Possible garrys mod virus?

Possible garrys mod virus?10th July 2011, 1:56 am

Last week my computer began running CHKDSK at every start up. After some investigating I discovered it was related to garrys mod. CHKDSK would only run if my brother had been playing garrys mod the last time the computer was on. My brother plays it online and whenever he joins a server I noticed a blue screen which pops up and says "A Lua Script is creating a render target". This only started happening within the last few weeks.

To try to fix the CHKDSK problem I tried to uninstall garrys mod but to my surprise one of the folders wouldn't delete. Its path was "C:\Program Files\Steam\steamapps\user\garrysmod\garrysmod\lua_temp\weapons_______________".

The strange folder name is what caught my attention. Besides the long line of underscores, every time I tried to delete it said "Cannot delete weapons__________________: The directory is not empty". Trying to open it gave me an error message saying it was not accessible and "The file or directory is corrupted and unreadable."

After searching for solutions online and using various methods to remove it I decided to run a full CHKDSK. It didn't work. The folder is empty and it can be renamed and moved, just not deleted. Right now it's on my desktop (I've deleted all other garrys mod files successfully) and renamed it to "what_is_this". I ran another full CHKDSK earlier today and still can't delete it.

I've heard of people getting viruses through shady garrys mod servers and they involve lua files. My guess is it's either that or my hard drive is just dying but I thought I'd check here first before I replace it.

edit: Just some additional information. When I tried deleting it with Unlocker a yellow triangle with an exclamation point appeared in the tray with a bubble saying "Unlocker.exe - Corrupt File The file or directory C: is corrupt and unreadable. Please run the Chkdsk utility."

This warning also popped up when I ran Spybot S&D earlier today and just a few minutes ago when I ran OTL.

Last edited by planetsngalaxies on 10th July 2011, 11:56 pm; edited 3 times in total

Re: Possible garrys mod virus?10th July 2011, 1:59 am

OTL logfile created on: 7/9/2011 6:15:03 PM - Run 2
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\memoirs\Desktop\gmod virus
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.71 Gb Available Physical Memory | 83.44% Memory free
5.11 Gb Paging File | 4.58 Gb Available in Paging File | 89.60% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 390.63 Gb Total Space | 41.24 Gb Free Space | 10.56% Space Free | Partition Type: NTFS

Computer Name: ADRIAN-9B9F6298 | User Name: memoirs | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/09 18:01:17 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\memoirs\Desktop\gmod virus\OTL.com
PRC - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/11/16 16:52:45 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\steam.exe
PRC - [2010/10/03 01:13:42 | 000,470,544 | ---- | M] () -- C:\Program Files\Core Temp\Core Temp.exe
PRC - [2010/04/12 17:29:29 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\JDK\bin\jqs.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/09/08 11:10:20 | 000,450,560 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
PRC - [2008/09/08 11:09:40 | 000,184,320 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
PRC - [2008/04/13 17:12:19 | 000,975,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 18:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe

========== Modules (SafeList) ==========

MOD - [2011/07/09 18:01:17 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\memoirs\Desktop\gmod virus\OTL.com
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/11/11 13:57:04 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/11/11 13:57:02 | 000,444,656 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/11/11 13:55:56 | 006,351,600 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/11/11 13:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/04/12 17:29:29 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\JDK\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/15 13:07:16 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2008/09/08 11:10:20 | 000,450,560 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2008/09/08 11:09:40 | 000,184,320 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (ALSysIO)
DRV - [2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/04/06 15:33:50 | 006,388,328 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/12/23 22:53:26 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/12/23 22:53:25 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2009/11/18 07:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 07:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/08/01 11:36:00 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/08/01 11:36:00 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/04/13 11:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 11:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2004/12/01 03:46:20 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/12/01 03:46:20 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2003/09/25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.9.9
FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.1.1
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.49
FF - prefs.js..extensions.enabledItems: tabscope@xuldev.org:1.1
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.5.2
FF - prefs.js..extensions.enabledItems: hidemenubar@moztw.org:4.0.20110225
FF - prefs.js..extensions.enabledItems: {446c03e0-2c35-11db-a98b-0800200c9a67}:0.5
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: nasanightlaunch@example.com:0.6.20101009
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1032

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\JDK\lib\deploy\jqs\ff [2009/05/09 21:22:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/01/30 00:30:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/01/30 00:30:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0b8\extensions\\Components: C:\Program Files\Mozilla Firefox 4.0 Beta 7\components [2010/12/23 00:05:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0b8\extensions\\Plugins: C:\Program Files\Mozilla Firefox 4.0 Beta 7\plugins [2011/01/30 00:30:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/25 01:40:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/22 22:19:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2008/11/03 08:27:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/04/25 19:30:09 | 000,000,000 | ---D | M]

[2009/06/12 19:15:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Extensions
[2011/07/07 04:09:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions
[2011/01/02 20:48:04 | 000,000,000 | ---D | M] (Forecastfox Weather) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/07/08 22:15:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/07 12:08:36 | 000,000,000 | ---D | M] (WeatherBug) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
[2011/01/03 02:19:02 | 000,000,000 | ---D | M] (Favicon Picker 3) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\{446c03e0-2c35-11db-a98b-0800200c9a67}
[2011/01/30 00:18:46 | 000,000,000 | ---D | M] (mediaplayerconnectivity) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\{84b24861-62f6-364b-eba5-2e5e2061d7e6}
[2011/03/12 00:13:58 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2011/04/21 17:37:12 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\firefox@ghostery.com
[2011/02/15 22:41:30 | 000,000,000 | ---D | M] (Read It Later) -- C:\Documents and Settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\extensions\isreaditlater@ideashower.com
[2011/06/25 01:40:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/07 20:26:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MEMOIRS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0A4ZO8AH.DEFAULT\EXTENSIONS\{46551EC9-40F0-4E47-8E18-8E5CF550CFB8}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MEMOIRS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0A4ZO8AH.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MEMOIRS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0A4ZO8AH.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MEMOIRS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0A4ZO8AH.DEFAULT\EXTENSIONS\{D40F5E7B-D2CF-4856-B441-CC613EEFFBE3}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MEMOIRS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0A4ZO8AH.DEFAULT\EXTENSIONS\{E4A8A97B-F2ED-450B-B12D-EE082BA24781}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MEMOIRS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0A4ZO8AH.DEFAULT\EXTENSIONS\STATUS4EVAR@CALIGONSTUDIOS.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MEMOIRS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0A4ZO8AH.DEFAULT\EXTENSIONS\TABSCOPE@XULDEV.ORG.XPI
[2009/05/09 21:22:50 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\JDK\LIB\DEPLOY\JQS\FF
[2011/06/15 21:17:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 01:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2010/08/26 16:40:37 | 000,416,183 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14390 more lines...
O2 - BHO: (DivX Plus Web Player HTML5

