Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92370 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved]áComputer may be infected.


  • This topic is locked This topic is locked
17 replies to this topic

#1 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 19 November 2009 - 12:03 AM

Hi guys, I have some suspicious processes running which I believe may possibly be viruses. iexplore.exe Sachiel.sys.bat Internet Explorer is never running yet the process for it is always there. Even when I end it, it comes back. My computer runs normally but I'd just like to make sure these are safe and I have no viruses on my computer. I also have a hidden folder in my Program Files folder called HaRepacker, which I can't delete. My laptop is a school laptop connected to a network. -Acer TravelMate 6293 DDS (Ver_09-06-26.01) - NTFSx86 Run by 12LinNZ at 16:58:44.21 on Thu 19/11/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17 Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1190 [GMT 11:00] AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\ifxspmgt.exe C:\WINDOWS\system32\IFXTCS.exe C:\Program Files\Acer\Acer Bio Protection\BASVC.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe C:\WINDOWS\system32\IfxPsdSv.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\Program Files\Sophos\Remote Management System\RouterNT.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\PLFSetI.exe C:\PROGRA~1\LAUNCH~1\LManager.exe C:\Program Files\Infineon\Security Platform Software\PSDrt.exe C:\Program Files\Infineon\Security Platform Software\SpTna.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\WINDOWS\system32\igfxext.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\WINDOWS\system32\igfxsrvc.exe C:\DOCUME~1\12linnz\LOCALS~1\Temp\RtkBtMnt.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\12linnz\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://intranet.cgs.vic.edu.au uDefault_Page_URL = hxxp://intranet.cgs.vic.edu.au mDefault_Page_URL = hxxp://intranet.cgs.vic.edu.au uInternet Settings,ProxyOverride = local BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Alcmtr] ALCMTR.EXE mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe mRun: [ZPdtWzdVitaKey MC3000] "c:\program files\acer\acer bio protection\PdtWzd.exe" show mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon mRun: [PLFSetI] c:\windows\PLFSetI.exe mRun: [PLFSetL] c:\windows\PLFSetL.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [LManager] c:\progra~1\launch~1\LManager.exe mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin mRun: [<NO NAME>] mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer\acer bio protection\PwdBank.exe IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\acer bio protection\WinNotify.dll Notify: igfxcui - igfxdev.dll AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll LSA: Notification Packages = scecli c:\program files\acer\acer bio protection\PwdFilter ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\12linnz\applic~1\mozilla\firefox\profiles\ehr3xlul.default\ FF - plugin: c:\documents and settings\12linnz\application data\mozilla\firefox\profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll FF - plugin: c:\program files\microsoft\office live\npOLW.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [2008-10-22 43184] R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816] R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-3 110848] R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-3 38528] R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-11-20 13560] R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [2008-10-22 20352] R2 IGBASVC;iGroupTec Service;c:\program files\acer\acer bio protection\BASVC.exe [2008-10-22 3481600] R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-29 80936] R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-8-3 98304] R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2009-8-3 266240] R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-7-2 172032] R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2009-8-3 794624] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-7-24 41216] R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [2008-10-22 24576] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016] S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-16 25832] S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\12linnz\locals~1\temp\kpn97.tmp --> c:\docume~1\12linnz\locals~1\temp\KPN97.tmp [?] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-23 28592] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336] S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-3 14976] =============== Created Last 30 ================ 2009-11-17 19:56 107,888 ac------ c:\windows\system32\CmdLineExt.dll 2009-11-17 16:37 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\BioWare 2009-11-17 11:50 <DIR> -cd----- c:\windows\system32\winrm 2009-11-17 11:50 <DIR> -cd-h--- c:\windows\$968930Uinstall_KB968930$ 2009-11-16 18:31 <DIR> -cd----- c:\windows\1C4551A64743409391E41477CD655043.TMP 2009-11-16 17:57 <DIR> -cd----- c:\program files\Dragon Age 2009-11-16 17:57 <DIR> -cd----- c:\program files\common files\BioWare 2009-11-16 17:15 <DIR> -cd----- c:\program files\Rockstar Games 2009-11-13 00:21 <DIR> -cd----- C:\Log 2009-11-12 16:02 <DIR> -cd----- c:\program files\SAW 2009-11-11 16:16 <DIR> -cd----- c:\program files\Machinarium 2009-11-10 18:25 <DIR> -cd----- c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP 2009-11-10 17:44 <DIR> -cd----- c:\program files\2K Games 2009-11-10 17:44 <DIR> -cd----- C:\BDS 2009-11-08 23:22 <DIR> -cd----- c:\windows\system32\Adobe 2009-11-05 21:37 <DIR> -cd----- c:\docume~1\12linnz\applic~1\runic games 2009-11-05 21:15 <DIR> -cd----- c:\program files\Runic Games 2009-11-03 21:36 <DIR> -cd----- c:\docume~1\12linnz\applic~1\MozillaControl 2009-11-03 21:35 <DIR> -cd----- c:\program files\Mozilla ActiveX Control v1.7.12 2009-11-03 21:34 <DIR> -cd----- c:\program files\VideoLAN 2009-11-03 21:30 <DIR> -cd----- c:\program files\Graboid 2009-11-02 23:07 <DIR> -cd----- c:\program files\iPod 2009-10-23 19:28 2,395,944 ac------ c:\windows\system32\pbsvc_heroes.exe ==================== Find3M ==================== 2009-11-04 16:34 139,456 ac------ c:\windows\system32\drivers\PnkBstrK.sys 2009-11-04 16:34 190,160 ac------ c:\windows\system32\PnkBstrB.exe 2009-10-23 19:28 138,056 ac------ c:\docume~1\12linnz\applic~1\PnkBstrK.sys 2009-10-23 19:28 75,064 ac------ c:\windows\system32\PnkBstrA.exe 2009-10-19 16:39 77,028 ac--h--- c:\windows\system32\mlfcache.dat 2009-10-11 04:17 411,368 ac------ c:\windows\system32\deploytk.dll 2009-10-09 16:23 1,107,456 -c------ c:\windows\system32\WsmSvc.dll 2009-10-09 16:23 178,176 -c------ c:\windows\system32\wevtfwd.dll 2009-10-09 16:22 368,640 -c------ c:\windows\system32\WsmRes.dll 2009-10-09 16:22 69,632 -c------ c:\windows\system32\winrs.exe 2009-10-09 16:22 42,496 -c------ c:\windows\system32\pwrshplugin.dll 2009-10-09 14:56 209,408 -c------ c:\windows\system32\WsmWmiPl.dll 2009-10-09 14:56 14,848 -c------ c:\windows\system32\wsmprovhost.exe 2009-10-09 14:56 22,528 -c------ c:\windows\system32\winrshost.exe 2009-10-09 14:56 25,088 -c------ c:\windows\system32\winrmprov.dll 2009-10-09 14:56 12,288 -c------ c:\windows\system32\wsmplpxy.dll 2009-10-09 14:56 2,048 -c------ c:\windows\system32\winrsmgr.dll 2009-10-09 14:56 233,984 -c------ c:\windows\system32\winrscmd.dll 2009-10-09 14:56 225,280 -c------ c:\windows\system32\wsmanhttpconfig.exe 2009-10-09 14:56 12,288 -c------ c:\windows\system32\winrssrv.dll 2009-10-09 14:56 139,776 -c------ c:\windows\system32\WsmAuto.dll 2009-10-08 14:57 611,328 ac------ c:\windows\system32\uiautomationcore.dll 2009-10-08 14:57 220,160 ac------ c:\windows\system32\oleacc.dll 2009-10-08 14:56 20,480 ac------ c:\windows\system32\oleaccrc.dll 2009-09-19 13:12 794,408 ac------ c:\windows\system32\pbsvc.exe 2009-09-18 17:39 444,952 ac------ c:\windows\system32\wrap_oal.dll 2009-09-18 17:39 109,080 ac------ c:\windows\system32\OpenAL32.dll 2009-09-11 23:30 25,268 -c--h--- c:\docume~1\12linnz\applic~1\addons.dat 2009-09-04 18:44 515,416 ac------ c:\windows\system32\XAudio2_5.dll 2009-09-04 18:44 238,936 ac------ c:\windows\system32\xactengine3_5.dll 2009-09-04 18:44 69,464 ac------ c:\windows\system32\XAPOFX1_3.dll 2009-09-04 18:29 453,456 ac------ c:\windows\system32\d3dx10_42.dll 2009-09-04 18:29 235,344 ac------ c:\windows\system32\d3dx11_42.dll 2009-09-04 18:29 5,501,792 ac------ c:\windows\system32\d3dcsx_42.dll 2009-09-04 18:29 1,974,616 ac------ c:\windows\system32\D3DCompiler_42.dll 2009-09-04 18:29 1,892,184 ac------ c:\windows\system32\D3DX9_42.dll 2009-08-28 20:42 2,065,696 ac------ c:\windows\system32\usbaaplrc.dll 2003-06-09 07:56 23,552 -c-sh--- c:\windows\help\Sachiel.sys.bat 2003-06-09 07:56 23,552 -c-sh--- c:\windows\system32\helpdks.dll 2003-06-09 07:56 23,552 -c-sh--- c:\windows\system32\winrun.sys.pif ============= FINISH: 16:59:15.06 =============== ROOTREPEAL ę AD, 2007-2009 ================================================== Scan Start Time: 2009/11/19 17:00 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0x9F7AF000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xBA604000 Size: 8192 File Visible: No Signed: - Status: - Name: PCI_PNP1570 Image Path: \Driver\PCI_PNP1570 Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0x9E437000 Size: 49152 File Visible: No Signed: - Status: - Name: spis.sys Image Path: spis.sys Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: - Status: - Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: - SSDT ------------------- #: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys" at address 0x9f9b0fa0 #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys" at address 0x9f9b10f6 #: 071 Function Name: NtEnumerateKey Status: Hooked by "spis.sys" at address 0xb9ec5ca4 #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spis.sys" at address 0xb9ec6032 #: 119 Function Name: NtOpenKey Status: Hooked by "spis.sys" at address 0xb9ea70c0 #: 160 Function Name: NtQueryKey Status: Hooked by "spis.sys" at address 0xb9ec610a #: 177 Function Name: NtQueryValueKey Status: Hooked by "spis.sys" at address 0xb9ec5f8a #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys" at address 0x9f9b115c ==EOF== EDIT: I'm going to be away until Thursday 26th November.

