August 1st, 2010 22:00

Error Code 80073EFE and my HiJack This Log

Hi Forum:

My name is Nick and for the past 3-4 days now I've been having the Code 80073EFE problem that I've heard so much about. The following is my HiJack This Log. Hope we can get this fixed. :)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:48:43 AM, on 8/2/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\CNYHKey.exe
C:\Windows\ModLEDKey.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Users\Danny\AppData\Local\Apps\2.0\ZNC41K4P.JH9\LR8O3D64.8J2\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\CurseClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15179&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [MoLed] ModLEDKey.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\SD6\Software\SaiVolume.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccb55eb4\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

--
End of file - 7295 bytes

August 3rd, 2010 00:00

Hi Nickispro,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own, as this will conflict with the tools we are going to use.
Please print or save all instructions to Notepad and follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.

Please proceed as follows :-

Step 1

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget ComboFix must be saved to your desktop. <--Very important

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection


Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see the logs from ComboFix and Security Check in your reply, please.

Kevin

August 3rd, 2010 00:00

Side note: I've also been getting some of my google searches redirected when I attempt to look up Microsoft Windows Updates.

August 3rd, 2010 01:00

Hi kevinf80,

Here are the logs in order: ComboFix first


ComboFix 10-08-02.03 - Danny 08/03/2010   3:29.3.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3324.2443 [GMT -4:00]
Running from: c:\users\Danny\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((   Files Created from 2010-07-03 to 2010-08-03  )))))))))))))))))))))))))))))))
.

2010-08-03 07:40 . 2010-08-03 07:40    --------    dc----w-    c:\users\Danny\AppData\Local\temp
2010-08-03 07:40 . 2010-08-03 07:40    --------    dc----w-    c:\users\Public\AppData\Local\temp
2010-08-03 07:40 . 2010-08-03 07:40    --------    dc----w-    c:\users\Default\AppData\Local\temp
2010-08-02 03:31 . 2010-08-02 03:31    --------    dc----w-    c:\users\Danny\AppData\Roaming\Tific
2010-08-01 23:25 . 2010-08-01 23:25    --------    dc----w-    c:\users\Danny\AppData\Roaming\Malwarebytes
2010-08-01 23:24 . 2010-04-29 19:39    38224    -c--a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 23:24 . 2010-08-01 23:24    --------    dc----w-    c:\programdata\Malwarebytes
2010-08-01 23:24 . 2010-08-02 16:36    --------    dc----w-    c:\program files\Malwarebytes' Anti-Malware
2010-08-01 23:24 . 2010-04-29 19:39    20952    -c--a-w-    c:\windows\system32\drivers\mbam.sys
2010-08-01 20:29 . 2010-08-01 20:30    --------    dc----w-    c:\windows\system32\catroot2
2010-07-31 23:19 . 2010-07-31 23:20    --------    dc----w-    C:\ARK
2010-07-31 22:19 . 2010-07-31 22:19    --------    dc----w-    C:\_OTM
2010-07-31 22:18 . 2010-07-31 22:18    337444028    -c--a-w-    C:\regback.reg
2010-07-31 22:10 . 2010-07-31 22:10    388096    -c--a-r-    c:\users\Danny\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-31 22:10 . 2010-07-31 22:10    --------    dc----w-    c:\program files\Trend Micro
2010-07-30 04:51 . 2010-07-30 04:51    2662112    -c--a-w-    c:\users\Danny\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTransControlCenter.exe
2010-07-30 04:51 . 2010-07-30 04:53    5443752    -c--a-w-    c:\users\Danny\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTrans.exe
2010-07-30 03:59 . 2010-07-09 22:37    56936    -c--a-w-    c:\windows\system32\OpenCL.dll
2010-07-30 03:59 . 2010-07-09 22:37    11008040    -c--a-w-    c:\windows\system32\drivers\nvlddmkm.sys
2010-07-30 03:59 . 2010-07-09 22:37    5107816    -c--a-w-    c:\windows\system32\nvwgf2um.dll
2010-07-30 03:59 . 2010-07-09 22:37    2892904    -c--a-w-    c:\windows\system32\nvcuvid.dll
2010-07-30 03:59 . 2010-07-09 22:37    2506344    -c--a-w-    c:\windows\system32\nvcuvenc.dll
2010-07-30 03:59 . 2010-07-09 22:37    14092904    -c--a-w-    c:\windows\system32\nvoglv32.dll
2010-07-30 03:59 . 2010-07-09 22:37    4553832    -c--a-w-    c:\windows\system32\nvcuda.dll
2010-07-30 03:59 . 2010-07-09 22:37    236136    -c--a-w-    c:\windows\system32\nvcod1922.dll
2010-07-30 03:59 . 2010-07-09 22:37    236136    -c--a-w-    c:\windows\system32\nvcod.dll
2010-07-30 03:59 . 2010-07-09 22:37    10267240    -c--a-w-    c:\windows\system32\nvcompiler.dll
2010-07-30 03:47 . 2010-07-30 03:48    --------    dc----w-    c:\program files\Common Files\Adobe
2010-07-30 02:33 . 2010-07-30 02:33    --------    dc----w-    c:\program files\Common Files\Adobe AIR
2010-07-30 02:33 . 2010-07-30 03:50    --------    dc----w-    c:\users\Danny\AppData\Local\NOS
2010-07-30 02:33 . 2010-07-30 02:33    77184    -c--a-w-    c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-07-30 02:33 . 2010-07-30 02:37    --------    dc----w-    c:\programdata\NOS
2010-07-30 02:32 . 2010-07-30 03:19    --------    dc----w-    c:\users\Danny\AppData\Local\ojavlsacq
2010-07-25 23:54 . 2010-07-26 00:13    --------    dc----w-    c:\users\Danny\AppData\Local\sitmeyoyw
2010-07-22 20:35 . 2010-07-22 20:35    --------    dc----w-    c:\program files\iPod
2010-07-22 20:35 . 2010-07-22 20:36    --------    dc----w-    c:\program files\iTunes
2010-07-22 20:31 . 2010-07-22 20:31    73000    -c--a-w-    c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-09 20:37 . 2010-07-09 20:37    1469544    -c--a-w-    c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37    13939816    -c--a-w-    c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37    129640    -c--a-w-    c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37    110696    -c--a-w-    c:\windows\system32\nvmctray.dll
2010-07-07 20:30 . 2010-04-12 21:29    411368    -c--a-w-    c:\windows\system32\deployJava1.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 07:27 . 2010-03-17 19:55    --------    dc----w-    c:\users\Danny\AppData\Roaming\LimeWire
2010-08-03 07:25 . 2010-01-18 20:21    55781    -c--a-w-    c:\programdata\nvModes.dat
2010-08-03 07:24 . 2010-01-18 20:21    --------    dc----w-    c:\programdata\NVIDIA
2010-08-02 04:22 . 2010-02-08 23:44    --------    dc----w-    c:\programdata\Norton
2010-08-02 02:37 . 2010-05-25 00:09    --------    dc----w-    c:\programdata\Spybot - Search & Destroy
2010-08-01 20:36 . 2010-03-31 21:55    --------    dc----w-    c:\programdata\VMware
2010-08-01 20:34 . 2010-03-27 01:06    --------    dc----w-    c:\program files\Steam
2010-07-31 20:50 . 2010-01-19 05:31    --------    dc----w-    c:\users\Danny\AppData\Roaming\uTorrent
2010-07-31 06:31 . 2010-04-02 22:29    --------    dc----w-    c:\users\Danny\AppData\Roaming\Skype
2010-07-31 06:30 . 2010-04-02 22:29    --------    dc----w-    c:\users\Danny\AppData\Roaming\skypePM
2010-07-30 21:15 . 2010-01-31 16:03    137256    -c--a-w-    c:\windows\system32\drivers\PnkBstrK.sys
2010-07-30 21:15 . 2010-01-31 16:02    218808    -c--a-w-    c:\windows\system32\PnkBstrB.exe
2010-07-30 04:00 . 2010-03-09 08:18    --------    dc----w-    c:\program files\NVIDIA Corporation
2010-07-26 02:44 . 2010-01-19 02:46    --------    dc----w-    c:\users\Danny\AppData\Roaming\Ventrilo
2010-07-22 20:35 . 2010-02-18 05:08    --------    dc----w-    c:\program files\Common Files\Apple
2010-07-18 09:35 . 2010-02-18 02:26    --------    dc----w-    c:\users\Danny\AppData\Roaming\vlc
2010-07-14 07:04 . 2006-11-02 11:18    --------    dc----w-    c:\program files\Windows Mail
2010-07-09 22:37 . 2010-07-30 03:59    10920    -c--a-w-    c:\windows\system32\drivers\nvBridge.kmd
2010-07-09 22:37 . 2009-09-28 04:12    9818728    -c--a-w-    c:\windows\system32\nvd3dum.dll
2010-07-09 22:37 . 2009-09-28 04:12    604776    -c--a-w-    c:\windows\system32\nvudisp.exe
2010-07-09 22:37 . 2009-09-28 04:12    1625192    -c--a-w-    c:\windows\system32\nvapi.dll
2010-07-07 20:30 . 2010-02-11 05:50    --------    dc----w-    c:\program files\Java
2010-07-07 17:46 . 2010-01-18 15:28    604776    -c--a-w-    c:\windows\system32\nvuninst.exe
2010-06-30 10:14 . 2010-01-28 00:03    --------    dc----w-    c:\program files\CCleaner
2010-06-29 23:19 . 2010-06-29 23:19    --------    dc----w-    c:\program files\Driver-Soft
2010-06-29 23:13 . 2010-01-18 14:48    --------    dc----w-    c:\program files\Intel
2010-06-28 07:56 . 2010-06-28 07:41    --------    dc----w-    c:\program files\CamStudio
2010-06-27 07:01 . 2010-06-27 07:01    --------    dc----w-    c:\programdata\NVIDIA Corporation
2010-06-27 06:58 . 2010-06-27 06:58    --------    dc----w-    c:\program files\SystemRequirementsLab
2010-06-27 06:58 . 2010-06-27 06:58    --------    dc----w-    c:\users\Danny\AppData\Roaming\SystemRequirementsLab
2010-06-27 06:58 . 2010-06-27 06:58    290816    -c--a-w-    c:\users\Danny\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-06-27 06:58 . 2010-06-27 06:58    290816    -c--a-w-    c:\users\Danny\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-06-27 06:58 . 2010-06-27 06:58    290816    -c--a-w-    c:\users\Danny\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-06-27 06:58 . 2010-06-27 06:58    290816    -c--a-w-    c:\users\Danny\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-06-25 21:35 . 2010-03-31 23:48    --------    dc----w-    c:\users\Danny\AppData\Roaming\VMware
2010-06-22 23:16 . 2010-01-26 21:52    --------    dc----w-    c:\programdata\Blizzard Entertainment
2010-06-22 23:00 . 2010-03-22 01:17    --------    dc----w-    c:\program files\Microsoft.NET
2010-06-16 22:01 . 2010-06-16 22:01    --------    dc----w-    c:\program files\Bonjour
2010-06-09 07:06 . 2010-03-22 01:17    --------    dc----w-    c:\programdata\Microsoft Help
2010-06-07 23:57 . 2010-06-27 06:59    232040    -c--a-w-    c:\windows\system32\nvcod1921.dll
2010-06-07 03:10 . 2010-04-22 17:17    --------    dc----w-    c:\program files\Project64 1.6
2010-06-04 21:31 . 2010-02-13 01:12    --------    dc----w-    c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-08 20:19    34304    -c--a-w-    c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-08 20:19    289792    -c--a-w-    c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2010-01-18 14:58    221568    -c----w-    c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35    91424    -c--a-w-    c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35    107808    -c--a-w-    c:\windows\system32\dns-sd.exe
2010-05-07 01:21 . 2010-05-07 01:21    50354    -c--a-w-    c:\users\Danny\AppData\Roaming\Facebook\uninstall.exe
2010-05-06 04:01 . 2010-05-24 23:01    339504    -c--a-w-    c:\windows\system32\drivers\symtdiv.sys
2008-06-30 18:44 . 2010-01-18 22:37    324976    -c--a-w-    c:\program files\mozilla firefox\components\coFFPlgn.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-08-02_03.25.50   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-18 20:26 . 2010-08-03 02:53    53628              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-08-03 07:25    82928              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2010-01-18 14:47 . 2010-08-03 07:25    15372              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2593463518-2469363678-3587886041-1000_UserData.bin
+ 2006-11-02 13:02 . 2010-08-02 16:24    49152              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2010-08-02 02:40    49152              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2010-08-02 02:40    49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:02 . 2010-08-02 16:24    49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-18 22:38 . 2010-08-01 21:37    16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-18 22:38 . 2010-08-03 02:52    16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-18 22:38 . 2010-08-01 21:37    32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-18 22:38 . 2010-08-03 02:52    32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-18 22:38 . 2010-08-01 21:37    16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-18 22:38 . 2010-08-03 02:52    16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-25 09:58 . 2010-08-01 21:36    6146              c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2010-01-25 09:58 . 2010-08-02 07:12    6146              c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2010-08-03 07:24 . 2010-08-03 07:24    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-08-02 03:07 . 2010-08-02 03:07    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-08-02 03:07 . 2010-08-02 03:07    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-08-03 07:24 . 2010-08-03 07:24    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2010-08-03 07:31    604264              c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-08-02 03:15    604264              c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-08-03 07:31    103964              c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-08-02 03:15    103964              c:\windows\System32\perfc009.dat
+ 2010-07-31 22:33 . 2010-08-02 16:24    131072              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-31 22:33 . 2010-08-02 02:40    131072              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-28 07:32 . 2010-08-02 23:35    1320496              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-01-28 07:32 . 2010-08-02 00:59    1320496              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ledpointer"="CNYHKey.exe" [2006-11-09 5585408]
"MoLed"="ModLEDKey.exe" [2006-11-09 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-29 233472]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-29 131072]
"SaiVolume"="c:\program files\Saitek\SD6\Software\SaiVolume.exe" [2007-10-29 126976]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-02 442467]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\users\Danny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-8-1 0]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-16 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoChangeAnimation"= 0 (0x0)
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3d,d2,b8,c0,f1,9a,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-02-09 102448]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys
R3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2010-01-18 5504]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 SaiH0728;SaiH0728;c:\windows\system32\DRIVERS\SaiH0728.sys [2007-10-30 136448]
R3 SaiK0728;SaiK0728;c:\windows\system32\DRIVERS\SaiK0728.sys [2009-03-06 108544]
R3 SQTECH9090;TOP Cam;c:\windows\system32\Drivers\Capt9090.sys [2008-01-14 48384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-28 691696]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1107000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-01-12 185640]
S3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTV.sys [2007-04-12 38288]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.2.0.5\DriverRobot.exe [2010-01-18 22:29]

2010-08-03 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Danny.job
- c:\program files\Norton Internet Security\Engine\17.7.0.12\navw32.exe [2010-05-24 05:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15179&l=dis
uInternet Settings,ProxyOverride =
FF - ProfilePath - c:\users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\9h8undjl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\users\Danny\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 03:40
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2593463518-2469363678-3587886041-1000\Software\SecuROM\License information*]
"datasecu"=hex:83,99,50,6e,6f,de,30,78,3f,b5,28,6d,01,65,96,1c,ef,04,e6,95,77,
   82,5a,88,cc,c4,86,5f,a4,9e,ef,72,40,5d,86,88,cd,80,75,24,3e,10,eb,51,41,e7,\
"rkeysecu"=hex:f4,0a,b9,0b,67,0b,e7,2b,46,ed,03,ce,b6,cf,00,2b

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-03  03:43:38
ComboFix-quarantined-files.txt  2010-08-03 07:43
ComboFix2.txt  2010-08-02 03:31
ComboFix3.txt  2010-08-01 21:23

Pre-Run: 122,926,956,544 bytes free
Post-Run: 122,698,547,200 bytes free

- - End Of File - - 343AE513E15206BA833E2C5B1CA5B1D6

Now the other one:

 Results of screen317's Security Check version 0.99.5 
 Windows Vista Service Pack 2 (UAC is disabled!)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 Norton Internet Security   
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 CCleaner    
 Java(TM) 6 Update 20 
 Out of date Java installed!
 Adobe Flash Player 10.1.53.64 
Adobe Reader 9.3.3
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Norton ccSvcHst.exe
 Windows Defender MSASCui.exe
 Spybot Teatimer.exe is disabled!
 Windows Defender MSASCui.exe  
````````````````````````````````
DNS Vulnerability Check:

 Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````


1.1K Posts

August 3rd, 2010 12:00

Hi Nickispro,

From the ComboFix log it would appear you've had help previously: CF has been run 3 times before this run, and there is evidence of ARK and OTM. What happened, and why are these tools still in place? I also see evidence of P2P applications, uTorrent and Limewire for sure. I'm not being judgemental, but you must realize that using P2P is one of the definite routes to getting infected.
Before we go any further you must uninstall all P2P applications. Also tell me why CF and GMER etc. were run previously. What was the problem?

Run the following scan and post the log for me..

Download CKScanner from here

Important : Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


In your reply let me see the CKScanner log and also the ARK log, which will be in the folder C:\Ark, plus confirmation that the P2P applications are uninstalled.

Kevin

6 Posts

August 3rd, 2010 13:00

Hey kevinf80,

In response to your question about the CF logs etc., I encountered a thread virtually identical to my own and followed most of the steps in it, minus the ones where files did not directly apply to my PC (i.e. they had the other user's name and folder destinations in them). If you tell me how, I can remove the ARK and OTM files properly. Also, in relation to the P2P: Limewire and uTorrent is how I get my music. I'm aware it's a threat, but I steamrolled the risk for it, and I'm guessing it may have come back to bite me.

The CKScanner Log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\programdata\rosetta stone\content\rosetta.stone.v3.4.5.win.all-rbs\crack\fninterface_libfnp.dll
c:\programdata\rosetta stone\rosetta.stone.v3.4.5.win.all-rbs\crack\fninterface_libfnp.dll
c:\users\danny\desktop\rosetta.stone.v3.4.5.win.all-rbs\crack\fninterface_libfnp.dll
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3.nfo
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3.sfv
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3\read me.txt
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3\xdelta.exe
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3\xpa-mal3-cracked.nds
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3\xpa-mal3.nds
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3\xpa-ml3.bat
c:\users\danny\downloads\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\mario_and_luigi_bowsers_inside_story_usa_crack_nds-xpa\xpa-ml3\xpa-ml3.crack
scanner sequence 3.CH.11
 ----- EOF -----

ARK Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-03 15:36:10
Windows 6.0.6002 Service Pack 2
Running: 403ls3ub.exe; Driver: C:\Users\Danny\AppData\Local\Temp\fglcapog.sys


---- System - GMER 1.0.15 ----

SSDT            87712150                                                                                                            ZwAlpcConnectPort
SSDT            876F2890                                                                                                            ZwLoadDriver

INT 0x51        ?                                                                                                                   86F9BF00
INT 0x62        ?                                                                                                                   86F9BF00
INT 0x72        ?                                                                                                                   86F9BF00
INT 0x82        ?                                                                                                                   85692BF8
INT 0x82        ?                                                                                                                   86F9BF00
INT 0x82        ?                                                                                                                   85692BF8
INT 0x92        ?                                                                                                                   8568DBF8
INT 0xA2        ?                                                                                                                   8568DBF8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!KeInsertQueue + 32D                                                                                    820B4924 4 Bytes  [50, 21, 71, 87] {PUSH EAX; AND [ECX-0x79], ESI}
.text           ntoskrnl.exe!KeInsertQueue + 56D                                                                                    820B4B64 4 Bytes  [90, 28, 6F, 87] {NOP ; SUB [EDI-0x79], CH}
?               System32\Drivers\spnp.sys                                                                                           The system cannot find the path specified. !
.text           USBPORT.SYS!DllUnload                                                                                               8F54441B 5 Bytes  JMP 86F9B4E0
.text           aoqbsjmu.SYS                                                                                                        8F5B6000 22 Bytes  [82, B3, 01, 82, 6C, B2, 01, ...]
.text           aoqbsjmu.SYS                                                                                                        8F5B6017 45 Bytes  [00, 32, 27, F4, 8A, 3D, 25, ...]
.text           aoqbsjmu.SYS                                                                                                        8F5B6045 121 Bytes  [33, 0A, 82, 4C, 4F, 0D, 82, ...]
.text           aoqbsjmu.SYS                                                                                                        8F5B60BF 13 Bytes  [82, 00, 00, 00, 00, 00, 00, ...] {ADD BYTE [EAX], 0x0; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text           aoqbsjmu.SYS                                                                                                        8F5B60CE 10 Bytes  [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text           ...                                                                                                                

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Mozilla Firefox\plugin-container.exe[1260] USER32.dll!TrackPopupMenu                               758F14F3 5 Bytes  JMP 654B721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[3344] ntdll.dll!LdrLoadDll                                             76F79390 5 Bytes  JMP 00B113F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                               8568C2D8
IAT             \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice]                                                   [8AE70DDC] \SystemRoot\System32\Drivers\spnp.sys
IAT             \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                      [8AE70E30] \SystemRoot\System32\Drivers\spnp.sys
IAT             \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]                                           [8AE466D6] \SystemRoot\System32\Drivers\spnp.sys
IAT             \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]                                            [8AE46042] \SystemRoot\System32\Drivers\spnp.sys
IAT             \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]                                    [8AE46800] \SystemRoot\System32\Drivers\spnp.sys
IAT             \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort]                                           [8AE460C0] \SystemRoot\System32\Drivers\spnp.sys
IAT             \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]                                     [8AE4613E] \SystemRoot\System32\Drivers\spnp.sys
IAT             \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint]                                                8568D2D8
IAT             \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                                86F9B5E0
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortNotification]                                          CC358B04
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortWritePortUchar]                                        838F5DCF
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortWritePortUlong]                                        458B38C6
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortGetPhysicalAddress]                                    A5A5A514
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong]                         [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortGetScatterGatherList]                                  5F8F5DA0
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortReadPortUchar]                                         30810889
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortStallExecution]                                        54771129
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortGetParentBusType]                                      10C25D5E
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortRequestCallback]                                       [8B55CC00] \SystemRoot\system32\drivers\NETIO.SYS (Network I/O Subsystem/Microsoft Corporation)
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortWritePortBufferUshort]                                 084D8BEC
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortGetUnCachedExtension]                                  0CF0918B
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortCompleteRequest]                                       458B0000
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortMoveMemory]                                            [8B108910] \SystemRoot\system32\drivers\iastorv.sys (Intel Matrix Storage Manager driver (base)/Intel Corporation)
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests]                             000CF491
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb]                                04508900
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb]                                  053C7980
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortReadPortUshort]                                        560C558B
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortReadPortBufferUshort]                                  C6127557
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortInitialize]                                            B18D0502
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortGetDeviceBase]                                         00000CF8
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortDeviceStateChange]                                     A508788D
IAT             \SystemRoot\System32\Drivers\aoqbsjmu.SYS[NTOSKRNL.exe!KeTickCount]                                                 [8B118920] \SystemRoot\system32\drivers\iastorv.sys (Intel Matrix Storage Manager driver (base)/Intel Corporation)
IAT             \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint]                                               870942D8

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                              856941F8
Device          \Driver\netbt \Device\NetBT_Tcpip_{C3FC2F62-3585-450A-AF97-02FD1179CAFE}                                            877101F8
Device          \Driver\volmgr \Device\VolMgrControl                                                                                8568F1F8
Device          \Driver\usbuhci \Device\USBPDO-0                                                                                    870811F8
Device          \Driver\usbuhci \Device\USBPDO-1                                                                                    870811F8
Device          \Driver\usbuhci \Device\USBPDO-2                                                                                    870811F8
Device          \Driver\PCI_PNP5402 \Device\00000054                                                                                spnp.sys
Device          \Driver\usbuhci \Device\USBPDO-3                                                                                    870811F8
Device          \Driver\usbehci \Device\USBPDO-4                                                                                    86E901F8

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                             SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device          \Driver\USBSTOR \Device\00000070                                                                                    87648500
Device          \Driver\volmgr \Device\HarddiskVolume1                                                                              8568F1F8
Device          \Driver\volmgr \Device\HarddiskVolume2                                                                              8568F1F8
Device          \Driver\cdrom \Device\CdRom0                                                                                        86F751F8
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                                                                         856931F8
Device          \Driver\iaStor \Device\Ide\iaStor0                                                                                  [8B157FA0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                  856931F8
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                  856931F8
Device          \Driver\iaStor \Device\Ide\IAAStorageDevice-0                                                                       [8B157FA0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\volmgr \Device\HarddiskVolume3                                                                              8568F1F8
Device          \Driver\cdrom \Device\CdRom1                                                                                        86F751F8
Device          \Driver\volmgr \Device\HarddiskVolume4                                                                              8568F1F8
Device          \Driver\volmgr \Device\HarddiskVolume5                                                                              8568F1F8
Device          \Driver\volmgr \Device\HarddiskVolume6                                                                              8568F1F8
Device          \Driver\netbt \Device\NetBt_Wins_Export                                                                             877101F8
Device          \Driver\Smb \Device\NetbiosSmb                                                                                      8770C1F8
Device          \Driver\iScsiPrt \Device\RaidPort0                                                                                  870951F8

AttachedDevice  \Driver\tdx \Device\Udp                                                                                             SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\tdx \Device\RawIp                                                                                           SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device          \Driver\USBSTOR \Device\0000006c                                                                                    87648500
Device          \Driver\usbuhci \Device\USBFDO-0                                                                                    870811F8
Device          \Driver\usbuhci \Device\USBFDO-1                                                                                    870811F8
Device          \Driver\USBSTOR \Device\0000006d                                                                                    87648500
Device          \Driver\usbuhci \Device\USBFDO-2                                                                                    870811F8
Device          \Driver\USBSTOR \Device\0000006e                                                                                    87648500
Device          \Driver\sptd \Device\2897907902                                                                                     spnp.sys
Device          \Driver\usbuhci \Device\USBFDO-3                                                                                    870811F8
Device          \Driver\USBSTOR \Device\0000006f                                                                                    87648500
Device          \Driver\usbehci \Device\USBFDO-4                                                                                    86E901F8
Device          \Driver\aoqbsjmu \Device\Scsi\aoqbsjmu1Port4Path0Target0Lun0                                                        870FD1F8
Device          \Driver\aoqbsjmu \Device\Scsi\aoqbsjmu1                                                                             870FD1F8
Device          \FileSystem\cdfs \Cdfs                                                                                              888AE1F8

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                  771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                  285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                  1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                   
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x90 0x48 0xA4 0xBA ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                          
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0xD7 0xA1 0x95 0xAD ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x80 0xF9 0x91 0xEC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)               
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x62 0x55 0xD2 0xFB ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)      
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0xD7 0xA1 0x95 0xAD ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x80 0xF9 0x91 0xEC ...

---- EOF - GMER 1.0.15 ----

All P2P programs are uninstalled.
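
The GMER report above has to be read hook by hook to work out which driver is sitting in front of pci.sys, atapi.sys and the SSDT. As an added example, not part of any post in this thread and not a GMER tool, the Python script below parses the line shapes visible in that report (bare-address SSDT entries, `.text` patches, `IAT ... [addr] \path\module (vendor)` lines, `Device`/`AttachedDevice` lines and `Reg` values) and groups every hook by the module GMER resolved as its target. The sample input is an excerpt copied from the report above with the column padding trimmed; the regexes, the `triage`/`flag_modules` names and the 8-letter random-name heuristic are my own assumptions about the format, not anything GMER documents. The output is a list of leads for a reviewer, not verdicts: the report itself ties spnp.sys and the sptd service to C:\Program Files\DAEMON Tools Lite\ through the Cfg@p0 value, aoqbsjmu.SYS imports from the DT Soft Engine.dll, SYMTDIV.SYS is labelled as Symantec's network dispatch driver, and GMER's own scan driver (fglcapog.sys on the "Running:" line) also carries a random 8-letter name.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: lines copied from the GMER report above, column padding trimmed (an excerpt).
SAMPLE_REPORT = r"""
---- System - GMER 1.0.15 ----
SSDT  87712150  ZwAlpcConnectPort
SSDT  876F2890  ZwLoadDriver
---- Kernel code sections - GMER 1.0.15 ----
.text  USBPORT.SYS!DllUnload  8F54441B 5 Bytes  JMP 86F9B4E0
.text  aoqbsjmu.SYS  8F5B6000 22 Bytes  [82, B3, 01, 82, 6C, B2, 01, ...]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT  \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice]  [8AE70DDC] \SystemRoot\System32\Drivers\spnp.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [8AE466D6] \SystemRoot\System32\Drivers\spnp.sys
IAT  \SystemRoot\System32\Drivers\aoqbsjmu.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong]  [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
IAT  \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint]  870942D8
---- Devices - GMER 1.0.15 ----
Device  \Driver\PCI_PNP5402 \Device\00000054  spnp.sys
Device  \Driver\sptd \Device\2897907902  spnp.sys
Device  \Driver\volmgr \Device\HarddiskVolume1  8568F1F8
AttachedDevice  \Driver\tdx \Device\Tcp  SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
---- Registry - GMER 1.0.15 ----
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite
"""

# Line shapes as seen in the report above (my reading of the format, not GMER's spec).
SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\S+)$")
TEXT_RE = re.compile(r"^\.text\s+(.+?)\s+([0-9A-F]{8})\s+(\d+) Bytes\s+(.*)$")
IAT_RE = re.compile(r"^IAT\s+(\S+)\[(\S+?)!(\S+?)\]\s+(.*)$")
TARGET_RE = re.compile(r"^\[([0-9A-F]{8})\]\s+(.+?)(?:\s+\((.*)\))?$")  # "[addr] \path\mod (vendor)"
DEVICE_RE = re.compile(r"^(Device|AttachedDevice)\s+(\S+)\s+(\S+)\s+(.+?)(?:\s+\((.*)\))?$")
REG_RE = re.compile(r"^Reg\s+(\S+)\s*(.*)$")
ADDR_RE = re.compile(r"^[0-9A-F]{8}$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.sys$")  # heuristic only; GMER's own scan driver matches too

def module_name(path):
    """Lower-case file name of a module, minus any '!symbol' or '[section]' suffix."""
    return re.split(r"[!\[]", path, maxsplit=1)[0].rsplit("\\", 1)[-1].lower()

def triage(report):
    """Group every hook GMER reported by the module it resolved as the hook's target."""
    s = {"ssdt_hooks": [], "inline_patches": [], "iat_unresolved": [], "path_hints": [],
         "iat_by_owner": defaultdict(list), "device_owners": defaultdict(list),  # owner -> hooked things
         "module_desc": {}}  # owner -> vendor string GMER printed next to it
    for line in (ln.strip() for ln in report.splitlines()):
        if not line or SECTION_RE.match(line):
            continue
        if m := SSDT_RE.match(line):
            s["ssdt_hooks"].append((m.group(2), m.group(1)))        # (function, hook address)
        elif m := TEXT_RE.match(line):
            where, _addr, size, detail = m.groups()
            s["inline_patches"].append((module_name(where), where, int(size), detail))
        elif m := IAT_RE.match(line):
            importer, dll, func, rest = m.groups()
            entry = (module_name(importer), f"{dll}!{func}")
            if t := TARGET_RE.match(rest):
                owner = module_name(t.group(2))
                s["iat_by_owner"][owner].append(entry)
                if t.group(3): s["module_desc"][owner] = t.group(3)
            else:                                                  # bare address GMER could not map
                s["iat_unresolved"].append(entry + (rest,))
        elif m := DEVICE_RE.match(line):
            _kind, driver, device, owner, desc = m.groups()
            if ADDR_RE.match(owner):                               # plain dispatch address: skip
                continue
            owner = module_name(t.group(2) if (t := TARGET_RE.match(owner)) else owner)
            s["device_owners"][owner].append((driver, device))
            if desc: s["module_desc"][owner] = desc
        elif m := REG_RE.match(line):
            key, value = m.groups()
            if re.match(r"^[A-Za-z]:\\", value):                   # e.g. sptd Cfg@p0 -> install dir
                s["path_hints"].append((key, value))
    return s

def flag_modules(s):
    """Leads for a reviewer, not verdicts: modules that sit in other drivers' I/O paths."""
    reasons = defaultdict(list)
    for owner, entries in s["iat_by_owner"].items():
        importers = ", ".join(sorted({imp for imp, _ in entries}))
        reasons[owner].append(f"redirects {len(entries)} import(s) of {importers}")
    for owner, objs in s["device_owners"].items():
        foreign = sorted({drv for drv, _ in objs if module_name(drv) != owner.rsplit(".", 1)[0]})
        if foreign:
            reasons[owner].append("sits in the I/O path of " + ", ".join(foreign))
    for mod, _where, size, detail in s["inline_patches"]:
        reasons[mod].append("inline JMP hook" if detail.startswith("JMP") else f"{size}-byte code patch")
    for mod in list(reasons):
        if RANDOM_NAME_RE.match(mod):
            reasons[mod].append("random-looking 8-letter driver name")
        if mod in s["module_desc"]:
            reasons[mod].append("GMER labels it: " + s["module_desc"][mod])
    return dict(reasons)

if __name__ == "__main__":
    summary = triage(open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    print("SSDT hooks:", summary["ssdt_hooks"], "| unresolved IAT:", summary["iat_unresolved"])
    for mod, why in sorted(flag_modules(summary).items()):
        print(f"{mod}: " + "; ".join(why))
```

Run it with a saved GMER report as the only argument (or with no argument to use the embedded excerpt). On the excerpt it reports spnp.sys as redirecting imports of pci.sys and atapi.sys and answering for the \Driver\sptd and \Driver\PCI_PNP5402 objects, which is exactly the pattern the report's registry section attributes to the DAEMON Tools Lite install; the point of the grouping is that a reviewer checks one owner against one on-disk path instead of forty IAT lines.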

1.1K Posts

August 3rd, 2010 16:00

Hi Nickispro,

Sorry to keep you waiting, I had to check out some issues. OK, here it is: whilst having the uTorrent and Limewire applications is not illegal per se, using them for file sharing of copyright-protected material certainly is.

This type of program and its use is one of the major conduits for malware writers to distribute infected material. You have admitted using them for downloading music, and there is certainly evidence of cracked software in your logs.

There are plenty of guys who get infected through no fault of their own and have to wait for help due to a lack of trained security analysts. Then there are others who get infected due to illegal activities.

You will find that the majority, if not all help sites will deny assistance once it is established cracked or illegal material is onboard. So there it is, my help stops right here.

Thank you for your understanding. Feel free to contact one of the Admin staff if you disagree with this decision; link to this thread with the query if you do.

kevinf80

6 Posts

August 3rd, 2010 20:00

It is thoroughly disappointing that my cry for help ends so short, but I guess I understand why. Can you at least do me a major favor and tell me whether or not, based on the logs I've sent you, you see anything majorly wrong with my PC?

6 Posts

August 4th, 2010 01:00

Oh, and also: the thread that indicates how to format our help request says nothing about denying someone help if they use or have used P2P programs like Limewire and such, or download cracked files, and I find that unfair. Had I known I would get swatted off immediately for it I wouldn't have bothered. -_- As I said, I understand, to a degree, but I am very, very upset and hope to God that I can get help from someone.