Utils
2009-07-29 23:41 .
2009-03-24 14:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-28 14:53 .
2009-07-28 15:01 d w- c:\documents and settings\Fish\Application Data\Lineage Utils - Beta
2009-07-28 14:53 .
2009-07-28 14:53 d w- c:\program files\LineAge Utils - Beta
2009-07-28 14:51 .
2009-07-28 14:51 d w- c:\program files\Auto Combat Points
2009-07-26 18:29 .
2009-07-26 18:29 d w- c:\documents and settings\Fish\Local Settings\Application Data\Adobe
2009-07-26 18:27 .
2009-07-26 18:28 d w- c:\program files\Common Files\Adobe
2009-07-26 18:13 .
2009-07-26 18:13 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-07-20 19:15 .
2009-07-20 19:23 d w- c:\documents and settings\Fish\Local Settings\Application Data\SecondLife
2009-07-20 19:15 .
2009-07-20 19:15 d w- c:\documents and settings\Fish\Application Data\SecondLife
2009-07-17 18:00 .
2009-07-17 19:22 d w- c:\documents and settings\Fish\Local Settings\Application Data\Temp
2009-07-17 08:49 .
2009-07-17 08:51 d w- C:\Samsung
2009-07-16 08:52 .
2009-07-16 08:52 d w- c:\documents and settings\All Users\Application Data\Uniblue
2009-07-16 08:47 .
2009-07-06 02:10 20232 ----a-w- c:\windows\system32\AntiSpyNative64.exe
2009-07-16 08:47 .
2009-07-06 02:10 16648 ----a-w- c:\windows\system32\AntiSpyNative32.exe
2009-07-16 08:42 .
2009-07-16 08:46 25254832 ----a-w- c:\documents and settings\Fish\Application Data\Uniblue\SpyEraser\SpyEraser_Setup_7_16_2009.exe
2009-07-15 02:49 .
2009-07-15 02:49 40091352 ----a-w- c:\documents and settings\Fish\Application Data\Uniblue\DriverScanner\Download\pci_ven_1002_dev_4173_subsys_201d17af8_591_0_0000.exe
2009-07-15 02:40 .
2009-07-15 02:40 117948 ----a-w- c:\documents and settings\Fish\Application Data\Uniblue\DriverScanner\Download\monitor_hsl06ab2_15.exe
2009-07-15 02:35 .
2006-12-01 22:26 57856 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\7z1v718o.6n8\mfcm80u.dll
2009-07-15 02:34 .
2006-12-01 22:25 1093120 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\5z1v718o.6n8\mfc80u.dll
2009-07-15 02:34 .
2006-12-01 22:25 1093120 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\system32\mfc80u.dll
2009-07-15 02:34 .
2006-12-01 22:25 1101824 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\7z1v718o.6n8\mfc80.dll
2009-07-15 02:34 .
2006-12-01 22:25 1101824 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\5z1v718o.6n8\mfc80.dll
2009-07-15 02:34 .
2006-12-01 22:25 1101824 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\system32\mfc80.dll
2009-07-15 02:34 .
2006-12-01 20:56 96256 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\73t3z6j5.7ag\ATL80.dll
2009-07-15 02:34 .
2006-12-01 20:56 96256 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\53t3z6j5.7ag\ATL80.dll
2009-07-15 02:34 .
2006-12-01 20:56 96256 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\system32\ATL80.dll
2009-07-15 02:34 .
2006-12-01 20:55 114688 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\system32\Ansi\ATL80.dll
2009-07-13 19:31 .
2009-07-26 03:35 d w- c:\documents and settings\Fish\Application Data\Ventrilo
2009-07-13 19:29 .
2009-07-13 19:29 d w- c:\program files\Ventrilo
2009-07-13 19:27 .
2009-07-13 19:27 d w- c:\program files\Common Files\Wise Installation Wizard
2009-07-11 01:10 .
2009-07-11 01:10 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 01:10 .
2009-07-11 01:10 d w- c:\documents and settings\Fish\Local Settings\Application Data\Mozilla
2009-07-08 22:55 .
2007-09-25 13:40 73728 ----a-w- c:\windows\system32\PrxerDrv.dll
2009-07-08 22:55 .
2007-02-28 14:56 61440 ----a-w- c:\windows\system32\PrxerNsp.dll
2009-07-08 22:55 .
1997-06-06 13:52 11264 ----a-w- c:\windows\system32\SPORDER.DLL
2009-07-08 22:55 .
2009-07-08 22:55 d w- c:\program files\Proxifier
2009-07-08 03:52 .
2009-04-06 08:08 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-07-05 17:38 .
2009-07-05 21:06 d w- c:\documents and settings\Fish\Application Data\TeamViewer
2009-07-05 17:38 .
2009-07-05 17:38 d w- c:\program files\TeamViewer
2009-07-05 17:37 .
2009-07-05 17:37 d w- c:\documents and settings\Fish\temp
2009-07-03 03:27 .
2007-03-12 14:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2009-07-03 03:22 .
2009-07-03 03:22 d w- c:\windows\Logs
2009-07-02 21:32 .
2009-07-02 21:32 d w- c:\documents and settings\Fish\Application Data\InstallShield
2009-07-02 12:18 .
2009-07-02 12:18 d w- c:\windows\Sun
2009-07-02 02:18 .
2009-07-02 14:16 d w- c:\documents and settings\Fish\Local Settings\Application Data\DF
2009-07-02 02:09 .
2009-07-02 02:09 d w- c:\program files\Common Files\INCA Shared
.
Find3M Report
.
2009-07-29 23:27 .
2009-07-29 23:27 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-29 23:27 .
2001-08-23 12:00 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-07-29 19:52 .
2009-06-24 15:44 d w- c:\documents and settings\Fish\Application Data\U3
2009-07-26 18:13 .
2001-08-23 12:00 182656 w- c:\windows\system32\drivers\ndis.sys
2009-07-22 13:31 .
2009-06-24 23:58 d w- c:\program files\Microsoft Silverlight
2009-07-17 14:08 .
2009-07-15 02:36 d w- c:\documents and settings\Fish\Application Data\Uniblue
2009-07-16 02:22 .
2009-07-15 02:36 d w- c:\program files\Uniblue
2009-07-15 03:02 .
2009-06-24 16:24 d w- c:\program files\ATI
2009-07-15 02:38 .
2009-07-15 02:36 d w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-07-15 02:36 .
2009-07-15 02:35 dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-07-11 01:29 .
2009-06-24 23:57 d w- c:\program files\Windows Live
2009-07-08 03:26 .
2009-06-24 16:23 d--h--w- c:\program files\InstallShield Installation Information
2009-07-04 08:07 .
2009-06-24 16:28 14128 ----a-w- c:\documents and settings\Fish\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 01:11 .
2009-07-02 01:11 d w- c:\program files\NCSoft
2009-07-02 01:10 .
2009-07-02 01:10 d w- c:\documents and settings\Fish\Application Data\GetRightToGo
2009-07-01 16:10 .
2009-07-01 16:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-30 12:58 .
2009-06-30 12:58 d w- c:\program files\CPUID
2009-06-30 12:45 .
2001-08-23 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-06-29 04:06 .
2009-07-15 02:36 2653070 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
2009-06-29 02:37 .
2009-06-29 02:37 d w- c:\documents and settings\All Users\Application Data\Blizzard
2009-06-29 02:15 .
2009-06-29 02:08 d w- c:\documents and settings\Fish\Application Data\DAEMON Tools Pro
2009-06-29 02:12 .
2009-06-29 02:11 d w- c:\program files\DAEMON Tools Pro
2009-06-29 02:11 .
2009-06-29 02:11 d w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-06-29 02:08 .
2009-06-29 02:08 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-27 23:49 .
2009-06-26 23:21 d w- c:\program files\Warcraft III
2009-06-27 23:06 .
2009-06-26 23:26 d w- c:\program files\Garena
2009-06-27 19:14 .
2009-06-27 01:06 d w- c:\program files\Mobile Witch Remote Control
2009-06-27 14:17 .
2009-06-27 14:17 d w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-06-27 14:15 .
2009-06-27 14:15 d w- c:\program files\IVT Corporation
2009-06-27 01:12 .
2009-06-27 00:51 d w- c:\program files\Winamp
2009-06-27 01:11 .
2009-06-27 00:51 d w- c:\documents and settings\Fish\Application Data\Winamp
2009-06-27 01:10 .
2009-06-27 01:10 d w- c:\program files\AVSociety
2009-06-27 01:06 .
2009-06-27 01:06 d w- c:\program files\mobilewitch
2009-06-27 01:06 .
2009-06-27 01:06 d w- c:\program files\Conduit
2009-06-26 22:51 .
2009-06-26 22:51 d w- c:\documents and settings\Fish\Application Data\GHISLER
2009-06-26 21:31 .
2009-06-26 21:31 d w- c:\program files\Realtek AC97
2009-06-26 16:50 .
2001-08-23 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 .
2009-06-24 23:38 81920 w- c:\windows\system32\ieencode.dll
2009-06-26 15:25 .
2009-06-24 15:36 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-06-25 18:06 .
2009-06-25 18:06 d w- c:\documents and settings\Fish\Application Data\ATI
2009-06-25 18:06 .
2009-06-25 18:06 d w- c:\documents and settings\All Users\Application Data\ATI
2009-06-25 17:46 .
2009-06-25 17:46 65800 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-25 17:45 .
2009-06-25 17:45 d w- c:\program files\MSBuild
2009-06-25 17:45 .
2009-06-25 17:45 d w- c:\program files\Reference Assemblies
2009-06-25 17:27 .
2009-06-25 17:27 d w- c:\program files\MSXML 6.0
2009-06-25 11:18 .
2009-06-25 11:17 d w- c:\program files\ACE Mega CoDecS Pack
2009-06-25 11:11 .
2009-06-25 11:11 d w- c:\documents and settings\Fish\Application Data\GRETECH
2009-06-25 11:10 .
2009-06-25 11:10 d w- c:\program files\GRETECH
2009-06-25 02:50 .
2009-06-26 22:51 545 ----a-w- c:\windows\UC.PIF
2009-06-25 02:50 .
2009-06-26 22:51 545 ----a-w- c:\windows\RAR.PIF
2009-06-25 02:50 .
2009-06-26 22:51 545 ----a-w- c:\windows\PKZIP.PIF
2009-06-25 02:50 .
2009-06-26 22:51 545 ----a-w- c:\windows\PKUNZIP.PIF
2009-06-25 02:50 .
2009-06-26 22:51 545 ----a-w- c:\windows\NOCLOSE.PIF
2009-06-25 02:50 .
2009-06-26 22:51 545 ----a-w- c:\windows\LHA.PIF
2009-06-25 02:50 .
2009-06-26 22:51 545 ----a-w- c:\windows\ARJ.PIF
2009-06-24 23:58 .
2009-06-24 23:58 d w- c:\program files\Microsoft
2009-06-24 23:58 .
2009-06-24 23:58 d w- c:\program files\Windows Live SkyDrive
2009-06-24 23:53 .
2009-06-24 23:53 d w- c:\program files\Common Files\Windows Live
2009-06-24 22:24 .
2009-06-24 22:24 d w- c:\program files\MagicISO
2009-06-24 22:06 .
2009-06-24 22:06 d w- c:\documents and settings\Fish\Application Data\Nero
2009-06-24 17:00 .
2009-06-24 17:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-24 17:00 .
2009-06-24 17:00 d w- c:\program files\Java
2009-06-24 17:00 .
2009-06-24 17:00 152576 ----a-w- c:\documents and settings\Fish\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-24 16:26 .
2009-06-24 16:26 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-24 16:24 .
2009-06-24 16:23 d w- c:\program files\ATI Technologies
2009-06-24 16:24 .
2009-06-24 16:23 d w- c:\program files\Common Files\InstallShield
2009-06-24 16:03 .
2009-06-24 16:03 d w- c:\program files\MSECache
2009-06-24 16:02 .
2009-06-24 16:02 d w- c:\program files\HighMAT CD Writing Wizard
2009-06-24 16:00 .
2009-06-24 15:58 d w- c:\program files\AutoPatcher
2009-06-24 15:37 .
2009-06-24 15:37 d w- c:\program files\microsoft frontpage
2009-06-24 15:35 .
2009-06-24 15:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-16 14:36 .
2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 .
2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 .
2001-08-23 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 .
2001-08-23 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-17 17:42 .
2009-07-11 01:10 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
Sigcheck
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 22:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 22:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\backup\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\backup\tcpip.sys
[-] 2009-07-29 23:27 361600 A29E1209F925A0E9B330E11DA5FC7BAB c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-07-29 23:27 361600 A29E1209F925A0E9B330E11DA5FC7BAB c:\windows\system32\drivers\TCPIP.SYS
[-] 2004-08-03 21:14 182656 1DF7F42665C94B825322FAE71721130D c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 22:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2001-08-23 12:00 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\backup\ndis.sys
[-] 2004-08-03 21:14 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\backup\ndis.sys
[-] 2009-07-26 18:13 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
[-] 2009-07-26 18:13 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys
.
Reg Loading Points
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{fcbf663e-8530-46f8-a880-ac5abe9d2b23}"= "c:\program files\mobilewitch\tbmobi.dll" [2009-05-20 2085400]
[HKEY_CLASSES_ROOT\clsid\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}]
2009-05-20 16:05 2085400 ----a-w- c:\program files\mobilewitch\tbmobi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{fcbf663e-8530-46f8-a880-ac5abe9d2b23}"= "c:\program files\mobilewitch\tbmobi.dll" [2009-05-20 2085400]
[HKEY_CLASSES_ROOT\clsid\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FCBF663E-8530-46F8-A880-AC5ABE9D2B23}"= "c:\program files\mobilewitch\tbmobi.dll" [2009-05-20 2085400]
[HKEY_CLASSES_ROOT\clsid\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-08-16 9495832]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-24 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
c:\documents and settings\Fish\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/30/2009 11:40 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/30/2009 11:40 PM 20560]
R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [12/27/2007 3:39 PM 51816]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/30/2009 2:58 PM 12672]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 10:22 PM 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder
2009-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-602609370-725345543-1003Core.job
- c:\documents and settings\Fish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-24 23:47]
2009-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-602609370-725345543-1003UA.job
- c:\documents and settings\Fish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-24 23:47]
2009-07-16 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-07-16 02:10]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKU-Default-Run-do_not_delete - c:\windows\system32\do_not_delete.exe
HKU-Default-Run-reader_s - c:\documents and settings\Fish\reader_s.exe
HKU-Default-Run-ms18_word - c:\documents and settings\Fish\ms18_word.exe
HKU-Default-Explorer_Run-do_not_delete - c:\windows\system32\do_not_delete.exe
.
Supplementary Scan
.
LSP: %SystemRoot%\system32\PrxerDrv.dll
FF - ProfilePath - c:\documents and settings\Fish\Application Data\Mozilla\Firefox\Profiles\rf21p1z6.default\
FF - plugin: c:\documents and settings\Fish\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 03:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
DLLs Loaded Under Running Processes
- - - - - - - >
'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
Posted 01 August 2009 - 04:50 AM
Hi
Quote: I'd like to ask you how to keep my computer safe.
When we're done cleaning, I'll make some recommendations that you can have a look at.
mobilewitch Toolbar : Some Conduit toolbars are reputed to have a certain adware/trackware functionality.
I'll leave it up to you whether you want to keep it or not.
If you choose to remove it, you can do so via Add or Remove Programs.
Couple more files to scan:
View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK
Upload Files for Scanning
Go to VirSCAN & upload the following File/s for scanning.
Copy & paste the following File & Path in the text box next to the Browse button:
c:\windows\system32\dllcache\TCPIP.SYS
Click Upload.
Wait for scans to finish then copy & paste the results into your next reply.
Following the instructions above do the same for:
c:\windows\system32\drivers\TCPIP.SYS
c:\windows\system32\dllcache\ndis.sys
c:\windows\system32\drivers\ndis.sys
TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.
Save any unsaved work.
TFC Cleaner will close all open application windows
Double-click TFC.exe to run the program, your desktop will temporarily disappear
If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted.
It shouldn't take any longer than a couple of minutes & may only take a few seconds.
Only if needed will you be prompted to reboot.
Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
Read through the requirements and privacy statement and click on Accept button
It will start downloading and installing the scanner and virus definitions.
You will be prompted to install an application from Kaspersky.
Click Run
When the downloads have finished, click on Settings
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results.
Click on View Scan Report
You will see a list of infected items there.
Click on Save Report As...
Save this report to a convenient place.
Change the Files of type to Text file (.txt) before clicking on the Save button
Please post this log in your next reply. Pictured tutorial if required.
To post in next reply:
VirSCAN results logs
Kaspersky Scan log
New HijackThis log
Posted 01 August 2009 - 01:51 PM
Quick question: c:\windows\system32\dllcache\ndis.sys doesn't want to get uploaded to VirSCAN for some strange reason.
It goes normally, gets stuck at 85% uploading, the speed drops and it stays there.
Should I do it somewhere else or ...?
Posted 01 August 2009 - 03:45 PM
Hi
Is it just that file or all of them?
Try either of these sites:
http://www.virustotal.com/
http://virusscan.jotti.org/en
Could you continue on with the Kaspersky Scan?
Posted 05 August 2009 - 08:15 PM
I think I'm just wasting your time. As for the files you requested, the first 2 are clean, the second 2 can't be uploaded on any site (don't know why).
As for Kaspersky, I have to turn my Avast off, which makes my connection spike again. I left it over 2 nights to do the scan; it gets stuck somewhere saying "A script on this page became unresponsive" and I can hit stop script or continue.
Both times I woke up I hit continue and Firefox stops responding.
I'm really sorry for bothering you this much, I know you're a volunteer and I'm thinking to save some of your time and just reformat the PC.
What do you think?
Posted 06 August 2009 - 01:27 AM
Hello Fish
I think a reformat probably wouldn't be a bad idea.
There are some indicators in your logs that point to an extremely nasty infection named Virut.
When Virut is activated it injects code into the executable files on the compromised system.
The main problem with the Virut infection is a bug in the viral code, which can leave legitimate .exe files corrupted & unable to be cleaned.
Most good quality Anti-virus & Spyware scanners can disinfect the infected files; however, the files that may have been injected with the buggy code are unable to be cleaned because the scanners won't detect them.
You are then left with corrupted files on the system which would need to be replaced.
This, along with its backdoor capability, is the main reason why a format & re-install is recommended when this infection is present.
The Kaspersky scan is usually quite good at picking up this infection, hence the reason I was eager to see it, as it would have confirmed one way or the other.
However from the problems you are having I think there is a pretty good chance Virut has taken hold.
At the moment there is no way to properly clean this infection other than a complete reformat & re-install of the operating system.
It is important to note when backing up any data you want to keep NOT to save any .exe, .scr (screen savers), .htm type files as these are targeted by Virut.
So all your personal data such as documents, spreadsheets, photos, music etc. should be OK. But a scan with an Anti-virus program wouldn't hurt.
Here's quite a good guide to Reformatting: http://forum.securit...?showtopic=6429
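As an added example (not part of the thread, not a tool the helper mentions), a small Python script that pre-screens a folder before it is backed up from a Virut-infected machine: it flags the .exe, .scr and .htm files the post says to leave behind, and also any file whose content starts with the PE "MZ" header under some other extension, since a renamed executable is still executable. The sample tree it builds and the inclusion of .html alongside .htm are assumptions.

```python
import os
from pathlib import Path

# Extensions the post names as Virut targets; .html added as an assumed variant of .htm.
RISKY_EXTENSIONS = {".exe", ".scr", ".htm", ".html"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_backup_tree(root):
    """Walk `root` and return (safe, risky): safe is a sorted list of relative
    paths; risky is a sorted list of (relative path, reason) tuples."""
    root = Path(root)
    safe, risky = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            reason = None
            if path.suffix.lower() in RISKY_EXTENSIONS:
                reason = "targeted extension " + path.suffix.lower()
            else:
                try:
                    with open(path, "rb") as fh:
                        if fh.read(2) == PE_MAGIC:
                            reason = "PE header under a non-executable extension"
                except OSError as exc:
                    reason = "unreadable (" + exc.__class__.__name__ + ")"
            if reason:
                risky.append((rel, reason))
            else:
                safe.append(rel)
    return sorted(safe), sorted(risky)


def build_sample_tree(root):
    """Constructed sample data: a few documents plus the kinds of file to exclude."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "notes.txt").write_bytes(b"quarterly notes")
    (root / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg")
    (root / "setup.exe").write_bytes(PE_MAGIC + b"\x90\x00 fake installer")
    (root / "saver.scr").write_bytes(PE_MAGIC + b"\x90\x00 fake screensaver")
    (root / "index.htm").write_bytes(b"<html>hello</html>")
    (root / "docs" / "report.doc").write_bytes(PE_MAGIC + b" renamed executable")


if __name__ == "__main__":
    import tempfile
    tmp = tempfile.mkdtemp()
    build_sample_tree(tmp)
    ok, bad = classify_backup_tree(tmp)
    print("safe to back up:", ok)
    print("leave behind:", bad)
```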
Posted 06 August 2009 - 04:06 AM
Yeah, the only thing I need is 1 installation containing an .exe, but never mind, I can redownload it.
Thanks for the help so far, I'll get back to you with the new system for tips on how to keep it up this time.
Posted 06 August 2009 - 06:16 AM
Ok...
No worries
Posted 12 August 2009 - 11:40 AM
Glad we could be of assistance - This topic appears to be resolved and will be moved to the archive.
Please send an e-mail if you require this thread to be opened to: admin AT securitycadets DOT com.
"AT" being "@" and "DOT" being replaced with "." - Make sure you include a valid link when doing so.
Or just start a new thread.
If we helped you in any way, you can Donate and support this site.
Donation is not a requirement.
You can also post a Feedback Message on the help you received.