Attached Files


Edited by lin0056, 21 November 2009 - 02:01 PM.

    Advertisements

Register to Remove


#2 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 24 November 2009 - 12:17 PM

Hi lin0056,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

You've got a very old worm in there. One of the things it is known for is infecting any floppy disk inserted in the machine. Luckily, you probably don't have a floppy disk.

HaRepacker is a program designed to "hack" a game called MapleStory. Is this something you play?

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also please describe how your computer behaves at the moment.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#3 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 01:35 AM

I am back from camp now, thanks for the reply. I do not play the game 'MapleStory'. I'm running TFC now and will post the MBAM log after my computer restarts.

#4 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 26 November 2009 - 02:01 AM

:thumbup:

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#5 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 02:04 AM

My computer is running fine. (Same as usual). Malwarebytes' Anti-Malware 1.41 Database version: 3235 Windows 5.1.2600 Service Pack 3 26/11/2009 6:56:22 PM mbam-log-2009-11-26 (18-56-22).txt Scan type: Quick Scan Objects scanned: 114233 Time elapsed: 5 minute(s), 7 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\12linnz\Application Data\addons.dat (Bifrose.Trace) -> Quarantined and deleted successfully.

#6 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 26 November 2009 - 02:10 AM

lin0056,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#7 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 04:09 AM

ComboFix 09-11-25.05 - 12LinNZ 26/11/2009 20:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1491 [GMT 11:00]
Running from: c:\documents and settings\12linnz\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://cgsremote6
.
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\12linnz\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-09-10 03:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 07:49 . 2009-09-10 03:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 00:06 . 2009-11-20 00:06 -------- dc----w- c:\program files\Activision
2009-11-19 05:56 . 2009-11-19 05:56 -------- dc----w- c:\program files\ERUNT
2009-11-17 12:25 . 2009-11-17 12:25 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Rockstar Games
2009-11-17 08:56 . 2009-11-17 08:56 107888 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-11-17 05:37 . 2009-11-17 05:37 -------- dc----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc----w- c:\windows\system32\winrm
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-11-16 06:57 . 2009-11-16 07:17 -------- dc----w- c:\program files\Dragon Age
2009-11-16 06:57 . 2009-11-16 07:30 -------- dc----w- c:\program files\Common Files\BioWare
2009-11-16 06:15 . 2009-11-26 08:28 -------- dc----w- c:\program files\Rockstar Games
2009-11-15 20:50 . 2009-11-15 20:50 152576 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-15 20:50 . 2009-11-15 20:50 79488 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 13:21 . 2009-11-21 12:16 -------- dc----w- C:\Log
2009-11-11 05:16 . 2009-11-11 05:17 -------- dc----w- c:\program files\Machinarium
2009-11-10 07:25 . 2009-11-10 07:25 -------- dc----w- c:\program files\DIFX
2009-11-10 06:44 . 2009-11-10 06:44 -------- dc----w- c:\program files\2K Games
2009-11-10 06:44 . 2009-11-10 07:24 -------- dc----w- C:\BDS
2009-11-08 12:22 . 2009-11-12 09:40 -------- dc----w- c:\windows\system32\Adobe
2009-11-05 10:37 . 2009-11-05 10:37 -------- dc----w- c:\documents and settings\12linnz\Application Data\runic games
2009-11-05 10:15 . 2009-11-05 10:15 -------- dc----w- c:\program files\Runic Games
2009-11-03 11:54 . 2009-11-03 11:54 -------- dc----w- c:\documents and settings\12linnz\Application Data\vlc
2009-11-03 10:36 . 2009-11-03 10:36 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid_Inc
2009-11-03 10:36 . 2009-11-03 10:38 -------- dc----w- c:\documents and settings\12linnz\Application Data\MozillaControl
2009-11-03 10:36 . 2009-11-03 10:40 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid
2009-11-03 10:35 . 2009-11-03 10:35 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-03 10:34 . 2009-11-03 10:34 -------- dc----w- c:\program files\VideoLAN
2009-11-03 10:30 . 2009-11-03 10:35 -------- dc----w- c:\program files\Graboid
2009-11-02 12:07 . 2009-11-02 12:07 -------- dc----w- c:\program files\iPod
2009-11-02 12:00 . 2009-11-02 12:00 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 09:59 . 2009-11-26 09:59 25268 -c-h--w- c:\documents and settings\12linnz\Application Data\addons.dat
2009-11-26 08:58 . 2009-08-03 08:27 -------- dc----w- c:\documents and settings\12linnz\Application Data\uTorrent
2009-11-19 17:30 . 2009-09-19 23:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\Gearbox Software
2009-11-19 17:30 . 2009-09-19 23:30 -------- dc----w- c:\program files\Ubisoft
2009-11-17 00:56 . 2008-10-24 01:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-16 07:30 . 2009-09-11 21:55 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-15 20:51 . 2008-11-05 00:35 -------- dc----w- c:\program files\Java
2009-11-12 13:11 . 2009-10-06 03:58 -------- dc----w- c:\program files\EA Sports
2009-11-10 10:19 . 2009-08-03 08:29 -------- dc----w- c:\program files\Messenger Plus! Live
2009-11-10 07:24 . 2009-08-26 04:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-10 07:21 . 2009-08-26 00:42 -------- dc----w- c:\documents and settings\12linnz\Application Data\Sports Interactive
