Author Topic: [Resolved] Trojan attack, no AV software can help...


Offline percyrich

  • Bronze Member
  • Posts: 6
[Resolved] Trojan attack, no AV software can help...
« on: August 26, 2010, 12:12:40 AM »
Hi,

I'm currently trying to deal with a nasty piece of malware, and nothing I do seems to help.

I've tried Malwarebytes, SUPERAntiSpyware, Clamwin, AVG, and ESET. ESET has been the only one to give me good information; the log of a system scan has these two errors cropping up multiple times:

26/08/2010 1:58:25 AM   Startup scanner   boot sector   MBR sector of the 0. physical disk   probably unknown TSR.BOOT virus   unable to clean      
26/08/2010 1:58:07 AM   Startup scanner   file   C:\WINDOWS\system32\userinit.exe   a variant of Win32/Small.NHS trojan   unable to clean      

Other infections have been cleaned by ESET, and they all have the "a variant of Win32/Small.NHS trojan" tag attached.

I've tried reinstalling Windows, running FIXMBR from the Recovery Console, deleting the infected files manually... I'm at a loss. I'd really rather not reformat my entire hard drive :(

Another possibly related problem is that I'm having trouble with downloading programs. When I try to download .exe or .msi files via Firefox, the download is immediately cancelled. When I download something using Chrome, I have to Unblock the file from Properties before it will work.

Anyway, here is my HJT log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:03:44 PM, on 26/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Percy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Percy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Percy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Percy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66016
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=14593&l=dis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - Unknown owner - c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/commons/f/f4/24-cell.gif

--
End of file - 6376 bytes



Thanks in advance!
« Last Edit: August 30, 2010, 04:17:54 AM by kevinf80 »



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #1 on: August 26, 2010, 12:36:14 AM »
Hi percyrich,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

Please proceed as follows :-

Step 1

Please re-open HiJackThis and scan only. Check the box next to the entry listed below.
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into Safe Mode with Networking: as the PC reboots, tap the F8 key repeatedly until you see the Windows Advanced Menu screen, select Safe Mode with Networking using the up/down arrows, then press Enter. Follow the prompts.

Step 2

Download Combofix from either of these links and save it to your Desktop, that is very important :-

You must run Combofix from the Desktop

Link 1
Link 2

Using ComboFix

If you get a successful download and it will not run, delete it. Re-download again from the link that worked, but rename it to EXPLORER before saving to your desktop. Very Important

Print out this guide from another PC if required. We will close all the open windows and programs, including your web browser, before starting the ComboFix program.

To download ComboFix, simply left-click on one of the links above and you will see a prompt similar to the figure below.



Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop. An image showing this is below.



When you have the Save as screen configured to save ComboFix.exe to the Desktop, click on the Save button. ComboFix will now start downloading to your computer. If you are on a dialup, this may take a few minutes. When ComboFix has finished downloading you will now see an icon on your desktop similar to the one below.


ComboFix Icon

We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Click HERE to see a list of programs that should be disabled, please note; this list is not all inclusive.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Once you double-click on the icon, you may see a screen similar to the one below.


Windows Open File Security Warning

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. If you are using Windows Vista, and receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.

You will now see the first ComboFix screen as shown below. The screen says "Wait, ComboFix is preparing to run".


ComboFix is Preparing to Run

ComboFix is now preparing to run, and when it has finished you will see a screen showing the authorized locations to download ComboFix. On this screen, press the OK button and you will now see the Disclaimer screen shown below.


ComboFix Disclaimer


If you do not agree to the disclaimer, then click on the No button to exit the program. Otherwise, to continue you should press the Yes button to continue. If you decided to continue, then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.


ComboFix is backing up the Windows Registry

Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:


ComboFix Recovery Console

At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.


ComboFix Recovery Console Finished

You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.


ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.


ComboFix is scanning the computer for infections

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.


Stages of the ComboFix AutoScan

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.


34th Stage of the ComboFix AutoScan

At the time of this writing there are a total of 50 stages as shown in the image below, so please be patient. The amount of stages will go up as time goes on, so if the amount of stages is different when you run it, please do not be concerned.


ComboFix is preparing the log report

When ComboFix has finished running, you will see a screen stating that it is preparing the log report as shown below.


ComboFix is almost done!

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt. This can be seen in the image below.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you as shown below.


ComboFix Log File

You should now post this log in your next reply.

Copy and paste the log in your reply from here: C:\ComboFix.txt if you don't see it on your desktop.

kevinf80
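The two entries that stand out in percyrich's HijackThis log above, the R1 ProxyServer line pointing at 127.0.0.1:5643 that kevinf80 has fixed in Step 1 and the O4 Run entry whose value is the garbled string m‘|\ü, are the kind of thing a reviewer looks for first when reading such a log. The following Python script is an added example, not part of this thread and not code from HijackThis or ComboFix: it parses HJT-style lines from a constructed sample assembled from the entries quoted in this thread and flags a browser proxy on the loopback interface, Run entries that do not name an executable, and O23 services with no publisher or a missing binary. The line formats it expects, the severity labels and the heuristics are assumptions of this example, not rules from the thread.

```python
import re

# Constructed sample of HijackThis-style lines, assembled from entries quoted in
# this thread. The first and third lines are the ones that stand out; the rest
# are ordinary entries included so the scanner has benign lines to pass over.
SAMPLE_HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=14593&l=dis
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - Unknown owner - c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe (file missing)
"""

# A Run value should name something executable; a value without such a token
# (like the garbled "GEST" entry above) is either corrupt or deliberately odd.
EXE_TOKEN_RE = re.compile(r"\.(exe|com|bat|cmd|scr|dll|pif)\b", re.IGNORECASE)
# Proxy targets on the loopback interface mean some local process is relaying
# the browser's traffic. Filtering software does this legitimately, so this is
# a lead to verify, not a verdict.
LOOPBACK_RE = re.compile(r"(^|[=;\s])(127\.0\.0\.1|localhost)(:\d+)?", re.IGNORECASE)


def classify(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None

    m = re.match(r"^R1 - .*ProxyServer = (.+)$", line)
    if m:
        target = m.group(1)
        if LOOPBACK_RE.search(target):
            return ("high", "browser proxy points at the loopback interface: " + target)
        return ("info", "browser proxy configured: " + target)

    m = re.match(r"^O4 - (.+?)\\Run: \[(.+?)\] ?(.*)$", line)
    if m:
        _hive, name, cmd = m.groups()
        if not EXE_TOKEN_RE.search(cmd):
            return ("high", f"Run value [{name}] is not a recognisable command line: {cmd!r}")
        return None

    m = re.match(r"^O23 - Service: (.+)$", line)
    if m:
        # HJT writes "name - owner - path"; split from the right so a service
        # name that itself contains " - " does not confuse the parser.
        parts = m.group(1).split(" - ")
        if len(parts) >= 3:
            path, owner = parts[-1], parts[-2]
            svc = " - ".join(parts[:-2])
            if "(file missing)" in path:
                return ("medium", f"service {svc!r} points at a missing binary: {path}")
            if owner.lower() == "unknown owner":
                return ("low", f"service {svc!r} has no publisher information: {path}")
        return None

    return None


def scan_log(text):
    """Run classify() over every line; return a list of (lineno, severity, reason, line)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        verdict = classify(raw)
        if verdict is not None:
            findings.append((lineno, verdict[0], verdict[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for lineno, severity, reason, _line in scan_log(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] line {lineno}: {reason}")
```

Run on the sample it reports the loopback proxy and the GEST entry as high, the PnkBstrA service (no publisher) as low and the orphaned Dragon Age updater service as medium. The proxy finding is the one worth chasing: the next step for a responder is to see which process is listening on that local port, since that process, not the registry value, is what is relaying the browser's traffic.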

Offline percyrich

  • Bronze Member
  • Posts: 6
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #2 on: August 26, 2010, 01:31:41 AM »
Here we go:


ComboFix 10-08-24.0C - Percy 26/08/2010  17:16:46.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2867 [GMT 10:00]
Running from: c:\documents and settings\Percy\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Percy\My Documents\cc_20100816_203544.reg
c:\windows\svc2.exe
c:\windows\system32\driVERs\iuthig.sys
c:\windows\system32\Install.txt
c:\windows\TEMP\logishrd\LVPrcInj01.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
\\.\PhysicalDrive0 - Bootkit Agent was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Agent was found and disinfected
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_iuthig
-------\Service_iuthig


(((((((((((((((((((((((((   Files Created from 2010-07-26 to 2010-08-26  )))))))))))))))))))))))))))))))
.

2010-08-26 06:03 . 2010-08-26 06:03   388096   ----a-r-   c:\documents and settings\Percy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-26 06:03 . 2010-08-26 06:03   --------   d-----w-   c:\program files\Trend Micro
2010-08-26 05:36 . 2008-04-13 18:45   15104   -c--a-w-   c:\windows\system32\dllcache\usbscan.sys
2010-08-26 05:36 . 2008-04-13 18:45   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
2010-08-26 05:36 . 2001-08-17 12:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
2010-08-26 05:36 . 2008-04-14 00:12   159232   ----a-w-   c:\windows\system32\ptpusd.dll
2010-08-26 01:31 . 2010-06-21 15:27   354304   -c----w-   c:\windows\system32\dllcache\srv.sys
2010-08-26 01:27 . 2009-08-13 15:16   512000   -c----w-   c:\windows\system32\dllcache\jscript.dll
2010-08-26 00:21 . 2010-08-26 00:21   --------   d-----w-   c:\program files\MSXML 6.0
2010-08-26 00:02 . 2006-02-28 12:00   403   -c----w-   c:\windows\system32\dllcache\npdrmv2.zip
2010-08-26 00:02 . 2006-02-28 12:00   22060   -c----w-   c:\windows\system32\dllcache\npds.zip
2010-08-26 00:02 . 2008-04-13 17:27   79872   -c----w-   c:\windows\system32\dllcache\msxml6r.dll
2010-08-26 00:02 . 2008-04-14 00:12   294912   -c----w-   c:\windows\system32\dllcache\dlimport.exe
2010-08-25 23:55 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2010-08-25 23:54 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
2010-08-25 23:54 . 2009-10-15 16:28   81920   -c----w-   c:\windows\system32\dllcache\fontsub.dll
2010-08-25 23:54 . 2009-10-15 16:28   119808   -c----w-   c:\windows\system32\dllcache\t2embed.dll
2010-08-25 23:52 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-08-25 23:52 . 2009-11-21 15:51   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-08-25 23:48 . 2008-10-15 16:34   337408   -c----w-   c:\windows\system32\dllcache\netapi32.dll
2010-08-25 07:29 . 2010-08-25 07:29   --------   d-----w-   c:\documents and settings\Percy\Application Data\dvdcss
2010-08-24 15:54 . 2010-08-24 15:54   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-08-24 13:50 . 2010-08-24 13:50   29926   ----a-r-   c:\documents and settings\Percy\Application Data\Microsoft\Installer\{EB711BC7-0FDF-460C-A00C-DF8E5E996037}\_6FEFF9B68218417F98F549.exe
2010-08-24 13:47 . 2010-08-24 13:53   --------   d-----w-   c:\documents and settings\Percy\Local Settings\Application Data\TwinglyScreensaver
2010-08-24 13:47 . 2010-08-24 13:47   --------   d-----w-   c:\program files\Primelabs
2010-08-24 13:42 . 2010-08-24 13:42   --------   d-----w-   c:\program files\Free Fire Screensaver
2010-08-24 13:42 . 2010-08-24 13:42   --------   d-----w-   c:\documents and settings\Percy\Application Data\Laconic Software
2010-08-24 13:40 . 2010-08-24 13:40   33443   ----a-w-   c:\windows\fire-un.exe
2010-08-24 13:33 . 2010-08-24 13:33   --------   d-----w-   c:\program files\KellySoftware
2010-08-24 10:29 . 2001-08-17 12:36   23040   -c--a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-24 10:29 . 2001-08-17 12:37   27648   -c--a-w-   c:\windows\system32\dllcache\xrxftplt.exe
2010-08-24 10:29 . 2001-08-17 12:37   4608   -c--a-w-   c:\windows\system32\dllcache\xrxflnch.exe
2010-08-24 10:29 . 2001-08-17 12:37   99865   -c--a-w-   c:\windows\system32\dllcache\xlog.exe
2010-08-24 10:28 . 2001-08-17 02:11   16970   -c--a-w-   c:\windows\system32\dllcache\xem336n5.sys
2010-08-24 10:28 . 2004-08-03 12:29   19455   -c--a-w-   c:\windows\system32\dllcache\wvchntxx.sys
2010-08-24 10:28 . 2004-08-03 12:29   12063   -c--a-w-   c:\windows\system32\dllcache\wsiintxx.sys
2010-08-24 10:26 . 2001-08-17 03:28   397502   -c--a-w-   c:\windows\system32\dllcache\vpctcom.sys
2010-08-24 10:26 . 2001-08-17 03:28   604253   -c--a-w-   c:\windows\system32\dllcache\vmodem.sys
2010-08-24 10:26 . 2001-08-17 02:14   249402   -c--a-w-   c:\windows\system32\dllcache\vinwm.sys
2010-08-24 10:26 . 2001-08-17 03:49   24576   -c--a-w-   c:\windows\system32\dllcache\viairda.sys
2010-08-24 10:26 . 2001-08-17 03:28   687999   -c--a-w-   c:\windows\system32\dllcache\usrwdxjs.sys
2010-08-24 10:26 . 2001-08-17 03:28   765884   -c--a-w-   c:\windows\system32\dllcache\usrti.sys
2010-08-24 10:26 . 2001-08-17 03:28   113762   -c--a-w-   c:\windows\system32\dllcache\usrpda.sys
2010-08-24 10:25 . 2001-08-17 03:28   7556   -c--a-w-   c:\windows\system32\dllcache\usroslba.sys
2010-08-24 10:25 . 2001-08-17 03:28   224802   -c--a-w-   c:\windows\system32\dllcache\usr1807a.sys
2010-08-24 10:25 . 2001-08-17 03:28   794399   -c--a-w-   c:\windows\system32\dllcache\usr1806v.sys
2010-08-24 10:25 . 2001-08-17 03:28   793598   -c--a-w-   c:\windows\system32\dllcache\usr1806.sys
2010-08-24 10:25 . 2001-08-17 03:28   794654   -c--a-w-   c:\windows\system32\dllcache\usr1801.sys
2010-08-24 10:25 . 2004-08-03 12:31   32384   -c--a-w-   c:\windows\system32\dllcache\usb101et.sys
2010-08-24 10:25 . 2001-08-17 12:36   94720   -c--a-w-   c:\windows\system32\dllcache\umaxud32.dll
2010-08-24 10:23 . 2001-08-17 12:36   31744   -c--a-w-   c:\windows\system32\dllcache\tp4.dll
2010-08-24 10:22 . 2001-08-17 04:07   30688   -c--a-w-   c:\windows\system32\dllcache\sym_u3.sys
2010-08-24 10:21 . 2001-08-17 02:51   37040   -c--a-w-   c:\windows\system32\dllcache\sonypi.sys
2010-08-24 10:20 . 2001-08-17 04:56   150144   -c--a-w-   c:\windows\system32\dllcache\sis6306v.dll
2010-08-24 10:20 . 2001-08-17 02:50   68608   -c--a-w-   c:\windows\system32\dllcache\sis6306p.sys
2010-08-24 10:20 . 2001-08-17 04:56   252032   -c--a-w-   c:\windows\system32\dllcache\sis300iv.dll
2010-08-24 10:20 . 2001-08-17 02:50   101760   -c--a-w-   c:\windows\system32\dllcache\sis300ip.sys
2010-08-24 10:20 . 2001-07-21 04:29   161568   -c--a-w-   c:\windows\system32\dllcache\sgsmusb.sys
2010-08-24 10:20 . 2001-07-21 04:29   18400   -c--a-w-   c:\windows\system32\dllcache\sgsmld.sys
2010-08-24 10:20 . 2001-08-17 02:51   98080   -c--a-w-   c:\windows\system32\dllcache\sgiulnt5.sys
2010-08-24 10:20 . 2001-08-17 12:36   386560   -c--a-w-   c:\windows\system32\dllcache\sgiul50.dll
2010-08-24 10:20 . 2001-08-17 02:19   36480   -c--a-w-   c:\windows\system32\dllcache\sfmanm.sys
2010-08-24 10:20 . 2001-08-17 03:53   6784   -c--a-w-   c:\windows\system32\dllcache\serscan.sys
2010-08-24 10:20 . 2001-08-17 03:48   17664   -c--a-w-   c:\windows\system32\dllcache\sermouse.sys
2010-08-24 10:20 . 2001-08-17 03:53   6912   -c--a-w-   c:\windows\system32\dllcache\seaddsmc.sys
2010-08-24 10:18 . 2004-08-03 12:31   20992   -c--a-w-   c:\windows\system32\dllcache\rtl8139.sys
2010-08-24 10:18 . 2001-08-17 02:12   19017   -c--a-w-   c:\windows\system32\dllcache\rtl8029.sys
2010-08-24 10:18 . 2001-08-17 02:19   30720   -c--a-w-   c:\windows\system32\dllcache\rthwcls.sys
2010-08-24 10:18 . 2001-08-17 12:36   9216   -c--a-w-   c:\windows\system32\dllcache\rsmgrstr.dll
2010-08-24 10:18 . 2001-08-17 02:19   3840   -c--a-w-   c:\windows\system32\dllcache\rpfun.sys
2010-08-24 10:18 . 2001-08-17 02:12   37563   -c--a-w-   c:\windows\system32\dllcache\rlnet5.sys
2010-08-24 10:18 . 2001-08-17 12:36   86097   -c--a-w-   c:\windows\system32\dllcache\reslog32.dll
2010-08-24 10:18 . 2001-08-17 03:51   19584   -c--a-w-   c:\windows\system32\dllcache\rasirda.sys
2010-08-24 10:18 . 2001-08-17 03:28   714762   -c--a-w-   c:\windows\system32\dllcache\r2mdmkxx.sys
2010-08-24 10:18 . 2001-08-17 03:28   899146   -c--a-w-   c:\windows\system32\dllcache\r2mdkxga.sys
2010-08-24 10:16 . 2001-08-17 12:36   121344   -c--a-w-   c:\windows\system32\dllcache\phvfwext.dll
2010-08-24 10:15 . 2001-08-17 12:36   20480   -c--a-w-   c:\windows\system32\dllcache\ovcomc.dll
2010-08-24 10:14 . 2001-08-17 02:20   87040   -c--a-w-   c:\windows\system32\dllcache\nm6wdm.sys
2010-08-24 10:14 . 2001-08-17 02:20   126080   -c--a-w-   c:\windows\system32\dllcache\nm5a2wdm.sys
2010-08-24 10:14 . 2001-08-17 02:12   32840   -c--a-w-   c:\windows\system32\dllcache\ngrpci.sys
2010-08-24 10:14 . 2004-08-03 12:31   132695   -c--a-w-   c:\windows\system32\dllcache\netwlan5.sys
2010-08-24 10:14 . 2001-08-17 02:11   65278   -c--a-w-   c:\windows\system32\dllcache\netflx3.sys
2010-08-24 10:14 . 2001-08-17 02:50   39264   -c--a-w-   c:\windows\system32\dllcache\neo20xx.sys
2010-08-24 10:14 . 2001-08-17 12:36   60480   -c--a-w-   c:\windows\system32\dllcache\neo20xx.dll
2010-08-24 10:14 . 2001-08-17 03:49   15872   -c--a-w-   c:\windows\system32\dllcache\ne2000.sys
2010-08-24 10:14 . 2001-08-17 04:56   91488   -c--a-w-   c:\windows\system32\dllcache\n9i3disp.dll
2010-08-24 10:14 . 2001-08-17 02:50   27936   -c--a-w-   c:\windows\system32\dllcache\n9i3d.sys
2010-08-24 10:14 . 2001-08-17 02:50   33088   -c--a-w-   c:\windows\system32\dllcache\n9i128v2.sys
2010-08-24 10:14 . 2001-08-17 12:36   59104   -c--a-w-   c:\windows\system32\dllcache\n9i128v2.dll
2010-08-24 10:14 . 2001-08-17 02:50   13664   -c--a-w-   c:\windows\system32\dllcache\n9i128.sys
2010-08-24 10:13 . 2001-08-17 04:56   35392   -c--a-w-   c:\windows\system32\dllcache\n9i128.dll
2010-08-24 10:13 . 2001-08-17 02:11   128000   -c--a-w-   c:\windows\system32\dllcache\n100325.sys
2010-08-24 10:13 . 2001-08-17 02:11   52255   -c--a-w-   c:\windows\system32\dllcache\n1000nt5.sys
2010-08-24 10:13 . 2001-08-17 03:50   75520   -c--a-w-   c:\windows\system32\dllcache\mxport.sys
2010-08-24 10:13 . 2001-08-17 12:36   7168   -c--a-w-   c:\windows\system32\dllcache\mxport.dll
2010-08-24 10:13 . 2001-08-17 03:49   19968   -c--a-w-   c:\windows\system32\dllcache\mxnic.sys
2010-08-24 10:13 . 2001-08-17 12:36   19968   -c--a-w-   c:\windows\system32\dllcache\mxicfg.dll
2010-08-24 10:13 . 2001-08-17 03:50   21888   -c--a-w-   c:\windows\system32\dllcache\mxcard.sys
2010-08-24 10:13 . 2001-08-17 02:50   103296   -c--a-w-   c:\windows\system32\dllcache\mtxvideo.sys
2010-08-24 10:13 . 2001-08-17 03:48   12416   -c--a-w-   c:\windows\system32\dllcache\msriffwv.sys
2010-08-24 10:13 . 2001-08-17 04:00   2944   -c--a-w-   c:\windows\system32\dllcache\msmpu401.sys
2010-08-24 10:12 . 2001-08-17 04:02   35200   -c--a-w-   c:\windows\system32\dllcache\msgame.sys
2010-08-24 10:12 . 2001-08-17 03:48   6016   -c--a-w-   c:\windows\system32\dllcache\msfsio.sys
2010-08-24 10:12 . 2001-08-17 03:52   17280   -c--a-w-   c:\windows\system32\dllcache\mraid35x.sys
2010-08-24 10:10 . 2001-08-17 03:28   802683   -c--a-w-   c:\windows\system32\dllcache\ltsm.sys
2010-08-24 10:09 . 2001-08-17 04:55   5632   -c--a-w-   c:\windows\system32\dllcache\kbd103.dll
2010-08-24 10:09 . 2001-08-17 04:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101c.dll
2010-08-24 10:09 . 2001-08-17 04:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101b.dll
2010-08-24 10:09 . 2001-08-17 03:49   26624   -c--a-w-   c:\windows\system32\dllcache\irstusb.sys
2010-08-24 10:09 . 2001-08-17 03:51   18688   -c--a-w-   c:\windows\system32\dllcache\irsir.sys
2010-08-24 10:09 . 2001-08-17 03:49   23552   -c--a-w-   c:\windows\system32\dllcache\irmk7.sys
2010-08-24 10:09 . 2001-08-17 02:12   45632   -c--a-w-   c:\windows\system32\dllcache\ip5515.sys
2010-08-24 10:09 . 2001-08-17 12:36   90200   -c--a-w-   c:\windows\system32\dllcache\io8ports.dll
2010-08-24 10:09 . 2001-08-17 03:50   38784   -c--a-w-   c:\windows\system32\dllcache\io8.sys
2010-08-24 10:09 . 2001-08-17 03:47   13056   -c--a-w-   c:\windows\system32\dllcache\inport.sys
2010-08-24 10:09 . 2001-08-17 03:52   16000   -c--a-w-   c:\windows\system32\dllcache\ini910u.sys
2010-08-24 10:07 . 2001-08-17 03:28   488383   -c--a-w-   c:\windows\system32\dllcache\hsf_v124.sys
2010-08-24 10:06 . 2001-08-17 02:49   322432   -c--a-w-   c:\windows\system32\dllcache\g400m.sys
2010-08-24 10:05 . 2001-08-17 02:10   19996   -c--a-w-   c:\windows\system32\dllcache\em556n4.sys
2010-08-24 10:04 . 2001-08-17 12:36   27136   -c--a-w-   c:\windows\system32\dllcache\cyzcoins.dll
2010-08-24 10:03 . 2001-08-17 03:51   13824   -c--a-w-   c:\windows\system32\dllcache\bulltlp3.sys
2010-08-24 10:02 . 2001-08-17 04:56   66048   -c--a-w-   c:\windows\system32\dllcache\s3legacy.dll
2010-08-24 09:44 . 2009-12-16 18:43   343040   ----a-w-   c:\windows\system32\mspaint.exe
2010-08-24 09:44 . 2008-04-14 00:12   102912   ----a-w-   c:\windows\system32\clipbrd.exe
2010-08-24 09:43 . 2008-04-14 00:12   538624   ----a-w-   c:\windows\system32\spider.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 07:23 . 2009-03-21 07:17   16608   ----a-w-   c:\windows\gdrv.sys
2010-08-26 06:24 . 2010-04-20 08:37   --------   d-----w-   c:\documents and settings\Percy\Application Data\Azureus
2010-08-26 01:03 . 2009-03-21 08:11   --------   d-----w-   c:\program files\ESET
2010-08-25 17:18 . 2009-08-31 11:25   --------   d-----w-   c:\documents and settings\Percy\Application Data\vlc
2010-08-24 10:16 . 2010-08-24 10:16   --------   d-----w-   c:\program files\Zone Labs
2010-08-24 09:29 . 2009-03-21 07:09   22748   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-08-24 04:51 . 2009-03-22 19:46   --------   d-----w-   c:\program files\World of Warcraft
2010-08-19 12:48 . 2009-03-21 10:24   --------   d-----w-   c:\documents and settings\Percy\Application Data\Skype
2010-08-19 10:56 . 2009-03-21 10:26   --------   d-----w-   c:\documents and settings\Percy\Application Data\skypePM
2010-08-16 13:33 . 2009-03-21 07:54   --------   d-----w-   c:\program files\Steam
2010-08-16 13:32 . 2009-04-11 13:22   --------   d-----w-   c:\program files\Common Files\BioWare
2010-07-26 19:47 . 2010-07-26 19:47   2766336   ----a-w-   c:\windows\freefire.scr
2010-07-22 11:25 . 2009-03-21 07:18   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-07-22 11:25 . 2009-12-20 14:47   --------   d-----w-   c:\documents and settings\Percy\Application Data\Panasonic
2010-07-22 11:06 . 2009-03-21 07:37   47232   ----a-w-   c:\documents and settings\Percy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-22 10:59 . 2010-07-22 10:59   --------   d-----w-   c:\program files\microsoft frontpage
2010-07-21 22:00 . 2010-07-21 22:00   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-21 11:38 . 2010-07-21 07:02   120   ----a-w-   c:\windows\Rzodozavuyu.dat
2010-07-21 11:15 . 2010-07-21 07:01   0   ----a-w-   c:\windows\system32\drivers\pnmruu.sys
2010-07-21 07:00 . 2010-07-21 07:00   --------   d-----w-   c:\documents and settings\Percy\Application Data\7DF15CC158DE8078A66620EEC944DA67
2010-07-20 06:24 . 2010-07-20 06:24   --------   d-----w-   c:\program files\etax2010
2010-07-16 16:20 . 2010-07-16 16:20   --------   d-----w-   c:\program files\GiPo@Utilities
2010-07-16 16:20 . 2010-07-16 16:20   --------   d-----w-   c:\program files\Common Files\Gibinsoft Shared
2010-07-09 02:10 . 2010-07-09 02:10   --------   d-----w-   c:\program files\IrfanView
2010-06-30 12:31 . 2004-08-04 12:00   149504   ----a-w-   c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2004-08-04 12:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-19 07:23 . 2010-06-11 15:17   174080   ----a-w-   c:\documents and settings\Percy\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2010-06-17 14:03 . 2004-08-04 12:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-03-21 07:10   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
2010-06-01 14:39 . 2010-05-08 06:31   218808   ----a-w-   c:\windows\system32\PnkBstrB.exe
2010-06-01 12:53 . 2010-05-08 06:32   137256   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m‘|\ü" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 01:28   72208   ----a-w-   c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Percy^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Percy\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Percy^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=c:\documents and settings\Percy\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=c:\windows\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06   976832   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
2008-01-07 22:28   864256   ----a-w-   c:\program files\Brownie\BrStsWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-08-12 04:16   2215064   ----a-w-   c:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-23 23:54   136176   ----atw-   c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-10 18:40   218032   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-08-14 07:11   565008   ----a-w-   c:\program files\Common Files\Logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-08-14 07:15   2407184   ----a-w-   c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   --sh--w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 12:37   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-11 07:19   1238352   ----a-w-   c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-03 13:59   149280   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\BB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\Manual.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\StrategyGuide.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plain sight\\PlainSight.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\geometry wars\\GeometryWars.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/07/2010 1:31 PM 115008]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/08/2010 2:16 PM 810144]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [21/03/2009 5:18 PM 80392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/02/2010 8:17 AM 10384]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/03/2009 12:11 AM 717296]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe --> c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1993962763-839522115-1003Core.job
- c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-23 23:54]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1993962763-839522115-1003UA.job
- c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-23 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=14593&l=dis
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Percy\Application Data\Mozilla\Firefox\Profiles\699fyk8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Percy\Application Data\Mozilla\Firefox\Profiles\699fyk8q.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-dloznc - c:\windows\system32\mstxtupn.dll
MSConfigStartUp-rmnzhp - c:\windows\system32\mswyxtnd.dll
MSConfigStartUp-szetyj67v - c:\windows\system32\szetyj67v.exe
MSConfigStartUp-szetyj67vx - c:\windows\system32\szetyj67vx.exe
MSConfigStartUp-Xfavucejaqa - c:\windows\ikizizufero.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-26 17:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-1993962763-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:06,6b,6f,6c,b9,a1,70,2e,c2,b9,c0,42,f6,ca,02,d1,89,d4,ad,0e,7b,
   d5,f4,4d,d2,d8,9f,de,8e,7a,f8,5a,d1,29,fe,e3,82,19,34,06,75,18,7d,3c,1c,6f,\
"rkeysecu"=hex:48,00,ef,4b,69,69,8f,1f,15,33,06,77,17,4c,9e,45

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(7684)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiamenu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Microsoft Office\OFFICE11\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2010-08-26  17:27:29 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-26 07:27

Pre-Run: 234,238,386,176 bytes free
Post-Run: 234,247,200,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 8CE4B977A02C0F6CFA35BE842DB6AA91

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #3 on: August 26, 2010, 02:17:29 AM »
Hiya percyrich,

Yep, nasty infection you picked up for sure. Please proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it: ** note the scroll bar, make sure you get them all

Code:

KillAll::

File::
c:\documents and settings\Percy\Application Data\Microsoft\Installer\{EB711BC7-0FDF-460C-A00C-DF8E5E996037}\_6FEFF9B68218417F98F549.exe
c:\windows\system32\emptyregdb.dat
c:\windows\Rzodozavuyu.dat
c:\windows\system32\drivers\pnmruu.sys
Folder::
c:\documents and settings\Percy\Application Data\Azureus
c:\documents and settings\Percy\Application Data\7DF15CC158DE8078A66620EEC944DA67
RegNull::
[HKEY_USERS\S-1-5-21-1708537768-1993962763-839522115-1003\Software\SecuROM\License information*]
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Run an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as".
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The following animation may help.

Kaspersky Gif

Post those two logs in your reply please, also let me know how your system is responding. All in normal...

Kevin.

Offline percyrich

  • Bronze Member
  • Posts: 6
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #4 on: August 26, 2010, 08:59:44 AM »
Hi again,

Here are the logs.


ComboFix 10-08-25.01 - Percy 26/08/2010  20:22:32.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2716 [GMT 10:00]
Running from: c:\documents and settings\Percy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Percy\Desktop\CFScript.txt
AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::
"c:\documents and settings\Percy\Application Data\Microsoft\Installer\{EB711BC7-0FDF-460C-A00C-DF8E5E996037}\_6FEFF9B68218417F98F549.exe"
"c:\windows\Rzodozavuyu.dat"
"c:\windows\system32\drivers\pnmruu.sys"
"c:\windows\system32\emptyregdb.dat"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Percy\Application Data\7DF15CC158DE8078A66620EEC944DA67
c:\documents and settings\Percy\Application Data\Azureus
c:\documents and settings\Percy\Application Data\Azureus\.certs
c:\documents and settings\Percy\Application Data\Azureus\.keystore
c:\documents and settings\Percy\Application Data\Azureus\.lock
c:\documents and settings\Percy\Application Data\Azureus\active\15CA65DA47054D109F8F482F85B309F4FECFEA9D.dat
c:\documents and settings\Percy\Application Data\Azureus\active\15CA65DA47054D109F8F482F85B309F4FECFEA9D.dat.bak
c:\documents and settings\Percy\Application Data\Azureus\active\BAB7CD1FB743E4776EE73D52F3B45F818858990F.dat
c:\documents and settings\Percy\Application Data\Azureus\active\BAB7CD1FB743E4776EE73D52F3B45F818858990F.dat.bak
c:\documents and settings\Percy\Application Data\Azureus\active\cache.dat
c:\documents and settings\Percy\Application Data\Azureus\active\D8CC1AA5916D8E5FA480DDE3267D222F9A61C008.dat
c:\documents and settings\Percy\Application Data\Azureus\active\D8CC1AA5916D8E5FA480DDE3267D222F9A61C008.dat.bak
c:\documents and settings\Percy\Application Data\Azureus\active\D9B61D8D80E016699C6611637F072CAE6A346281.dat
c:\documents and settings\Percy\Application Data\Azureus\active\D9B61D8D80E016699C6611637F072CAE6A346281.dat.bak
c:\documents and settings\Percy\Application Data\Azureus\azureus.config
c:\documents and settings\Percy\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Percy\Application Data\Azureus\azureus.statistics
c:\documents and settings\Percy\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Percy\Application Data\Azureus\banips.config
c:\documents and settings\Percy\Application Data\Azureus\banips.config.bak
c:\documents and settings\Percy\Application Data\Azureus\devices.config
c:\documents and settings\Percy\Application Data\Azureus\devices.config.bak
c:\documents and settings\Percy\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Percy\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Percy\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Percy\Application Data\Azureus\dht\general.dat
c:\documents and settings\Percy\Application Data\Azureus\dht\version.dat
c:\documents and settings\Percy\Application Data\Azureus\downloads.config
c:\documents and settings\Percy\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Percy\Application Data\Azureus\filters.config
c:\documents and settings\Percy\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Percy\Application Data\Azureus\java.vmoptions
c:\documents and settings\Percy\Application Data\Azureus\java.vmoptions.lastgood
c:\documents and settings\Percy\Application Data\Azureus\metasearch.config
c:\documents and settings\Percy\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Percy\Application Data\Azureus\net\pm_4802.dat
c:\documents and settings\Percy\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Percy\Application Data\Azureus\plugins\aefeatman_v\aefeatman_v_1.0.2.jar
c:\documents and settings\Percy\Application Data\Azureus\plugins\aefeatman_v\aefeatman_v_1.0.2.zip
c:\documents and settings\Percy\Application Data\Azureus\plugins\aefeatman_v\plugin.properties
c:\documents and settings\Percy\Application Data\Azureus\plugins\aefeatman_v\plugin.properties_1.0.2
c:\documents and settings\Percy\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Percy\Application Data\Azureus\rcm.config
c:\documents and settings\Percy\Application Data\Azureus\rcm.config.bak
c:\documents and settings\Percy\Application Data\Azureus\sharing.config
c:\documents and settings\Percy\Application Data\Azureus\sharing.config.bak
c:\documents and settings\Percy\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Percy\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Percy\Application Data\Azureus\subs\0014E64A31B2482766A0.vuze
~1,000 other files in this folder, cut out to fit under maximum allowed length...
c:\documents and settings\Percy\Application Data\Microsoft\Installer\{EB711BC7-0FDF-460C-A00C-DF8E5E996037}\_6FEFF9B68218417F98F549.exe
c:\windows\Rzodozavuyu.dat
c:\windows\system32\drivers\pnmruu.sys
c:\windows\system32\emptyregdb.dat

.
(((((((((((((((((((((((((   Files Created from 2010-07-26 to 2010-08-26  )))))))))))))))))))))))))))))))
.

2010-08-26 06:03 . 2010-08-26 06:03   388096   ----a-r-   c:\documents and settings\Percy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-26 06:03 . 2010-08-26 06:03   --------   d-----w-   c:\program files\Trend Micro
2010-08-26 05:36 . 2008-04-13 18:45   15104   -c--a-w-   c:\windows\system32\dllcache\usbscan.sys
2010-08-26 05:36 . 2008-04-13 18:45   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
2010-08-26 05:36 . 2001-08-17 12:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
2010-08-26 05:36 . 2008-04-14 00:12   159232   ----a-w-   c:\windows\system32\ptpusd.dll
2010-08-26 01:31 . 2010-06-21 15:27   354304   -c----w-   c:\windows\system32\dllcache\srv.sys
2010-08-26 01:27 . 2009-08-13 15:16   512000   -c----w-   c:\windows\system32\dllcache\jscript.dll
2010-08-26 00:21 . 2010-08-26 00:21   --------   d-----w-   c:\program files\MSXML 6.0
2010-08-26 00:02 . 2006-02-28 12:00   403   -c----w-   c:\windows\system32\dllcache\npdrmv2.zip
2010-08-26 00:02 . 2006-02-28 12:00   22060   -c----w-   c:\windows\system32\dllcache\npds.zip
2010-08-26 00:02 . 2008-04-13 17:27   79872   -c----w-   c:\windows\system32\dllcache\msxml6r.dll
2010-08-26 00:02 . 2008-04-14 00:12   294912   -c----w-   c:\windows\system32\dllcache\dlimport.exe
2010-08-25 23:55 . 2008-06-13 11:05   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2010-08-25 23:54 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
2010-08-25 23:54 . 2009-10-15 16:28   81920   -c----w-   c:\windows\system32\dllcache\fontsub.dll
2010-08-25 23:54 . 2009-10-15 16:28   119808   -c----w-   c:\windows\system32\dllcache\t2embed.dll
2010-08-25 23:52 . 2010-02-24 13:11   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-08-25 23:52 . 2009-11-21 15:51   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-08-25 23:48 . 2008-10-15 16:34   337408   -c----w-   c:\windows\system32\dllcache\netapi32.dll
2010-08-25 07:29 . 2010-08-25 07:29   --------   d-----w-   c:\documents and settings\Percy\Application Data\dvdcss
2010-08-24 15:54 . 2010-08-24 15:54   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-08-24 13:47 . 2010-08-24 13:53   --------   d-----w-   c:\documents and settings\Percy\Local Settings\Application Data\TwinglyScreensaver
2010-08-24 13:47 . 2010-08-24 13:47   --------   d-----w-   c:\program files\Primelabs
2010-08-24 13:42 . 2010-08-24 13:42   --------   d-----w-   c:\program files\Free Fire Screensaver
2010-08-24 13:42 . 2010-08-24 13:42   --------   d-----w-   c:\documents and settings\Percy\Application Data\Laconic Software
2010-08-24 13:40 . 2010-08-24 13:40   33443   ----a-w-   c:\windows\fire-un.exe
2010-08-24 13:33 . 2010-08-24 13:33   --------   d-----w-   c:\program files\KellySoftware
2010-08-24 10:29 . 2001-08-17 12:36   23040   -c--a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-24 10:29 . 2001-08-17 12:37   27648   -c--a-w-   c:\windows\system32\dllcache\xrxftplt.exe
2010-08-24 10:29 . 2001-08-17 12:37   4608   -c--a-w-   c:\windows\system32\dllcache\xrxflnch.exe
2010-08-24 10:29 . 2001-08-17 12:37   99865   -c--a-w-   c:\windows\system32\dllcache\xlog.exe
2010-08-24 10:28 . 2001-08-17 02:11   16970   -c--a-w-   c:\windows\system32\dllcache\xem336n5.sys
2010-08-24 10:28 . 2004-08-03 12:29   19455   -c--a-w-   c:\windows\system32\dllcache\wvchntxx.sys
2010-08-24 10:28 . 2004-08-03 12:29   12063   -c--a-w-   c:\windows\system32\dllcache\wsiintxx.sys
2010-08-24 10:26 . 2001-08-17 03:28   397502   -c--a-w-   c:\windows\system32\dllcache\vpctcom.sys
2010-08-24 10:26 . 2001-08-17 03:28   604253   -c--a-w-   c:\windows\system32\dllcache\vmodem.sys
2010-08-24 10:26 . 2001-08-17 02:14   249402   -c--a-w-   c:\windows\system32\dllcache\vinwm.sys
2010-08-24 10:26 . 2001-08-17 03:49   24576   -c--a-w-   c:\windows\system32\dllcache\viairda.sys
2010-08-24 10:26 . 2001-08-17 03:28   687999   -c--a-w-   c:\windows\system32\dllcache\usrwdxjs.sys
2010-08-24 10:26 . 2001-08-17 03:28   765884   -c--a-w-   c:\windows\system32\dllcache\usrti.sys
2010-08-24 10:26 . 2001-08-17 03:28   113762   -c--a-w-   c:\windows\system32\dllcache\usrpda.sys
2010-08-24 10:25 . 2001-08-17 03:28   7556   -c--a-w-   c:\windows\system32\dllcache\usroslba.sys
2010-08-24 10:25 . 2001-08-17 03:28   224802   -c--a-w-   c:\windows\system32\dllcache\usr1807a.sys
2010-08-24 10:25 . 2001-08-17 03:28   794399   -c--a-w-   c:\windows\system32\dllcache\usr1806v.sys
2010-08-24 10:25 . 2001-08-17 03:28   793598   -c--a-w-   c:\windows\system32\dllcache\usr1806.sys
2010-08-24 10:25 . 2001-08-17 03:28   794654   -c--a-w-   c:\windows\system32\dllcache\usr1801.sys
2010-08-24 10:25 . 2004-08-03 12:31   32384   -c--a-w-   c:\windows\system32\dllcache\usb101et.sys
2010-08-24 10:25 . 2001-08-17 12:36   94720   -c--a-w-   c:\windows\system32\dllcache\umaxud32.dll
2010-08-24 10:23 . 2001-08-17 12:36   31744   -c--a-w-   c:\windows\system32\dllcache\tp4.dll
2010-08-24 10:22 . 2001-08-17 04:07   30688   -c--a-w-   c:\windows\system32\dllcache\sym_u3.sys
2010-08-24 10:21 . 2001-08-17 02:51   37040   -c--a-w-   c:\windows\system32\dllcache\sonypi.sys
2010-08-24 10:20 . 2001-08-17 04:56   150144   -c--a-w-   c:\windows\system32\dllcache\sis6306v.dll
2010-08-24 10:20 . 2001-08-17 02:50   68608   -c--a-w-   c:\windows\system32\dllcache\sis6306p.sys
2010-08-24 10:20 . 2001-08-17 04:56   252032   -c--a-w-   c:\windows\system32\dllcache\sis300iv.dll
2010-08-24 10:20 . 2001-08-17 02:50   101760   -c--a-w-   c:\windows\system32\dllcache\sis300ip.sys
2010-08-24 10:20 . 2001-07-21 04:29   161568   -c--a-w-   c:\windows\system32\dllcache\sgsmusb.sys
2010-08-24 10:20 . 2001-07-21 04:29   18400   -c--a-w-   c:\windows\system32\dllcache\sgsmld.sys
2010-08-24 10:20 . 2001-08-17 02:51   98080   -c--a-w-   c:\windows\system32\dllcache\sgiulnt5.sys
2010-08-24 10:20 . 2001-08-17 12:36   386560   -c--a-w-   c:\windows\system32\dllcache\sgiul50.dll
2010-08-24 10:20 . 2001-08-17 02:19   36480   -c--a-w-   c:\windows\system32\dllcache\sfmanm.sys
2010-08-24 10:20 . 2001-08-17 03:53   6784   -c--a-w-   c:\windows\system32\dllcache\serscan.sys
2010-08-24 10:20 . 2001-08-17 03:48   17664   -c--a-w-   c:\windows\system32\dllcache\sermouse.sys
2010-08-24 10:20 . 2001-08-17 03:53   6912   -c--a-w-   c:\windows\system32\dllcache\seaddsmc.sys
2010-08-24 10:18 . 2004-08-03 12:31   20992   -c--a-w-   c:\windows\system32\dllcache\rtl8139.sys
2010-08-24 10:18 . 2001-08-17 02:12   19017   -c--a-w-   c:\windows\system32\dllcache\rtl8029.sys
2010-08-24 10:18 . 2001-08-17 02:19   30720   -c--a-w-   c:\windows\system32\dllcache\rthwcls.sys
2010-08-24 10:18 . 2001-08-17 12:36   9216   -c--a-w-   c:\windows\system32\dllcache\rsmgrstr.dll
2010-08-24 10:18 . 2001-08-17 02:19   3840   -c--a-w-   c:\windows\system32\dllcache\rpfun.sys
2010-08-24 10:18 . 2001-08-17 02:12   37563   -c--a-w-   c:\windows\system32\dllcache\rlnet5.sys
2010-08-24 10:18 . 2001-08-17 12:36   86097   -c--a-w-   c:\windows\system32\dllcache\reslog32.dll
2010-08-24 10:18 . 2001-08-17 03:51   19584   -c--a-w-   c:\windows\system32\dllcache\rasirda.sys
2010-08-24 10:18 . 2001-08-17 03:28   714762   -c--a-w-   c:\windows\system32\dllcache\r2mdmkxx.sys
2010-08-24 10:18 . 2001-08-17 03:28   899146   -c--a-w-   c:\windows\system32\dllcache\r2mdkxga.sys
2010-08-24 10:16 . 2001-08-17 12:36   121344   -c--a-w-   c:\windows\system32\dllcache\phvfwext.dll
2010-08-24 10:15 . 2001-08-17 12:36   20480   -c--a-w-   c:\windows\system32\dllcache\ovcomc.dll
2010-08-24 10:14 . 2001-08-17 02:20   87040   -c--a-w-   c:\windows\system32\dllcache\nm6wdm.sys
2010-08-24 10:14 . 2001-08-17 02:20   126080   -c--a-w-   c:\windows\system32\dllcache\nm5a2wdm.sys
2010-08-24 10:14 . 2001-08-17 02:12   32840   -c--a-w-   c:\windows\system32\dllcache\ngrpci.sys
2010-08-24 10:14 . 2004-08-03 12:31   132695   -c--a-w-   c:\windows\system32\dllcache\netwlan5.sys
2010-08-24 10:14 . 2001-08-17 02:11   65278   -c--a-w-   c:\windows\system32\dllcache\netflx3.sys
2010-08-24 10:14 . 2001-08-17 02:50   39264   -c--a-w-   c:\windows\system32\dllcache\neo20xx.sys
2010-08-24 10:14 . 2001-08-17 12:36   60480   -c--a-w-   c:\windows\system32\dllcache\neo20xx.dll
2010-08-24 10:14 . 2001-08-17 03:49   15872   -c--a-w-   c:\windows\system32\dllcache\ne2000.sys
2010-08-24 10:14 . 2001-08-17 04:56   91488   -c--a-w-   c:\windows\system32\dllcache\n9i3disp.dll
2010-08-24 10:14 . 2001-08-17 02:50   27936   -c--a-w-   c:\windows\system32\dllcache\n9i3d.sys
2010-08-24 10:14 . 2001-08-17 02:50   33088   -c--a-w-   c:\windows\system32\dllcache\n9i128v2.sys
2010-08-24 10:14 . 2001-08-17 12:36   59104   -c--a-w-   c:\windows\system32\dllcache\n9i128v2.dll
2010-08-24 10:14 . 2001-08-17 02:50   13664   -c--a-w-   c:\windows\system32\dllcache\n9i128.sys
2010-08-24 10:13 . 2001-08-17 04:56   35392   -c--a-w-   c:\windows\system32\dllcache\n9i128.dll
2010-08-24 10:13 . 2001-08-17 02:11   128000   -c--a-w-   c:\windows\system32\dllcache\n100325.sys
2010-08-24 10:13 . 2001-08-17 02:11   52255   -c--a-w-   c:\windows\system32\dllcache\n1000nt5.sys
2010-08-24 10:13 . 2001-08-17 03:50   75520   -c--a-w-   c:\windows\system32\dllcache\mxport.sys
2010-08-24 10:13 . 2001-08-17 12:36   7168   -c--a-w-   c:\windows\system32\dllcache\mxport.dll
2010-08-24 10:13 . 2001-08-17 03:49   19968   -c--a-w-   c:\windows\system32\dllcache\mxnic.sys
2010-08-24 10:13 . 2001-08-17 12:36   19968   -c--a-w-   c:\windows\system32\dllcache\mxicfg.dll
2010-08-24 10:13 . 2001-08-17 03:50   21888   -c--a-w-   c:\windows\system32\dllcache\mxcard.sys
2010-08-24 10:13 . 2001-08-17 02:50   103296   -c--a-w-   c:\windows\system32\dllcache\mtxvideo.sys
2010-08-24 10:13 . 2001-08-17 03:48   12416   -c--a-w-   c:\windows\system32\dllcache\msriffwv.sys
2010-08-24 10:13 . 2001-08-17 04:00   2944   -c--a-w-   c:\windows\system32\dllcache\msmpu401.sys
2010-08-24 10:12 . 2001-08-17 04:02   35200   -c--a-w-   c:\windows\system32\dllcache\msgame.sys
2010-08-24 10:12 . 2001-08-17 03:48   6016   -c--a-w-   c:\windows\system32\dllcache\msfsio.sys
2010-08-24 10:12 . 2001-08-17 03:52   17280   -c--a-w-   c:\windows\system32\dllcache\mraid35x.sys
2010-08-24 10:10 . 2001-08-17 03:28   802683   -c--a-w-   c:\windows\system32\dllcache\ltsm.sys
2010-08-24 10:09 . 2001-08-17 04:55   5632   -c--a-w-   c:\windows\system32\dllcache\kbd103.dll
2010-08-24 10:09 . 2001-08-17 04:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101c.dll
2010-08-24 10:09 . 2001-08-17 04:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101b.dll
2010-08-24 10:09 . 2001-08-17 03:49   26624   -c--a-w-   c:\windows\system32\dllcache\irstusb.sys
2010-08-24 10:09 . 2001-08-17 03:51   18688   -c--a-w-   c:\windows\system32\dllcache\irsir.sys
2010-08-24 10:09 . 2001-08-17 03:49   23552   -c--a-w-   c:\windows\system32\dllcache\irmk7.sys
2010-08-24 10:09 . 2001-08-17 02:12   45632   -c--a-w-   c:\windows\system32\dllcache\ip5515.sys
2010-08-24 10:09 . 2001-08-17 12:36   90200   -c--a-w-   c:\windows\system32\dllcache\io8ports.dll
2010-08-24 10:09 . 2001-08-17 03:50   38784   -c--a-w-   c:\windows\system32\dllcache\io8.sys
2010-08-24 10:09 . 2001-08-17 03:47   13056   -c--a-w-   c:\windows\system32\dllcache\inport.sys
2010-08-24 10:09 . 2001-08-17 03:52   16000   -c--a-w-   c:\windows\system32\dllcache\ini910u.sys
2010-08-24 10:07 . 2001-08-17 03:28   488383   -c--a-w-   c:\windows\system32\dllcache\hsf_v124.sys
2010-08-24 10:06 . 2001-08-17 02:49   322432   -c--a-w-   c:\windows\system32\dllcache\g400m.sys
2010-08-24 10:05 . 2001-08-17 02:10   19996   -c--a-w-   c:\windows\system32\dllcache\em556n4.sys
2010-08-24 10:04 . 2001-08-17 12:36   27136   -c--a-w-   c:\windows\system32\dllcache\cyzcoins.dll
2010-08-24 10:03 . 2001-08-17 03:51   13824   -c--a-w-   c:\windows\system32\dllcache\bulltlp3.sys
2010-08-24 10:02 . 2001-08-17 04:56   66048   -c--a-w-   c:\windows\system32\dllcache\s3legacy.dll
2010-08-24 09:44 . 2009-12-16 18:43   343040   ----a-w-   c:\windows\system32\mspaint.exe
2010-08-24 09:44 . 2008-04-14 00:12   102912   ----a-w-   c:\windows\system32\clipbrd.exe
2010-08-24 09:43 . 2008-04-14 00:12   538624   ----a-w-   c:\windows\system32\spider.exe
2010-08-24 09:34 . 2008-04-14 00:09   274489   -c--a-w-   c:\windows\system32\dllcache\imjputyc.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 10:27 . 2009-03-21 07:17   16608   ----a-w-   c:\windows\gdrv.sys
2010-08-26 10:16 . 2009-03-21 10:24   --------   d-----w-   c:\documents and settings\Percy\Application Data\Skype
2010-08-26 07:38 . 2009-03-21 10:26   --------   d-----w-   c:\documents and settings\Percy\Application Data\skypePM
2010-08-26 01:03 . 2009-03-21 08:11   --------   d-----w-   c:\program files\ESET
2010-08-25 17:18 . 2009-08-31 11:25   --------   d-----w-   c:\documents and settings\Percy\Application Data\vlc
2010-08-24 10:16 . 2010-08-24 10:16   --------   d-----w-   c:\program files\Zone Labs
2010-08-24 04:51 . 2009-03-22 19:46   --------   d-----w-   c:\program files\World of Warcraft
2010-08-16 13:33 . 2009-03-21 07:54   --------   d-----w-   c:\program files\Steam
2010-08-16 13:32 . 2009-04-11 13:22   --------   d-----w-   c:\program files\Common Files\BioWare
2010-07-26 19:47 . 2010-07-26 19:47   2766336   ----a-w-   c:\windows\freefire.scr
2010-07-22 11:25 . 2009-03-21 07:18   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-07-22 11:25 . 2009-12-20 14:47   --------   d-----w-   c:\documents and settings\Percy\Application Data\Panasonic
2010-07-22 11:06 . 2009-03-21 07:37   47232   ----a-w-   c:\documents and settings\Percy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-22 10:59 . 2010-07-22 10:59   --------   d-----w-   c:\program files\microsoft frontpage
2010-07-21 22:00 . 2010-07-21 22:00   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-20 06:24 . 2010-07-20 06:24   --------   d-----w-   c:\program files\etax2010
2010-07-16 16:20 . 2010-07-16 16:20   --------   d-----w-   c:\program files\GiPo@Utilities
2010-07-16 16:20 . 2010-07-16 16:20   --------   d-----w-   c:\program files\Common Files\Gibinsoft Shared
2010-07-09 02:10 . 2010-07-09 02:10   --------   d-----w-   c:\program files\IrfanView
2010-06-30 12:31 . 2004-08-04 12:00   149504   ----a-w-   c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2004-08-04 12:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-19 07:23 . 2010-06-11 15:17   174080   ----a-w-   c:\documents and settings\Percy\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2010-06-17 14:03 . 2004-08-04 12:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-03-21 07:10   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
2010-06-01 14:39 . 2010-05-08 06:31   218808   ----a-w-   c:\windows\system32\PnkBstrB.exe
2010-06-01 12:53 . 2010-05-08 06:32   137256   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-08-26_07.23.33   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-26 10:27 . 2010-08-26 10:27   16384              c:\windows\temp\Perflib_Perfdata_2c8.dat
+ 2010-08-26 10:27 . 2010-08-26 10:27   16384              c:\windows\temp\Perflib_Perfdata_298.dat
+ 2010-08-26 10:27 . 2008-07-25 22:25   109080              c:\windows\temp\logishrd\LVPrcInj01.dll
- 2010-08-26 07:23 . 2008-07-25 22:25   109080              c:\windows\Temp\logishrd\LVPrcInj01.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m‘|\ü" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 01:28   72208   ----a-w-   c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Percy^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Percy\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Percy^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=c:\documents and settings\Percy\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=c:\windows\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06   976832   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
2008-01-07 22:28   864256   ----a-w-   c:\program files\Brownie\BrStsWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-08-12 04:16   2215064   ----a-w-   c:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-23 23:54   136176   ----atw-   c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-10 18:40   218032   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-08-14 07:11   565008   ----a-w-   c:\program files\Common Files\Logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-08-14 07:15   2407184   ----a-w-   c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   --sh--w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 12:37   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-11 07:19   1238352   ----a-w-   c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-03 13:59   149280   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\BB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\Manual.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\blood bowl\\StrategyGuide.pdf"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plain sight\\PlainSight.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\geometry wars\\GeometryWars.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/07/2010 1:31 PM 115008]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/08/2010 2:16 PM 810144]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [21/03/2009 5:18 PM 80392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/02/2010 8:17 AM 10384]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/03/2009 12:11 AM 717296]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe --> c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1993962763-839522115-1003Core.job
- c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-23 23:54]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1993962763-839522115-1003UA.job
- c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-23 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=14593&l=dis
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Percy\Application Data\Mozilla\Firefox\Profiles\699fyk8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Percy\Application Data\Mozilla\Firefox\Profiles\699fyk8q.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Percy\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-26 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(8068)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-08-26  20:32:04 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-26 10:32
ComboFix2.txt  2010-08-26 07:27

Pre-Run: 234,498,207,744 bytes free
Post-Run: 234,495,381,504 bytes free

Current=3 Default=3 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - F0C8D7558963D556C3CA363553EA2237




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Friday, August 27, 2010
 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Thursday, August 26, 2010 06:21:44
 Records in database: 4152235
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   A:\
   C:\
   D:\
   H:\

Scan statistics:
   Objects scanned: 168985
   Threats found: 1
   Infected objects found: 7
   Suspicious objects found: 0
   Scan duration: 02:20:04


File name / Threat / Threats count
C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP11\A0010488.exe   Infected: Trojan.Win32.Swisyn.agnq   1
C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP12\A0010513.exe   Infected: Trojan.Win32.Swisyn.agnq   1
C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011509.exe   Infected: Trojan.Win32.Swisyn.agnq   1
C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011515.exe   Infected: Trojan.Win32.Swisyn.agnq   1
C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011524.exe   Infected: Trojan.Win32.Swisyn.agnq   1
C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011529.exe   Infected: Trojan.Win32.Swisyn.agnq   1
C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP9\A0010034.exe   Infected: Trojan.Win32.Swisyn.agnq   1

Selected area has been scanned.




Thank you so much for your help so far.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #5 on: August 26, 2010, 11:45:33 AM »
Hiya percyrich,

Please continue as follows :-

Step 1

Please download OTM by OldTimer.
Alternative Mirror 
Save it to your desktop.
Double click OTM.exe to start the tool.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------

    :Processes
    explorer.exe
    :Files
    C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP11\A0010488.exe   Infected: Trojan.Win32.Swisyn.agnq   1
    C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP12\A0010513.exe   Infected: Trojan.Win32.Swisyn.agnq   1
    C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011509.exe   Infected: Trojan.Win32.Swisyn.agnq   1
    C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011515.exe   Infected: Trojan.Win32.Swisyn.agnq   1
    C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011524.exe   Infected: Trojan.Win32.Swisyn.agnq   1
    C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011529.exe   Infected: Trojan.Win32.Swisyn.agnq   1
    C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP9\A0010034.exe   Infected: Trojan.Win32.Swisyn.agnq   1
    :Commands
    [EmptyFlash]
    [EmptyTemp]
    [Purity]
    [Reboot]

    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply :-

  • Log from OTM
  • Log from Security Checks
  • How is your system responding, any specific issues

Kevin

Offline percyrich

  • Bronze Member
  • Posts: 6
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #6 on: August 26, 2010, 05:14:49 PM »
OTM Log:


All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP11\A0010488.exe   Infected: Trojan.Win32.Swisyn.agnq   1 not found.
File/Folder C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP12\A0010513.exe   Infected: Trojan.Win32.Swisyn.agnq   1 not found.
File/Folder C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011509.exe   Infected: Trojan.Win32.Swisyn.agnq   1 not found.
File/Folder C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011515.exe   Infected: Trojan.Win32.Swisyn.agnq   1 not found.
File/Folder C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011524.exe   Infected: Trojan.Win32.Swisyn.agnq   1 not found.
File/Folder C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP13\A0011529.exe   Infected: Trojan.Win32.Swisyn.agnq   1 not found.
File/Folder C:\System Volume Information\_restore{41B684C5-9D18-462F-A315-4E75B705925C}\RP9\A0010034.exe   Infected: Trojan.Win32.Swisyn.agnq   1 not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 456 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
 
User: Percy
->Temp folder emptied: 106559800 bytes
->Temporary Internet Files folder emptied: 34149 bytes
->Java cache emptied: 128020 bytes
->FireFox cache emptied: 94120180 bytes
->Google Chrome cache emptied: 100973109 bytes
->Flash cache emptied: 9350 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6467280 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 109591 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 294.00 mb
 
 
OTM by OldTimer - Version 3.1.15.0 log created on 08272010_090705

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Security check log:


 Results of screen317's Security Check version 0.99.5 
 Windows XP Service Pack 3 
 Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 ESET Online Scanner v3   
 ESET Smart Security   
 Antivirus up to date! 
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 CCleaner (remove only)   
 Java Platform, Enterprise Edition 5 SDK
 Java(TM) 6 Update 16 
 Out of date Java installed!
 Adobe Flash Player 10.0.22.87 
Adobe Reader 9.3.3
 Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

````````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````



As for how my system is going, I can honestly say that if not for the scans telling me I'm infected, I wouldn't know the difference. There are no strange processes running as far as I can tell, nothing is popping up or messing with my internet browsing... performance wise, my computer is as it was when I first set it up.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #7 on: August 26, 2010, 05:34:34 PM »
Hiya percyrich,

That's definitely the response I was wanting to read, proceed as follows :-

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")



  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will:
  • Delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Step 2

  • Download OTC by OldTimer and save it to your Desktop.
    Alternative mirror
  • Double click icon to start the program.
    If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted. It will also remove the OTC application.
Anything left on the Desktop can be safely removed by deleting.

Step 3

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to "JDK 6 Update 21 (JDK or JRE)".
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Post me a final HJT log and let me know if there are any specific issues.

Kevin..

Offline percyrich

  • Bronze Member
  • Posts: 6
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #8 on: August 27, 2010, 11:21:50 PM »
Here is my log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:25:45 PM, on 27/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=14593&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - Unknown owner - c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/commons/f/f4/24-cell.gif

--
End of file - 5915 bytes


I've since run Kaspersky and ESET and both of them tell me my computer is clean!

It makes me very happy to know places like this exist, and that people like you exist. Thank you so much!  :D
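As an added illustration (not code from the thread, from HijackThis or from any of the tools used here), a small triage pass over entries in the HijackThis log format shown above, flagging the items a reviewer usually looks at first: garbled O4 Run values, Run entries with no absolute path, and O23 services whose binary is missing or whose publisher is not recorded. The sample lines are constructed from entries in the posted log; the flags are prompts for a manual check, not verdicts.

```python
import re

# Constructed sample in HijackThis v2.0.4 format, modelled on entries from the
# log posted in the thread above (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - Unknown owner - c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<name>] <value>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<value>.*)$")


def parse_o4(line):
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def parse_o23(line):
    """O23 lines: 'O23 - Service: <name> - <owner> - <path>'."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    # Service names may themselves contain " - ", so split from the right:
    # the last two separators delimit the owner and the path.
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return {"name": name, "owner": owner, "path": path}


def triage(log_text):
    """Return a list of findings (kind, entry name, reason) worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            value = o4["value"]
            if any(ord(c) < 32 or ord(c) > 126 for c in value):
                findings.append({"kind": "O4", "name": o4["name"],
                                 "reason": "garbled autorun value; inspect the Run key by hand"})
            elif not re.match(r'^"?[A-Za-z]:\\', value):
                findings.append({"kind": "O4", "name": o4["name"],
                                 "reason": "bare filename, no absolute path; confirm which file actually runs"})
            continue
        o23 = parse_o23(line)
        if o23:
            if o23["path"].endswith("(file missing)"):
                findings.append({"kind": "O23", "name": o23["name"],
                                 "reason": "service binary missing; orphaned entry"})
            if o23["owner"] == "Unknown owner":
                findings.append({"kind": "O23", "name": o23["name"],
                                 "reason": "no publisher recorded; verify the file's origin"})
    return findings
```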

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #9 on: August 27, 2010, 11:43:52 PM »
Hiya percyrich,

Your latest logs are clean and you say that your system is running well; it would be an excellent idea to keep it that way. The following advice will go a long way to keeping you secure so that you can enjoy safe and happy surfing.

You are still using Internet Explorer 6, I strongly recommend that you update to IE8 at your earliest convenience. 

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.


Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox, Opera, and Chrome.
 
All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here are a couple of links by two security experts that will give some excellent tips and advice.
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally this link HERE will give a comprehensive up to date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Please reply so I know you have read this, it's been a pleasure to work with you.
Take care,

Kevin

edit for typo
« Last Edit: August 28, 2010, 04:56:37 AM by kevinf80 »

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #10 on: August 30, 2010, 04:17:13 AM »
Since this issue appears to be resolved  the topic has been closed. Glad we could help. :t 

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.

Offline percyrich

  • Bronze Member
  • Posts: 6
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #11 on: August 30, 2010, 08:30:02 AM »
Hi Kevin,

Apologies for not getting back to you sooner. I've updated Internet Explorer (even though I never use it, I use Firefox with NoScript), and I've bit the bullet and paid for ESET's security centre. I'll check out these new, free ones though, thank you very much for the link!

Thank you so very much for your help. It makes me feel so much better to know that there are people like you in the world :D

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved] Trojan attack, no AV software can help...
« Reply #12 on: August 30, 2010, 08:46:45 AM »
Quote
Thank you so very much for your help. It makes me feel so much better to know that there are people like you in the world

Hiya percyrich,

Come back anytime, you'll always be welcome. Make sure you keep your system and all programs updated. Any vulnerability will be used by malware writers, it's what they do.
Keep system updates on automatic, likewise with your security system. Run Secunia regularly to make sure all other programs are patched and up to date.
Don't forget, common sense is the best form of defense...

Kevin