Re: Possible garrys mod virus?10th July 2011, 2:00 am

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/07/09 18:13:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Desktop\gmod virus
[2011/07/09 00:18:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\memoirs\Recent
[2011/07/09 00:14:59 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/07/08 23:52:03 | 000,000,000 | ---D | C] -- C:\Program Files\G-Programs
[2011/07/08 02:05:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Local Settings\Application Data\fotw
[2011/07/08 02:05:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Application Data\fotw
[2011/07/07 00:50:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
[2011/07/07 00:50:13 | 000,145,000 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcolor.exe
[2011/07/07 00:50:09 | 013,895,272 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcpl.dll
[2011/07/07 00:50:09 | 000,111,208 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvmctray.dll
[2011/07/07 00:50:06 | 000,543,336 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\easyupdatusapiu.dll
[2011/07/07 00:50:06 | 000,054,272 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwddi.dll
[2011/07/07 00:48:55 | 000,061,440 | ---- | C] (Khronos Group) -- C:\WINDOWS\System32\OpenCL.dll
[2011/07/07 00:48:54 | 016,068,608 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvoglnt.dll
[2011/07/07 00:48:54 | 000,865,896 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvgenco322090.dll
[2011/07/07 00:48:53 | 000,899,688 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvdispco3220150.dll
[2011/07/07 00:48:47 | 013,004,800 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcompiler.dll
[2011/07/07 00:48:47 | 012,753,664 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\dllcache\nv4_mini.sys
[2011/07/07 00:48:47 | 005,332,992 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuda.dll
[2011/07/07 00:48:47 | 004,198,272 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nv4_disp.dll
[2011/07/07 00:48:47 | 002,808,936 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuvid.dll
[2011/07/07 00:48:47 | 002,328,576 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvapi.dll
[2011/07/07 00:48:47 | 002,082,408 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvcuvenc.dll
[2011/06/30 06:40:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Desktop\what_is_this
[2011/06/20 18:43:38 | 000,131,072 | ---- | C] (JCA Consulting) -- C:\WINDOWS\System32\JCDtEx.dll
[2011/06/20 18:43:38 | 000,081,920 | ---- | C] (JCA Consulting) -- C:\WINDOWS\System32\JCRegEx.dll
[2011/06/20 18:43:38 | 000,028,672 | ---- | C] (JCA Consulting) -- C:\WINDOWS\System32\JCSortEx.dll
[2011/06/20 18:43:38 | 000,000,000 | ---D | C] -- C:\Program Files\AOK Mod Pack Studio Lite
[2011/06/20 18:43:25 | 000,299,520 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe
[2011/06/20 17:44:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Games
[2011/06/20 17:33:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\memoirs\Start Menu\Programs\Age of Chivalry Hegemony
[2011/06/15 14:02:16 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games
[2011/06/14 14:01:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2011/06/14 13:57:00 | 000,852,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vgx.dll
[2011/06/14 13:55:34 | 000,105,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[2006/09/03 23:08:01 | 000,131,072 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.SHDocVw.dll
[2006/09/03 23:08:01 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\AxInterop.SHDocVw.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/09 17:49:21 | 000,000,314 | -HS- | M] () -- C:\boot.ini
[2011/07/09 17:38:02 | 000,002,163 | ---- | M] () -- C:\Documents and Settings\memoirs\Application Data\Microsoft\Internet Explorer\Quick Launch\Steam.lnk
[2011/07/09 17:30:00 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1454471165-839522115-1007UA.job
[2011/07/09 17:24:15 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/07/09 17:21:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/09 03:27:53 | 000,001,658 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\xvideoscomf3c03456fd58a7f058c460668439c5bb.html
[2011/07/09 00:20:11 | 000,431,588 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\cc_20110709_001956.reg
[2011/07/07 14:46:23 | 000,273,344 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/07 14:46:23 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/07/07 01:05:48 | 000,273,344 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/07 00:49:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvdrswr.lk
[2011/07/06 21:30:00 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1454471165-839522115-1007Core.job
[2011/07/05 00:43:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/01 17:18:06 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\memoirs\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/06/25 19:16:27 | 006,220,854 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\shauncore mad 3.bmp
[2011/06/25 18:34:00 | 000,004,804 | ---- | M] () -- C:\Documents and Settings\memoirs\.recently-used.xbel
[2011/06/25 18:23:38 | 006,220,854 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\shauncore mad 2.bmp
[2011/06/25 01:40:43 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\memoirs\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/23 03:13:16 | 000,081,920 | ---- | M] () -- C:\Documents and Settings\memoirs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/23 01:05:35 | 006,220,854 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\shauncore mad.bmp
[2011/06/22 02:15:02 | 006,220,854 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\shaunfail1.bmp
[2011/06/19 03:50:39 | 006,220,854 | ---- | M] () -- C:\Documents and Settings\memoirs\Desktop\untitled.bmp
[2011/06/15 17:04:01 | 000,441,546 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/15 17:04:01 | 000,071,482 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/12 23:47:25 | 000,140,024 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2011/06/12 23:47:17 | 000,280,768 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/09 03:27:53 | 000,010,076 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\Skin.swf
[2011/07/09 03:27:53 | 000,009,038 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\FLVPlayer.swf
[2011/07/09 03:27:53 | 000,001,658 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\xvideoscomf3c03456fd58a7f058c460668439c5bb.html
[2011/07/09 00:19:58 | 000,431,588 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\cc_20110709_001956.reg
[2011/07/07 00:49:47 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/07 00:49:47 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/07 00:49:47 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/07/07 00:49:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nvdrswr.lk
[2011/07/07 00:48:54 | 000,003,249 | ---- | C] () -- C:\WINDOWS\System32\nvinfo.pb
[2011/07/07 00:48:50 | 002,123,582 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/06/25 19:16:26 | 006,220,854 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\shauncore mad 3.bmp
[2011/06/25 18:34:00 | 000,004,804 | ---- | C] () -- C:\Documents and Settings\memoirs\.recently-used.xbel
[2011/06/25 18:23:37 | 006,220,854 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\shauncore mad 2.bmp
[2011/06/23 01:05:34 | 006,220,854 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\shauncore mad.bmp
[2011/06/22 02:15:01 | 006,220,854 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\shaunfail1.bmp
[2011/06/19 03:50:38 | 006,220,854 | ---- | C] () -- C:\Documents and Settings\memoirs\Desktop\untitled.bmp
[2011/05/03 20:48:18 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2011/03/20 18:43:39 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\SI.bin
[2010/12/17 20:58:36 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\memoirs\Local Settings\Application Data\d3d9caps.dat
[2010/09/15 20:21:49 | 000,041,240 | ---- | C] () -- C:\WINDOWS\System32\firewallinstallhelper.dll
[2010/07/11 16:00:19 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\memoirs\Application Data\PnkBstrK.sys
[2010/07/11 15:59:39 | 002,434,856 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_bc2.exe
[2010/05/10 18:08:02 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/02/13 13:58:34 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
[2010/02/13 13:58:34 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
[2010/01/04 19:08:06 | 000,000,531 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2009/09/29 14:10:25 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/08/26 11:16:56 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2009/08/26 11:16:43 | 000,004,254 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2009/07/06 18:59:21 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/06/10 14:16:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/06/04 14:20:46 | 000,081,920 | ---- | C] () -- C:\Documents and Settings\memoirs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/12 04:23:42 | 000,000,227 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2009/05/12 04:23:41 | 000,045,568 | ---- | C] () -- C:\WINDOWS\UniFish3.exe
[2009/03/08 19:19:02 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009/03/08 19:19:02 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/02/22 17:16:59 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/02/22 17:16:59 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/02/22 17:16:59 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/02/22 16:30:05 | 000,035,708 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2009/02/19 08:54:57 | 000,000,281 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2009/01/09 03:10:42 | 000,020,163 | ---- | C] () -- C:\WINDOWS\W2BNEUnin.dat
[2008/12/28 15:51:45 | 000,001,188 | ---- | C] () -- C:\WINDOWS\nwplayer.ini
[2008/11/14 21:52:47 | 000,140,024 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/11/14 21:52:39 | 000,280,768 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2008/11/14 21:52:13 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2008/11/03 15:10:43 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/11/03 14:30:11 | 000,154,679 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2008/11/03 08:26:55 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2008/11/03 07:02:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/11/03 06:55:08 | 000,001,732 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2008/11/03 06:21:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/11/03 06:16:48 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/11/02 16:28:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/11/02 16:25:56 | 000,149,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/12/01 03:46:31 | 000,441,546 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/12/01 03:46:31 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/12/01 03:46:31 | 000,071,482 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/12/01 03:46:31 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/12/01 03:46:23 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/12/01 03:46:22 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/12/01 03:46:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/12/01 03:45:49 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/12/01 03:45:48 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/12/01 03:44:56 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/03 18:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 07:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[1997/06/13 18:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Custom Scans ==========

< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2011/06/15 21:17:34 | 000,125,912 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2011/06/15 21:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2011/06/15 21:17:34 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2011/06/15 21:17:34 | 000,265,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2008/11/03 07:08:26 | 000,000,000 | ---D | M] -- C:\Program Files\7-Zip
[2008/11/20 18:09:41 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2011/06/20 18:43:39 | 000,000,000 | ---D | M] -- C:\Program Files\AOK Mod Pack Studio Lite
[2010/12/16 01:06:20 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/01/09 02:27:14 | 000,000,000 | ---D | M] -- C:\Program Files\Ashampoo
[2008/11/03 07:08:41 | 000,000,000 | ---D | M] -- C:\Program Files\AutoPatcher
[2011/07/09 00:15:00 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2011/04/09 22:08:00 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2011/01/26 16:42:12 | 000,000,000 | ---D | M] -- C:\Program Files\Core Temp
[2010/06/23 08:06:26 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools Lite
[2010/07/09 00:15:40 | 000,000,000 | ---D | M] -- C:\Program Files\Deluge
[2010/12/23 23:54:10 | 000,000,000 | ---D | M] -- C:\Program Files\Diablo II
[2010/12/25 10:54:26 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2011/01/30 00:30:11 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2011/03/08 15:34:54 | 000,000,000 | ---D | M] -- C:\Program Files\Dragon Age
[2011/03/22 22:17:05 | 000,000,000 | ---D | M] -- C:\Program Files\Dragon Age 2
[2011/03/20 18:54:15 | 000,000,000 | ---D | M] -- C:\Program Files\Electronic Arts
[2011/06/23 02:12:19 | 000,000,000 | ---D | M] -- C:\Program Files\Free FLV Converter
[2011/07/08 23:52:03 | 000,000,000 | ---D | M] -- C:\Program Files\G-Programs
[2011/04/09 02:08:07 | 000,000,000 | ---D | M] -- C:\Program Files\GeMM
[2011/05/25 21:24:24 | 000,000,000 | ---D | M] -- C:\Program Files\GIMP-2.0
[2010/07/09 00:16:37 | 000,000,000 | ---D | M] -- C:\Program Files\GTK2-Runtime
[2008/11/14 23:00:57 | 000,000,000 | ---D | M] -- C:\Program Files\Guitar Pro 5
[2009/06/12 18:33:55 | 000,000,000 | ---D | M] -- C:\Program Files\HighMAT CD Writing Wizard
[2010/03/03 18:31:17 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallJammer Registry
[2011/04/17 14:43:19 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/07/29 21:47:56 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2008/11/03 07:39:55 | 000,000,000 | ---D | M] -- C:\Program Files\Malicious Software Removal Tool
[2011/07/08 22:35:43 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/18 15:04:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mass Effect
[2010/09/13 18:59:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mass Effect 2
[2009/06/12 23:13:15 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2010/06/14 15:35:25 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2008/11/03 06:19:56 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2011/06/20 18:51:51 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games
[2010/07/23 21:19:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2008/11/29 20:17:42 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SDKs
[2011/06/15 19:59:11 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2008/11/29 20:21:21 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server
[2008/11/29 20:20:13 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 9.0
[2009/12/27 03:00:38 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft WSE
[2008/11/29 20:18:45 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2011/04/27 00:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\mIRC
[2010/06/22 21:21:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mount&Blade Warband
[2011/04/08 22:14:40 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/06/25 01:40:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2011/01/30 00:30:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox 4.0 Beta 7
[2009/01/16 22:52:12 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Thunderbird
[2008/11/03 07:38:43 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2010/07/23 21:19:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2008/11/03 06:15:40 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/11/03 06:16:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2008/11/03 07:39:37 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/01/17 05:26:57 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2009/06/12 23:06:33 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/05/23 21:48:46 | 000,000,000 | ---D | M] -- C:\Program Files\Notepad++
[2008/12/30 00:46:09 | 000,000,000 | ---D | M] -- C:\Program Files\NoteWorthy Player
[2011/03/06 02:56:15 | 000,000,000 | ---D | M] -- C:\Program Files\NTCore
[2011/07/07 00:54:54 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2010/12/25 12:09:23 | 000,000,000 | ---D | M] -- C:\Program Files\Olympus
[2010/12/15 21:12:23 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/06/04 10:15:01 | 000,000,000 | ---D | M] -- C:\Program Files\Paradox Interactive
[2011/03/22 22:18:22 | 000,000,000 | ---D | M] -- C:\Program Files\paulstretch
[2010/12/28 22:46:39 | 000,000,000 | ---D | M] -- C:\Program Files\Phyxion.net
[2010/07/11 20:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\PS3 Media Server
[2010/12/16 01:07:10 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2008/11/03 08:26:37 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2010/09/21 21:10:15 | 000,000,000 | ---D | M] -- C:\Program Files\Rectangle Red
[2008/11/03 07:35:52 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2009/05/12 15:41:47 | 000,000,000 | ---D | M] -- C:\Program Files\RollerCoaster Tycoon
[2010/06/13 07:42:59 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2009/08/21 17:26:14 | 000,000,000 | ---D | M] -- C:\Program Files\StarCraft
[2011/02/04 19:10:02 | 000,000,000 | ---D | M] -- C:\Program Files\Stardock
[2011/02/04 19:09:44 | 000,000,000 | ---D | M] -- C:\Program Files\Stardock Games
[2011/07/09 17:38:09 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2009/05/09 21:23:11 | 000,000,000 | ---D | M] -- C:\Program Files\Sun
[2011/04/17 18:34:57 | 000,000,000 | ---D | M] -- C:\Program Files\The Witcher Enhanced Edition
[2009/09/29 14:09:43 | 000,000,000 | ---D | M] -- C:\Program Files\Thief - Deadly Shadows
[2011/03/20 18:47:59 | 000,000,000 | ---D | M] -- C:\Program Files\Ubisoft
[2011/07/08 15:05:59 | 000,000,000 | ---D | M] -- C:\Program Files\Unlocker
[2009/03/08 23:56:50 | 000,000,000 | ---D | M] -- C:\Program Files\Unreal Anthology
[2008/11/03 15:25:01 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2009/04/26 14:06:07 | 000,000,000 | ---D | M] -- C:\Program Files\Warcraft II BNE
[2011/07/02 09:35:50 | 000,000,000 | ---D | M] -- C:\Program Files\Warcraft III
[2008/11/03 07:25:38 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Defender
[2008/11/03 07:11:18 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Journal Viewer
[2010/06/14 15:34:36 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2010/06/14 15:35:04 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2009/01/21 23:15:08 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/06/12 23:06:30 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/06/12 23:06:30 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/12/23 01:55:59 | 000,000,000 | ---D | M] -- C:\Program Files\WinMerge
[2011/03/28 22:35:50 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2008/11/03 06:19:56 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/12/15 21:05:56 | 000,000,000 | ---D | M] -- C:\Program Files\Zune