2009-11-10 07:01 . 2009-08-26 00:43 -------- dc----w- c:\program files\Sports Interactive
2009-11-10 06:44 . 2008-10-22 03:27 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-11-04 05:34 . 2009-09-19 02:12 139456 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-04 05:34 . 2009-09-19 02:12 190160 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-11-03 01:45 . 2009-09-22 02:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\LimeWire
2009-11-02 12:08 . 2009-09-11 07:44 -------- dc----w- c:\program files\iTunes
2009-11-02 12:07 . 2009-08-03 08:19 -------- dc----w- c:\program files\Common Files\Apple
2009-10-28 08:50 . 2009-09-23 08:09 664 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-10-26 23:20 . 2009-10-26 23:20 -------- dc----w- c:\program files\Google
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 75064 -c--a-w- c:\windows\system32\PnkBstrA.exe
2009-10-23 08:28 . 2009-10-23 08:28 2395944 -c--a-w- c:\windows\system32\pbsvc_heroes.exe
2009-10-22 22:39 . 2008-10-24 01:40 -------- dc----w- c:\program files\Common Files\Adobe
2009-10-19 05:39 . 2009-09-11 07:52 77028 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 07:25 . 2009-10-14 07:23 -------- dc----w- c:\documents and settings\12linnz\Application Data\PPStream
2009-10-10 17:17 . 2008-11-05 00:35 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-09 05:23 . 2009-10-09 05:23 1107456 -c----w- c:\windows\system32\WsmSvc.dll
2009-10-09 05:23 . 2009-10-09 05:23 178176 -c----w- c:\windows\system32\wevtfwd.dll
2009-10-09 05:22 . 2009-10-09 05:22 368640 -c----w- c:\windows\system32\WsmRes.dll
2009-10-09 05:22 . 2009-10-09 05:22 69632 -c----w- c:\windows\system32\winrs.exe
2009-10-09 05:22 . 2009-10-09 05:22 42496 -c----w- c:\windows\system32\pwrshplugin.dll
2009-10-09 03:56 . 2009-10-09 03:56 209408 -c----w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 03:56 . 2009-10-09 03:56 14848 -c----w- c:\windows\system32\wsmprovhost.exe
2009-10-09 03:56 . 2009-10-09 03:56 22528 -c----w- c:\windows\system32\winrshost.exe
2009-10-09 03:56 . 2009-10-09 03:56 25088 -c----w- c:\windows\system32\winrmprov.dll
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\wsmplpxy.dll
2009-10-09 03:56 . 2009-10-09 03:56 2048 -c----w- c:\windows\system32\winrsmgr.dll
2009-10-09 03:56 . 2009-10-09 03:56 233984 -c----w- c:\windows\system32\winrscmd.dll
2009-10-09 03:56 . 2009-10-09 03:56 225280 -c----w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\winrssrv.dll
2009-10-09 03:56 . 2009-10-09 03:56 139776 -c----w- c:\windows\system32\WsmAuto.dll
2009-10-08 03:57 . 2007-10-09 02:03 611328 -c--a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 03:57 . 2006-02-28 12:00 220160 -c--a-w- c:\windows\system32\oleacc.dll
2009-10-08 03:56 . 2006-02-28 12:00 20480 -c--a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 05:20 . 2009-10-06 05:20 -------- dc----w- c:\documents and settings\12linnz\Application Data\Leadertech
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\12linnz\Application Data\Uniblue
2009-10-05 07:38 . 2009-10-05 07:38 -------- dc----w- c:\program files\IObit
2009-09-30 22:48 . 2009-09-30 22:48 -------- dc----w- c:\program files\Electronic Arts
2009-09-29 04:53 . 2009-09-29 04:47 -------- dc----w- c:\program files\Microsoft
2009-09-29 04:53 . 2009-09-29 04:53 -------- dc----w- c:\program files\Microsoft Office Outlook Connector
2009-09-29 04:34 . 2009-09-11 12:30 -------- dc-h--w- c:\program files\HaRepacker
2009-09-28 05:41 . 2009-09-27 07:02 -------- dc----w- c:\program files\Vuze
2009-09-22 21:59 . 2009-08-03 08:08 105488 -c--a-w- c:\documents and settings\12linnz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 02:12 . 2009-09-19 02:12 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2009-09-18 06:39 . 2009-09-18 06:39 444952 -c--a-w- c:\windows\system32\wrap_oal.dll
2009-09-18 06:39 . 2009-09-18 06:39 109080 -c--a-w- c:\windows\system32\OpenAL32.dll
2009-09-14 07:58 . 2009-09-30 22:47 1291640 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-09-14 07:58 . 2009-09-30 22:47 729088 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-11 21:54 . 2009-09-11 21:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 07:44 . 2009-09-11 21:56 515416 -c--a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 238936 -c--a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 69464 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 07:29 . 2009-09-11 21:56 235344 -c--a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 453456 -c--a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1974616 -c--a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 5501792 -c--a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1892184 -c--a-w- c:\windows\system32\D3DX9_42.dll
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\Help\Sachiel.sys.bat
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\helpdks.dll
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\winrun.sys.pif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-10-22 3680768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-23 677144]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-02 870920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-2 245760]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-22 03:39 3076096 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\EA Sports\\FIFA Online 2\\FF2Client.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Documents and Settings\\12linnz\\My Documents\\Downloads\\Call Of Duty 4\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8484:TCP"= 8484:TCP:Localhost
"8888:TCP"= 8888:TCP:ms
"3306:TCP"= 3306:TCP:MySQL Server

