MalwareRemoval.com forum

Malware Removal Instructions

hacked repeatedly...

Post by devastated » December 11th, 2010, 2:35 pm

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:19:21 AM, on 12/12/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\BR040286.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\KeyScrambler\KeyScrambler.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SpyShelter Personal Free\SpyShelter.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Ryan\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ryan\Desktop\ht\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [BisonInst0402] C:\Windows\BR040286.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [KeyScrambler] C:\Program Files\KeyScrambler\keyscrambler.exe /a
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SpyShelter] C:\Program Files\SpyShelter Personal Free\SpyShelter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe
O9 - Extra 'Tools' menuitem: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2870E960-C971-4403-96B2-4782582B7FFA}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F6EFF6C-56AF-4656-B2DF-B272859957E4}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\Program Files\Acer\Bio-Protection fingerprint solution\WinNotify.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\Windows\System32\SUPDSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9837 bytes

µTorrent
2007 Microsoft Office system
7-Zip 4.65
Acer Bio-Protection fingerprint solution 5.0.2.3
Acer Crystal Eye
Acer Crystal Eye Webcam
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer ScreenSaver
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Advertising Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Application Profiles
ATI Catalyst Install Manager
ATI Stream SDK v2 Developer
AuthenTec Fingerprint Sensor Minimum Install
Auto Shutdown
avast! Free Antivirus
BlackShot 제거 (Remove)
Bonjour
Broadcom Gigabit Integrated Controller
CCleaner
COMODO Internet Security
Defraggler
DivX Setup
Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.12.00.803
FLV Converter 2.5
Garena
Google Earth
Google Update Helper
GTK+ Runtime 2.14.7 rev a (remove only)
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel PROSet Wireless
iTunes
Java(TM) 6 Update 17
JLC's Internet TV
KeyScrambler
Launch Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Lite
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
neroxml
Pando Media Booster
Pidgin
QuickTime
Realtek High Definition Audio Driver
Samsung Universal Print Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype web features
Skype™ 4.1
Spybot - Search & Destroy
SpyShelter Personal Free 5.01
SpywareBlaster 4.4
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office System 2007 Setup (KB929722)
VC80CRTRedist - 8.0.50727.4053
Veetle TV 0.9.18
Ventrilo Client
VLC media player 1.1.5
WIDCOMM Bluetooth Software 6.1.0.2000
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WinRAR archiver
World of Warcraft
YouTube Downloader 2.6.3

My World of Warcraft account has been hacked repeatedly over the years as I stopped and continued playing. I suspect a keylogger, although I can't seem to find any infections when I used Malwarebytes, Avast, Spybot S&D, and HouseCall scanners. All scanners were fully updated and performed a full system scan.

Currently at my wits' end. Thank you for your help in advance.
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Post by MWR 3 day Mod » December 14th, 2010, 9:40 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: hacked repeatedly...

Post by askey127 » December 15th, 2010, 10:32 am

Hi devastated,
Sorry for the delay.
If you still need help and are not receiving it elsewhere, please proceed as follows:
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394
As a condition of receiving our help, I have included the P2P program utorrent in the removal instructions below, so we are not wasting our time.
If you have used this, you can be fairly confident this is a principal reason your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Frostwire, Limewire, Vuze, Shareaza, Bitlord.
(Limewire has just been shut down by the courts).
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.
-----------------------------------------------------------
Disable Windows Defender
Open Windows Defender by clicking the Start button Picture of the Start button, clicking All Programs, and then clicking Windows Defender.
If you don't see it in the Programs List, you can access it using the Control Panel.
Click Tools, and then click Options.
Under Administrator options, clear the Use Windows Defender check box, and then click Save.
Administrator permission is required. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SpyShelter] C:\Program Files\SpyShelter Personal Free\SpyShelter.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

µTorrent
Adobe Reader 8.1.0
Advertising Center
COMODO Internet Security
Java(TM) 6 Update 17
Pando Media Booster
Spybot - Search & Destroy

Take extra care in answering questions posed by any Uninstaller.
If the Spybot Uninstaller asks whether you want to remove all files and settings, answer YES. If it reports that it cannot remove all files, that's OK.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
---------------------------------------------
Run a Scan with OTL
  1. Please download OTL.exe by OldTimer and save it to your desktop.
  2. Right click on OTL.exe and select Run As Administrator to run it. If Windows UAC prompts you, please allow it.
  3. Click on the Run Scan button at the top left hand corner.
  4. OTL will start running. When done, 2 Notepad files will open; OTL.txt and Extras.txt.
    They will be saved on your desktop.
    Please post the contents of these files.
    You may use separate replies if you wish.

askey127
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: hacked repeatedly...

Post by devastated » December 15th, 2010, 10:59 am

Hello,

Thanks for your reply.

For some reason I cannot find "Advertising Center" in Add/Remove Programs. The rest are uninstalled though.

Currently in the midst of doing the OTL scan.

Ryan
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Post by devastated » December 15th, 2010, 11:02 am

OTL logfile created on: 15/12/2010 10:57:32 PM - Run 3
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Ryan\Desktop\otl
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.57 Gb Total Space | 71.22 Gb Free Space | 63.83% Space Free | Partition Type: NTFS
Drive D: | 111.55 Gb Total Space | 59.19 Gb Free Space | 53.06% Space Free | Partition Type: NTFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/15 16:50:31 | 000,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Users\Ryan\AppData\Local\Temp\RtkBtMnt.exe
PRC - [2010/12/14 04:02:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\otl\OTL.exe
PRC - [2010/11/24 01:16:04 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/23 00:29:41 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/10/27 10:51:54 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010/10/27 10:51:26 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010/09/07 23:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/07 23:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/08/29 11:32:30 | 000,432,672 | ---- | M] (QFX Software Corporation) -- C:\Program Files\KeyScrambler\KeyScrambler.exe
PRC - [2010/06/11 18:14:24 | 001,280,344 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
PRC - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2009/09/24 14:47:17 | 002,882,560 | ---- | M] (Arachnoid Biometrics Identification Group Corp.) -- C:\Program Files\Acer\Bio-Protection fingerprint solution\CompPtcVUI.exe
PRC - [2008/10/29 14:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/16 17:26:20 | 000,860,160 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/10/16 16:54:34 | 000,466,944 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/01/21 10:24:16 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2008/01/08 07:51:46 | 000,858,632 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2008/01/07 16:25:14 | 004,853,760 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/03 01:55:52 | 000,506,416 | ---- | M] (Egis Incorporated) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
PRC - [2007/12/20 11:32:04 | 000,131,072 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe
PRC - [2007/12/19 18:09:22 | 000,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
PRC - [2007/11/27 18:54:36 | 000,110,592 | ---- | M] () -- C:\Acer\Mobility Center\MobilityService.exe
PRC - [2007/10/01 16:42:36 | 000,024,576 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
PRC - [2007/09/20 13:57:28 | 000,167,936 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
PRC - [2007/09/10 15:28:18 | 000,057,344 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
PRC - [2007/09/08 03:35:10 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/05/08 20:48:26 | 000,053,248 | ---- | M] (Bison Inc.) -- C:\Windows\BR040286.exe


========== Modules (SafeList) ==========

MOD - [2010/12/14 04:02:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\otl\OTL.exe
MOD - [2010/08/31 23:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2010/10/27 10:51:26 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/10/11 16:50:28 | 003,641,832 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2010/09/07 23:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 23:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2010/03/16 17:01:22 | 000,132,464 | ---- | M] (Samsung Electronics CO., LTD.) [On_Demand | Stopped] -- C:\Windows\System32\SUPDSvc.exe -- (Samsung UPD Service)
SRV - [2008/10/16 17:26:20 | 000,860,160 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/10/16 16:54:34 | 000,466,944 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/01/21 10:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/03 01:55:52 | 000,506,416 | ---- | M] (Egis Incorporated) [Auto | Running] -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2007/12/20 11:32:04 | 000,131,072 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)
SRV - [2007/12/19 18:09:22 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007/11/27 18:54:36 | 000,110,592 | ---- | M] () [Auto | Running] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2007/10/01 16:42:36 | 000,024,576 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)
SRV - [2007/09/20 13:57:28 | 000,167,936 | ---- | M] (acer) [Auto | Running] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2007/09/10 15:28:18 | 000,057,344 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2007/05/31 09:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 09:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Elements\1stboot\WisINT15.SYS -- (WisINT15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\SymIM.sys -- (SymIM)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\pctNdis.sys -- (pctNDIS)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\F460.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Garena\plugins\UI\safedrv.sys -- (GGSAFERDriver)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Ryan\AppData\Local\Temp\MUHC2C9.tmp -- (GarenaPEngine)
DRV - [2010/12/01 12:53:08 | 000,174,528 | ---- | M] (SpyShelter) [Kernel | System | Running] -- C:\Program Files\SpyShelter Personal Free\SpyShelter.sys -- (SpyShelter)
DRV - [2010/10/27 11:59:14 | 006,573,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2010/10/27 11:59:14 | 006,573,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010/10/27 10:14:02 | 000,229,888 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/09/07 22:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 22:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 22:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 22:47:30 | 000,050,768 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010/09/07 22:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/17 05:11:45 | 000,060,928 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\rakion.sys -- (rak)
DRV - [2010/05/11 02:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/18 02:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/11 23:03:56 | 000,114,952 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2009/11/11 16:16:08 | 000,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/11/17 07:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008/02/20 11:13:30 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2008/01/21 10:23:51 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 10:23:51 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 10:23:51 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 10:23:51 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 10:23:51 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 10:23:50 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 10:23:50 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 10:23:50 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 10:23:49 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 10:23:49 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/21 10:23:49 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 10:23:48 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 10:23:48 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 10:23:48 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 10:23:47 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 10:23:47 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2008/01/21 10:23:47 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 10:23:47 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 10:23:47 | 000,030,720 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2008/01/21 10:23:46 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 10:23:46 | 000,073,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/01/21 10:23:45 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2008/01/21 10:23:45 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 10:23:45 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 10:23:45 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 10:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 10:23:26 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 10:23:26 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 10:23:26 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/08 17:06:04 | 002,044,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/03 04:07:26 | 000,059,952 | ---- | M] (Egis Incorporated) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSDVdisk.sys -- (psdvdisk)
DRV - [2008/01/03 04:07:24 | 000,018,480 | ---- | M] (Egis Incorporated) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\psdfilter.sys -- (PSDFilter)
DRV - [2008/01/03 04:07:24 | 000,016,432 | ---- | M] (Egis Incorporated) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSDNServ.sys -- (PSDNServ)
DRV - [2007/11/30 15:51:34 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (Int15)
DRV - [2007/11/01 02:36:32 | 002,252,800 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
DRV - [2007/10/29 14:46:42 | 000,829,096 | ---- | M] (Bison Electronics. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BisonC07.sys -- (Cam5607)
DRV - [2007/09/08 03:56:38 | 000,192,816 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/08/30 11:38:52 | 000,017,448 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2007/08/30 11:38:46 | 000,099,880 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2007/08/30 11:38:46 | 000,081,448 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2007/08/29 07:47:36 | 000,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/07/23 07:00:44 | 000,180,736 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2007/05/18 10:38:04 | 000,028,464 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2007/05/02 19:52:00 | 000,290,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/12/23 03:50:24 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/12/23 03:49:04 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/12/23 03:48:54 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/11/29 08:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/03 13:29:38 | 000,021,264 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\DKbFltr.sys -- (DKbFltr)
DRV - [2006/11/02 17:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 17:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 17:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 17:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 17:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 17:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 17:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 17:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 17:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 17:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 17:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 16:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 16:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 16:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 16:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 16:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 16:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 15:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com.sg/firefox"
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.5.1
FF - prefs.js..network.proxy.autoconfig_url: "http://proxy-config.tp.edu.sg/proxy.pac"
FF - prefs.js..network.proxy.backup.ftp: "84.203.137.146"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "84.203.137.146"
FF - prefs.js..network.proxy.backup.gopher_port: 80
FF - prefs.js..network.proxy.backup.socks: "84.203.137.146"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "84.203.137.146"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/24 01:16:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/24 01:16:07 | 000,000,000 | ---D | M]

[2009/09/24 15:12:11 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions
[2010/11/24 01:50:59 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\6huqsfha.default\extensions
[2010/11/24 01:16:44 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\6huqsfha.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/12/15 22:53:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/24 01:16:06 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/11/24 01:16:06 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/11/24 01:16:06 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/11/24 01:16:06 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/19 05:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BisonInst0402] C:\Windows\BR040286.exe (Bison Inc.)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [KeePass 2 PreLoad] C:\Program Files\KeePass Password Safe 2\KeePass.exe (Dominik Reichl)
O4 - HKLM..\Run: [KeyScrambler] C:\Program Files\KeyScrambler\keyscrambler.exe (QFX Software Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe ()
O9 - Extra 'Tools' menuitem : Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe ()
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resourc ... oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 05:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{07c9b4b4-8129-11da-b3a8-001d721b14f6}\Shell\AutoRun\command - "" = FIREFOX SETUP 3.5.2.EXE
O33 - MountPoints2\{eb9f88a8-5ea4-11df-b017-001d721b14f6}\Shell - "" = AutoRun
O33 - MountPoints2\{eb9f88a8-5ea4-11df-b017-001d721b14f6}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f49a3b53-61b9-11df-a55c-001d721b14f6}\Shell\AutoRun\command - "" = F:\pccompanion\Startme.exe -- File not found
O33 - MountPoints2\{f49a3b53-61b9-11df-a55c-001d721b14f6}\Shell\menu1\command - "" = F:\pccompanion\Startme.exe -- File not found
O33 - MountPoints2\{fe8c98e5-d506-11de-b8b8-000000000000}\Shell - "" = AutoRun
O33 - MountPoints2\{fe8c98e5-d506-11de-b8b8-000000000000}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/14 22:52:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/14 04:02:16 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\otl
[2010/12/14 03:52:57 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\ck
[2010/12/14 00:49:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/12/13 22:45:37 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\gamer
[2010/12/13 22:41:17 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\aark
[2010/12/13 22:39:06 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\rb
[2010/12/13 22:39:00 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\KeePass
[2010/12/13 22:20:16 | 000,000,000 | ---D | C] -- C:\Program Files\KeePass Password Safe 2
[2010/12/13 22:19:19 | 001,992,548 | ---- | C] (Dominik Reichl ) -- C:\Users\Ryan\Desktop\KeePass-2.13-Setup.exe
[2010/12/13 00:55:06 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Pavark
[2010/12/12 12:36:14 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010/12/12 04:01:37 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\SUPERAntiSpyware.com
[2010/12/12 04:01:37 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/12/12 04:01:28 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/12/12 03:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/12/12 03:27:25 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\IObit
[2010/12/12 03:27:20 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2010/12/12 03:27:17 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/12/12 03:25:05 | 007,484,936 | ---- | C] (IObit ) -- C:\Users\Ryan\Desktop\advancedsystemcare-setup-aff.exe
[2010/12/12 02:13:38 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\ht
[2010/12/12 01:53:42 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/12/11 14:17:15 | 000,000,000 | ---D | C] -- C:\Program Files\SpyShelter Personal Free
[2010/12/11 14:17:15 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\SpyShelter
[2010/12/11 00:18:26 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\Apps
[2010/12/10 02:58:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/10 02:58:46 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/10 02:39:18 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010/12/10 01:54:18 | 000,157,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010/12/10 01:54:11 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/12/10 01:54:08 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/12/10 01:54:08 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/12/10 01:54:08 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/12/10 01:54:04 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/12/10 01:54:03 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/12/10 01:54:02 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/12/10 01:54:02 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/12/10 01:54:01 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/12/10 01:54:00 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/12/10 01:54:00 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/12/10 01:53:59 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/12/10 01:53:59 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/12/10 01:53:58 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/12/10 01:53:57 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/12/10 01:53:57 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/12/10 01:53:57 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/12/10 01:53:39 | 008,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2010/12/10 01:53:01 | 003,598,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/12/10 01:53:01 | 003,545,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/12/10 01:52:50 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\System32\iccvid.dll
[2010/12/10 01:52:49 | 000,866,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpmde.dll
[2010/12/10 01:52:46 | 002,037,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/12/10 01:52:42 | 000,036,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll
[2010/12/10 01:52:37 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MP4SDECD.DLL
[2010/12/10 01:52:34 | 000,248,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll
[2010/12/10 01:52:29 | 000,954,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40.dll
[2010/12/10 01:52:29 | 000,954,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40u.dll
[2010/12/05 15:43:36 | 003,641,832 | ---- | C] (INCA Internet Co., Ltd.) -- C:\Windows\System32\GameMon.des
[2010/12/05 15:42:42 | 000,004,682 | ---- | C] (INCA Internet Co., Ltd.) -- C:\Windows\System32\npptNT2.sys
[2010/12/05 15:42:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\INCA Shared
[2010/12/05 14:43:15 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\Garena
[2010/12/05 11:43:07 | 001,912,872 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2010/12/05 03:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\Veetle
[2010/12/05 01:54:30 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010/12/05 01:53:57 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Stream
[2010/12/05 01:48:19 | 000,000,000 | ---D | C] -- C:\ATI
[2010/12/05 01:37:08 | 000,000,000 | ---D | C] -- C:\AMD
[2010/12/05 01:29:30 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/12/04 05:45:29 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\AutoShutdown
[2010/12/04 05:45:04 | 000,000,000 | ---D | C] -- C:\Program Files\Auto Shutdown
[2010/11/26 01:26:54 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\vlc
[2010/11/24 02:07:48 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Documents\old desktop
[2010/11/24 02:00:45 | 000,000,000 | -H-D | C] -- C:\VritualRoot
[2010/11/24 01:55:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo
[2010/11/24 01:54:02 | 000,000,000 | ---D | C] -- C:\Program Files\Pidgin
[2010/11/24 01:30:49 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\JLC's Software
[2010/11/24 01:30:45 | 000,000,000 | ---D | C] -- C:\Program Files\JLC's Software
[2010/11/24 01:18:22 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2010/11/24 00:36:00 | 000,114,952 | ---- | C] (QFX Software Corporation) -- C:\Windows\System32\drivers\keyscrambler.sys
[2010/11/24 00:35:59 | 000,000,000 | ---D | C] -- C:\Program Files\KeyScrambler
[2010/11/23 23:36:20 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\AutoHideIP
[2010/11/23 23:36:20 | 000,000,000 | ---D | C] -- C:\ProgramData\AutoHideIP
[2010/11/22 01:56:42 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/15 22:57:09 | 000,603,282 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/15 22:57:09 | 000,106,696 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/15 22:49:28 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/15 22:49:24 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/15 22:49:24 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/15 22:49:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/15 22:49:15 | 3219,578,880 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/15 22:48:13 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/12/15 22:18:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/14 00:33:26 | 003,988,425 | ---- | M] () -- C:\Users\Ryan\Desktop\ComboFix.exe
[2010/12/13 22:19:33 | 001,992,548 | ---- | M] (Dominik Reichl ) -- C:\Users\Ryan\Desktop\KeePass-2.13-Setup.exe
[2010/12/13 21:24:16 | 000,013,588 | ---- | M] () -- C:\Users\Ryan\Desktop\asdas.htm
[2010/12/12 04:01:31 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/12/12 03:33:29 | 001,376,832 | ---- | M] () -- C:\Users\Ryan\Desktop\sar_15_sfx.exe
[2010/12/12 03:26:13 | 007,484,936 | ---- | M] (IObit ) -- C:\Users\Ryan\Desktop\advancedsystemcare-setup-aff.exe
[2010/12/12 02:06:30 | 000,002,521 | ---- | M] () -- C:\Users\Ryan\Desktop\HiJackThis.lnk
[2010/12/10 23:49:27 | 000,370,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/10 02:48:33 | 001,649,186 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2010/12/05 11:44:00 | 000,000,036 | ---- | M] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2010/12/05 11:43:17 | 001,912,872 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2010/12/05 10:49:26 | 000,034,196 | ---- | M] () -- C:\Users\Ryan\Desktop\Timetable.htm
[2010/11/29 20:02:28 | 000,021,952 | ---- | M] () -- C:\Windows\System32\SpyShelterShellExt.dll
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/11/28 03:37:16 | 000,000,680 | ---- | M] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2010/11/24 02:10:28 | 000,320,063 | ---- | M] () -- C:\Users\Ryan\Documents\sg mrt.jpg
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/14 00:33:05 | 003,988,425 | ---- | C] () -- C:\Users\Ryan\Desktop\ComboFix.exe
[2010/12/13 21:24:15 | 000,013,588 | ---- | C] () -- C:\Users\Ryan\Desktop\asdas.htm
[2010/12/12 04:01:31 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/12/12 03:33:25 | 001,376,832 | ---- | C] () -- C:\Users\Ryan\Desktop\sar_15_sfx.exe
[2010/12/12 01:53:42 | 000,002,521 | ---- | C] () -- C:\Users\Ryan\Desktop\HiJackThis.lnk
[2010/12/11 14:17:16 | 001,740,800 | ---- | C] () -- C:\Windows\System32\Osklauncher.exe
[2010/12/11 14:17:16 | 000,054,784 | ---- | C] () -- C:\Windows\System32\inject_logon_dll.dll
[2010/12/11 14:17:16 | 000,021,952 | ---- | C] () -- C:\Windows\System32\SpyShelterShellExt.dll
[2010/12/10 02:47:38 | 001,649,186 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2010/12/05 15:42:42 | 000,005,174 | ---- | C] () -- C:\Windows\System32\nppt9x.vxd
[2010/12/05 11:44:00 | 000,000,036 | ---- | C] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2010/12/05 10:49:26 | 000,034,196 | ---- | C] () -- C:\Users\Ryan\Desktop\Timetable.htm
[2010/11/28 03:37:16 | 000,000,680 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2010/11/24 02:10:27 | 000,320,063 | ---- | C] () -- C:\Users\Ryan\Documents\sg mrt.jpg
[2010/10/27 10:13:02 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2010/09/17 11:54:15 | 000,000,092 | ---- | C] () -- C:\Users\Ryan\AppData\Local\fusioncache.dat
[2010/09/14 23:56:41 | 000,001,132 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2010/06/17 05:11:45 | 000,060,928 | ---- | C] () -- C:\Windows\System32\rakion.sys
[2010/05/13 01:29:18 | 000,282,624 | ---- | C] () -- C:\Windows\System32\DscPnt.dll
[2010/05/13 01:29:18 | 000,026,624 | ---- | C] () -- C:\Windows\System32\spd__l.dll
[2010/02/07 21:02:30 | 000,000,210 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/12/08 22:56:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/11/11 16:16:07 | 000,721,904 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/09/24 14:54:24 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2009/09/24 14:53:09 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2009/09/24 14:51:30 | 000,110,014 | ---- | C] () -- C:\Users\Ryan\AppData\Local\edsinstaller.txt-20090924.log
[2009/09/24 14:48:06 | 000,267,388 | ---- | C] () -- C:\ProgramData\LuUninstall.LiveUpdate
[2009/09/24 14:47:09 | 000,073,728 | ---- | C] () -- C:\Windows\System32\AtNav.dll
[2009/09/24 14:44:06 | 000,015,190 | ---- | C] () -- C:\Windows\M3000Twn.ini
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2008/02/21 17:32:30 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008/02/20 10:50:25 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/02/20 10:50:12 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2008/02/20 10:50:12 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2008/02/20 10:50:10 | 000,000,040 | ---- | C] () -- C:\Windows\Prelaunch.ini
[2007/08/28 18:03:14 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 15:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/12/27 08:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[2001/09/04 15:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/31 08:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 14:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:C43ED645
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:C31F31E6

< End of report >


I can't find the Extras notepad. I used to have it while doing scans of my own while trying to figure out my own problem.
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Unread postby askey127 » December 15th, 2010, 11:21 am

devastated,
From trying to run tools like Combofix and OTL on your own, your machine has become more difficult to analyze, and fixing it is less certain.
OTL only produces the Extras log on its first run.
----------------------------------------------
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :processes
    killallprocesses
    
    :OTL
    [2010/12/12 03:26:13 | 007,484,936 | ---- | M] (IObit ) -- C:\Users\Ryan\Desktop\advancedsystemcare-setup-aff.exe
    PRC - [2010/06/11 18:14:24 | 001,280,344 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
    PRC - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
    SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
    O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
    [2010/12/12 03:27:25 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\IObit
    [2010/12/12 03:27:20 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
    [2010/12/12 03:27:17 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
    [2010/12/12 03:25:05 | 007,484,936 | ---- | C] (IObit ) -- C:\Users\Ryan\Desktop\advancedsystemcare-setup-aff.exe
    @Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:C43ED645
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:C31F31E6
    
    :Files
    C:\Program Files\IObit
    C:\Users\Ryan\AppData\Roaming\IObit
    
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • Right click the .exe file and choose Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

So we are looking for the OTL log and the report from Gmer.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: hacked repeatedly...

Unread postby devastated » December 15th, 2010, 11:34 am

Yes, I understand. Just to clarify, I merely scanned in hopes of identifying what was in my laptop and took no further action. For ComboFix, I clicked NO at the terms and conditions prompt, so it did not actually run.

Sorry about the Extras notepad. I deleted the first one and assumed it would reproduce with the next scan.

Currently scanning with GMER; here is the OTL post-reboot log:

All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\Users\Ryan\Desktop\advancedsystemcare-setup-aff.exe moved successfully.
No active process named is360tray.exe was found!
Process is360srv.exe killed successfully!
Service IS360service stopped successfully!
Service IS360service deleted successfully!
C:\Program Files\IObit\IObit Security 360\is360srv.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IObit Security 360 deleted successfully.
C:\Program Files\IObit\IObit Security 360\is360tray.exe moved successfully.
C:\Users\Ryan\AppData\Roaming\IObit\IObit SmartDefrag folder moved successfully.
C:\Users\Ryan\AppData\Roaming\IObit folder moved successfully.
C:\ProgramData\IObit\IObit Security 360 folder moved successfully.
C:\ProgramData\IObit folder moved successfully.
C:\Program Files\IObit\IObit Security 360\Update folder moved successfully.
C:\Program Files\IObit\IObit Security 360\Quarantine Zone folder moved successfully.
C:\Program Files\IObit\IObit Security 360\log\Scan folder moved successfully.
C:\Program Files\IObit\IObit Security 360\log folder moved successfully.
C:\Program Files\IObit\IObit Security 360\language folder moved successfully.
C:\Program Files\IObit\IObit Security 360\Images folder moved successfully.
C:\Program Files\IObit\IObit Security 360\Downloaded folder moved successfully.
C:\Program Files\IObit\IObit Security 360 folder moved successfully.
C:\Program Files\IObit folder moved successfully.
File C:\Users\Ryan\Desktop\advancedsystemcare-setup-aff.exe not found.
ADS C:\ProgramData\TEMP:5C321E34 deleted successfully.
ADS C:\ProgramData\TEMP:C43ED645 deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:C31F31E6 deleted successfully.
========== FILES ==========
File\Folder C:\Program Files\IObit not found.
File\Folder C:\Users\Ryan\AppData\Roaming\IObit not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Ryan
->Temp folder emptied: 2346112 bytes
->Temporary Internet Files folder emptied: 184978 bytes
->Java cache emptied: 28348204 bytes
->FireFox cache emptied: 51339693 bytes
->Flash cache emptied: 5213 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33597 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 78.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12152010_232704

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Unread postby devastated » December 15th, 2010, 11:48 am

Uh, I experienced a BSOD twice in a row while attempting the GMER scan.

I am currently in Safe Mode with Networking; shall I proceed with the scan?

Waiting for your consent to start...
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Unread postby askey127 » December 15th, 2010, 11:58 am

devastated,
That's a good result with OTL.
Skip Gmer.
-----------------------------------------------------------
Download and Run ComboFix. If you have an older one, delete it and download the newest one.
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVAST
    Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)
    Avast On-Access Protection is now disabled.
    (Reverse the procedure later to re-enable the On-Access Protection).
  • Now start ComboFix (zzz.exe). Right click and choose "Run as administrator".
  • OK any disclaimers and start the Scan.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your protection software.
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: hacked repeatedly...

Unread postby devastated » December 15th, 2010, 12:34 pm

Okay, roger.

I have disabled AVAST and then ran ComboFix.

ComboFix still detected AVAST and asked me to terminate AVAST and click OK (which I already did?).

I clicked OK; it AGAIN detected Avast and said it'll run at my own risk anyway.

Should I proceed? Or have I not turned off AVAST completely?
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Unread postby devastated » December 15th, 2010, 1:45 pm

I got it figured out. Here is the ComboFix log.

ComboFix 10-12-14.07 - Ryan 16/12/2010 1:23.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.65.1033.18.3070.1934 [GMT 8:00]
Running from: c:\users\Ryan\Desktop\zzz.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Acer\Bio-Protection fingerprint solution\PwdFilter.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-15 17:29 . 2010-12-15 17:40 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2010-12-15 15:27 . 2010-12-15 15:27 -------- d-----w- C:\_OTL
2010-12-13 16:49 . 2010-12-13 16:49 -------- d-----w- c:\program files\ESET
2010-12-13 14:39 . 2010-12-13 14:39 -------- d-----w- c:\users\Ryan\AppData\Roaming\KeePass
2010-12-13 14:20 . 2010-12-13 14:20 -------- d-----w- c:\program files\KeePass Password Safe 2
2010-12-12 16:55 . 2010-12-12 16:55 -------- d-----w- c:\users\Ryan\Pavark
2010-12-12 04:36 . 2010-12-12 05:29 -------- d-----w- c:\windows\BDOSCAN8
2010-12-11 20:01 . 2010-12-11 20:01 -------- d-----w- c:\users\Ryan\AppData\Roaming\SUPERAntiSpyware.com
2010-12-11 20:01 . 2010-12-11 20:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-12-11 20:01 . 2010-12-11 20:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-11 19:34 . 2010-12-11 19:34 -------- d-----w- c:\program files\Sophos
2010-12-11 17:53 . 2010-12-11 17:53 388096 ----a-r- c:\users\Ryan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-11 17:53 . 2010-12-11 17:53 -------- d-----w- c:\program files\Trend Micro
2010-12-11 06:17 . 2010-11-29 12:02 21952 ----a-w- c:\windows\system32\SpyShelterShellExt.dll
2010-12-11 06:17 . 2010-04-21 03:57 1740800 ----a-w- c:\windows\system32\Osklauncher.exe
2010-12-11 06:17 . 2009-06-24 06:34 54784 ----a-w- c:\windows\system32\inject_logon_dll.dll
2010-12-11 06:17 . 2010-12-11 06:17 -------- d-----w- c:\users\Ryan\AppData\Roaming\SpyShelter
2010-12-11 06:17 . 2010-12-11 06:17 -------- d-----w- c:\program files\SpyShelter Personal Free
2010-12-10 17:34 . 2010-11-16 04:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{34139B9C-F818-47FE-8513-5E4109DDF2C7}\mpengine.dll
2010-12-10 16:18 . 2010-12-10 16:18 -------- d-----w- c:\users\Ryan\AppData\Local\Apps
2010-12-09 18:58 . 2010-12-15 14:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-09 18:58 . 2010-12-15 14:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-09 18:39 . 2010-12-11 18:02 -------- d-----w- c:\programdata\PC Tools
2010-12-09 17:52 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
2010-12-09 17:48 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-09 17:48 . 2010-08-31 15:40 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-12-05 07:43 . 2010-10-11 08:50 3641832 ----a-w- c:\windows\system32\GameMon.des
2010-12-05 07:42 . 2005-01-03 06:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-12-05 07:42 . 2003-07-19 15:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2010-12-05 07:42 . 2010-12-05 07:42 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-12-05 06:43 . 2010-12-05 06:43 -------- d-----w- c:\users\Ryan\AppData\Local\Garena
2010-12-04 19:53 . 2010-12-04 19:54 -------- d-----w- c:\program files\Veetle
2010-12-04 17:54 . 2010-12-04 17:54 -------- d-----w- c:\programdata\ATI
2010-12-04 17:53 . 2010-12-04 17:53 -------- d-----w- c:\program files\ATI Stream
2010-12-04 17:48 . 2010-12-04 17:48 -------- d-----w- C:\ATI
2010-12-04 17:37 . 2010-12-04 17:46 -------- d-----w- C:\AMD
2010-12-03 21:45 . 2010-12-03 21:45 -------- d-----w- c:\users\Ryan\AppData\Local\AutoShutdown
2010-12-03 21:45 . 2010-12-03 21:45 -------- d-----w- c:\program files\Auto Shutdown
2010-11-25 17:26 . 2010-11-25 17:27 -------- d-----w- c:\users\Ryan\AppData\Roaming\vlc
2010-11-23 18:00 . 2010-12-10 17:26 -------- d-----w- C:\VritualRoot
2010-11-23 17:55 . 2010-12-15 14:47 -------- d-----w- c:\programdata\Comodo
2010-11-23 17:54 . 2010-11-23 17:54 -------- d-----w- c:\program files\Pidgin
2010-11-23 17:30 . 2010-11-23 17:30 -------- d-----w- c:\users\Ryan\AppData\Roaming\JLC's Software
2010-11-23 17:30 . 2010-11-23 17:30 -------- d-----w- c:\program files\JLC's Software
2010-11-23 17:18 . 2010-11-23 17:18 -------- d-----w- c:\program files\YouTube Downloader
2010-11-23 17:16 . 2010-11-23 17:16 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-11-23 17:16 . 2010-11-23 17:16 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-11-23 16:36 . 2010-02-11 15:03 114952 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2010-11-23 16:35 . 2010-11-23 16:42 -------- d-----w- c:\program files\KeyScrambler
2010-11-23 15:36 . 2010-11-23 15:40 -------- d-----w- c:\programdata\AutoHideIP
2010-11-23 15:36 . 2010-11-23 15:36 -------- d-----w- c:\users\Ryan\AppData\Roaming\AutoHideIP
2010-11-21 17:56 . 2010-11-21 17:56 -------- d-----w- c:\program files\Defraggler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 09:42 . 2010-08-07 08:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 09:42 . 2010-08-07 08:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-27 03:59 . 2010-10-27 03:59 6573568 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-10-27 03:08 . 2010-10-27 03:08 16281600 ----a-w- c:\windows\system32\atioglxx.dll
2010-10-27 02:55 . 2010-10-27 02:55 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-10-27 02:55 . 2010-10-27 02:55 547328 ----a-w- c:\windows\system32\aticfx32.dll
2010-10-27 02:52 . 2010-10-27 02:52 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-10-27 02:51 . 2010-10-27 02:51 393216 ----a-w- c:\windows\system32\atieclxx.exe
2010-10-27 02:51 . 2010-10-27 02:51 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2010-10-27 02:50 . 2009-09-24 22:24 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-10-27 02:50 . 2009-09-24 22:24 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-10-27 02:49 . 2010-10-27 02:49 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-10-27 02:49 . 2010-10-27 02:49 15872 ----a-w- c:\windows\system32\atimuixx.dll
2010-10-27 02:49 . 2010-10-27 02:49 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-10-27 02:46 . 2010-10-27 02:46 4020736 ----a-w- c:\windows\system32\atidxx32.dll
2010-10-27 02:35 . 2010-10-27 02:35 46080 ----a-w- c:\windows\system32\aticalrt.dll
2010-10-27 02:35 . 2010-10-27 02:35 44032 ----a-w- c:\windows\system32\aticalcl.dll
2010-10-27 02:33 . 2010-10-27 02:33 5441536 ----a-w- c:\windows\system32\aticaldd.dll
2010-10-27 02:28 . 2009-01-15 19:09 4094464 ----a-w- c:\windows\system32\atiumdag.dll
2010-10-27 02:14 . 2010-10-27 02:14 52736 ----a-w- c:\windows\system32\coinst.dll
2010-10-27 02:14 . 2010-10-27 02:14 249856 ----a-w- c:\windows\system32\atiadlxx.dll
2010-10-27 02:14 . 2010-10-27 02:14 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-10-27 02:14 . 2010-10-27 02:14 27136 ----a-w- c:\windows\system32\atigktxx.dll
2010-10-27 02:14 . 2010-10-27 02:14 229888 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-10-27 02:13 . 2010-10-27 02:13 30720 ----a-w- c:\windows\system32\atiuxpag.dll
2010-10-27 02:13 . 2010-10-27 02:13 28672 ----a-w- c:\windows\system32\atiu9pag.dll
2010-10-27 02:13 . 2010-10-27 02:13 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-10-27 02:12 . 2010-10-27 02:12 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-10-27 01:50 . 2009-01-15 18:46 3460096 ----a-w- c:\windows\system32\atiumdva.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\system32\atimpc32.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2010-10-19 02:41 . 2009-10-27 14:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-02 18:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"BisonInst0402"="c:\windows\BR040286.exe" [2007-05-08 53248]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-07 4853760]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2010-08-29 432672]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-26 98304]
"KeePass 2 PreLoad"="c:\program files\KeePass Password Safe 2\KeePass.exe" [2010-09-05 1655296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^Users^Ryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Auto Shutdown.lnk]
path=c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Auto Shutdown.lnk
backup=c:\windows\pss\Auto Shutdown.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 08:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 17:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 01:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZPdtWzdVitaKey MC3000]
2009-09-24 06:47 3801088 ----a-w- c:\program files\Acer\Bio-Protection fingerprint solution\PdtWzd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-20 136176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-05-18 28464]
R3 GarenaPEngine;GarenaPEngine;c:\users\Ryan\AppData\Local\Temp\MUHC2C9.tmp [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\plugins\UI\safedrv.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F460.tmp [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-11 3641832]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [x]
R3 rak;rak;c:\windows\system32\rakion.sys [2010-06-16 60928]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-03-16 132464]
R3 WisINT15;WisINT15;c:\elements\1stboot\WisINT15.SYS [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-11 721904]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 SpyShelter;SpyShelter;c:\program files\SpyShelter Personal Free\SpyShelter.sys [2010-12-01 174528]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 176128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 6573568]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 229888]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-20 11:08]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-20 11:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {7F6EFF6C-56AF-4656-B2DF-B272859957E4} = 192.168.1.254
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\6huqsfha.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/firefox
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-IObit Security 360_is1 - c:\program files\IObit\IObit Security 360\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-16 01:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\Ryan\AppData\Local\Temp\MUHC2C9.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F460.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6788)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Acer\Bio-Protection fingerprint solution\CompPtcVUI.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-12-16 01:42:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 17:42

Pre-Run: 75,094,220,800 bytes free
Post-Run: 74,683,322,368 bytes free

- - End Of File - - 66E367517FE62B729B70DC82F513DB0B
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Unread postby askey127 » December 15th, 2010, 2:33 pm

devastated,
----------------------------------------------
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\F460.tmp -- (MEMSWEEP2)
    
    :Files
    C:\Windows\System32\F460.tmp
    
    :Commands
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
---------------------------------------------
Run CKScanner
Download CKScanner from HERE
Important - Save it to your desktop.
Right-Click CKScanner.exe, choose Run as administrator and click Search For Files.
After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop, give permission if asked, and copy/paste the contents in your next reply.

askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
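The fix above singles out a driver whose image was a .tmp file no longer present on disk. As an added illustration (not part of this thread, and not code from OTL, ComboFix or any other tool used here), the Python routine below parses ComboFix-style service lines like the R3/S1 entries in the log posted earlier and marks the ones an analyst would want to review: image file missing, .tmp extension, image under a Temp directory, or an extension other than .exe/.sys. The sample lines are copied from the log above; the ServiceEntry structure and the flag wording are this example's own choices, and a flag means "look at this", not "this is malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One ComboFix-style service line as printed in this thread, e.g.
#   R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F460.tmp [x]
#   S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-11 721904]
# The leading R/S letter and digit are kept as printed; this example does not interpret them.
LINE_RE = re.compile(
    r"^(?P<prefix>[RS][0-9])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*"
    r"\[(?P<tail>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    prefix: str
    name: str
    display: str
    path: str
    file_present: bool          # False when the tool printed [x]
    file_date: Optional[str]    # yyyy-mm-dd as printed, else None
    size: Optional[int]         # size in bytes as printed, else None


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for anything that is not a service entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tail = m.group("tail").split()
    present = tail != ["x"]
    date = tail[0] if present and tail else None
    size = int(tail[1]) if present and len(tail) > 1 and tail[1].isdigit() else None
    return ServiceEntry(m.group("prefix"), m.group("name"), m.group("display"),
                        m.group("path").strip(), present, date, size)


# Path fragments that indicate a service image living in a temporary directory.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp\\")


def review_flags(entry: ServiceEntry) -> List[str]:
    """Return the reasons an analyst should look at this entry (empty list = nothing unusual)."""
    reasons: List[str] = []
    low = entry.path.lower()
    if not low:
        reasons.append("no image path recorded")
    if not entry.file_present:
        reasons.append("image file not found on disk")
    if low:
        filename = low.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
        if ext == "tmp":
            reasons.append("image has a .tmp extension")
        elif ext not in ("exe", "sys"):
            reasons.append(f"unusual image extension .{ext}" if ext else "image has no extension")
        if any(marker in low for marker in TEMP_MARKERS):
            reasons.append("image lives under a Temp directory")
    return reasons


def triage(report_text: str) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every parsed line that raised at least one flag."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in report_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = review_flags(entry)
        if reasons:
            findings.append((entry.name, reasons))
    return findings


# Constructed sample: a handful of service lines copied from the ComboFix log in this thread.
SAMPLE = r"""
R3 GarenaPEngine;GarenaPEngine;c:\users\Ryan\AppData\Local\Temp\MUHC2C9.tmp [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F460.tmp [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-11 3641832]
R3 rak;rak;c:\windows\system32\rakion.sys [2010-06-16 60928]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-11 721904]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE):
        print(f"{name}: {'; '.join(reasons)}")
```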

Re: hacked repeatedly...

Unread postby devastated » December 16th, 2010, 11:32 am

OTL logfile created on: 16/12/2010 11:28:09 PM - Run 6
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Ryan\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.57 Gb Total Space | 69.65 Gb Free Space | 62.43% Space Free | Partition Type: NTFS
Drive D: | 111.55 Gb Total Space | 59.19 Gb Free Space | 53.06% Space Free | Partition Type: NTFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/16 23:21:17 | 000,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Users\Ryan\AppData\Local\temp\RtkBtMnt.exe
PRC - [2010/12/15 23:05:09 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
PRC - [2010/11/24 01:16:04 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/23 00:29:41 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/10/27 10:51:54 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010/10/27 10:51:26 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010/09/07 23:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/08/29 11:32:30 | 000,432,672 | ---- | M] (QFX Software Corporation) -- C:\Program Files\KeyScrambler\KeyScrambler.exe
PRC - [2009/09/24 14:47:17 | 002,882,560 | ---- | M] (Arachnoid Biometrics Identification Group Corp.) -- C:\Program Files\Acer\Bio-Protection fingerprint solution\CompPtcVUI.exe
PRC - [2008/10/29 14:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/16 17:26:20 | 000,860,160 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/10/16 16:54:34 | 000,466,944 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/01/08 07:51:46 | 000,858,632 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2008/01/07 16:25:14 | 004,853,760 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/03 01:55:52 | 000,506,416 | ---- | M] (Egis Incorporated) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
PRC - [2007/12/20 11:32:04 | 000,131,072 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe
PRC - [2007/12/19 18:09:22 | 000,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
PRC - [2007/11/27 18:54:36 | 000,110,592 | ---- | M] () -- C:\Acer\Mobility Center\MobilityService.exe
PRC - [2007/10/01 16:42:36 | 000,024,576 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
PRC - [2007/09/20 13:57:28 | 000,167,936 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
PRC - [2007/09/10 15:28:18 | 000,057,344 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
PRC - [2007/09/08 03:35:10 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/05/08 20:48:26 | 000,053,248 | ---- | M] (Bison Inc.) -- C:\Windows\BR040286.exe


========== Modules (SafeList) ==========

MOD - [2010/12/15 23:05:09 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
MOD - [2010/08/31 23:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2010/10/27 10:51:26 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/10/11 16:50:28 | 003,641,832 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2010/09/07 23:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 23:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/16 17:01:22 | 000,132,464 | ---- | M] (Samsung Electronics CO., LTD.) [On_Demand | Stopped] -- C:\Windows\System32\SUPDSvc.exe -- (Samsung UPD Service)
SRV - [2008/10/16 17:26:20 | 000,860,160 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/10/16 16:54:34 | 000,466,944 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/01/21 10:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/03 01:55:52 | 000,506,416 | ---- | M] (Egis Incorporated) [Auto | Running] -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2007/12/20 11:32:04 | 000,131,072 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)
SRV - [2007/12/19 18:09:22 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007/11/27 18:54:36 | 000,110,592 | ---- | M] () [Auto | Running] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2007/10/01 16:42:36 | 000,024,576 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)
SRV - [2007/09/20 13:57:28 | 000,167,936 | ---- | M] (acer) [Auto | Running] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2007/09/10 15:28:18 | 000,057,344 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2007/05/31 09:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 09:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Elements\1stboot\WisINT15.SYS -- (WisINT15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\SymIM.sys -- (SymIM)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\pctNdis.sys -- (pctNDIS)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Garena\plugins\UI\safedrv.sys -- (GGSAFERDriver)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Ryan\AppData\Local\Temp\MUHC2C9.tmp -- (GarenaPEngine)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\zzz\catchme.sys -- (catchme)
DRV - [2010/12/01 12:53:08 | 000,174,528 | ---- | M] (SpyShelter) [Kernel | System | Running] -- C:\Program Files\SpyShelter Personal Free\SpyShelter.sys -- (SpyShelter)
DRV - [2010/10/27 11:59:14 | 006,573,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2010/10/27 11:59:14 | 006,573,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010/10/27 10:14:02 | 000,229,888 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/09/07 22:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 22:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 22:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 22:47:30 | 000,050,768 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010/09/07 22:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/17 05:11:45 | 000,060,928 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\rakion.sys -- (rak)
DRV - [2010/05/11 02:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/18 02:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/11 23:03:56 | 000,114,952 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2009/11/11 16:16:08 | 000,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/11/17 07:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008/02/20 11:13:30 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2008/01/21 10:23:51 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 10:23:51 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 10:23:51 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 10:23:51 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 10:23:51 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 10:23:50 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 10:23:50 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 10:23:50 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 10:23:49 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 10:23:49 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/21 10:23:49 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 10:23:48 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 10:23:48 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 10:23:48 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 10:23:47 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 10:23:47 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2008/01/21 10:23:47 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 10:23:47 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 10:23:47 | 000,030,720 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2008/01/21 10:23:46 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 10:23:46 | 000,073,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/01/21 10:23:45 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2008/01/21 10:23:45 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 10:23:45 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 10:23:45 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 10:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 10:23:26 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 10:23:26 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 10:23:26 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/08 17:06:04 | 002,044,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/03 04:07:26 | 000,059,952 | ---- | M] (Egis Incorporated) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSDVdisk.sys -- (psdvdisk)
DRV - [2008/01/03 04:07:24 | 000,018,480 | ---- | M] (Egis Incorporated) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\psdfilter.sys -- (PSDFilter)
DRV - [2008/01/03 04:07:24 | 000,016,432 | ---- | M] (Egis Incorporated) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSDNServ.sys -- (PSDNServ)
DRV - [2007/11/30 15:51:34 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (Int15)
DRV - [2007/11/01 02:36:32 | 002,252,800 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
DRV - [2007/10/29 14:46:42 | 000,829,096 | ---- | M] (Bison Electronics. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BisonC07.sys -- (Cam5607)
DRV - [2007/09/08 03:56:38 | 000,192,816 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/08/30 11:38:52 | 000,017,448 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2007/08/30 11:38:46 | 000,099,880 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2007/08/30 11:38:46 | 000,081,448 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2007/08/29 07:47:36 | 000,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/07/23 07:00:44 | 000,180,736 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2007/05/18 10:38:04 | 000,028,464 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2007/05/02 19:52:00 | 000,290,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/12/23 03:50:24 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/12/23 03:49:04 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/12/23 03:48:54 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/11/29 08:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/03 13:29:38 | 000,021,264 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\DKbFltr.sys -- (DKbFltr)
DRV - [2006/11/02 17:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 17:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 17:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 17:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 17:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 17:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 17:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 17:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 17:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 17:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 17:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 16:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 16:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 16:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 16:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 16:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 16:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 15:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com.sg/firefox"
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.5.1
FF - prefs.js..network.proxy.autoconfig_url: "http://proxy-config.tp.edu.sg/proxy.pac"
FF - prefs.js..network.proxy.backup.ftp: "84.203.137.146"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "84.203.137.146"
FF - prefs.js..network.proxy.backup.gopher_port: 80
FF - prefs.js..network.proxy.backup.socks: "84.203.137.146"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "84.203.137.146"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/24 01:16:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/24 01:16:07 | 000,000,000 | ---D | M]

[2009/09/24 15:12:11 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions
[2010/11/24 01:50:59 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\6huqsfha.default\extensions
[2010/11/24 01:16:44 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\6huqsfha.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/12/15 22:53:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/24 01:16:06 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/11/24 01:16:06 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/11/24 01:16:06 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/11/24 01:16:06 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/12/16 01:40:05 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [BisonInst0402] C:\Windows\BR040286.exe (Bison Inc.)
O4 - HKLM..\Run: [KeePass 2 PreLoad] C:\Program Files\KeePass Password Safe 2\KeePass.exe (Dominik Reichl)
O4 - HKLM..\Run: [KeyScrambler] C:\Program Files\KeyScrambler\keyscrambler.exe (QFX Software Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe ()
O9 - Extra 'Tools' menuitem : Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe ()
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resourc ... oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 05:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/16 01:40:08 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010/12/16 01:29:22 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/12/16 01:29:22 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\temp
[2010/12/16 01:21:32 | 000,000,000 | ---D | C] -- C:\zzz
[2010/12/16 01:21:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/12/16 00:26:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/12/16 00:26:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/12/16 00:26:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/12/16 00:26:35 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/12/15 23:37:20 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\gamer1
[2010/12/15 23:27:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/12/15 23:05:05 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2010/12/14 22:52:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/14 04:02:16 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\otl
[2010/12/14 03:52:57 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\ck
[2010/12/14 00:49:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/12/13 22:41:17 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\aark
[2010/12/13 22:39:06 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\rb
[2010/12/13 22:39:00 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\KeePass
[2010/12/13 22:20:16 | 000,000,000 | ---D | C] -- C:\Program Files\KeePass Password Safe 2
[2010/12/13 22:19:19 | 001,992,548 | ---- | C] (Dominik Reichl ) -- C:\Users\Ryan\Desktop\KeePass-2.13-Setup.exe
[2010/12/13 00:55:06 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Pavark
[2010/12/12 12:36:14 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010/12/12 04:01:37 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\SUPERAntiSpyware.com
[2010/12/12 04:01:37 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/12/12 04:01:28 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/12/12 03:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/12/12 02:13:38 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\ht
[2010/12/12 01:53:42 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/12/11 14:17:15 | 000,000,000 | ---D | C] -- C:\Program Files\SpyShelter Personal Free
[2010/12/11 14:17:15 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\SpyShelter
[2010/12/11 00:18:26 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\Apps
[2010/12/10 02:58:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/10 02:58:46 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/10 02:39:18 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010/12/05 15:43:36 | 003,641,832 | ---- | C] (INCA Internet Co., Ltd.) -- C:\Windows\System32\GameMon.des
[2010/12/05 15:42:42 | 000,004,682 | ---- | C] (INCA Internet Co., Ltd.) -- C:\Windows\System32\npptNT2.sys
[2010/12/05 15:42:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\INCA Shared
[2010/12/05 14:43:15 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\Garena
[2010/12/05 11:43:07 | 001,912,872 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2010/12/05 03:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\Veetle
[2010/12/05 01:54:30 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010/12/05 01:53:57 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Stream
[2010/12/05 01:48:19 | 000,000,000 | ---D | C] -- C:\ATI
[2010/12/05 01:37:08 | 000,000,000 | ---D | C] -- C:\AMD
[2010/12/05 01:29:30 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/12/04 05:45:29 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\AutoShutdown
[2010/12/04 05:45:04 | 000,000,000 | ---D | C] -- C:\Program Files\Auto Shutdown
[2010/11/26 01:26:54 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\vlc
[2010/11/24 02:07:48 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Documents\old desktop
[2010/11/24 02:00:45 | 000,000,000 | ---D | C] -- C:\VritualRoot
[2010/11/24 01:55:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo
[2010/11/24 01:54:02 | 000,000,000 | ---D | C] -- C:\Program Files\Pidgin
[2010/11/24 01:30:49 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\JLC's Software
[2010/11/24 01:30:45 | 000,000,000 | ---D | C] -- C:\Program Files\JLC's Software
[2010/11/24 01:18:22 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2010/11/24 00:36:00 | 000,114,952 | ---- | C] (QFX Software Corporation) -- C:\Windows\System32\drivers\keyscrambler.sys
[2010/11/24 00:35:59 | 000,000,000 | ---D | C] -- C:\Program Files\KeyScrambler
[2010/11/23 23:36:20 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\AutoHideIP
[2010/11/23 23:36:20 | 000,000,000 | ---D | C] -- C:\ProgramData\AutoHideIP
[2010/11/22 01:56:42 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler

========== Files - Modified Within 30 Days ==========

[2010/12/16 23:30:23 | 000,443,392 | ---- | M] () -- C:\Users\Ryan\Desktop\CKScanner.exe
[2010/12/16 23:25:59 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/16 23:25:50 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/16 23:25:49 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/16 23:25:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/16 23:25:41 | 3217,522,688 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/16 23:24:40 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/12/16 02:18:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/16 01:40:05 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/12/16 01:38:44 | 000,603,282 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/16 01:38:44 | 000,106,696 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/16 00:24:58 | 000,000,680 | ---- | M] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2010/12/16 00:22:08 | 003,990,715 | R--- | M] () -- C:\Users\Ryan\Desktop\zzz.exe
[2010/12/15 23:43:52 | 255,188,047 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/12/15 23:05:09 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2010/12/13 22:19:33 | 001,992,548 | ---- | M] (Dominik Reichl ) -- C:\Users\Ryan\Desktop\KeePass-2.13-Setup.exe
[2010/12/13 21:24:16 | 000,013,588 | ---- | M] () -- C:\Users\Ryan\Desktop\asdas.htm
[2010/12/12 04:01:31 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/12/12 03:33:29 | 001,376,832 | ---- | M] () -- C:\Users\Ryan\Desktop\sar_15_sfx.exe
[2010/12/12 02:06:30 | 000,002,521 | ---- | M] () -- C:\Users\Ryan\Desktop\HiJackThis.lnk
[2010/12/10 23:49:27 | 000,370,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/10 02:48:33 | 001,649,186 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2010/12/05 11:44:00 | 000,000,036 | ---- | M] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2010/12/05 11:43:17 | 001,912,872 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2010/12/05 10:49:26 | 000,034,196 | ---- | M] () -- C:\Users\Ryan\Desktop\Timetable.htm
[2010/11/29 20:02:28 | 000,021,952 | ---- | M] () -- C:\Windows\System32\SpyShelterShellExt.dll
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/11/24 02:10:28 | 000,320,063 | ---- | M] () -- C:\Users\Ryan\Documents\sg mrt.jpg

========== Files Created - No Company Name ==========

[2010/12/16 23:30:03 | 000,443,392 | ---- | C] () -- C:\Users\Ryan\Desktop\CKScanner.exe
[2010/12/16 00:26:48 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/12/16 00:26:48 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/12/16 00:26:48 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2010/12/16 00:26:48 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/12/16 00:26:48 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/12/16 00:22:54 | 3217,522,688 | -HS- | C] () -- C:\hiberfil.sys
[2010/12/16 00:21:37 | 003,990,715 | R--- | C] () -- C:\Users\Ryan\Desktop\zzz.exe
[2010/12/15 23:40:08 | 255,188,047 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/12/13 21:24:15 | 000,013,588 | ---- | C] () -- C:\Users\Ryan\Desktop\asdas.htm
[2010/12/12 04:01:31 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/12/12 03:33:25 | 001,376,832 | ---- | C] () -- C:\Users\Ryan\Desktop\sar_15_sfx.exe
[2010/12/12 01:53:42 | 000,002,521 | ---- | C] () -- C:\Users\Ryan\Desktop\HiJackThis.lnk
[2010/12/11 14:17:16 | 001,740,800 | ---- | C] () -- C:\Windows\System32\Osklauncher.exe
[2010/12/11 14:17:16 | 000,054,784 | ---- | C] () -- C:\Windows\System32\inject_logon_dll.dll
[2010/12/11 14:17:16 | 000,021,952 | ---- | C] () -- C:\Windows\System32\SpyShelterShellExt.dll
[2010/12/10 02:47:38 | 001,649,186 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2010/12/05 15:42:42 | 000,005,174 | ---- | C] () -- C:\Windows\System32\nppt9x.vxd
[2010/12/05 11:44:00 | 000,000,036 | ---- | C] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2010/12/05 10:49:26 | 000,034,196 | ---- | C] () -- C:\Users\Ryan\Desktop\Timetable.htm
[2010/11/28 03:37:16 | 000,000,680 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2010/11/24 02:10:27 | 000,320,063 | ---- | C] () -- C:\Users\Ryan\Documents\sg mrt.jpg
[2010/10/27 10:13:02 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2010/09/17 11:54:15 | 000,000,092 | ---- | C] () -- C:\Users\Ryan\AppData\Local\fusioncache.dat
[2010/09/14 23:56:41 | 000,001,132 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2010/06/17 05:11:45 | 000,060,928 | ---- | C] () -- C:\Windows\System32\rakion.sys
[2010/05/13 01:29:18 | 000,282,624 | ---- | C] () -- C:\Windows\System32\DscPnt.dll
[2010/05/13 01:29:18 | 000,026,624 | ---- | C] () -- C:\Windows\System32\spd__l.dll
[2010/02/07 21:02:30 | 000,000,210 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/12/08 22:56:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/11/11 16:16:07 | 000,721,904 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/09/24 14:54:24 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2009/09/24 14:53:09 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2009/09/24 14:51:30 | 000,110,014 | ---- | C] () -- C:\Users\Ryan\AppData\Local\edsinstaller.txt-20090924.log
[2009/09/24 14:48:06 | 000,267,388 | ---- | C] () -- C:\ProgramData\LuUninstall.LiveUpdate
[2009/09/24 14:47:09 | 000,073,728 | ---- | C] () -- C:\Windows\System32\AtNav.dll
[2009/09/24 14:44:06 | 000,015,190 | ---- | C] () -- C:\Windows\M3000Twn.ini
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2008/02/21 17:32:30 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008/02/20 10:50:25 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/02/20 10:50:12 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2008/02/20 10:50:12 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2008/02/20 10:50:10 | 000,000,040 | ---- | C] () -- C:\Windows\Prelaunch.ini
[2007/08/28 18:03:14 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 15:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/12/27 08:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[2001/09/04 15:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/31 08:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 14:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2010/11/26 01:03:51 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\.purple
[2009/09/24 15:27:04 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Acer
[2010/11/23 23:36:20 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\AutoHideIP
[2010/01/24 22:01:41 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\gtk-2.0
[2010/11/24 01:30:49 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\JLC's Software
[2010/12/13 22:39:00 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\KeePass
[2010/12/11 14:17:29 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\SpyShelter
[2010/09/17 11:54:42 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Turbine
[2010/12/15 22:42:21 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\uTorrent
[2010/12/16 23:24:41 | 000,032,618 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >


CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\garena\plugins\ui\avoidcrackplugin.dll
scanner sequence 3.NA.11
----- EOF -----
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm

Re: hacked repeatedly...

Unread postby askey127 » December 16th, 2010, 3:21 pm

devastated,
Good so far.
Check to make sure you have Avast! enabled again.
------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware. (right click and choose "Run as administrator")
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it shows any malware items, Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
------------------------------------------
Scan with the ESET Online Scanner:
  • Open Internet Explorer by right-clicking the IE icon (on the Start menu or quick launch) and selecting Run as administrator
  • NOTE: Internet Explorer will temporarily have administrator privileges, this is required for the scan but dangerous for normal surfing so do NOT open any other websites in IE until after the scan has finished and this window has been closed.
  • Open the ESET Online Scanner in Internet Explorer
  • Tick the box next to YES, I accept the Terms of Use. and click Start
  • Allow the ActiveX control to be installed by Internet Explorer
  • Once the ActiveX has finished loading click Start to initialize and update the scanner
  • When the Computer scan screen appears, leave Remove found threats UN-checked, but check the box next to Scan unwanted applications. Then click Scan to begin the scan.
  • Once complete and the summary page appears, press Start, copy/paste the following command into the search box and press Enter:
    notepad "C:\Program Files\EsetOnlineScanner\log.txt"
  • The log file should now appear in Notepad, copy and paste the contents in your next response.
  • Please be sure to close this Internet Explorer window before continuing.

askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: hacked repeatedly...

Unread postby devastated » December 16th, 2010, 11:32 pm

Morning askey, thanks for helping me thus far.

Here are the logs.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=67e197c19b1aba4c8ac26df8fdc1e198
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-13 05:38:35
# local_time=2010-12-14 01:38:35 (+0800, Malay Peninsula Standard Time)
# country="Singapore"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 169242 169242 0 0
# compatibility_mode=770 16774141 100 93 5880560 68969136 0 0
# compatibility_mode=3073 16777213 80 92 1723845 8450076 0 0
# compatibility_mode=5892 16776573 100 100 256769 129788366 0 0
# compatibility_mode=8192 67108863 100 0 320 320 0 0
# scanned=109036
# found=0
# cleaned=0
# scan_time=2651
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=67e197c19b1aba4c8ac26df8fdc1e198
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-17 02:52:03
# local_time=2010-12-17 10:52:03 (+0800, Malay Peninsula Standard Time)
# country="Singapore"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 463870 463870 0 0
# compatibility_mode=770 16774141 100 93 6175188 69263764 0 0
# compatibility_mode=5892 16776574 100 100 551397 130082994 0 0
# compatibility_mode=8192 67108863 100 0 294948 294948 0 0
# scanned=6884
# found=0
# cleaned=0
# scan_time=431
esets_scanner_update returned -1 esets_gle=53251

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5340

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18975

17/12/2010 10:51:28 AM
mbam-log-2010-12-17 (10-51-28).txt

Scan type: Quick scan
Objects scanned: 141883
Time elapsed: 8 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I sincerely doubt the worthiness of these two logs, though; they have repeatedly stated I'm free of infections, though I recently got hacked. I do frequent scans myself. =/
devastated
Regular Member
 
Posts: 15
Joined: December 11th, 2010, 2:22 pm
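The two scanner logs in the post above have a fixed shape, and reading them mechanically is less error-prone than eyeballing the header. The block below is an added example, not code from this thread and not ESET's or Malwarebytes' own tooling: it splits an ESET Online Scanner log into sessions (each starts at `# version=`), reads the `# key=value` lines, and reports whether a session actually ran to completion (`end=finished` with no trailing `esets_scanner_update` error) before its `found=0` is taken at face value; it also reads the `Category Infected: N` summary lines of a Malwarebytes log. The embedded sample logs are constructed from the posted ones; the function names and the treatment of the bare error line as belonging to the preceding session are assumptions of this example.

```python
"""Parse ESET Online Scanner and Malwarebytes summary logs.

Added example for the thread above; not ESET's or Malwarebytes' code.
Assumptions: ESET writes one block of '# key=value' lines per session,
beginning at '# version='; a bare line containing 'returned' after a
session (e.g. 'esets_scanner_update returned -1 ...') belongs to that
session. Malwarebytes writes '<Category> Infected: N' summary lines.
"""
import re
from typing import List

# Constructed sample, shaped like the posted ESET log: one finished
# session, then one that stopped early with an updater error.
ESET_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# local_time=2010-12-14 01:38:35 (+0800, Malay Peninsula Standard Time)
# scanned=109036
# found=0
# cleaned=0
# version=7
# end=stopped
# remove_checked=false
# local_time=2010-12-17 10:52:03 (+0800, Malay Peninsula Standard Time)
# scanned=6884
# found=0
# cleaned=0
esets_scanner_update returned -1 esets_gle=53251
"""

# Constructed sample, shaped like the posted Malwarebytes log.
MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.50
Scan type: Quick scan
Objects scanned: 141883
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

KV_LINE = re.compile(r"^#\s*([^=\s]+)=(.*)$")
MBAM_LINE = re.compile(r"^(?P<category>[A-Za-z ]+) Infected:\s*(?P<count>\d+)\s*$")


def parse_eset_sessions(text: str) -> List[dict]:
    """Split an ESET log into sessions; each is a dict of header fields plus 'errors'."""
    sessions: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KV_LINE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "version":          # a new session starts here
                current = {"errors": []}
                sessions.append(current)
            if current is not None:
                current[key] = value      # repeated keys keep the last value
        elif current is not None and "returned" in line:
            current["errors"].append(line)  # bare updater/engine error line
    return sessions


def eset_verdict(session: dict) -> dict:
    """Did the session run to completion, and what did it report?"""
    complete = session.get("end") == "finished" and not session["errors"]
    return {
        "when": session.get("local_time", "?"),
        "complete": complete,
        "scanned": int(session.get("scanned", 0)),
        "found": int(session.get("found", 0)),
        "cleaned": int(session.get("cleaned", 0)),
        "removal_enabled": session.get("remove_checked") == "true",
        "errors": list(session["errors"]),
    }


def parse_mbam_summary(text: str) -> dict:
    """Read the '<Category> Infected: N' summary lines of a Malwarebytes log."""
    counts = {}
    for raw in text.splitlines():
        m = MBAM_LINE.match(raw.strip())
        if m:
            counts[m.group("category")] = int(m.group("count"))
    return counts


def mbam_total(text: str) -> int:
    """Total infected objects across all Malwarebytes summary categories."""
    return sum(parse_mbam_summary(text).values())


if __name__ == "__main__":
    for s in parse_eset_sessions(ESET_LOG):
        v = eset_verdict(s)
        status = "complete" if v["complete"] else "INCOMPLETE"
        print(f"ESET {v['when']}: {status}, scanned={v['scanned']}, found={v['found']}")
        for err in v["errors"]:
            print(f"    {err}")
    print(f"MBAM total infected objects: {mbam_total(MBAM_LOG)}")
```

Run the file directly to get one line per ESET session plus the Malwarebytes total. A session reported as INCOMPLETE did not inspect its full object set, so its `found=0` only covers what was scanned before it stopped; the `removal_enabled` flag mirrors the `remove_checked` setting the instructions above ask to leave unchecked.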