< MD5 for: AGP440.SYS >
[2004/08/03 18:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/06/12 23:01:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/06/12 23:01:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 18:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/06/12 23:01:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/06/12 23:01:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 15:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/03 18:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2009/06/12 23:01:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2009/06/12 23:01:05 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/03 15:59:56 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 17:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-07-08 21:59:13

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/06/15 21:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/06/15 21:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/06/15 21:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/06/15 21:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/06/15 21:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/06/15 21:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 17:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 17:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 17:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" [2008/04/13 17:12:22 | 000,832,512 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/06/15 21:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/06/15 21:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/06/15 21:17:34 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/06/15 21:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/06/15 21:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/06/15 21:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\memoirs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/06/23 23:25:50 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 17:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 17:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 17:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" [2008/04/13 17:12:22 | 000,832,512 | ---- | M] (Microsoft Corporation)

< End of report >

Re: Possible garrys mod virus?10th July 2011, 2:03 am

aswMBR version 0.9.7.705 Copyright(c) 2011 AVAST Software
Run date: 2011-07-09 18:32:01
-----------------------------
18:32:01.765 OS Version: Windows 5.1.2600 Service Pack 3
18:32:01.765 Number of processors: 4 586 0x203
18:32:01.765 ComputerName: ADRIAN-9B9F6298 UserName: memoirs
18:32:03.296 Initialize success
18:32:54.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
18:32:54.031 Disk 0 Vendor: WDC_WD5000AACS-00ZUB0 01.01B01 Size: 476940MB BusType: 3
18:32:56.421 Disk 0 MBR read successfully
18:32:56.421 Disk 0 MBR scan
18:32:56.421 Disk 0 unknown MBR code
18:32:58.421 Disk 0 scanning sectors +976768065
18:32:58.437 Disk 0 scanning C:\WINDOWS\system32\drivers
18:33:04.484 Service scanning
18:33:05.343 Disk 0 trace - called modules:
18:33:05.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:33:05.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfcc5dab8]
18:33:05.343 3 CLASSPNP.SYS[f5e07fd7] -> nt!IofCallDriver -> \Device\00000078[0xfcc1cf18]
18:33:05.343 5 ACPI.sys[f5c9e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0xfcc99940]
18:33:05.343 Scan finished successfully
18:33:19.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\memoirs\Desktop\MBR.dat"
18:33:19.765 The log file has been saved successfully to "C:\Documents and Settings\memoirs\Desktop\aswMBR.txt"