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [22/10/2008 2:39 PM 43184]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/09/2009 8:54 AM 721904]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [24/07/2007 8:59 AM 38816]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/08/2009 6:08 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/08/2009 6:09 PM 38528]
R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [22/10/2008 2:39 PM 20352]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/10/2009 1:34 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [3/08/2009 6:08 PM 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24/07/2007 8:59 AM 41216]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [22/10/2008 2:59 PM 24576]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [22/10/2008 2:39 PM 3481600]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 284016]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [16/11/2009 6:17 PM 25832]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp --> c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 11:00 PM 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [3/08/2009 6:09 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{13F1A74D-6028-E4D1-70B5-80FCAE592473}]
c:\program files\HaRepacker\HaRepacker.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.cgs.vic.edu.au
uInternet Settings,ProxyOverride = local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\
FF - plugin: c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-LManager - c:\windows\UNINST32.EXE LManager.UNI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sppo.sys hal.dll >>UNKNOWN [0x8A5B6938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9e66cb8
\Driver\atapi -> atapi.sys @ 0xb9dddb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xb9ce6bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9cd5a0d
SendHandler -> NDIS.sys @ 0xb9ce9b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\program files\Acer\Acer Bio Protection\CompPtc.dll
c:\program files\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\NBMatS1SDK.DLL
c:\program files\Acer\Acer Bio Protection\WinNotify.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1096)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Infineon\Security Platform Software\PSDrt.exe
c:\program files\Infineon\Security Platform Software\SpTna.exe
c:\docume~1\12linnz\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-11-26 21:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 10:08

Pre-Run: 34,515,591,168 bytes free
Post-Run: 34,384,420,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 3DF5D5E79639B108059176D8F533828C

#8 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 26 November 2009 - 09:58 AM

lin0056,

Limewire, Vuze, and utorrent
You have Limewire, Vuze, and utorrent, P2P/file sharing programs installed on your computer. P2P applications are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft...protection.mspx
http://www.techweb.com/wire/160500554
[url=http://www.internetworldstats.com/articles/art053.htm]http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm


I would recommend that you uninstall Limewire, Vuze, and utorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Rootkit::
    c:\windows\Help\Sachiel.sys.bat
    c:\windows\system32\helpdks.dll
    c:\windows\system32\winrun.sys.pif
    c:\documents and settings\12linnz\Application Data\addons.dat
    c:\documents and settings\12linnz\Local Settings\Temp\KPN97.tmp
    
    Folder::
    c:\program files\HaRepacker
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{13F1A74D-6028-E4D1-70B5-80FCAE592473}]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
    "ImagePath"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#9 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 05:59 PM

Vuze is not installed on my computer. Running CFScript, will post results after reboot.

