Computer freeze-up, slow internet, issue not found with web searches


This topic is locked
7 replies to this topic

#1 XoOvermindoX
Member (Full Member, 9 posts)

Posted 05 December 2009 - 09:09 PM

Greetings. It has been some years since I have posted here. I am now desperate. This site will be once again my last line of defense from ignorance, and from hard drive obliteration.


Symptoms:

* Slow internet, slow program loading, slow everything. As if the RAM is being corrupted.
* Eventual freeze and lock-up of cursor. system.ini, win.ini and boot.ini deleted without consent (possibly by malware?)
* After system restore, computer fails to recognize mouse/keyboard on main drive.
* After system restore, and from my secondary drive, computer fails to allow me access to Documents and Settings\MyComputer (access denied notification)

Attempts to fix:

* Hijackthis
* Ad Aware
* Spybot
* Malwarebytes'
* AVG
- all updated

* Updated video card drivers
* Changed network card drivers
* Changed network card
* Attempted to boot from different hard drive on same PC

Please note that I have two hard drives, each bootable with a different OS (Main is XP, second is an XP-like Vista). This problem has affected BOTH.

The problem persists.

It is only made significantly better (and not completely better) by leaving networking off (as with no-networking safe mode) or by booting with modem disconnected.

This has all led me to believe that software transmission is occupying my CPU when my computer is connected to the internet, and it has affected both drives. After a system restore on my main drive, I am now denied access to it, as it refuses input from my mouse and keyboard. I am on my secondary drive now, suffering the aforementioned, persistent lack of functionality.


Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:45 PM, on 12/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AOL 9.0\waol.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1237675579\ee\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Simon Marcus.XPWINDOWS7\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\Supertoolbar\GenericAskToolbar.dll (file missing)
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\Supertoolbar\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 5013 bytes

Malwarebytes' log shows nothing wrong.

Thanks for any help!
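Reading a HijackThis log by hand is the work a helper does on a thread like this one. The script below is an added example; it is not part of the original post and not HijackThis's own logic. It parses lines in the R*/O* item format shown above into records and flags the entries a triager would look at first: BHO/toolbar registrations whose target file is gone, autostart entries launched by a bare name rather than an absolute path, a Winsock LSP the tool did not recognise, and a service with no recorded publisher. The sample lines are a subset copied from the posted log; the parse_hjt, triage and summarize functions and the flagging rules are this example's own heuristics, and a flag means "verify", not "malicious".

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v2.0.2 log posted above,
# chosen to cover each item type the triage rules below look at.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\Supertoolbar\GenericAskToolbar.dll (file missing)
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\Supertoolbar\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# "O4 - HKLM\..\Run: [Name] command": item code, then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 item: registry key, bracketed value name, launch command.
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# A command that starts with a drive letter or an %ENV% variable is absolute.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[^%]+%\\)')


@dataclass
class Entry:
    code: str  # HijackThis item type, e.g. O2, O4, O10
    body: str  # text after "Oxx - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_hjt(text):
    """Return the R*/O* items of a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def summarize(entries):
    """Count items per type, the first thing a helper glances at."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def triage(entries):
    """Apply this example's (hypothetical) review rules; each hit means 'verify'."""
    findings = []
    for e in entries:
        if e.code in ("O2", "O3") and ("(no file)" in e.body or "(file missing)" in e.body):
            findings.append(Finding(e.code, "orphaned BHO/toolbar registration: target file is gone", e.body))
        elif e.code == "O4":
            m = RUN_RE.match(e.body)
            if m and not ABS_PATH_RE.match(m["cmd"]):
                findings.append(Finding(e.code, "autostart launched by bare name, resolved through the search path", e.body))
        elif e.code == "O10" and e.body.startswith("Unknown file in Winsock LSP:"):
            findings.append(Finding(e.code, "Winsock LSP not on the tool's known-good list: verify the file's publisher", e.body))
        elif e.code == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e.code, "service with no recorded publisher: verify the binary", e.body))
    return findings


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(summarize(found))
    for f in triage(found):
        print(f"{f.code:>4}  {f.reason}\n      {f.body}")
```

Run against the full posted log, the O2/O3 hits are the nameless BHO and the two Ask.com lines, all of which point at files that no longer exist: dead registrations to tidy up, not evidence of an active infection on their own.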

#2 SWI Support Robot
Helper robot (SWI Bot, 23,523 posts)

Posted 08 December 2009 - 10:02 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 XoOvermindoX
Member (Full Member, 9 posts)

Posted 09 December 2009 - 12:50 PM

* Noticed a few features. Windows Live Messenger refuses to turn on. Crashes with different errors.

* Ran combofix and found all instances of firefox renamed/relabeled/replaced? with internet explorer

* After combofix, ran gmer. gmer failed, saying "MOM.exe" created an illegal operation.

combofix log:

ComboFix 09-12-08.03 - Simon Marcus 12/08/2009 21:10:35.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2634 [GMT -8:00]
Running from: c:\documents and settings\Simon Marcus\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-08 07:29 . 2009-12-08 07:29 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\WINDOWS
2009-12-08 07:29 . 2009-12-08 07:29 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\UserData
2009-12-08 07:29 . 2009-12-08 07:29 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Tracing
2009-12-08 07:29 . 2009-12-08 07:29 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Shaders
2009-12-08 07:13 . 2009-04-23 05:49 34 ----a-w- c:\documents and settings\HelpAssistant.SIMON\jagex_runescape_preferences.dat
2009-12-08 07:13 . 2009-12-08 07:13 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\InstallAnywhere
2009-12-08 07:13 . 2009-12-08 07:13 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Incomplete
2009-12-08 07:07 . 2009-12-08 07:07 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Contacts
2009-12-08 07:07 . 2009-12-08 07:07 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\awc_italian702
2009-12-08 07:07 . 2009-12-08 07:07 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Yahoo!
2009-12-08 07:07 . 2009-12-08 07:07 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\vlc
2009-12-08 07:07 . 2009-12-08 07:07 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\VirtualStore
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Viewpoint
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Ventrilo
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\uTorrent
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Ubisoft
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Tropico 3
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Trillian
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\The Creative Assembly
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\teamspeak2
2009-12-08 07:06 . 2009-12-08 07:06 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\SystemRequirementsLab
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Steinberg
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\SPORE Creature Creator
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\SPORE
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Softarium.com
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\skypePM
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Skype
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\ScripterRon
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Propellerhead Software
2009-12-08 05:50 . 2009-12-08 05:50 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\PlayFirst
2009-12-08 05:47 . 2009-12-08 05:47 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\MySpace
2009-12-08 05:47 . 2009-12-08 05:47 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\My Games
2009-12-08 05:47 . 2009-12-08 05:47 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Microsoft Games
2009-12-08 05:46 . 2009-12-08 05:46 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Media Player Classic
2009-12-08 05:46 . 2009-12-08 05:46 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Malwarebytes
2009-12-08 05:42 . 2009-12-08 05:42 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Aim
2009-12-08 05:42 . 2009-12-08 05:42 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\Ahead
2009-12-08 05:42 . 2009-12-08 05:42 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\Application Data\ACAMPREF
2009-12-08 05:42 . 2009-12-08 05:42 -------- d-----w- c:\documents and settings\HelpAssistant.SIMON\.realobjects
2009-12-05 09:19 . 2009-12-05 09:19 -------- d-----w- c:\program files\ATI
2009-12-05 03:09 . 2009-12-05 03:09 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-03 07:34 . 2009-12-03 07:34 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-03 07:34 . 2009-12-03 07:34 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-03 07:34 . 2009-12-03 07:34 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2009-12-03 07:34 . 2009-12-03 07:34 -------- d-----w- c:\documents and settings\HelpAssistant\Shaders
2009-12-03 07:21 . 2009-12-03 07:22 -------- d-----w- C:\$AVG
2009-12-03 07:21 . 2009-12-03 07:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-03 07:21 . 2009-12-03 07:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-03 07:21 . 2009-12-03 07:21 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-03 07:21 . 2009-12-04 01:38 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-03 07:21 . 2009-12-03 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-03 06:14 . 2009-12-03 06:14 -------- d-----w- c:\documents and settings\HelpAssistant\InstallAnywhere
2009-12-03 05:41 . 2009-12-04 22:57 -------- d-----w- c:\documents and settings\HelpAssistant
2009-11-29 21:52 . 2009-11-29 21:52 -------- d-----w- c:\program files\Canasta
2009-11-29 21:52 . 2003-04-01 17:07 319488 ----a-w- c:\windows\system32\esellerateEngine.dll
2009-11-29 21:52 . 2002-12-12 19:34 81920 ----a-w- c:\windows\system32\eSellerateControl300.dll
2009-11-23 06:36 . 2009-11-23 06:37 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-23 06:36 . 2009-11-23 06:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-23 06:11 . 2009-11-23 06:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-23 06:11 . 2009-11-23 06:11 -------- d-----w- c:\documents and settings\Simon Marcus\Application Data\skypePM
2009-11-23 05:34 . 2009-11-23 05:34 -------- d-----w- c:\program files\Common Files\Skype
2009-11-20 05:48 . 2004-08-04 06:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-11-20 05:48 . 2004-08-04 06:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-11-19 21:37 . 2009-05-25 07:21 142336 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2009-11-19 21:37 . 2009-03-03 12:18 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2009-11-19 21:37 . 2009-11-19 21:37 -------- d-----w- c:\program files\Realtek
2009-11-19 21:33 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-11-19 21:33 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-19 21:33 . 2004-08-04 08:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-11-19 21:33 . 2004-08-04 08:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-11-19 21:33 . 2001-08-17 22:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-11-19 21:33 . 2001-08-17 22:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-11-19 20:15 . 2004-08-04 07:07 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-11-19 20:15 . 2004-08-04 07:07 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 02:11 . 2009-05-23 02:59 -------- d-----w- c:\program files\Windows Live
2009-12-04 18:22 . 2008-09-06 07:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 02:13 . 2007-06-04 03:41 -------- d-----w- c:\program files\Java
2009-12-04 01:52 . 2009-10-02 09:50 -------- d-----w- c:\program files\Trillian
2009-12-04 00:14 . 2009-05-09 03:39 -------- d-----w- c:\program files\ToshibaUtility
2009-12-04 00:14 . 2008-09-06 07:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2008-09-06 07:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 23:28 . 2007-07-16 13:27 -------- d-----w- c:\program files\Rar Repair Tool
2009-12-03 22:05 . 2007-06-26 11:09 -------- d-----w- c:\program files\HKL
2009-12-03 20:47 . 2009-05-09 03:59 -------- d-----w- c:\program files\CKM
2009-12-03 08:41 . 2008-07-13 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-03 07:21 . 2009-04-18 00:04 -------- d-----w- c:\program files\AVG
2009-12-03 06:52 . 2007-08-04 07:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 16:36 . 2009-09-25 19:56 -------- d-----w- c:\documents and settings\Simon Marcus\Application Data\Tropico 3
2009-11-23 06:42 . 2007-11-22 09:44 -------- d-----w- c:\program files\DivX
2009-11-23 06:36 . 2007-09-23 01:25 -------- d-----w- c:\program files\Google
2009-11-23 06:11 . 2007-07-29 12:46 -------- d-----w- c:\documents and settings\Simon Marcus\Application Data\Skype
2009-11-23 05:34 . 2007-07-29 12:46 -------- d-----r- c:\program files\Skype
2009-11-23 05:34 . 2007-07-29 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-23 05:03 . 2009-11-23 05:03 -------- d-----w- c:\program files\Jpeg2000
2009-11-23 05:03 . 2009-11-23 05:03 -------- d-----w- c:\program files\Temp
2009-11-22 13:46 . 2009-08-28 22:43 -------- d-----w- c:\documents and settings\Simon Marcus\Application Data\uTorrent
2009-11-20 08:29 . 2007-08-08 07:04 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-19 21:37 . 2007-05-31 09:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-10 01:26 . 2008-10-09 15:32 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-10 01:26 . 2008-10-09 15:05 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-07 09:14 . 2009-11-07 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-07 08:57 . 2008-07-13 01:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 08:57 . 2008-06-08 06:47 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-07 08:48 . 2009-11-07 08:34 -------- d-----w- c:\program files\Dragon Age
2009-11-07 08:27 . 2007-06-14 04:59 -------- d-----w- c:\program files\Bethesda Softworks
2009-11-03 18:37 . 2007-12-02 13:38 -------- d-----w- c:\program files\Electronic Arts
2009-10-31 04:04 . 2009-10-31 04:04 -------- d-----w- c:\program files\Lizardtech
2009-10-28 11:26 . 2008-03-07 00:44 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
2009-10-27 03:22 . 2009-10-27 00:21 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-10-27 03:12 . 2009-10-27 03:12 -------- d-----w- c:\documents and settings\Simon Marcus\Application Data\Creative
2009-10-27 03:06 . 2007-12-08 03:41 -------- d-----w- c:\program files\Creative
2009-10-27 03:05 . 2009-10-27 03:05 -------- d-----w- c:\program files\Common Files\Creative
2009-10-27 03:05 . 2009-10-27 03:05 -------- d--h--w- c:\program files\Creative Installation Information
2009-10-27 02:51 . 2009-10-27 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-10-27 00:22 . 2009-10-27 00:21 -------- d-----w- c:\documents and settings\Simon Marcus\Application Data\teamspeak2
2009-10-12 02:48 . 2009-10-12 02:48 -------- d-----w- c:\program files\Volition Inc
2009-10-11 12:17 . 2009-01-25 23:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-11 04:26 . 2008-03-19 10:14 -------- d-----w- c:\program files\Monte Cristo
2009-09-19 05:13 . 2007-05-31 09:11 97440 ----a-w- c:\documents and settings\Simon Marcus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 09:42 . 2009-04-09 09:42 341 ----a-w- c:\program files\Setup_ver1.1561.0.exe
2009-04-09 09:42 . 2009-04-09 09:42 335 ----a-w- c:\program files\MediaXCodec.exe
2007-08-21 19:06 . 2007-08-21 19:06 604 ---ha-w- c:\program files\STLL Notifier
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-03 49152]
"DefaultP17"="P17Def.Exe" [2005-05-03 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=usbmn2x2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Simon Marcus^Start Menu^Programs^Startup^Civilization Registration.lnk]
path=c:\documents and settings\Simon Marcus\Start Menu\Programs\Startup\Civilization Registration.lnk
backup=c:\windows\pss\Civilization Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon Marcus^Start Menu^Programs^Startup^Connect Kasamba.lnk]
path=c:\documents and settings\Simon Marcus\Start Menu\Programs\Startup\Connect Kasamba.lnk
backup=c:\windows\pss\Connect Kasamba.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon Marcus^Start Menu^Programs^Startup^LivePerson Expert Messenger.lnk]
path=c:\documents and settings\Simon Marcus\Start Menu\Programs\Startup\LivePerson Expert Messenger.lnk
backup=c:\windows\pss\LivePerson Expert Messenger.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon Marcus^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Simon Marcus\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon Marcus^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Simon Marcus\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon Marcus^Start Menu^Programs^Startup^RollerCoaster Tycoon 3_ Wild Registration.lnk]
path=c:\documents and settings\Simon Marcus\Start Menu\Programs\Startup\RollerCoaster Tycoon 3_ Wild Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3_ Wild Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 01:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 21:53 77824 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2007-04-18 06:49 50736 ----a-w- c:\program files\AOL 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-17 02:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 22:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
2004-03-04 11:00 98304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-06-21 05:36 1207080 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-23 07:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 23:21 61952 ----a-w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iCall Internet Phone]
2008-12-18 23:44 1587576 ----a-w- c:\program files\iCall\iCall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
2001-11-29 09:00 28672 ----a-w- c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyRemapper.{E671E7FD-C72F-4c83-862C-C84F2A2A0514}]
2008-07-22 05:41 110080 ----a-w- c:\program files\Key Remapper\KeyRemapper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2007-08-31 01:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-05-16 14:11 648504 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 11:38 64512 ----a-r- c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pronto]
2008-12-06 01:28 10732168 ----a-w- c:\program files\Wimba\Pronto\pronto.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 11:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 09:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
2002-07-03 01:56 24576 ----a-w- c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"mW[־`=v%S8>grl>\=۱"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"<NO NAME>"=
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6853:TCP"= 6853:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"5038:TCP"= 5038:TCP:Services
"3246:TCP"= 3246:TCP:Services

R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [3/28/2009 8:13 AM 20160]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [8/21/2007 11:20 AM 33792]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/7/2009 12:47 AM 25832]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [12/9/2007 11:06 PM 627840]
S3 USB22LDR;Midiman USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [11/28/2001 2:35 PM 16508]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;c:\windows\system32\drivers\usbmm2x2.sys [11/28/2001 2:35 PM 31740]
S3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [5/27/2008 12:54 PM 899884]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Simon Marcus\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Simon Marcus\Application Data\Mozilla\Firefox\Profiles\vvlmai3k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCID.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 21:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C8BF30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cfc3
\Driver\ACPI -> 0x89c8bf30
\Driver\atapi -> atapi.sys @ 0xb9f117b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x025429800
malicious code @ sector 0x025429803 !
PE file found in sector at 0x025429819 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147153767-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147153767-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0C785FBD-9D76-3F2B-9DBB-6D454F9263FB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147153767-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7FF9D252-E651-E025-C894-670F60ACD2C1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147153767-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-682003330-1220945662-2147153767-1003)
@Allowed: (Read) (S-1-5-21-682003330-1220945662-2147153767-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147153767-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:67,a9,5f,c3,79,bf,6e,16,4a,4f,45,55,18,24,6a,34,3b,aa,33,55,c0,b6,30,
a7,fc,77,23,89,74,32,ec,18,d2,0a,1e,c7,a6,1a,f1,38,be,77,03,a7,87,88,24,f0,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95

[HKEY_USERS\S-1-5-21-682003330-1220945662-2147153767-1003\Software\SecuROM\License information*]
"datasecu"=hex:0a,cc,59,d7,d8,b4,82,ea,90,c4,5f,3f,08,ed,d4,6d,2d,de,6a,0c,b5,
f9,23,d1,6b,c9,bf,59,1a,f3,dd,0b,9e,65,85,27,3e,a3,64,51,0e,e5,0c,63,29,70,\
"rkeysecu"=hex:17,0c,8b,a8,75,cb,05,56,56,b0,06,85,72,9c,ba,40
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-08 21:41:28
ComboFix-quarantined-files.txt 2009-12-09 05:41

Pre-Run: 438,456,320 bytes free
Post-Run: 497,848,320 bytes free

- - End Of File - - 457F7B5FB33D7EF929ECE6149303BEDC

#4 lance_yien (Forum Deity, Emeritus, 2,442 posts)

Posted 14 December 2009 - 05:55 AM

Hello XoOvermindoX and welcome to SWI.

We are currently studying your log and will be back to you as soon as possible. Thank you for your patience.

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#5 lance_yien (Forum Deity, Emeritus, 2,442 posts)

Posted 14 December 2009 - 12:41 PM

Hello XoOvermindoX.

- Your system does not seem to have an antivirus program installed. Please DO NOT surf anywhere but this site until your computer is clean. I will tell you what to do later.

- The logs you've posted indicate that your computer is infected with an MBR rootkit infection.
"A rootkit is a malicious program that hides deep in a computer's operating system". It may allow a hacker to have the potential for a variety of other attacks, to log a person's keystrokes and to collect financial and/or personal data. For more information, please see here.
--

Please, print out these instructions or copy them to a Notepad file for easier reading, and download mbr.exe to your Desktop from Here

Please close all opened windows and go to Start => Run and type cmd and hit the Enter key.

At the DOS prompt type these commands and hit the Enter key after each line:

cd Desktop
mbr.exe -f


Please make sure you have a space between mbr.exe and -f.
Type exit at the prompt and hit the Enter key to close the DOS window and restart your computer.

Then, please use Internet Explorer and run a BitDefender Online scan from Here

  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on "Click here to export the scan results".
  • Save the report to your Desktop as "scan results" so you can post it in your next reply.

Now, please close all windows and double-click mbr.exe (on your Desktop) to run the tool.
It will produce a log for you, Report.txt. This log can be found on your Desktop.

Please, post the contents of Report.txt and scan results with a fresh HijackThis log.
Also, please let me know how your computer is functioning now.


#6 XoOvermindoX (Member, Full Member, 9 posts)

Posted 17 December 2009 - 02:49 PM

Hi Lance,

I understand how busy you and your staff are and I very much appreciate your help to the global internet community in general, and to me in particular.

Here is the BitDefender report:

Scan report generated at: Thu, Dec 17, 2009 - 10:42:44
Scan path: C:\;D:\;E:\;H:\;

Statistics
Time: 06:38:30
Files: 1725800
Folders: 63925
Boot Sectors: 0
Archives: 17338
Packed Files: 59866

Results
Identified Viruses: 15
Infected Files: 38
Suspect Files: 0
Warnings: 0
Disinfected: 1
Deleted Files: 37

Engines Info
Virus Definitions: 4738480
Engine build: AVCORE v2.1 Windows/i386 11.0.0.26 (Oct 20 2009)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status

C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/AppletX.class | Infected with: Trojan.Generic.IS.614610
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/AppletX.class | Deleted
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/LoaderX.class | Infected with: Trojan.Generic.IS.617631
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/LoaderX.class | Deleted
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/PayloadX.class | Infected with: Trojan.Generic.IS.616012
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/PayloadX.class | Deleted
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\HelpAssistant\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Infected with: Trojan.Packed.7829
C:\Documents and Settings\HelpAssistant\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Deleted
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/AppletX.class | Infected with: Trojan.Generic.IS.614610
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/AppletX.class | Deleted
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/LoaderX.class | Infected with: Trojan.Generic.IS.617631
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/LoaderX.class | Deleted
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/PayloadX.class | Infected with: Trojan.Generic.IS.616012
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/PayloadX.class | Deleted
C:\Documents and Settings\HelpAssistant.SIMON\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\HelpAssistant.SIMON\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Infected with: Trojan.Packed.7829
C:\Documents and Settings\HelpAssistant.SIMON\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0=>myf/y/AppletX.class | Infected with: Trojan.Generic.IS.614610
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0=>myf/y/AppletX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0=>myf/y/LoaderX.class | Infected with: Trojan.Generic.IS.617631
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0=>myf/y/LoaderX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0=>myf/y/PayloadX.class | Infected with: Trojan.Generic.IS.616012
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0=>myf/y/PayloadX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\18\a5cd292-255bd7d0 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91=>myf/y/AppletX.class | Infected with: Trojan.Generic.IS.614610
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91=>myf/y/AppletX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91=>myf/y/LoaderX.class | Infected with: Trojan.Generic.IS.617631
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91=>myf/y/LoaderX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91=>myf/y/PayloadX.class | Infected with: Trojan.Generic.IS.616012
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91=>myf/y/PayloadX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\28\78060e1c-2b71db91 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/AppletX.class | Infected with: Trojan.Generic.IS.614610
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/AppletX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/LoaderX.class | Infected with: Trojan.Generic.IS.617631
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/LoaderX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/PayloadX.class | Infected with: Trojan.Generic.IS.616012
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7=>myf/y/PayloadX.class | Deleted
C:\Documents and Settings\Simon Marcus\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-6ec0e8a7 | Updated
C:\Documents and Settings\Simon Marcus\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Infected with: Trojan.Packed.7829
C:\Documents and Settings\Simon Marcus\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Deleted
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\4Z1ISLZN\popup[1].htm | Infected with: Trojan.Clicker.CM
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\4Z1ISLZN\popup[1].htm | Disinfection failed
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\4Z1ISLZN\popup[1].htm | Deleted
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\MX9YEYVV\oHdae456c9V0100f070006R47495693102T91c02714201l0409317[1].pdf=>(JAVASCRIPT) | Infected with: Exploit.PDF-JS.Gen
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\MX9YEYVV\oHdae456c9V0100f070006R47495693102T91c02714201l0409317[1].pdf=>(JAVASCRIPT) | Disinfection failed
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\MX9YEYVV\oHdae456c9V0100f070006R47495693102T91c02714201l0409317[1].pdf=>(JAVASCRIPT) | Deleted
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\MX9YEYVV\oHdae456c9V0100f070006R47495693102T91c02714201l0409317[1].pdf | Update failed
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\PUW4G1NA\thoseBook[1].swf | Infected with: Trojan.SWF.Dropper.E
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\PUW4G1NA\thoseBook[1].swf | Disinfection failed
C:\Documents and Settings\Simon Marcus\Local Settings\Temporary Internet Files\Content.IE5\PUW4G1NA\thoseBook[1].swf | Deleted
C:\Program Files\Atari\Tycoon City - New York\PatchFX.exe | Infected with: Trojan.Generic.1941738
C:\Program Files\Atari\Tycoon City - New York\PatchFX.exe | Deleted
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069384.exe | Infected with: Trojan.Packed.7829
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069384.exe | Deleted
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069385.exe | Infected with: Trojan.Packed.7829
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069385.exe | Deleted
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069386.exe | Infected with: Trojan.Packed.7829
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069386.exe | Deleted
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069387.exe | Infected with: Trojan.Generic.1941738
C:\System Volume Information\_restore{86536476-9207-439A-901C-92E6A748AAF1}\RP147\A0069387.exe | Deleted
H:\Documents and Settings\HelpAssistant\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Infected with: Trojan.Packed.7829
H:\Documents and Settings\HelpAssistant\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Deleted
H:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\4UFHBZ1H\p[1].htm | Infected with: Trojan.Script.9533
H:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\4UFHBZ1H\p[1].htm | Disinfection failed
H:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\4UFHBZ1H\p[1].htm | Deleted
H:\Documents and Settings\Simon Marcus.XPWINDOWS7\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Infected with: Trojan.Packed.7829
H:\Documents and Settings\Simon Marcus.XPWINDOWS7\Desktop\System\SystemG\Sibelius4\dlm-sib4\Keygen.exe | Deleted
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP17\A0016913.exe | Infected with: Trojan.Packed.7829
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP17\A0016913.exe | Deleted
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP18\A0017908.exe | Infected with: Trojan.Packed.7829
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP18\A0017908.exe | Deleted
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP18\A0018903.exe | Infected with: Trojan.Packed.7829
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP18\A0018903.exe | Deleted
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP19\A0019918.exe | Infected with: Trojan.Packed.7829
H:\System Volume Information\_restore{2B58ABCB-E0E1-4A37-91AF-A99AF65291F3}\RP19\A0019918.exe | Deleted
H:\Torin's Passage\Torin's_Passage.BIN=>MANUAL/ar40eng.exe | Infected with: Win95.CIH.Rest.Gen
H:\Torin's Passage\Torin's_Passage.BIN=>MANUAL/ar40eng.exe | Disinfected
H:\Torin's Passage\Torin's_Passage.BIN | Update failed


Here is the new MBR.EXE report:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x025429800
malicious code @ sector 0x025429803 !
PE file found in sector at 0x025429819 !



Functioning is okay, but as you can see the infection was not removed. Functioning has been okay since the switch to IE and the running of ComboFix.

#7 lance_yien (Forum Deity, Emeritus, 2,442 posts)

Posted 18 December 2009 - 10:29 AM

Hello XoOvermindoX.

... but as you can see the infection was not removed...


The MBR appears to be OK :)

Let's try Kaspersky Virus Removal Tool:

Please download, to your Desktop, the latest version from here

  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scanable items except for CD-ROM drives.
  • After that click on Security level (1) then choose Customize (2) then click on the tab that says Heuristic Analyzer (3) then choose Enable deep rootkit search (4) and then choose OK.
  • Then choose OK again to go back to the main screen and click the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the OK button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Warning: Please DO NOT run the second HD until this one is clean, as you may well have to go through a lot of this again with the second HD.

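The two mbr.exe reports in this thread (post #3 before "mbr.exe -f", post #6 after) differ in exactly the lines an analyst reads first: the "detected MBR rootkit hooks" entries and the >>UNKNOWN<< module in the disk I/O path mark an active infection, while "user & kernel MBR OK" with only the sector lines left is what the helper above reads as a repaired MBR. As an added example that is not part of this thread or of Gmer's tool, here is a small Python triage script over both reports (constructed from the posted lines); the INFECTED/RESIDUE/CLEAN labels and all function names are my own.

```python
# Triage helper for mbr.exe (Gmer Stealth MBR rootkit detector) reports.
# Added example, not part of this thread or of the Gmer tool; the two sample
# reports are constructed from the lines quoted in posts #3 and #6.
import re

# Report before "mbr.exe -f" (post #3): hooks present, no "MBR OK" line.
REPORT_BEFORE_FIX = r"""
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C8BF30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cfc3
\Driver\ACPI -> 0x89c8bf30
\Driver\atapi -> atapi.sys @ 0xb9f117b4
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x025429800
malicious code @ sector 0x025429803 !
PE file found in sector at 0x025429819 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Report after the fix (post #6): MBR verified, only sector leftovers listed.
REPORT_AFTER_FIX = r"""
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x025429800
malicious code @ sector 0x025429803 !
PE file found in sector at 0x025429819 !
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (.+)$")
BARE_ADDR_RE = re.compile(r"^0x[0-9A-Fa-f]+$")
SECTOR_RES = {
    "mbr_copy": re.compile(r"copy of MBR has been found in sector (0x[0-9A-Fa-f]+)"),
    "malicious_code": re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)"),
    "pe_file": re.compile(r"PE file found in sector at (0x[0-9A-Fa-f]+)"),
}

def parse_mbr_report(text):
    """Pull the indicators out of one mbr.exe report into a dict."""
    f = {"mbr_ok": False, "tool_warning": False, "unknown_module": None,
         "hooks": [], "sectors": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user & kernel MBR OK":
            f["mbr_ok"] = True
        elif line.startswith(("Warning:", "MBR rootkit infection detected")):
            f["tool_warning"] = True
        m = UNKNOWN_RE.search(line)
        if m:  # unnamed module in the disk I/O path: code not backed by any driver file
            f["unknown_module"] = m.group(1).lower()
        m = HOOK_RE.match(line)
        if m:
            f["hooks"].append((m.group(1), m.group(2)))
        for label, rx in SECTOR_RES.items():
            m = rx.search(line)
            if m:
                f["sectors"][label] = int(m.group(1), 16)
    return f

def hooks_into_unknown(f):
    """Drivers whose hook target is a bare address rather than a driver file;
    in the before report this is \\Driver\\ACPI, pointing at the UNKNOWN module."""
    return [drv for drv, target in f["hooks"] if BARE_ADDR_RE.match(target)]

def classify(f):
    """INFECTED: hooks, an unknown module, a tool warning, or no MBR verification.
    RESIDUE: MBR verified and unhooked, but leftover sectors are still listed."""
    if f["hooks"] or f["unknown_module"] or f["tool_warning"] or not f["mbr_ok"]:
        return "INFECTED"
    if f["sectors"]:
        return "RESIDUE"
    return "CLEAN"
```

The RESIDUE verdict is the machine-readable form of "the MBR appears to be OK" in post #7: the boot code is verified, and the remaining sector lines are what a follow-up scan still has to deal with.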

#8 jedi (aequam memento rebus in arduis servare mentem, Emeritus, 15,830 posts)

Posted 12 January 2010 - 04:48 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.