Re: Possible garrys mod virus?10th July 2011, 2:03 am

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 20
Java(TM) SE Development Kit 6 Update 13
Java DB 10.4.1.3
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.1.53.64
Mozilla Firefox (x86 en-US..)
Mozilla Thunderbird (2.0.0) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Windows Defender MSASCui.exe
Malwarebytes' Anti-Malware mbamservice.exe
Windows Defender MsMpEng.exe
Windows Defender MSASCui.exe
``````````End of Log````````````

Re: Possible garrys mod virus?12th July 2011, 2:11 am

bump

Re: Possible garrys mod virus?13th July 2011, 12:23 am

Hi,

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.

Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

Close any open windows and double click PCHelpForum.exe to run it.

You will see the following image:

Possible garrys mod virus? NSIS_disclaimer_ENG

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

Possible garrys mod virus? NSIS_extraction

Possible garrys mod virus? NSIS_extraction

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

Possible garrys mod virus? RcAuto1

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Possible garrys mod virus? Whatnext

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Re: Possible garrys mod virus?13th July 2011, 7:39 am

Hi Belahzur,

I followed the instructions for Combofix but a major problem has occurred. After I ran it my computer restarted but at the black load screen where you select which way to run Windows, it gave the error:

"Windows could not start because the following file is missing or corrupt:
{Windows root}\system32\hal.dll
Please re-install a copy of the above file."

The only reason I could think this could be happening is, several months ago I edited the boot.ini so Windows would run in a "3gb enabled mode". Unfortunately, I can't find the backup I made then and I don't remember what the original boot.ini read.

I'm still able to run Fedora (Linux) instead of Windows on the same machine. Here is the boot.ini as it is now:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windo ws XP Professional SP2" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windo ws XP Professional w/3GB" /fastdetect /3GB /Userva=2900

Re: Possible garrys mod virus?13th July 2011, 8:35 am

Alright, I was able to get Windows to start again by replacing boot.ini with the backup that was created. The backup was:

[boot loader]
timeout=6
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windo ws XP Professional SP2" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windo ws XP Professional w/3GB" /fastdetect /3GB /Userva=2900

which I assume was the boot.ini before I ran PCHelpForum.exe

However, there is no ComboFix.txt in the C:\ directory and for some reason it created an Internet Explorer icon on my desktop. Should I run PCHelpForum.exe again and, if so, what should I do to prevent the hal.dll error from happening again?

Re: Possible garrys mod virus?15th July 2011, 9:52 am

Is my situation hopeless? Please don't give up on me, Belahzur! Sad tearing

Just some additional information: Every time I log on to my regular administrator account the little blue ComboFix box pops up for a millisecond (this is right when I log on and all my startup programs are starting). But other than the that everything else is fine on this account and I can use my computer normally.

However, other accounts on this computer are unusable. If I log on to those the ComboFix box pops up but it keeps flickering and I can't do anything but alt+ctrl+del and log off or restart.

Re: Possible garrys mod virus?17th July 2011, 4:12 pm

Hello.
Sorry for the delay, been busy.

Did you get a full log?

Re: Possible garrys mod virus?18th July 2011, 12:29 am

Hi

There was no ComboFix.txt in C:\ but there was a ComboFix2.txt in C:\Qoobox. Hopefully this is the correct file:

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\jdk\bin\jusched.exe" [2009-05-10 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - c:\program files\eBoostr\eBoostrCP.exe [2008-8-8 1011320]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"\\\\GOLLUM\\SID MEIER'S CIVILIZATION 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\insurgency\\hl2.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Warcraft II BNE\\Warcraft II BNE.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\JDK\\bin\\java.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\EA Games\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\counter-strike\\hl.exe"=
"c:\\Program Files\\Unreal Anthology\\UnrealTournament\\System\\UnrealTournament.exe"=

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\EBoost.sys [8/8/2008 5:17 AM 96376]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [8/8/2008 5:17 AM 843384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 2:10 PM 32512]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/9/2009 3:04 AM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\
FF - plugin: c:\jdk\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\jdk\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 12:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\System32\wudfhost.exe
c:\jdk\bin\jqs.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\jdk\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-07-07 12:52:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-07 19:51
ComboFix2.txt 2010-06-22 03:16
ComboFix3.txt 2010-06-21 19:37
ComboFix4.txt 2010-06-20 18:16
ComboFix5.txt 2010-07-07 19:31

Pre-Run: 83,780,628,480 bytes free
Post-Run: 84,274,728,960 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - FE2D4B1395587D79CA219BD92D6C10B0

Re: Possible garrys mod virus?20th July 2011, 1:10 am

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX. click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Check (tick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: Possible garrys mod virus?21st July 2011, 7:23 am

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=545800214e767c44919dba26d77e7bcd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-21 07:21:41