#10 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 06:31 PM

ComboFix 09-11-25.05 - 12LinNZ 27/11/2009 11:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1487 [GMT 11:00]
Running from: c:\documents and settings\12linnz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\12linnz\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\12linnz\Application Data\addons.dat
c:\program files\HaRepacker
c:\program files\HaRepacker\HaRepacker.exe
c:\program files\HaRepacker\logg.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\12linnz\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-09-10 03:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 07:49 . 2009-09-10 03:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 00:06 . 2009-11-20 00:06 -------- dc----w- c:\program files\Activision
2009-11-19 05:56 . 2009-11-19 05:56 -------- dc----w- c:\program files\ERUNT
2009-11-17 12:25 . 2009-11-17 12:25 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Rockstar Games
2009-11-17 08:56 . 2009-11-17 08:56 107888 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-11-17 05:37 . 2009-11-17 05:37 -------- dc----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc----w- c:\windows\system32\winrm
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-11-16 06:57 . 2009-11-16 07:17 -------- dc----w- c:\program files\Dragon Age
2009-11-16 06:57 . 2009-11-16 07:30 -------- dc----w- c:\program files\Common Files\BioWare
2009-11-16 06:15 . 2009-11-26 08:28 -------- dc----w- c:\program files\Rockstar Games
2009-11-15 20:50 . 2009-11-15 20:50 152576 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-15 20:50 . 2009-11-15 20:50 79488 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 13:21 . 2009-11-21 12:16 -------- dc----w- C:\Log
2009-11-11 05:16 . 2009-11-11 05:17 -------- dc----w- c:\program files\Machinarium
2009-11-10 07:25 . 2009-11-10 07:25 -------- dc----w- c:\program files\DIFX
2009-11-10 06:44 . 2009-11-10 06:44 -------- dc----w- c:\program files\2K Games
2009-11-10 06:44 . 2009-11-10 07:24 -------- dc----w- C:\BDS
2009-11-08 12:22 . 2009-11-12 09:40 -------- dc----w- c:\windows\system32\Adobe
2009-11-05 10:37 . 2009-11-26 23:57 -------- dc----w- c:\documents and settings\12linnz\Application Data\runic games
2009-11-05 10:15 . 2009-11-26 23:57 -------- dc----w- c:\program files\Runic Games
2009-11-03 11:54 . 2009-11-03 11:54 -------- dc----w- c:\documents and settings\12linnz\Application Data\vlc
2009-11-03 10:36 . 2009-11-03 10:36 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid_Inc
2009-11-03 10:36 . 2009-11-03 10:38 -------- dc----w- c:\documents and settings\12linnz\Application Data\MozillaControl
2009-11-03 10:36 . 2009-11-03 10:40 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid
2009-11-03 10:35 . 2009-11-03 10:35 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-03 10:34 . 2009-11-03 10:34 -------- dc----w- c:\program files\VideoLAN
2009-11-03 10:30 . 2009-11-26 23:58 -------- dc----w- c:\program files\Graboid
2009-11-02 12:07 . 2009-11-02 12:07 -------- dc----w- c:\program files\iPod
2009-11-02 12:00 . 2009-11-02 12:00 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 22:24 . 2009-08-03 08:27 -------- dc----w- c:\documents and settings\12linnz\Application Data\uTorrent
2009-11-19 17:30 . 2009-09-19 23:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\Gearbox Software
2009-11-19 17:30 . 2009-09-19 23:30 -------- dc----w- c:\program files\Ubisoft
2009-11-17 00:56 . 2008-10-24 01:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-16 07:30 . 2009-09-11 21:55 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-15 20:51 . 2008-11-05 00:35 -------- dc----w- c:\program files\Java
2009-11-12 13:11 . 2009-10-06 03:58 -------- dc----w- c:\program files\EA Sports
2009-11-10 10:19 . 2009-08-03 08:29 -------- dc----w- c:\program files\Messenger Plus! Live
2009-11-10 07:24 . 2009-08-26 04:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-10 07:21 . 2009-08-26 00:42 -------- dc----w- c:\documents and settings\12linnz\Application Data\Sports Interactive
2009-11-10 07:01 . 2009-08-26 00:43 -------- dc----w- c:\program files\Sports Interactive
2009-11-10 06:44 . 2008-10-22 03:27 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-11-04 05:34 . 2009-09-19 02:12 139456 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-04 05:34 . 2009-09-19 02:12 190160 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-11-03 01:45 . 2009-09-22 02:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\LimeWire
2009-11-02 12:08 . 2009-09-11 07:44 -------- dc----w- c:\program files\iTunes
2009-11-02 12:07 . 2009-08-03 08:19 -------- dc----w- c:\program files\Common Files\Apple
2009-10-28 08:50 . 2009-09-23 08:09 664 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-10-26 23:20 . 2009-10-26 23:20 -------- dc----w- c:\program files\Google
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 75064 -c--a-w- c:\windows\system32\PnkBstrA.exe
2009-10-23 08:28 . 2009-10-23 08:28 2395944 -c--a-w- c:\windows\system32\pbsvc_heroes.exe
2009-10-22 22:39 . 2008-10-24 01:40 -------- dc----w- c:\program files\Common Files\Adobe
2009-10-19 05:39 . 2009-09-11 07:52 77028 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 07:25 . 2009-10-14 07:23 -------- dc----w- c:\documents and settings\12linnz\Application Data\PPStream
2009-10-10 17:17 . 2008-11-05 00:35 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-09 05:23 . 2009-10-09 05:23 1107456 -c----w- c:\windows\system32\WsmSvc.dll
2009-10-09 05:23 . 2009-10-09 05:23 178176 -c----w- c:\windows\system32\wevtfwd.dll
2009-10-09 05:22 . 2009-10-09 05:22 368640 -c----w- c:\windows\system32\WsmRes.dll
2009-10-09 05:22 . 2009-10-09 05:22 69632 -c----w- c:\windows\system32\winrs.exe
2009-10-09 05:22 . 2009-10-09 05:22 42496 -c----w- c:\windows\system32\pwrshplugin.dll
2009-10-09 03:56 . 2009-10-09 03:56 209408 -c----w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 03:56 . 2009-10-09 03:56 14848 -c----w- c:\windows\system32\wsmprovhost.exe
2009-10-09 03:56 . 2009-10-09 03:56 22528 -c----w- c:\windows\system32\winrshost.exe
2009-10-09 03:56 . 2009-10-09 03:56 25088 -c----w- c:\windows\system32\winrmprov.dll
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\wsmplpxy.dll
2009-10-09 03:56 . 2009-10-09 03:56 2048 -c----w- c:\windows\system32\winrsmgr.dll
2009-10-09 03:56 . 2009-10-09 03:56 233984 -c----w- c:\windows\system32\winrscmd.dll
2009-10-09 03:56 . 2009-10-09 03:56 225280 -c----w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\winrssrv.dll
2009-10-09 03:56 . 2009-10-09 03:56 139776 -c----w- c:\windows\system32\WsmAuto.dll
2009-10-08 03:57 . 2007-10-09 02:03 611328 -c--a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 03:57 . 2006-02-28 12:00 220160 -c--a-w- c:\windows\system32\oleacc.dll
2009-10-08 03:56 . 2006-02-28 12:00 20480 -c--a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 05:20 . 2009-10-06 05:20 -------- dc----w- c:\documents and settings\12linnz\Application Data\Leadertech
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\12linnz\Application Data\Uniblue
2009-10-05 07:38 . 2009-10-05 07:38 -------- dc----w- c:\program files\IObit
2009-09-30 22:48 . 2009-09-30 22:48 -------- dc----w- c:\program files\Electronic Arts
2009-09-29 04:53 . 2009-09-29 04:47 -------- dc----w- c:\program files\Microsoft
2009-09-29 04:53 . 2009-09-29 04:53 -------- dc----w- c:\program files\Microsoft Office Outlook Connector
2009-09-28 05:41 . 2009-09-27 07:02 -------- dc----w- c:\program files\Vuze
2009-09-22 21:59 . 2009-08-03 08:08 105488 -c--a-w- c:\documents and settings\12linnz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 02:12 . 2009-09-19 02:12 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2009-09-18 06:39 . 2009-09-18 06:39 444952 -c--a-w- c:\windows\system32\wrap_oal.dll
2009-09-18 06:39 . 2009-09-18 06:39 109080 -c--a-w- c:\windows\system32\OpenAL32.dll
2009-09-14 07:58 . 2009-09-30 22:47 1291640 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-09-14 07:58 . 2009-09-30 22:47 729088 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-11 21:54 . 2009-09-11 21:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 07:44 . 2009-09-11 21:56 515416 -c--a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 238936 -c--a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 69464 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 07:29 . 2009-09-11 21:56 235344 -c--a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 453456 -c--a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1974616 -c--a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 5501792 -c--a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1892184 -c--a-w- c:\windows\system32\D3DX9_42.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-26_09.59.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-11-26 09:59 . 2008-07-04 00:35 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-11-27 00:19 . 2009-11-27 00:19 16384 c:\windows\Temp\Perflib_Perfdata_374.dat
+ 2009-11-27 00:18 . 2009-11-27 00:18 16384 c:\windows\Temp\Perflib_Perfdata_130.dat
+ 2009-11-27 00:18 . 2009-07-22 14:50 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
- 2009-11-26 09:59 . 2009-07-22 14:50 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
- 2009-11-26 09:59 . 2009-01-28 13:06 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-11-27 00:18 . 2009-01-28 13:06 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-11-27 00:18 . 2008-07-04 00:33 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-11-26 09:59 . 2008-07-04 00:33 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-11-27 00:18 . 2008-07-04 00:34 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-11-26 09:59 . 2008-07-04 00:34 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-11-27 00:18 . 2008-07-04 00:35 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-11-27 00:18 . 2009-01-28 13:07 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
- 2009-11-26 09:59 . 2009-01-28 13:07 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-11-27 00:18 . 2009-07-22 14:50 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-11-26 09:59 . 2009-07-22 14:50 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-11-26 09:59 . 2009-07-01 13:42 172032 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-11-27 00:18 . 2009-07-01 13:42 172032 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-11-27 00:18 . 2009-07-22 14:50 663552 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
- 2009-11-26 09:59 . 2009-07-22 14:50 663552 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-10-22 3680768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-23 677144]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-02 870920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-2 245760]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-22 03:39 3076096 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\EA Sports\\FIFA Online 2\\FF2Client.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Documents and Settings\\12linnz\\My Documents\\Downloads\\Call Of Duty 4\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8484:TCP"= 8484:TCP:Localhost
"8888:TCP"= 8888:TCP:ms
"3306:TCP"= 3306:TCP:MySQL Server

