Can someone tell me if this is a virus?

Seagate Barracuda 7200.12 1tb hard drive
December 5, 2009 at 13:44:28
Specs: Windows Vista, Amd Phenom II X4 965 Black edition/patriot DDR2 1066mhz
Hey everybody, I have a really awkward problem, so here it goes....

So one day I open my (C:) drive and discover a file named "_scott_". Every time I delete this file it instantly reappears. This file has survived 2 formats and even a 12-time wipe using Wipedrive. So I guess my question is... what the heck is this file? Is it a virus? And if it is, how can I get rid of it?

Also, I have scanned my computer with AVG, Avast, Norton 2010 and Malwarebytes, and Malwarebytes is the only program that detects it whatsoever.





#1
December 5, 2009 at 17:59:51

It may take a few scans to find the problem, but it sounds like a rootkit that has infected your MBR.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double-click on RSIT.exe to launch the program.
2. (Vista users only) Right-click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized). Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
3. Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: if you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.
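The reply above suspects an MBR rootkit. Before trusting any user-mode view of sector 0, a practitioner dumps the first 512 bytes of the physical disk and compares the boot code against a baseline taken from a known-clean machine. The Python below is an added example for this thread, not code from the original post or from the RSIT/GMER authors: `read_physical_mbr` opens `\\.\PhysicalDrive0` and needs Administrator rights on Windows, the `CLEAN_BOOT_CODE` bytes are a constructed placeholder rather than a real Windows MBR, and the partition layout (one active NTFS partition at LBA 2048) is an assumption. The caveat that matters on this machine: a rootkit that hooks disk I/O can hand user-mode readers a clean copy of the sector, which is why GMER loads its own driver and why the trustworthy dump is taken from a boot CD or with the drive attached to another computer.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot code; 440..443 the disk signature
DISK_SIGNATURE_OFFSET = 440
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries
SIGNATURE_OFFSET = 510         # 0x55 0xAA


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical disk (Windows, run as Administrator).

    Not called by the demo below. On a suspected rootkit host the bytes returned
    are only as trustworthy as the kernel that served the read.
    """
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split one 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_sha256, expected_partitions):
    """Compare a sector against a baseline; returns a list of findings (empty = matches)."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from the known-good baseline "
                        "(bootkit, or a boot manager the baseline does not know about)")
    if sum(1 for p in info["partitions"] if p["active"]) != 1:
        findings.append("expected exactly one active partition")
    layout = [(p["type"], p["lba_start"], p["sectors"]) for p in info["partitions"]]
    if layout != list(expected_partitions):
        findings.append("partition table differs from baseline: %r" % (layout,))
    return findings


def build_sample_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Constructed sector for the demo below; not a real disk image."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    for i, (active, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, ptype, lba_start, count)
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


# Placeholder boot code (NOT the real Windows MBR code) and an assumed layout:
# one active NTFS (0x07) partition starting at LBA 2048, the Vista default.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
EXPECTED_PARTITIONS = [(0x07, 2048, 319000000)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 319000000)])
BASELINE_BOOT_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "infected" copy: a bootkit typically patches the first instruction
# into a jump to its own loader and leaves the partition table untouched.
_patched = bytearray(CLEAN_MBR)
_patched[0:3] = b"\xEB\x3C\x90"
PATCHED_MBR = bytes(_patched)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        print(label, check_mbr(sector, BASELINE_BOOT_HASH, EXPECTED_PARTITIONS) or "OK")
```

On a real case the baseline hash comes from the same Windows version on a clean machine (or from the 440 boot-code bytes of a dump taken offline), and a mismatch is a reason to image the disk, not a verdict on its own, since third-party boot managers and some OEM recovery tools also replace that code.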



#2
December 6, 2009 at 20:02:18
Logfile of random's system information tool 1.06 (written by random/random)
Run by Justin Spade at 2009-12-06 20:01:25
Microsoft® Windows Vista™ Home Premium
System drive C: has 93 GB (61%) free of 153 GB
Total RAM: 3071 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:34 PM, on 12/6/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Justin Spade\Desktop\RSIT.exe
C:\Program Files\trend micro\Justin Spade.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "C:\Users\Justin Spade\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4158 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2906171305-1959716610-2737523662-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2906171305-1959716610-2737523662-1000UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-05 1475864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2009-10-16 1119488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2009-10-16 1119488]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-02 1004136]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-06-10 13785632]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2009-12-05 2020120]
"MSConfig"=C:\Windows\system32\msconfig.exe [2006-11-02 222208]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-03 1394000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"=oobefldr.dll,ShowWelcomeCenter []
"Google Update"=C:\Users\Justin Spade\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-05 135664]
"uTorrent"=C:\Program Files\uTorrent\uTorrent.exe [2009-12-05 289584]
"Steam"=C:\Program Files\Steam\Steam.exe [2009-12-05 1217808]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
C:\Program Files\uTorrent\uTorrent.exe [2009-12-05 289584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
C:\Windows\vVX3000.exe [2009-06-26 757248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_scott_HKCU]
c:\_scott_\_scott_\_scott_svchost.exe [2005-07-26 1265664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-12-06 20:01:25 ----D---- C:\rsit
2009-12-06 20:01:25 ----D---- C:\Program Files\trend micro
2009-12-05 21:53:51 ----D---- C:\Users\Justin Spade\AppData\Roaming\WinRAR
2009-12-05 21:53:41 ----D---- C:\Program Files\WinRAR
2009-12-05 15:27:57 ----D---- C:\Users\Justin Spade\AppData\Roaming\Macromedia
2009-12-05 15:27:57 ----D---- C:\Users\Justin Spade\AppData\Roaming\Adobe
2009-12-05 15:27:43 ----D---- C:\Windows\system32\Macromed
2009-12-05 14:57:45 ----D---- C:\Windows\Java
2009-12-05 14:57:45 ----D---- C:\Program Files\CPUID
2009-12-05 14:57:45 ----A---- C:\Windows\system32\cutil32.dll
2009-12-05 14:57:45 ----A---- C:\Windows\system32\cudart.dll
2009-12-05 14:39:54 ----D---- C:\Program Files\Common Files\Steam
2009-12-05 14:39:53 ----D---- C:\Program Files\Steam
2009-12-05 11:21:58 ----D---- C:\ProgramData\Hewlett-Packard
2009-12-05 11:06:00 ----HD---- C:\$AVG
2009-12-05 11:05:58 ----A---- C:\Windows\system32\avgrsstx.dll
2009-12-05 11:05:49 ----D---- C:\ProgramData\AVG Security Toolbar
2009-12-05 11:05:28 ----D---- C:\Program Files\AVG
2009-12-05 11:05:26 ----D---- C:\ProgramData\avg9
2009-12-05 10:07:05 ----D---- C:\Program Files\SpeedFan
2009-12-05 09:52:13 ----D---- C:\Program Files\IObit
2009-12-05 09:46:32 ----A---- C:\Users\Justin Spade\AppData\Roaming\SQLite3.dll
2009-12-05 09:46:30 ----D---- C:\_scott_
2009-12-05 09:46:21 ----AD---- C:\ProgramData\TEMP
2009-12-05 09:14:28 ----D---- C:\Program Files\uTorrent
2009-12-05 09:13:42 ----D---- C:\Users\Justin Spade\AppData\Roaming\uTorrent
2009-12-05 09:12:09 ----D---- C:\Users\Justin Spade\AppData\Roaming\Malwarebytes
2009-12-05 09:12:05 ----D---- C:\ProgramData\Malwarebytes
2009-12-05 09:12:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-05 09:09:08 ----A---- C:\Windows\system32\D3DCompiler_41.dll
2009-12-05 09:09:07 ----A---- C:\Windows\system32\d3dx10_41.dll
2009-12-05 09:09:06 ----A---- C:\Windows\system32\XAudio2_4.dll
2009-12-05 09:09:06 ----A---- C:\Windows\system32\XAPOFX1_3.dll
2009-12-05 09:09:06 ----A---- C:\Windows\system32\xactengine3_4.dll
2009-12-05 09:09:06 ----A---- C:\Windows\system32\X3DAudio1_6.dll
2009-12-05 09:09:06 ----A---- C:\Windows\system32\D3DX9_41.dll
2009-12-05 09:09:05 ----A---- C:\Windows\system32\d3dx10_40.dll
2009-12-05 09:09:05 ----A---- C:\Windows\system32\D3DCompiler_40.dll
2009-12-05 09:09:04 ----A---- C:\Windows\system32\XAudio2_3.dll
2009-12-05 09:09:04 ----A---- C:\Windows\system32\XAPOFX1_2.dll
2009-12-05 09:09:04 ----A---- C:\Windows\system32\xactengine3_3.dll
2009-12-05 09:09:04 ----A---- C:\Windows\system32\X3DAudio1_5.dll
2009-12-05 09:09:04 ----A---- C:\Windows\system32\D3DX9_40.dll
2009-12-05 09:09:03 ----A---- C:\Windows\system32\XAudio2_2.dll
2009-12-05 09:09:03 ----A---- C:\Windows\system32\XAPOFX1_1.dll
2009-12-05 09:09:03 ----A---- C:\Windows\system32\xactengine3_2.dll
2009-12-05 09:09:03 ----A---- C:\Windows\system32\d3dx10_39.dll
2009-12-05 09:09:03 ----A---- C:\Windows\system32\D3DCompiler_39.dll
2009-12-05 09:09:01 ----A---- C:\Windows\system32\XAudio2_1.dll
2009-12-05 09:09:01 ----A---- C:\Windows\system32\XAPOFX1_0.dll
2009-12-05 09:09:01 ----A---- C:\Windows\system32\D3DX9_39.dll
2009-12-05 09:09:00 ----A---- C:\Windows\system32\xactengine3_1.dll
2009-12-05 09:09:00 ----A---- C:\Windows\system32\X3DAudio1_4.dll
2009-12-05 09:09:00 ----A---- C:\Windows\system32\d3dx10_38.dll
2009-12-05 09:09:00 ----A---- C:\Windows\system32\D3DCompiler_38.dll
2009-12-05 09:08:59 ----A---- C:\Windows\system32\XAudio2_0.dll
2009-12-05 09:08:59 ----A---- C:\Windows\system32\xactengine3_0.dll
2009-12-05 09:08:59 ----A---- C:\Windows\system32\X3DAudio1_3.dll
2009-12-05 09:08:59 ----A---- C:\Windows\system32\D3DX9_38.dll
2009-12-05 09:08:59 ----A---- C:\Windows\system32\d3dx10_37.dll
2009-12-05 09:08:59 ----A---- C:\Windows\system32\D3DCompiler_37.dll
2009-12-05 09:08:58 ----A---- C:\Windows\system32\xactengine2_10.dll
2009-12-05 09:08:58 ----A---- C:\Windows\system32\D3DX9_37.dll
2009-12-05 09:08:57 ----A---- C:\Windows\system32\d3dx10_36.dll
2009-12-05 09:08:57 ----A---- C:\Windows\system32\D3DCompiler_36.dll
2009-12-05 09:08:56 ----A---- C:\Windows\system32\xactengine2_9.dll
2009-12-05 09:08:56 ----A---- C:\Windows\system32\d3dx9_36.dll
2009-12-05 09:08:55 ----A---- C:\Windows\system32\d3dx10_35.dll
2009-12-05 09:08:55 ----A---- C:\Windows\system32\D3DCompiler_35.dll
2009-12-05 09:08:54 ----A---- C:\Windows\system32\xactengine2_8.dll
2009-12-05 09:08:54 ----A---- C:\Windows\system32\X3DAudio1_2.dll
2009-12-05 09:08:54 ----A---- C:\Windows\system32\d3dx9_35.dll
2009-12-05 09:08:54 ----A---- C:\Windows\system32\d3dx10_34.dll
2009-12-05 09:08:54 ----A---- C:\Windows\system32\D3DCompiler_34.dll
2009-12-05 09:08:53 ----A---- C:\Windows\system32\xinput1_3.dll
2009-12-05 09:08:53 ----A---- C:\Windows\system32\xactengine2_7.dll
2009-12-05 09:08:53 ----A---- C:\Windows\system32\d3dx9_34.dll
2009-12-05 09:08:53 ----A---- C:\Windows\system32\d3dx10_33.dll
2009-12-05 09:08:53 ----A---- C:\Windows\system32\D3DCompiler_33.dll
2009-12-05 09:08:52 ----A---- C:\Windows\system32\xactengine2_6.dll
2009-12-05 09:08:52 ----A---- C:\Windows\system32\xactengine2_5.dll
2009-12-05 09:08:52 ----A---- C:\Windows\system32\d3dx9_33.dll
2009-12-05 09:08:51 ----A---- C:\Windows\system32\xactengine2_4.dll
2009-12-05 09:08:51 ----A---- C:\Windows\system32\x3daudio1_1.dll
2009-12-05 09:08:51 ----A---- C:\Windows\system32\d3dx9_32.dll
2009-12-05 09:08:51 ----A---- C:\Windows\system32\d3dx10.dll
2009-12-05 09:08:50 ----A---- C:\Windows\system32\xinput1_2.dll
2009-12-05 09:08:50 ----A---- C:\Windows\system32\xactengine2_3.dll
2009-12-05 09:08:50 ----A---- C:\Windows\system32\xactengine2_2.dll
2009-12-05 09:08:50 ----A---- C:\Windows\system32\d3dx9_31.dll
2009-12-05 09:08:49 ----A---- C:\Windows\system32\xinput1_1.dll
2009-12-05 09:08:49 ----A---- C:\Windows\system32\xactengine2_1.dll
2009-12-05 09:08:38 ----A---- C:\Windows\system32\xactengine2_0.dll
2009-12-05 09:08:38 ----A---- C:\Windows\system32\x3daudio1_0.dll
2009-12-05 09:08:38 ----A---- C:\Windows\system32\d3dx9_30.dll
2009-12-05 09:08:37 ----A---- C:\Windows\system32\d3dx9_29.dll
2009-12-05 09:08:36 ----A---- C:\Windows\system32\d3dx9_28.dll
2009-12-05 09:08:35 ----A---- C:\Windows\system32\d3dx9_27.dll
2009-12-05 09:08:34 ----A---- C:\Windows\system32\d3dx9_26.dll
2009-12-05 09:08:33 ----A---- C:\Windows\system32\d3dx9_25.dll
2009-12-05 09:08:32 ----A---- C:\Windows\system32\d3dx9_24.dll
2009-12-05 09:04:43 ----D---- C:\ProgramData\NVIDIA
2009-12-05 09:03:30 ----A---- C:\Windows\system32\nvudisp.exe
2009-12-05 09:02:18 ----A---- C:\Windows\system32\nvuninst.exe
2009-12-05 09:01:52 ----D---- C:\Program Files\CONEXANT
2009-12-05 08:58:36 ----D---- C:\Windows\system32\AGEIA
2009-12-05 08:58:36 ----D---- C:\Program Files\AGEIA Technologies
2009-12-05 08:58:15 ----SHD---- C:\Windows\Installer
2009-12-05 08:58:14 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-05 08:55:03 ----D---- C:\Users\Justin Spade\AppData\Roaming\Identities
2009-12-05 08:54:58 ----SD---- C:\Users\Justin Spade\AppData\Roaming\Microsoft
2009-12-05 08:54:58 ----D---- C:\Users\Justin Spade\AppData\Roaming\Media Center Programs
2009-12-05 08:54:34 ----A---- C:\Windows\system32\wups2.dll
2009-12-05 08:54:34 ----A---- C:\Windows\system32\wucltux.dll
2009-12-05 08:54:34 ----A---- C:\Windows\system32\wuaueng.dll
2009-12-05 08:54:34 ----A---- C:\Windows\system32\wuauclt.exe
2009-12-05 08:54:03 ----A---- C:\Windows\system32\wups.dll
2009-12-05 08:54:03 ----A---- C:\Windows\system32\wudriver.dll
2009-12-05 08:54:03 ----A---- C:\Windows\system32\wuapi.dll
2009-12-05 08:53:34 ----A---- C:\Windows\system32\wuwebv.dll
2009-12-05 08:53:33 ----A---- C:\Windows\system32\wuapp.exe
2009-12-05 08:32:44 ----D---- C:\Windows\SoftwareDistribution
2009-12-05 08:31:47 ----D---- C:\Windows\Debug
2009-12-05 08:30:47 ----D---- C:\Windows\Prefetch
2009-12-05 08:30:37 ----SHD---- C:\System Volume Information
2009-12-05 08:29:53 ----D---- C:\Windows\Panther
2009-12-05 08:29:39 ----RAS---- C:\BOOTSECT.BAK
2009-12-05 08:29:37 ----SHD---- C:\Boot
2009-12-05 08:29:23 ----D---- C:\Windows\system32\OEM

======List of files/folders modified in the last 1 months======

2009-12-06 20:01:25 ----RD---- C:\Program Files
2009-12-06 20:01:19 ----D---- C:\Windows\Temp
2009-12-06 07:21:20 ----D---- C:\Windows\system32\catroot
2009-12-06 07:21:12 ----D---- C:\Windows\winsxs
2009-12-06 07:06:40 ----D---- C:\Windows\system32\catroot2
2009-12-06 03:02:31 ----D---- C:\Windows\Logs
2009-12-05 15:27:43 ----D---- C:\Windows\System32
2009-12-05 14:57:45 ----D---- C:\Windows
2009-12-05 14:39:54 ----D---- C:\Program Files\Common Files
2009-12-05 14:11:08 ----D---- C:\Windows\inf
2009-12-05 14:11:08 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-05 14:05:49 ----D---- C:\Windows\system32\drivers
2009-12-05 14:04:48 ----D---- C:\Windows\DigitalLocker
2009-12-05 13:33:58 ----D---- C:\Windows\system32\WDI
2009-12-05 13:13:39 ----D---- C:\Windows\system32\LogFiles
2009-12-05 11:21:58 ----HD---- C:\ProgramData
2009-12-05 11:05:06 ----D---- C:\Program Files\Common Files\microsoft shared
2009-12-05 09:25:49 ----D---- C:\Windows\Tasks
2009-12-05 09:25:49 ----D---- C:\Windows\system32\Tasks
2009-12-05 09:08:49 ----RSD---- C:\Windows\assembly
2009-12-05 09:08:41 ----D---- C:\Windows\Microsoft.NET
2009-12-05 09:06:51 ----D---- C:\Windows\rescache
2009-12-05 09:06:16 ----D---- C:\Windows\system32\en-US
2009-12-05 09:02:33 ----D---- C:\Windows\Help
2009-12-05 09:01:39 ----D---- C:\Windows\twain_32
2009-12-05 08:55:14 ----SHD---- C:\$Recycle.Bin
2009-12-05 08:54:35 ----RD---- C:\Users
2009-12-05 08:52:27 ----D---- C:\Windows\system32\restore

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-12-05 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-12-05 28424]
R1 AvgTdiX;AVG Free Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-12-05 360584]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-06-29 8704]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-01 235520]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-06-20 984064]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2007-06-20 267264]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-07-20 9899296]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-01 44544]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-06-20 660480]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2006-11-02 11264]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2006-11-02 71552]
S3 VX3000;VX-3000; C:\Windows\system32\DRIVERS\VX3000.sys [2009-06-26 1956352]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2009-12-05 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2009-12-05 285392]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-06-10 211488]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Windows\System32\nvSCPAPISvr.exe [2009-06-10 232960]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-06-29 386560]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-12-05 320760]

-----------------EOF-----------------



#3
December 6, 2009 at 20:03:15
info.txt logfile of random's system information tool 1.06 2009-12-06 20:01:36

======Uninstall list======

-->MsiExec /X{1C4551A6-4743-4093-91E4-1477CD655043}
µTorrent-->"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
Game Booster-->"C:\Program Files\IObit\Game Booster\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Left 4 Dead-->"C:\Program Files\Steam\steam.exe" steam://uninstall/500
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{1C4551A6-4743-4093-91E4-1477CD655043}
NVIDIA Stereoscopic 3D Driver-->C:\Windows\system32\nvStInst.exe /uninstall /ask
PC Wizard 2009.1.91-->"C:\Program Files\CPUID\PC Wizard 2009\unins000.exe"
PVSonyDll-->MsiExec.exe /I{3D3E663D-4E7E-4577-A560-7ECDDD45548A}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe -U -I*.INF
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: AVG Anti-Virus Free
AS: AVG Anti-Virus Free (disabled)
AS: Windows Defender (disabled)

======System event log======

Computer Name: JustinSpade-PC
Event Code: 263
Message: The service 'TabletInputService' may not have
unregistered for device event notifications before it was
stopped.
Record Number: 9619
Source Name: PlugPlayManager
Time Written: 20091206194336.000000-000
Event Type: Warning
User:

Computer Name: JustinSpade-PC
Event Code: 51
Message: An error was detected on device \Device\CdRom0
during a paging operation.
Record Number: 9631
Source Name: cdrom
Time Written: 20091206224034.310919-000
Event Type: Warning
User:

Computer Name: JustinSpade-PC
Event Code: 51
Message: An error was detected on device \Device\CdRom0
during a paging operation.
Record Number: 9632
Source Name: cdrom
Time Written: 20091206224034.311895-000
Event Type: Warning
User:

Computer Name: JustinSpade-PC
Event Code: 51
Message: An error was detected on device \Device\CdRom0
during a paging operation.
Record Number: 9633
Source Name: cdrom
Time Written: 20091206224034.312872-000
Event Type: Warning
User:

Computer Name: JustinSpade-PC
Event Code: 51
Message: An error was detected on device \Device\CdRom0
during a paging operation.
Record Number: 9634
Source Name: cdrom
Time Written: 20091206224034.313848-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: JustinSpade-PC
Event Code: 1002
Message: The program iexplore.exe version 7.0.6000.16386
stopped interacting with Windows and was closed. To see if
more information about the problem is available, check the
problem history in the Problem Reports and Solutions control
panel. Process ID: a58 Start Time: 01ca75cf8f5586ac
Termination Time: 16
Record Number: 141
Source Name: Application Hang
Time Written: 20091205172520.000000-000
Event Type: Error
User:

Computer Name: JustinSpade-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected
error querying for the IVssWriterCallback interface. hr =
0x80070005. This is often caused by incorrect security
settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {bdae742b-21c7-4a6e-a041-78edae74479e}
Record Number: 206
Source Name: VSS
Time Written: 20091205220420.000000-000
Event Type: Error
User:

Computer Name: JustinSpade-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected
error querying for the IVssWriterCallback interface. hr =
0x80070005. This is often caused by incorrect security
settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {bdae742b-21c7-4a6e-a041-78edae74479e}
Record Number: 211
Source Name: VSS
Time Written: 20091205220458.000000-000
Event Type: Error
User:

Computer Name: JustinSpade-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected
error querying for the IVssWriterCallback interface. hr =
0x80070005. This is often caused by incorrect security
settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {57bbe7ed-15e5-44f4-922c-267a7629fc9c}
Record Number: 255
Source Name: VSS
Time Written: 20091206174223.000000-000
Event Type: Error
User:

Computer Name: JustinSpade-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected
error querying for the IVssWriterCallback interface. hr =
0x80070005. This is often caused by incorrect security
settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {57bbe7ed-15e5-44f4-922c-267a7629fc9c}
Record Number: 261
Source Name: VSS
Time Written: 20091206174411.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: JustinSpade-PC
Event Code: 4634
Message: An account was logged off.

Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x36c82c

Logon Type: 3

This event is generated when a logon session is destroyed. It
may be positively correlated with a logon event using the
Logon ID value. Logon IDs are only unique between reboots
on the same computer.
Record Number: 356
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091206194336.632052-000
Event Type: Audit Success
User:

Computer Name: JustinSpade-PC
Event Code: 4616
Message: The system time was changed.

Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Process Information:
Process ID: 0x5b4
Name: C:\Windows\System32\svchost.exe

Previous Time: 11:43:38 AM 12/6/2009
New Time: 11:43:38 AM 12/6/2009

This event is generated when the system time is changed. It
is normal for the Windows Time Service, which runs with
System privilege, to change the system time on a regular
basis. Other system time changes may be indicative of
attempts to tamper with the computer.
Record Number: 357
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091206194338.209250-000
Event Type: Audit Success
User:

Computer Name: JustinSpade-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: JUSTINSPADE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x248
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an
account by explicitly specifying that account’s credentials.
This most commonly occurs in batch-type configurations
such as scheduled tasks, or when using the RUNAS
command.
Record Number: 358
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207011801.264869-000
Event Type: Audit Success
User:

Computer Name: JustinSpade-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: JUSTINSPADE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x248
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is
generated on the computer that was accessed.

The subject fields indicate the account on the local system
which requested the logon. This is most commonly a service
such as the Server service, or a local process such as
Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred.
The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new
logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request
originated. Workstation name is not always available and may
be left blank in some cases.

The authentication information fields provide detailed
information about this specific logon request.
- Logon GUID is a unique identifier that can be used to
correlate this event with a KDC event.
- Transited services indicate which intermediate services
have participated in this logon request.
- Package name indicates which sub-protocol was used
among the NTLM protocols.
- Key length indicates the length of the generated
session key. This will be 0 if no session key was requested.
Record Number: 359
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207011801.264869-000
Event Type: Audit Success
User:

Computer Name: JustinSpade-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 360
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091207011801.264869-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 127 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=7f02
"NUMBER_OF_PROCESSORS"=1

-----------------EOF-----------------



#4
December 6, 2009 at 20:16:44
And the Gmer.exe log please.


#5
December 6, 2009 at 20:20:35
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 20:23:19
Windows 6.0.6000
Running: umrqws0e.exe; Driver: C:\Users\JUSTIN~1\AppData\Local\Temp\kxdirfow.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\drivers\aemfu.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtCreateFile + 6 7798F41A 4 Bytes [28, 00, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtCreateFile + B 7798F41F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtMapViewOfSection + 6 7798FB6A 1 Byte [28]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtMapViewOfSection + 6 7798FB6A 4 Bytes [28, 03, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtMapViewOfSection + B 7798FB6F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenFile + 6 7798FBFA 4 Bytes [68, 00, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenFile + B 7798FBFF 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenProcess + 6 7798FC7A 4 Bytes [A8, 01, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenProcess + B 7798FC7F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenProcessToken + 6 7798FC8A 4 Bytes CALL 76990290 C:\Windows\system32\ole32.dll (Microsoft OLE for Windows/Microsoft Corporation)
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenProcessToken + B 7798FC8F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenProcessTokenEx + 6 7798FC9A 4 Bytes [A8, 02, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenProcessTokenEx + B 7798FC9F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenThread + 6 7798FCEA 4 Bytes [68, 01, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenThread + B 7798FCEF 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenThreadToken + 6 7798FCFA 4 Bytes [68, 02, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenThreadToken + B 7798FCFF 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenThreadTokenEx + 6 7798FD0A 4 Bytes CALL 76990311 C:\Windows\system32\ole32.dll (Microsoft OLE for Windows/Microsoft Corporation)
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtOpenThreadTokenEx + B 7798FD0F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtQueryAttributesFile + 6 7798FD9A 4 Bytes [A8, 00, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtQueryAttributesFile + B 7798FD9F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtQueryFullAttributesFile + 6 7798FE4A 4 Bytes CALL 7699044F C:\Windows\system32\ole32.dll (Microsoft OLE for Windows/Microsoft Corporation)
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtQueryFullAttributesFile + B 7798FE4F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtSetInformationFile + 6 7799036A 4 Bytes [28, 01, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtSetInformationFile + B 7799036F 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtSetInformationThread + 6 779903BA 4 Bytes [28, 02, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtSetInformationThread + B 779903BF 1 Byte [E2]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtUnmapViewOfSection + 6 7799065A 1 Byte [68]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtUnmapViewOfSection + 6 7799065A 4 Bytes [68, 03, 06, 00]
.text C:\Users\Justin Spade\AppData\Local\Google\Chrome\Application\chrome.exe[3752] ntdll.dll!NtUnmapViewOfSection + B 7799065F 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----



#6
December 6, 2009 at 20:22:46
JABUCK, I really appreciate you trying to help. I apologize if I have done any of these steps incorrectly, but I am not computer savvy.

Justin.



#7
December 6, 2009 at 20:42:26

Remember..your AVG antivirus and Windows Defender must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe in the filename box to Combo-Fix, then click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#8
December 6, 2009 at 21:29:12
ComboFix 09-12-06.09 - Justin Spade 12/06/2009 21:15.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3071.2187 [GMT -8:00]
Running from: c:\users\Justin Spade\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500

.
((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-07 05:24 . 2009-12-07 05:25 -------- d-----w- c:\users\Justin Spade\AppData\Local\temp
2009-12-07 05:24 . 2009-12-07 05:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-07 04:01 . 2009-12-07 04:01 -------- d-----w- C:\rsit
2009-12-07 04:01 . 2009-12-07 04:01 4096 d-----w- c:\program files\trend micro
2009-12-05 23:27 . 2009-12-05 23:27 -------- d-----w- c:\windows\system32\Macromed
2009-12-05 22:57 . 2009-12-05 22:57 -------- d-----w- c:\windows\Java
2009-12-05 22:57 . 2009-12-05 22:57 -------- d-----w- c:\program files\CPUID
2009-12-05 22:57 . 2009-10-07 02:32 327168 ----a-w- c:\windows\system32\cutil32.dll
2009-12-05 22:57 . 2009-08-04 04:25 285696 ----a-w- c:\windows\system32\cudart.dll
2009-12-05 22:39 . 2009-12-06 06:04 -------- d-----w- c:\program files\Common Files\Steam
2009-12-05 22:39 . 2009-12-07 04:56 8192 d-----w- c:\program files\Steam
2009-12-05 19:21 . 2009-12-05 19:21 -------- d-----w- c:\programdata\Hewlett-Packard
2009-12-05 19:05 . 2009-12-05 19:05 -------- d-----w- c:\program files\AVG
2009-12-05 18:07 . 2009-12-05 18:07 4096 d-----w- c:\program files\SpeedFan
2009-12-05 17:52 . 2009-12-05 17:52 -------- d-----w- c:\program files\IObit
2009-12-05 17:46 . 2009-12-05 17:46 33256 ----a-w- c:\users\Justin Spade\AppData\Roaming\SQLite3.dll
2009-12-05 17:46 . 2009-12-05 17:46 -------- d-----w- C:\_scott_
2009-12-05 17:25 . 2009-12-05 17:26 -------- d-----w- c:\users\Justin Spade\AppData\Local\Google
2009-12-05 17:25 . 2009-12-05 17:25 -------- d-----w- c:\users\Justin Spade\AppData\Local\Apps
2009-12-05 17:25 . 2009-12-05 17:25 -------- d-----w- c:\users\Justin Spade\AppData\Local\Deployment
2009-12-05 17:14 . 2009-12-05 17:14 -------- d-----w- c:\program files\uTorrent
2009-12-05 17:13 . 2009-12-07 04:56 4096 d-----w- c:\users\Justin Spade\AppData\Roaming\uTorrent
2009-12-05 17:12 . 2009-12-05 17:12 -------- d-----w- c:\users\Justin Spade\AppData\Roaming\Malwarebytes
2009-12-05 17:12 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-05 17:12 . 2009-12-05 17:12 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 17:12 . 2009-12-05 17:12 -------- d-----w- c:\programdata\Malwarebytes
2009-12-05 17:12 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 17:08 . 2008-05-30 22:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-12-05 17:04 . 2009-12-07 05:14 4096 d-----w- c:\programdata\NVIDIA
2009-12-05 17:03 . 2009-07-20 15:58 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-12-05 17:02 . 2009-09-28 07:12 490088 ----a-w- c:\windows\system32\nvuninst.exe
2009-12-05 17:01 . 2009-12-05 17:01 -------- d-----w- c:\program files\CONEXANT
2009-12-05 16:58 . 2009-12-05 16:58 8192 d-----w- c:\program files\AGEIA Technologies
2009-12-05 16:58 . 2009-12-05 16:58 -------- d-----w- c:\windows\system32\AGEIA
2009-12-05 16:58 . 2009-12-05 22:39 4096 d-sh--w- c:\windows\Installer
2009-12-05 16:58 . 2009-12-05 16:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-05 16:55 . 2009-12-05 16:55 48600 ----a-w- c:\users\Justin Spade\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-05 16:53 . 2009-12-05 16:53 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-12-05 16:53 . 2009-12-05 16:53 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-12-05 16:31 . 2009-12-05 16:52 -------- d-----w- c:\windows\Debug
2009-12-05 16:29 . 2009-12-05 16:33 4096 d-----w- c:\windows\Panther
2009-12-05 16:29 . 2009-12-05 16:29 4096 d-----w- C:\Boot
2009-12-05 16:29 . 2009-12-05 16:29 -------- d-----w- c:\windows\system32\OEM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 05:13 . 2009-12-05 17:07 57432 ----a-w- c:\programdata\nvModes.dat
2009-12-05 16:57 . 2009-12-05 16:54 680 ----a-w- c:\users\Justin Spade\AppData\Local\d3d9caps.dat
2009-12-05 16:54 . 2009-12-05 16:54 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-12-05 16:54 . 2009-12-05 16:54 44768 ----a-w- c:\windows\system32\wups2.dll
2009-12-05 16:54 . 2009-12-05 16:54 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-12-05 16:54 . 2009-12-05 16:54 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-12-05 16:54 . 2009-12-05 16:54 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-12-05 16:54 . 2009-12-05 16:54 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-12-05 16:54 . 2009-12-05 16:54 35552 ----a-w- c:\windows\system32\wups.dll
2009-09-28 07:12 . 2009-09-28 07:12 795104 ----a-w- c:\windows\system32\dpinst.exe
2009-09-28 07:12 . 2009-09-28 07:12 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-28 01:47 . 2009-09-28 01:47 92776 ----a-w- c:\windows\system32\nvmctray.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13785632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-05 17:25 135664 ----atw- c:\users\Justin Spade\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-04 00:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-12-05 22:40 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-05 17:14 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2009-06-27 01:21 757248 ----a-w- c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-02 12:34 1004136 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_scott_HKCU]
2005-07-27 00:13 1265664 --sha-r- c:\_scott_\_scott_\_scott_svchost.exe

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [6/10/2009 6:33 AM 232960]
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-Steam App 500 - c:\program files\Steam\steam.exe steam://uninstall/500

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 21:24
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-06 21:26
ComboFix-quarantined-files.txt 2009-12-07 05:26

Pre-Run: 97,033,961,472 bytes free
Post-Run: 97,224,642,560 bytes free

- - End Of File - -
06D8BDADD0C210EBDDE44E20C3369BAC


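What the helper picked out of the ComboFix log by eye (a system+hidden, read-only file named like svchost.exe, sitting under C:\_scott_ and registered as an autostart) can be flagged mechanically. The script below is an added example, not ComboFix's code or anything posted in this thread: it parses a few startupreg lines copied from the log above (constructed sample, page values) and reports entries whose attributes, location or name deserve a closer look. The expected-directory list and the set of Windows binary names are assumptions, as is the reading of the attribute letters.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three startupreg entries copied from the ComboFix log
# above (page values), in the bracketed-key / file-line shape ComboFix emits.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-12-05 22:40 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-02 12:34 1004136 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_scott_HKCU]
2005-07-27 00:13 1265664 --sha-r- c:\_scott_\_scott_\_scott_svchost.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# file line: date time size attribute-string path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$")

# Assumption: where autostart binaries are normally expected on this Vista box.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Assumption: core Windows binary names that malware likes to borrow.
SYSTEM_NAMES = ("svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "csrss.exe")


@dataclass
class Finding:
    key: str
    path: str
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return the autostart entries that deserve a closer look, with reasons."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = FILE_RE.match(line)
        if not m or current_key is None:
            continue
        _stamp, _size, attrs, path = m.groups()
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        reasons = []
        # Attribute letters as they appear on this page (assumed meaning):
        # 'd' directory, 's' system, 'h' hidden, 'a' archive, 'r' read-only.
        if "s" in attrs or "h" in attrs:
            reasons.append("system/hidden attributes " + attrs)
        if not lowered.startswith(EXPECTED_DIRS):
            reasons.append("runs from an unexpected location")
        if any(n in name for n in SYSTEM_NAMES) and not lowered.startswith("c:\\windows\\"):
            reasons.append("name mimics a Windows system binary outside c:\\windows")
        if reasons:
            findings.append(Finding(current_key, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path, "->", "; ".join(f.reasons))
```

Only the `_scott_HKCU` entry is reported, for all three reasons. A legitimate per-user autostart such as the GoogleUpdate.exe entry in the log would also trip the location check, so the output is a shortlist for a human, not a verdict.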

#9
December 7, 2009 at 03:41:10
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\_scott_\_scott_\_scott_svchost.exe

Driver::
_scott_

Folder::
C:\_scott_
c:\_scott_\_scott_\_scott_svchost.exe


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_scott_HKCU]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Please post the log that is produced.