# local_time=2011-07-21 12:21:41 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=350176
# found=5
# cleaned=5
# scan_time=7257
C:\Documents and Settings\All Users\Application Data\eAp06504aLlMj06504\eAp06504aLlMj06504.exe a variant of Win32/Kryptik.MNK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\memoirs\Application Data\Sun\Java\Deployment\cache\6.0\60\e8267fc-651627af probably a variant of Win32/Agent.LMMBFXF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\G-Programs\G-Addon\G-Addon.exe probably a variant of Win32/Agent.CNGGIXJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E6D0EFC5-8EBF-48C0-B25D-A38E76BFF896}\RP7\A0013013.exe a variant of Win32/Kryptik.MNK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E6D0EFC5-8EBF-48C0-B25D-A38E76BFF896}\RP7\A0013014.exe probably a variant of Win32/Agent.CNGGIXJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: Possible garrys mod virus?21st July 2011, 11:47 am

Hello.

Please run OTL.exe.

Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:files
C:\Documents and Settings\All Users\Application Data\eAp06504aLlMj06504

:commands
[emptytemp]
[clearallrestorepoints]
[reboot]
Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
Click the red Run Fix button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Re: Possible garrys mod virus?22nd July 2011, 1:11 am

All processes killed
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\eAp06504aLlMj06504 folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: abe
->Temp folder emptied: 710567 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Guest
->Temp folder emptied: 1483637774 bytes
->Temporary Internet Files folder emptied: 3683971 bytes
->Java cache emptied: 1852842 bytes
->FireFox cache emptied: 560512528 bytes
->Flash cache emptied: 104943 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: memoirs
->Temp folder emptied: 35499563 bytes
->Temporary Internet Files folder emptied: 4933920 bytes
->Java cache emptied: 16940407 bytes
->FireFox cache emptied: 280532132 bytes
->Google Chrome cache emptied: 337605728 bytes
->Flash cache emptied: 2571521 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 163840 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 214128880 bytes

Total Files Cleaned = 2,807.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.26.1 log created on 07212011_174356

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Re: Possible garrys mod virus?23rd July 2011, 8:33 pm

How is the machine running now?

Re: Possible garrys mod virus?24th July 2011, 1:21 am

As good as ever but that un-deletable folder is still on my desktop. Since we cleaned out the viruses and malware do you think the problem is that my hard drive is just malfunctioning?

Re: Possible garrys mod virus?25th July 2011, 8:16 pm

Alright I assume that's a yes, haha.

Thanks again for everything Belahzur Smile...

Re: Possible garrys mod virus?27th July 2011, 1:32 am

Can you take a screenshot of that folder? I want to see it.

Re: Possible garrys mod virus?27th July 2011, 3:41 am

Sure. Here it is along with the message I get when I try to open or delete it.

Possible garrys mod virus? Nywimu

Re: Possible garrys mod virus?30th July 2011, 6:38 am

Hi,

Open up command prompt and type: CHKDSK /r then hit enter.

Re: Possible garrys mod virus?13th August 2011, 1:20 am

Haha! It worked!

Thank you! I was able to delete it. Smile...

Re: Possible garrys mod virus?13th August 2011, 1:39 am

You're welcome, glad to help. Do you require anymore assistance?

Re: Possible garrys mod virus?13th August 2011, 9:36 am

No, everything is running fine. However, somebody did steal my credit card info and tried to purchase something last week and I don't have any of that information saved on my hard drive.

Could this have been from one of the trojans Belahzur helped me remove that could've include a key logger? Should we do another scan?

Re: Possible garrys mod virus?14th August 2011, 4:17 am

Hi,

Actually, lets do some deeper checks to make sure. Be sure you change all of your passwords from a clean machine. Try and cancel that credit card as well because people who steal them have no heart when it comes to charging them when making purchases online.

Please download ComboFix Possible garrys mod virus? Combofix

from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Possible garrys mod virus?14th August 2011, 10:27 am

ComboFix 11-08-14.02 - memoirs 08/14/2011 3:11.7.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2752 [GMT -7:00]
Running from: c:\documents and settings\memoirs\desktop\commy.exe
Command switches used :: /stepdel
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Steam\steam.exe
.
---- Previous Run -------
.
c:\documents and settings\memoirs\Application Data\Local
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\2.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\3.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\4.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\5.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\6.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan.DVD.SCR.100thMonkey_ns.avi(2).ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan.DVD.SCR.100thMonkey_ns.avi(3).ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan.DVD.SCR.100thMonkey_ns.avi.ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Black.Swan_2010_DVDSCR.XviD.AC3-Rx.avi.ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan.DVD.SCR.100thMonkey_ns.avi(2).ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan.DVD.SCR.100thMonkey_ns.avi(3).ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan.DVD.SCR.100thMonkey_ns.avi.ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Black.Swan_2010_DVDSCR.XviD.AC3-Rx.avi.ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi(2).ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\video.avi.ddp
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\video.avi(2).ddr
c:\documents and settings\memoirs\Application Data\Local\Temp\DDM\Settings\video.avi.ddr
c:\documents and settings\memoirs\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
.
.
2011-08-13 01:18 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6F1EBDDF-1178-49AC-BAC6-6D4B14DCF1B4}\mpengine.dll
2011-08-12 08:35 . 2011-08-12 08:35 -------- d-----w- c:\documents and settings\memoirs\Application Data\.minecraft
2011-08-11 10:00 . 2011-08-11 10:00 -------- d-----w- C:\NVIDIA