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [22/10/2008 2:39 PM 43184]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/09/2009 8:54 AM 721904]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [24/07/2007 8:59 AM 38816]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/08/2009 6:08 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/08/2009 6:09 PM 38528]
R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [22/10/2008 2:39 PM 20352]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/10/2009 1:34 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [3/08/2009 6:08 PM 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24/07/2007 8:59 AM 41216]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [22/10/2008 2:59 PM 24576]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [22/10/2008 2:39 PM 3481600]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 284016]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [16/11/2009 6:17 PM 25832]
S3 GarenaPEngine;GarenaPEngine; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 11:00 PM 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [3/08/2009 6:09 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.cgs.vic.edu.au
uInternet Settings,ProxyOverride = local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\
FF - plugin: c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 11:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\Acer\Acer Bio Protection\CompPtc.dll
c:\program files\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\NBMatS1SDK.DLL
c:\program files\Acer\Acer Bio Protection\WinNotify.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1080)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\Infineon\Security Platform Software\PSDrt.exe
c:\program files\Infineon\Security Platform Software\SpTna.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\docume~1\12linnz\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-11-27 11:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-27 00:30
ComboFix2.txt 2009-11-26 10:08

Pre-Run: 17,998,426,112 bytes free
Post-Run: 17,951,010,816 bytes free

- - End Of File - - 3DFC0ABCEF49D4702E7E660285A5B477

    Advertisements

Register to Remove


#11 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 26 November 2009 - 08:11 PM

lin0056,


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#12 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 27 November 2009 - 05:05 AM

-------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Friday, November 27, 2009 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Friday, November 27, 2009 06:02:38 Records in database: 3295661 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ X:\ Scan statistics: Objects scanned: 223876 Threats found: 5 Infected objects found: 45 Suspicious objects found: 0 Scan duration: 05:21:54 File name / Threat / Threats count C:\Qoobox\Quarantine\C\Program Files\HaRepacker\HaRepacker.exe.vir Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\Qoobox\Quarantine\C\windows\Help\Sachiel.sys.bat.vir Infected: Worm.Win32.Sachiel.d 1 C:\Qoobox\Quarantine\C\windows\system32\helpdks.dll.vir Infected: Worm.Win32.Sachiel.d 1 C:\Qoobox\Quarantine\C\windows\system32\winrun.sys.pif.vir Infected: Worm.Win32.Sachiel.d 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP104\A0054803.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP109\A0056690.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP110\A0056697.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP110\A0056781.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP110\A0057271.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060379.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060385.bat Infected: Worm.Win32.Sachiel.d 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060386.dll Infected: Worm.Win32.Sachiel.d 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060387.pif Infected: Worm.Win32.Sachiel.d 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP50\A0036304.exe Infected: Trojan.Win32.Refroso.cvo 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP54\A0037474.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP59\A0038902.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP61\A0039609.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP70\A0040945.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP74\A0041327.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP75\A0041538.exe Infected: Backdoor.Win32.Poison.aylh 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP76\A0042510.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP78\A0043560.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP78\A0043860.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP78\A0043944.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP79\A0045247.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP80\A0045284.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP81\A0045550.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP81\A0046733.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP83\A0047165.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP85\A0047250.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP85\A0047727.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP86\A0048200.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP87\A0048543.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP87\A0048807.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP87\A0049143.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP88\A0049563.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP90\A0051286.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP91\A0051289.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP91\A0051294.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP91\A0051365.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP92\A0052702.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP92\A0052839.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP94\A0053331.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1 C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP98\A0053900.exe Infected: Trojan-Dropper.Win32.VB.afel 1 C:\WINDOWS\Gedzac.dll Infected: Worm.Win32.Sachiel.d 1 Selected area has been scanned.

#13 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 27 November 2009 - 08:37 AM

lin0056,

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\Gedzac.dll
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Then please let me know of any symptoms you are having.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#14 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 27 November 2009 - 04:01 PM