2011-08-11 09:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 09:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-03 23:18 . 2011-08-03 23:18 -------- d-----w- c:\documents and settings\UpdatusUser
2011-08-03 23:18 . 2011-08-03 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-08-03 23:18 . 2011-08-03 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-08-03 23:18 . 2011-08-03 11:49 600680 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-08-03 23:18 . 2011-08-11 10:20 280276 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-08-03 23:18 . 2011-08-11 10:20 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-08-03 23:18 . 2011-08-11 10:02 280276 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-08-03 23:17 . 2011-08-03 11:49 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-08-03 23:17 . 2011-08-03 11:49 2387560 ----a-w- c:\windows\system32\nvcuvid.dll
2011-08-03 23:17 . 2011-08-03 11:49 2090088 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-08-03 23:17 . 2011-08-03 11:49 17186816 ----a-w- c:\windows\system32\nvcompiler.dll
2011-08-03 23:17 . 2011-05-25 06:09 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-07-16 01:26 . 2011-07-16 01:26 -------- d-----w- c:\documents and settings\abe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-03 23:38 . 2008-11-15 04:52 140496 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-08-03 23:38 . 2010-07-11 23:01 280736 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-08-03 23:38 . 2008-11-15 04:52 280736 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-08-03 23:26 . 2008-11-15 04:52 280768 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-08-03 11:49 . 2010-12-29 06:19 875112 ----a-w- c:\windows\system32\nvgenco32.dll
2011-07-15 19:49 . 2009-05-10 06:25 313208 ----a-w- c:\windows\system32\TubeFinder.exe
2011-07-15 13:29 . 2004-08-03 23:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 03:39 . 2009-06-07 17:24 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-08 14:02 . 2004-12-01 10:46 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-11-03 13:15 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2004-08-04 00:56 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2004-08-03 22:59 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2004-08-03 22:59 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 00:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 00:02 . 2008-11-30 03:20 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-06-16 00:02 . 2008-11-30 03:20 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2004-08-03 23:17 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 16:11 . 2010-06-19 03:42 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-06-19 03:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 02:14 . 2010-06-13 14:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-16 04:17 . 2011-03-23 05:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\ERDNT\cache\wuauclt.exe
[-] 2009-08-07 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
[-] 2009-08-07 . 0B6DABD6FFF1AD42A3CD65A1C7EE8F35 . 68832 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe
.
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2005-04-07 . 45757077A47C68A603A79B03A1A836AB . 1032192 . . [6.00.2900.2649] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB884883$\explorer.exe
.
[-] 2008-04-14 . 0B720CAE71F51A2B93811816F187BC0A . 224256 . . [5.1.2600.5512] . . c:\windows\regedit.exe
[-] 2008-04-14 . 0B720CAE71F51A2B93811816F187BC0A . 224256 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe
[7] 2004-08-04 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regedit.exe
.
[-] 2008-04-14 . AAC9DAE0E7C43BD26C43FC7436E2F1B0 . 832512 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\program files\Core Temp\Core Temp.exe" [2010-10-03 470544]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MDS_Menu"="c:\program files\Olympus\ib\MUITransfer\MUIStartMenu.exe" [2010-07-01 220336]
"RTHDCPL"="RTHDCPL.EXE" [2011-03-22 20053096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
.
c:\documents and settings\memoirs\Start Menu\Programs\Startup\
nvidiaInspector.lnk - c:\documents and settings\memoirs\Desktop\nvidia Inspector\nvidiaInspector.exe [2011-1-25 530432]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^memoirs^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\memoirs\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^memoirs^Start Menu^Programs^Startup^Shortcut to steamstart.lnk]
path=c:\documents and settings\memoirs\Start Menu\Programs\Startup\Shortcut to steamstart.lnk
backup=c:\windows\pss\Shortcut to steamstart.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
c:\pchelpforum\CF26829.cfxxe [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivX Download Manager]
2010-12-08 21:15 63360 ----a-w- c:\program files\DivX\DivX Plus Web Player\DDMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-01-10 23:25 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-05-24 04:25 136176 ----atw- c:\documents and settings\memoirs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-05-29 16:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Olympus ib]
2010-09-30 18:47 93360 ------w- c:\program files\Olympus\ib\olycamdetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-11-11 20:55 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneBusEnum"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"MBAMService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.patch.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\pirates, vikings, and knights ii\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Microsoft Games\\Rome at War\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\ricochet\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fate of the world\\bin\\fotw.exe"=
"c:\\Program Files\\Ubisoft\\Dawn of Discovery\\tools\\Anno4Web.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dino d-day\\dinodday.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dino d-day\\srcds.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\SteamApps\\adrianwar\\garrysmod\\hl2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8380:TCP"= 8380:TCP:*:Disabled:League of Legends Launcher
"8380:UDP"= 8380:UDP:*:Disabled:League of Legends Launcher
"6892:TCP"= 6892:TCP:*:Disabled:League of Legends Launcher
"6892:UDP"= 6892:UDP:*:Disabled:League of Legends Launcher
.