ComboFix 09-11-25.05 - 12LinNZ 28/11/2009 8:38.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1538 [GMT 11:00]
Running from: c:\documents and settings\12linnz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\12linnz\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FILE ::
"c:\windows\Gedzac.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Gedzac.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\12linnz\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-09-10 03:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 07:49 . 2009-09-10 03:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 00:06 . 2009-11-20 00:06 -------- dc----w- c:\program files\Activision
2009-11-19 05:56 . 2009-11-19 05:56 -------- dc----w- c:\program files\ERUNT
2009-11-17 12:25 . 2009-11-17 12:25 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Rockstar Games
2009-11-17 08:56 . 2009-11-17 08:56 107888 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-11-17 05:37 . 2009-11-17 05:37 -------- dc----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc----w- c:\windows\system32\winrm
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-11-16 06:57 . 2009-11-16 07:17 -------- dc----w- c:\program files\Dragon Age
2009-11-16 06:57 . 2009-11-16 07:30 -------- dc----w- c:\program files\Common Files\BioWare
2009-11-16 06:15 . 2009-11-26 08:28 -------- dc----w- c:\program files\Rockstar Games
2009-11-15 20:50 . 2009-11-15 20:50 152576 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-15 20:50 . 2009-11-15 20:50 79488 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 13:21 . 2009-11-21 12:16 -------- dc----w- C:\Log
2009-11-11 05:16 . 2009-11-11 05:17 -------- dc----w- c:\program files\Machinarium
2009-11-10 07:25 . 2009-11-10 07:25 -------- dc----w- c:\program files\DIFX
2009-11-10 06:44 . 2009-11-10 06:44 -------- dc----w- c:\program files\2K Games
2009-11-10 06:44 . 2009-11-10 07:24 -------- dc----w- C:\BDS
2009-11-08 12:22 . 2009-11-12 09:40 -------- dc----w- c:\windows\system32\Adobe
2009-11-05 10:37 . 2009-11-26 23:57 -------- dc----w- c:\documents and settings\12linnz\Application Data\runic games
2009-11-05 10:15 . 2009-11-26 23:57 -------- dc----w- c:\program files\Runic Games
2009-11-03 11:54 . 2009-11-03 11:54 -------- dc----w- c:\documents and settings\12linnz\Application Data\vlc
2009-11-03 10:36 . 2009-11-03 10:36 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid_Inc
2009-11-03 10:36 . 2009-11-03 10:38 -------- dc----w- c:\documents and settings\12linnz\Application Data\MozillaControl
2009-11-03 10:36 . 2009-11-03 10:40 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid
2009-11-03 10:35 . 2009-11-03 10:35 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-03 10:34 . 2009-11-03 10:34 -------- dc----w- c:\program files\VideoLAN
2009-11-03 10:30 . 2009-11-26 23:58 -------- dc----w- c:\program files\Graboid
2009-11-02 12:07 . 2009-11-02 12:07 -------- dc----w- c:\program files\iPod
2009-11-02 12:00 . 2009-11-02 12:00 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 21:33 . 2009-08-03 08:27 -------- dc----w- c:\documents and settings\12linnz\Application Data\uTorrent
2009-11-27 09:46 . 2009-09-19 02:12 139456 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-27 09:46 . 2009-09-19 02:12 190160 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-11-19 17:30 . 2009-09-19 23:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\Gearbox Software
2009-11-19 17:30 . 2009-09-19 23:30 -------- dc----w- c:\program files\Ubisoft
2009-11-17 00:56 . 2008-10-24 01:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-16 07:30 . 2009-09-11 21:55 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-15 20:51 . 2008-11-05 00:35 -------- dc----w- c:\program files\Java
2009-11-12 13:11 . 2009-10-06 03:58 -------- dc----w- c:\program files\EA Sports
2009-11-10 10:19 . 2009-08-03 08:29 -------- dc----w- c:\program files\Messenger Plus! Live
2009-11-10 07:24 . 2009-08-26 04:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-10 07:21 . 2009-08-26 00:42 -------- dc----w- c:\documents and settings\12linnz\Application Data\Sports Interactive
2009-11-10 07:01 . 2009-08-26 00:43 -------- dc----w- c:\program files\Sports Interactive
2009-11-10 06:44 . 2008-10-22 03:27 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-11-03 01:45 . 2009-09-22 02:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\LimeWire
2009-11-02 12:08 . 2009-09-11 07:44 -------- dc----w- c:\program files\iTunes
2009-11-02 12:07 . 2009-08-03 08:19 -------- dc----w- c:\program files\Common Files\Apple
2009-10-28 08:50 . 2009-09-23 08:09 664 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-10-26 23:20 . 2009-10-26 23:20 -------- dc----w- c:\program files\Google
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 75064 -c--a-w- c:\windows\system32\PnkBstrA.exe
2009-10-23 08:28 . 2009-10-23 08:28 2395944 -c--a-w- c:\windows\system32\pbsvc_heroes.exe
2009-10-22 22:39 . 2008-10-24 01:40 -------- dc----w- c:\program files\Common Files\Adobe
2009-10-19 05:39 . 2009-09-11 07:52 77028 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 07:25 . 2009-10-14 07:23 -------- dc----w- c:\documents and settings\12linnz\Application Data\PPStream
2009-10-10 17:17 . 2008-11-05 00:35 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-09 05:23 . 2009-10-09 05:23 1107456 -c----w- c:\windows\system32\WsmSvc.dll
2009-10-09 05:23 . 2009-10-09 05:23 178176 -c----w- c:\windows\system32\wevtfwd.dll
2009-10-09 05:22 . 2009-10-09 05:22 368640 -c----w- c:\windows\system32\WsmRes.dll
2009-10-09 05:22 . 2009-10-09 05:22 69632 -c----w- c:\windows\system32\winrs.exe
2009-10-09 05:22 . 2009-10-09 05:22 42496 -c----w- c:\windows\system32\pwrshplugin.dll
2009-10-09 03:56 . 2009-10-09 03:56 209408 -c----w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 03:56 . 2009-10-09 03:56 14848 -c----w- c:\windows\system32\wsmprovhost.exe
2009-10-09 03:56 . 2009-10-09 03:56 22528 -c----w- c:\windows\system32\winrshost.exe
2009-10-09 03:56 . 2009-10-09 03:56 25088 -c----w- c:\windows\system32\winrmprov.dll
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\wsmplpxy.dll
2009-10-09 03:56 . 2009-10-09 03:56 2048 -c----w- c:\windows\system32\winrsmgr.dll
2009-10-09 03:56 . 2009-10-09 03:56 233984 -c----w- c:\windows\system32\winrscmd.dll
2009-10-09 03:56 . 2009-10-09 03:56 225280 -c----w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\winrssrv.dll
2009-10-09 03:56 . 2009-10-09 03:56 139776 -c----w- c:\windows\system32\WsmAuto.dll
2009-10-08 03:57 . 2007-10-09 02:03 611328 -c--a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 03:57 . 2006-02-28 12:00 220160 -c--a-w- c:\windows\system32\oleacc.dll
2009-10-08 03:56 . 2006-02-28 12:00 20480 -c--a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 05:20 . 2009-10-06 05:20 -------- dc----w- c:\documents and settings\12linnz\Application Data\Leadertech
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\12linnz\Application Data\Uniblue
2009-10-05 07:38 . 2009-10-05 07:38 -------- dc----w- c:\program files\IObit
2009-09-30 22:48 . 2009-09-30 22:48 -------- dc----w- c:\program files\Electronic Arts
2009-09-29 04:53 . 2009-09-29 04:47 -------- dc----w- c:\program files\Microsoft
2009-09-29 04:53 . 2009-09-29 04:53 -------- dc----w- c:\program files\Microsoft Office Outlook Connector
2009-09-22 21:59 . 2009-08-03 08:08 105488 -c--a-w- c:\documents and settings\12linnz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 02:12 . 2009-09-19 02:12 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2009-09-18 06:39 . 2009-09-18 06:39 444952 -c--a-w- c:\windows\system32\wrap_oal.dll
2009-09-18 06:39 . 2009-09-18 06:39 109080 -c--a-w- c:\windows\system32\OpenAL32.dll
2009-09-14 07:58 . 2009-09-30 22:47 1291640 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-09-14 07:58 . 2009-09-30 22:47 729088 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-11 21:54 . 2009-09-11 21:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 07:44 . 2009-09-11 21:56 515416 -c--a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 238936 -c--a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 69464 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 07:29 . 2009-09-11 21:56 235344 -c--a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 453456 -c--a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1974616 -c--a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 5501792 -c--a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1892184 -c--a-w- c:\windows\system32\D3DX9_42.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-26_09.59.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-27 21:35 . 2009-11-27 21:35 16384 c:\windows\Temp\Perflib_Perfdata_7a0.dat
+ 2009-11-27 21:36 . 2009-11-27 21:36 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-10-22 3680768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-23 677144]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-02 870920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-2 245760]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-22 03:39 3076096 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\EA Sports\\FIFA Online 2\\FF2Client.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Documents and Settings\\12linnz\\My Documents\\Downloads\\Call Of Duty 4\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8484:TCP"= 8484:TCP:Localhost
"8888:TCP"= 8888:TCP:ms
"3306:TCP"= 3306:TCP:MySQL Server

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [22/10/2008 2:39 PM 43184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [24/07/2007 8:59 AM 38816]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/08/2009 6:08 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/08/2009 6:09 PM 38528]
R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [22/10/2008 2:39 PM 20352]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/10/2009 1:34 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [3/08/2009 6:08 PM 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24/07/2007 8:59 AM 41216]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [22/10/2008 2:59 PM 24576]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/09/2009 8:54 AM 721904]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [22/10/2008 2:39 PM 3481600]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 284016]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [16/11/2009 6:17 PM 25832]
S3 GarenaPEngine;GarenaPEngine; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 11:00 PM 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [3/08/2009 6:09 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.cgs.vic.edu.au
uInternet Settings,ProxyOverride = local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\
FF - plugin: c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\Acer\Acer Bio Protection\CompPtc.dll
c:\program files\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\NBMatS1SDK.DLL
c:\program files\Acer\Acer Bio Protection\WinNotify.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1064)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-11-28 08:50
ComboFix-quarantined-files.txt 2009-11-27 21:50
ComboFix2.txt 2009-11-27 00:30
ComboFix3.txt 2009-11-26 10:08

Pre-Run: 30,320,009,216 bytes free
Post-Run: 30,374,023,168 bytes free

- - End Of File - - ED5950CFA54F528F7BCB0016184BA115



I am not having any symptoms, the computer seems to run a little faster upon startup.

#15 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 27 November 2009 - 05:49 PM

lin0056,

Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Posted Image
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users