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [8/3/2011 4:18 PM 2255464]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\memoirs\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\memoirs\LOCALS~1\Temp\ALSysIO.sys [?]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/24/2010 6:30 PM 1691480]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/15/2009 1:07 PM 25832]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/18/2010 8:42 PM 22712]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 1:57 PM 268528]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/18/2010 8:42 PM 366640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALSYSIO
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1454471165-839522115-1007Core.job
- c:\documents and settings\memoirs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-24 04:25]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1454471165-839522115-1007UA.job
- c:\documents and settings\memoirs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-24 04:25]
.
2011-08-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
FF - ProfilePath - c:\documents and settings\memoirs\Application Data\Mozilla\Firefox\Profiles\0a4zo8ah.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol 120\axcmd.exe
MSConfigStartUp-Steam - c:\program files\Steam\steam.exe
AddRemove-SimCity 3000 - c:\program files\Maxis\SimCity 3000\Uninst.isu
AddRemove-Steam App 130 - c:\program files\Steam\steam.exe
AddRemove-Steam App 17510 - c:\program files\Steam\steam.exe
AddRemove-Steam App 17570 - c:\program files\Steam\steam.exe
AddRemove-Steam App 17700 - c:\program files\Steam\steam.exe
AddRemove-Steam App 20 - c:\program files\Steam\steam.exe
AddRemove-Steam App 215 - c:\program files\Steam\steam.exe
AddRemove-Steam App 218 - c:\program files\Steam\steam.exe
AddRemove-Steam App 220 - c:\program files\Steam\steam.exe
AddRemove-Steam App 22380 - c:\program files\Steam\steam.exe
AddRemove-Steam App 24400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 30 - c:\program files\Steam\steam.exe
AddRemove-Steam App 380 - c:\program files\Steam\steam.exe
AddRemove-Steam App 400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 4000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 41700 - c:\program files\Steam\steam.exe
AddRemove-Steam App 420 - c:\program files\Steam\steam.exe
AddRemove-Steam App 43110 - c:\program files\Steam\steam.exe
AddRemove-Steam App 440 - c:\program files\Steam\steam.exe
AddRemove-Steam App 4500 - c:\program files\Steam\steam.exe
AddRemove-Steam App 50 - c:\program files\Steam\steam.exe
AddRemove-Steam App 500 - c:\program files\Steam\steam.exe
AddRemove-Steam App 550 - c:\program files\Steam\steam.exe
AddRemove-Steam App 57300 - c:\program files\Steam\steam.exe
AddRemove-Steam App 60 - c:\program files\Steam\steam.exe
AddRemove-Steam App 620 - c:\program files\Steam\steam.exe
AddRemove-Steam App 67000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 70000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 80200 - c:\program files\Steam\steam.exe
AddRemove-Steam App 8930 - c:\program files\Steam\steam.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-14 03:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1123561945-1454471165-839522115-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c9,8d,dc,fa,21,f9,1b,5d,d9,77,1f,99,cb,a7,cc,f7,05,88,12,3d,7b,77,b1,
4e,0b,7e,ca,eb,d7,0b,24,68,c3,b7,e7,08,0d,91,35,ce,4f,1a,41,32,00,2a,8d,16,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-1123561945-1454471165-839522115-1007\Software\SecuROM\License information*]
"datasecu"=hex:c5,27,bd,de,1a,73,7c,f6,df,77,56,df,7a,35,ec,ef,53,a2,eb,9c,8c,
af,dc,3a,38,17,48,1f,5e,aa,34,f7,bc,6b,21,59,00,a8,84,2b,63,31,4c,77,1d,b8,\
"rkeysecu"=hex:d6,d6,4e,6f,9d,d6,91,1f,67,26,d8,e2,98,68,ce,07
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\nvLsp.dll
.
Completion time: 2011-08-14 03:23:34
ComboFix-quarantined-files.txt 2011-08-14 10:23
ComboFix2.txt 2010-07-07 19:52
.
Pre-Run: 31,268,020,224 bytes free
Post-Run: 31,287,857,152 bytes free
.
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 917258D82BFDD1753C05AA2A832DB405

Re: Possible garrys mod virus?15th August 2011, 3:52 am

Hi,

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:

DeQuarantine::
c:\qoobox\quarantine\c\program files\Steam\steam.exe.vir
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Possible garrys mod virus?

descriptionPossible garrys mod virus?10th July 2011, 1:56 am

descriptionRe: Possible garrys mod virus?10th July 2011, 1:59 am

descriptionRe: Possible garrys mod virus?10th July 2011, 2:00 am

descriptionRe: Possible garrys mod virus?10th July 2011, 2:03 am

descriptionRe: Possible garrys mod virus?10th July 2011, 2:03 am

descriptionRe: Possible garrys mod virus?12th July 2011, 2:11 am

descriptionRe: Possible garrys mod virus?13th July 2011, 12:23 am

descriptionRe: Possible garrys mod virus?13th July 2011, 7:39 am

descriptionRe: Possible garrys mod virus?13th July 2011, 8:35 am

descriptionRe: Possible garrys mod virus?15th July 2011, 9:52 am

descriptionRe: Possible garrys mod virus?17th July 2011, 4:12 pm

descriptionRe: Possible garrys mod virus?18th July 2011, 12:29 am

descriptionRe: Possible garrys mod virus?20th July 2011, 1:10 am

descriptionRe: Possible garrys mod virus?21st July 2011, 7:23 am

descriptionRe: Possible garrys mod virus?21st July 2011, 11:47 am

descriptionRe: Possible garrys mod virus?22nd July 2011, 1:11 am

descriptionRe: Possible garrys mod virus?23rd July 2011, 8:33 pm

descriptionRe: Possible garrys mod virus?24th July 2011, 1:21 am

descriptionRe: Possible garrys mod virus?25th July 2011, 8:16 pm

descriptionRe: Possible garrys mod virus?27th July 2011, 1:32 am

descriptionRe: Possible garrys mod virus?27th July 2011, 3:41 am

descriptionRe: Possible garrys mod virus?30th July 2011, 6:38 am

descriptionRe: Possible garrys mod virus?13th August 2011, 1:20 am

descriptionRe: Possible garrys mod virus?13th August 2011, 1:39 am

descriptionRe: Possible garrys mod virus?13th August 2011, 9:36 am

descriptionRe: Possible garrys mod virus?14th August 2011, 4:17 am

descriptionRe: Possible garrys mod virus?14th August 2011, 10:27 am

descriptionRe: Possible garrys mod virus?15th August 2011, 3:52 am

descriptionRe: Possible garrys mod virus?