
Internet Explorer Freezes When Started & Firefox Freezes/crashes On Some Websites


This topic is locked
61 replies to this topic

#1 Bodhi Bloodwave

Bodhi Bloodwave

  • Members
  • 31 posts
  • Gender: Male
  • Location: Norway

Posted 03 April 2008 - 08:40 AM

I got a rather irritating Virtumundo problem earlier and while I did manage to remove it, or so the VirtumundoBeGone program claims, my browsers are not working properly, so I would like some help in fixing them if possible. (And gods know what other old stuff is on my computer, as aside from some scans and such I haven't done any serious cleaning o.O)

Here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:23, on 03.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Programfiler\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\WinZip\WZQKPICK.EXE
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programfiler\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programfiler\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programfiler\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {6A3A1B52-F1D2-4FA6-B06D-689DF25E4CDE} - C:\WINDOWS\system32\vtutq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\Programfiler\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\Programfiler\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Programfiler\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Programfiler\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Programfiler\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Microsoft Office] lserv.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] ngazfyc.exe
O4 - HKLM\..\Run: [Systesms.exe] Systesms.exe
O4 - HKLM\..\Run: [Microsoft Java Windows Update] aikjez.exe
O4 - HKLM\..\Run: [start_forbruksmåler] C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe C:\Programfiler\Telenor Plus\Forbruksmåler
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Sys Ren] C:\WINDOWS\SysRen.exe /S
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [wnif] C:\WINDOWS\wnif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Update Emulator] winmfg.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Oxcrlt] C:\Program Files\Twcyth\Jlnw.exe
O4 - HKLM\..\Run: [csairh] c:\windows\system32\vczyrtf.exe r
O4 - HKLM\..\Run: [eigffo] C:\WINDOWS\System32\vncluau.exe r
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Microsoft Update Emulator] winmfg.exe
O4 - HKLM\..\RunServices: [Microsoft Office] lserv.exe
O4 - HKLM\..\RunServices: [Systesms.exe] Systesms.exe
O4 - HKLM\..\RunServices: [Microsoft Java Windows Update] aikjez.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Office] lserv.exe
O4 - HKCU\..\Run: [Microsoft Java Windows Update] aikjez.exe
O4 - HKCU\..\Run: [Systesms.exe] Systesms.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] ngazfyc.exe
O4 - HKCU\..\Run: [oriz] C:\PROGRA~1\COMMON~1\oriz\orizm.exe
O4 - HKCU\..\Run: [Microsoft Update Emulator] winmfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Office] lserv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] ngazfyc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Systesms.exe] Systesms.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Java Windows Update] aikjez.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programfiler\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Send to ZapEasy... - file:///c:\programfiler\smartlink as\zapeasy\Smartplugin.htm
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programfiler\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programfiler\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programfiler\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programfiler\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ZapEasy - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} - http://www.smartlink.no/smartserver/about (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programfiler\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EC..._1023_EN_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093604928327
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.icanal.no/spill/commerce/catalo...es/ExentCtl.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131673587890
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/er...eInstall_no.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/er...eInstall_no.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A7799A6-2415-4EF1-B321-2402D6C59907}: NameServer = 193.213.112.4 130.67.60.68
O20 - Winlogon Notify: HxP - HxP (file missing)
O20 - Winlogon Notify: winbhg32 - winbhg32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 16124 bytes


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 06 April 2008 - 06:33 AM

Hello and welcome to BleepingComputer. :blink:

One or more of the identified infections is a backdoor trojan. :thumbsup:

You have a very severely infected system -- likely because of the lack of antivirus & firewall software.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee it will be 100% secure afterwards. Let me know what you decide to do.
Hi there, stranger!
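As an added example, not code from this thread or from any BleepingComputer tool: a Python triage script over the HijackThis line types Rawe is reading here (R0/R1 browser values, O2 BHOs, O4 Run entries, O20 Winlogon Notify), flagging the patterns visible in the log in post #1. The sample lines are copied from that log; the host and executable allowlists and the category names are assumptions.

```python
"""Triage helper for the HijackThis line types seen in this thread.

Flags: browser start/search values pointing at a host outside an allowlist,
BHOs whose file is missing, Winlogon Notify packages (these DLLs are loaded
into winlogon.exe at logon, so each one deserves review), Run entries that
launch a path-less executable under a Microsoft-sounding name, and the same
path-less executable registered under several Run keys / hives.
All allowlists below are constructed assumptions, not a vendor list.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of lines copied from the log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: (no name) - {6A3A1B52-F1D2-4FA6-B06D-689DF25E4CDE} - C:\WINDOWS\system32\vtutq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Systesms.exe] Systesms.exe
O4 - HKLM\..\RunServices: [Systesms.exe] Systesms.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Systesms.exe] Systesms.exe
O4 - HKUS\S-1-5-18\..\Run: [Systesms.exe] Systesms.exe (User 'SYSTEM')
O20 - Winlogon Notify: winbhg32 - winbhg32.dll (file missing)
"""

RE_R = re.compile(r"^R[01] - (?P<key>HK\w+\\[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Hosts the browser defaults on this machine legitimately point at (assumption).
ALLOWED_HOSTS = ("about:blank", "msn.no", "msn.com", "microsoft.com", "online.no")
# Path-less Run commands that are expected on this box (assumption).
KNOWN_BARE = {"ctfmon.exe", "regsvr32.exe", "cthelper.exe"}
# Words used to make an autostart name look like a vendor component.
IMPERSONATION = ("microsoft", "windows", "update", "java", "office")


def _allowed(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def triage(log_text):
    """Return (category, detail) pairs for the suspicious lines in a log."""
    findings = []
    bare_seen = defaultdict(set)  # exe -> {(hive, key)} where it autostarts
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = RE_R.match(line)
        if m:
            # Only URL-carrying values; "Window Title" and friends are skipped.
            if re.search(r"(Page|URL|_bak)$", m.group("value"), re.I):
                data = m.group("data").strip()
                host = urlsplit(data).netloc or data  # bare hostnames have no netloc
                if not _allowed(host):
                    findings.append(("browser-hijack", line))
            continue
        m = RE_O2.match(line)
        if m:
            if "(file missing)" in m.group("path") or "(no file)" in m.group("path"):
                findings.append(("orphan-bho", line))
            continue
        m = RE_O20.match(line)
        if m:
            findings.append(("winlogon-notify", line))
            continue
        m = RE_O4.match(line)
        if m:
            # Drop the trailing "(User '...')" suffix HijackThis adds for HKUS hives.
            cmd = re.sub(r"\s*\(User '[^']*'\)$", "", m.group("cmd")).split()
            exe = cmd[0].strip('"').lower() if cmd else ""
            if exe and "\\" not in exe and ":" not in exe and exe not in KNOWN_BARE:
                bare_seen[exe].add((m.group("hive"), m.group("key")))
                if any(w in m.group("name").lower() for w in IMPERSONATION):
                    findings.append(("masquerading-autostart", line))
    # A path-less binary planted in three or more autostart locations is a
    # strong signal on its own, whatever its display name.
    for exe, places in sorted(bare_seen.items()):
        if len(places) >= 3:
            findings.append(("replicated-autostart",
                             f"{exe} registered in {len(places)} Run keys"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```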

#3 Bodhi Bloodwave

Bodhi Bloodwave
  • Topic Starter
  • Members
  • 31 posts
  • Gender: Male
  • Location: Norway

Posted 06 April 2008 - 06:50 AM

Cleaning it should be enough. I don't really use it for any banking or other financial transactions, and there is very little else of 'sensitive' value on my computer.

Besides, I can't really reinstall the OS, as I bought my computer used and no Windows CD came with the purchase.

Edited by Bodhi Bloodwave, 06 April 2008 - 06:53 AM.


#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 06 April 2008 - 06:57 AM

Well, that figures. Let's get started! :thumbsup:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support. (PersonalEdition Premium now has a free license for 183 days here)
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

Setup / installation guide for Avast! 4 Home Edition.
Setup / installation guide for AVG Anti-Virus Free Edition.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

------

Then, please follow the instructions for downloading & running ComboFix here. Post back with its log. :blink:
Hi there, stranger!

#5 Bodhi Bloodwave

Bodhi Bloodwave
  • Topic Starter
  • Members
  • 31 posts
  • Gender: Male
  • Location: Norway

Posted 06 April 2008 - 11:19 AM

Well, that took a bit longer than expected. Avast found something on my computer and rebooted wanting a very, very detailed scan, so I let it do that. I was also forced to restart the ComboFix program since it froze for some reason. Here is the log:

Sidenote: after running Avast and this ComboFix, it's also a lot slower for some reason.

ComboFix 08-04-04.1 - pitbull 2008-04-06 17:59:44.3 - NTFSx86
Running from: C:\Documents and Settings\pitbull\Skrivebord\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\d.exe
C:\Documents and Settings\pitbull\Mine dokumenter\CROSOF~1.NET
C:\Programfiler\Fellesfiler\uninstall information
C:\Programfiler\pedevice
C:\Programfiler\pedevice\communication.xml
C:\Programfiler\pedevice\Domain.Watchlist.txt
C:\Programfiler\pedevice\fixit2.exe
C:\Programfiler\pedevice\pae-options.xml
C:\Programfiler\pedevice\pae_url.xml
C:\Programfiler\pedevice\PeDev.dll
C:\Programfiler\pedevice\pedevPS.dll
C:\Programfiler\pedevice\search.watchlist.txt
C:\Programfiler\pedevice\statistic.xml
C:\Programfiler\pedevice\tmp\tmp.html
C:\Programfiler\pedevice\watchlist.xml
C:\WINDOWS\Downloaded Program Files\egauth.inf
C:\WINDOWS\Downloaded Program Files\nethv32.inf
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\tmlpcert2005

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POOF
-------\Legacy_{FBE1D620-5418-4AAE-A0F0-316D590663A1}
-------\Service_{FBE1D620-5418-4aae-A0F0-316D590663A1}
-------\Service_hhlmken


((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 14:11 . 2008-04-06 14:11 <DIR> d-------- C:\Programfiler\Alwil Software
2008-04-06 14:11 . 2008-03-29 19:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-06 14:11 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-06 14:11 . 2008-03-29 19:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-06 14:11 . 2008-01-17 17:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-06 14:11 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-06 14:11 . 2008-03-29 19:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-06 14:11 . 2008-03-29 19:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-06 14:11 . 2008-03-29 19:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-06 14:11 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-03 13:12 . 2004-08-04 10:03 130,048 --a------ C:\WINDOWS\system32\intl.cpl
2008-04-03 13:12 . 2004-08-04 10:03 130,048 --a--c--- C:\WINDOWS\system32\dllcache\intl.cpl
2008-04-03 11:58 . 2005-08-23 16:00 90,112 --a------ C:\WINDOWS\system32\sysadm.sys
2008-03-27 15:35 . 2008-03-27 17:40 <DIR> d-------- C:\Documents and Settings\pitbull\Programdata\Command & Conquer 3 Kane's Wrath
2008-03-22 23:57 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-22 23:57 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-22 23:57 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-22 23:56 . 2008-03-22 23:56 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2008-03-22 23:53 . 2008-03-22 23:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-22 23:53 . 2008-03-22 23:54 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-22 04:20 . 2008-03-22 06:07 <DIR> d-------- C:\Documents and Settings\pitbull\.housecall6.6
2008-03-22 04:01 . 2008-03-22 04:01 <DIR> d-------- C:\Programfiler\Trend Micro
2008-03-21 09:55 . 2008-03-21 18:05 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP
2008-03-21 09:51 . 2008-03-21 09:51 <DIR> d-------- C:\Programfiler\SpywareBlaster
2008-03-20 20:34 . 2008-03-21 18:45 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-03-20 20:33 . 2008-03-20 20:33 19,968 -r-h----- C:\WINDOWS\system32\svch7t.exe
2008-03-20 20:33 . 2008-03-20 20:33 19,968 --a------ C:\cysdos.exe
2008-03-20 20:33 . 2008-03-20 20:33 2 --a------ C:\-536543998
2008-03-15 04:21 . 2008-03-15 04:21 53,760 --a------ C:\WINDOWS\system32\drivers\SSHDRV76.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 18:25 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-04-03 12:11 --------- d-----w C:\Programfiler\MSN Messenger
2008-03-26 03:12 --------- d-----w C:\Programfiler\TVUPlayer
2008-03-22 16:01 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-03-22 15:56 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-03-22 03:57 --------- d-----w C:\Programfiler\DAEMON Tools Pro
2008-03-22 03:57 --------- d-----w C:\Programfiler\CureROM
2008-03-22 03:57 --------- d-----w C:\Programfiler\ArtMoney
2008-03-21 17:50 --------- d-----w C:\Programfiler\AdVantage
2008-03-20 19:19 --------- d-----w C:\Programfiler\SpywareGuard
2008-03-15 16:44 --------- d-----w C:\Programfiler\Cheat Engine
2008-03-15 00:11 --------- d-----w C:\Documents and Settings\pitbull\Programdata\OpenOffice.org2
2008-03-02 17:15 --------- d-----w C:\Programfiler\TibEd 2
2008-03-02 17:14 --------- d-----w C:\Programfiler\TibEd
2008-02-24 09:37 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
2008-02-23 08:01 --------- d-----w C:\Documents and Settings\pitbull\Programdata\Imperium Romanum
2008-02-23 08:00 159,319 ----a-w C:\WINDOWS\Imperium Romanum Uninstaller.exe
2008-02-23 07:46 --------- d-----w C:\Programfiler\ProtectDisc Driver Installer
2008-02-19 22:36 --------- d-----w C:\Programfiler\OpenAL
2008-02-08 16:04 --------- d-----w C:\Documents and Settings\All Users\Programdata\DAEMON Tools Pro
2008-02-08 15:56 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-02-08 15:24 --------- d-----w C:\Programfiler\DaemonTools_WhenUSave_Installer
2008-02-08 15:23 --------- d-----w C:\Documents and Settings\pitbull\Programdata\DAEMON Tools Pro
2004-09-26 19:53 56 --sh--r C:\WINDOWS\system32\46FEC201D8.sys
2007-04-28 23:30 605,317 --sh--w C:\WINDOWS\system32\bbeeg.bak1
2007-04-28 00:21 607,912 --sh--w C:\WINDOWS\system32\bbeeg.bak2
2007-05-01 15:17 628,333 --sh--w C:\WINDOWS\system32\bbeeg.ini2
2004-09-27 10:27 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_17.05.28.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-06 15:50:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A3A1B52-F1D2-4FA6-B06D-689DF25E4CDE}]
C:\WINDOWS\system32\vtutq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]
"Microsoft Office"="lserv.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Update Machine"="ngazfyc.exe" []
"oriz"="C:\PROGRA~1\COMMON~1\oriz\orizm.exe" [ ]
"Microsoft Update Emulator"="winmfg.exe" []
"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="C:\Programfiler\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2002-12-19 08:59 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 10:03 11776 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Programfiler\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"CTStartup"="C:\Programfiler\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 01:04 49152]
"Microsoft Office"="lserv.exe" []
"Microsoft Update Machine"="ngazfyc.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []
"start_forbruksmåler"="C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe" [ ]
"ISUSPM Startup"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"Sys Ren"="C:\WINDOWS\SysRen.exe" [ ]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50 155648]
"wnif"="C:\WINDOWS\wnif.exe" [ ]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"Microsoft Update Emulator"="winmfg.exe" []
"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"Oxcrlt"="C:\Program Files\Twcyth\Jlnw.exe" [ ]
"csairh"="c:\windows\system32\vczyrtf.exe" [ ]
"eigffo"="C:\WINDOWS\System32\vncluau.exe" [ ]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [ ]
"SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="msconfg.exe" []
"Microsoft Update Emulator"="winmfg.exe" []
"Microsoft Office"="lserv.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]
"Microsoft Update"="msconfg.exe" []
"Microsoft Update Emulator"="kernel-mon.exe" []
"Microsoft Office"="lserv.exe" []
"Microsoft Update Machine"="ngazfyc.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []

C:\Documents and Settings\pitbull\Start-meny\Programmer\Oppstart\
SpywareGuard.lnk - C:\Programfiler\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-01-24 01:31:04 25214]
WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2005-07-08 23:28:33 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HxP]
HxP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbhg32]
winbhg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"vidc.VP60"= C:\WINDOWS\system32\vp6vfw.dll
"vidc.VP61"= C:\WINDOWS\system32\vp6vfw.dll
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.WMV3"= wmv9vcm.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"msacm.ac3acm"= ac3acm.acm
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\spill\\SecondLife\\SecondLife.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\BitLord\\BitLord.exe"=
"C:\\Programfiler\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Programfiler\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programfiler\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"C:\\Programfiler\\Shareaza\\Shareaza.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"E:\\ZMUD\\zmud555_Loader.exe"=
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"C:\\Programfiler\\TVUPlayer\\TVUPlayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44494:TCP"= 44494:TCP:@xpsp2res.dll,-22005
"15037:TCP"= 15037:TCP:@xpsp2res.dll,-22005
"22608:TCP"= 22608:TCP:@xpsp2res.dll,-22005
"62327:TCP"= 62327:TCP:@xpsp2res.dll,-22005

R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys [2001-08-17 21:13]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 SSHDRV76;SSHDRV76;C:\WINDOWS\system32\drivers\SSHDRV76.sys [2008-03-15 04:21]
R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 10:19]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:08]
R2 DiCapi;Eicon CAPI 2.0-driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi20.sys [2001-08-17 21:13]
R2 X4HS32;X4HS32;C:\Programfiler\EXEtender\X4HS32.Sys [2003-12-02 13:26]
R2 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\XPROTECTOR.SYS [2005-02-12 00:36]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2003-01-06 09:24]
R3 DiWan;Eicon-driver for alle DIVA PnP-kort;C:\WINDOWS\system32\DRIVERS\DISDN\Diwan.sys [2001-08-17 21:14]
S3 efipsk;efipsk;C:\DOCUME~1\pitbull\LOKALE~1\Temp\efipsk.sys [2001-11-07 17:48]
S3 SetupNTGLM7X;SetupNTGLM7X;F:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a17c3d3b-2c77-11da-9d39-000c763f2d11}]
\Shell\AutoRun\command - H:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 18:04:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Programfiler\Creative\Splash Screen\CTEaxSpl.EXE" /run??Z?A~d???*?A~????????RE??????h?@?x?????B~D??????sx??s????????y??w????@@@????|D@@?????>??w????h97?H??????|???|???????|L(?sh97??????/?s????????D???????????????????+????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-06 18:08:03
ComboFix-quarantined-files.txt 2008-04-06 16:07:06
Pre-Run: 12,031,168,512 byte ledig
Post-Run: 12,014,669,824 byte ledig
.
2008-04-03 11:38:30 --- E O F ---

Edited by Bodhi Bloodwave, 06 April 2008 - 11:21 AM.


#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:48 AM

Posted 06 April 2008 - 01:37 PM

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download SDFix and save it to your desktop.
  • Double-click on SDFix.exe to extract the files to C:\SDFix
  • DO NOT use it just yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
5) Login to your usual account.
  • Once in Safe Mode, open the SDFix folder & double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with a fresh ComboFix log from a new scan. :thumbsup:
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Hi there, stranger!

#7 Bodhi Bloodwave

Bodhi Bloodwave
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:Norway
  • Local time:07:48 AM

Posted 06 April 2008 - 03:11 PM

Well, that ran a lot smoother this time around :blink: for that matter so does my computer speed-wise :thumbsup:

Here is the SDFix report:

SDFix: Version 1.167
Run by pitbull on 06.04.2008 at 21:45

Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\RBKBWAH.EXE - Deleted
C:\-53654~1 - Deleted
C:\TIMESTMP.TMP - Deleted
C:\Documents and Settings\All Users\Start-meny\Online Security Guide.url - Deleted
C:\Documents and Settings\All Users\Skrivebord\Security Troubleshooting.url - Deleted
C:\Documents and Settings\All Users\Start-meny\Security Troubleshooting.url - Deleted
C:\WINDOWS\system32\TFTP2752 - Deleted
C:\WINDOWS\system32\TFTP3988 - Deleted
C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 21:52:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000000
"hdf12"=hex:74,00,4a,34,61,c5,9c,4e,ad,ec,f2,cf,d6,4e,fc,b3,de,12,fc,27,51,..
"u0"=hex:03,00,00,00,00,00,00,00
"p0"="C:\Programfiler\DAEMON Tools Pro\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"hdf12"=hex:9e,ab,d1,87,53,fd,b5,2d,0a,51,41,68,9f,2e,bc,df,c7,44,f0,7b,25,..
"a0"=hex:20,01,00,00,71,a3,7a,6d,70,54,39,e4,51,3d,7e,dc,af,0e,fd,eb,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:e3,9c,5f,9b,31,f5,b7,df,f9,c7,43,f2,03,33,d2,6d,db,04,34,a6,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:e3,fc,4d,18,49,48,78,91,75,72,69,43,ce,4e,62,5c,50,12,c2,f3,aa,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,df,20,a4,0c,9c,0f,3a,e7,c3,bb,10,4e,cc,c5,02,7a,29,..
"hj34z0"=hex:d0,98,3e,48,6c,e6,06,3a,da,88,15,0e,bb,fd,9b,4c,89,d1,1e,f1,d8,..
"hj34z1"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
"hj34z2"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
"hj34z3"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
"hj34z4"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,df,20,a4,0c,f6,11,50,16,c3,bb,10,4e,cc,c5,02,7a,29,..
"hj34z0"=hex:d0,98,3e,48,6c,e6,06,3a,da,88,15,0e,bb,fd,9b,4c,89,d1,1e,f1,b0,..
"hj34z1"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
"hj34z2"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
"hj34z3"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
"hj34z4"=hex:5d,98,3e,48,14,e6,06,3a,db,88,14,0e,ba,fd,9b,4c,89,d1,1e,f1,d0,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:06a90097
"s2"=dword:4bf62f5e
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000000
"hdf12"=hex:74,00,4a,34,61,c5,9c,4e,ad,ec,f2,cf,d6,4e,fc,b3,de,12,fc,27,51,..
"u0"=hex:03,00,00,00,00,00,00,00
"p0"="C:\Programfiler\DAEMON Tools Pro\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"hdf12"=hex:9e,ab,d1,87,53,fd,b5,2d,0a,51,41,68,9f,2e,bc,df,c7,44,f0,7b,25,..
"a0"=hex:20,01,00,00,71,a3,7a,6d,70,54,39,e4,51,3d,7e,dc,af,0e,fd,eb,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:e3,9c,5f,9b,31,f5,b7,df,f9,c7,43,f2,03,33,d2,6d,db,04,34,a6,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:e3,fc,4d,18,49,48,78,91,75,72,69,43,ce,4e,62,5c,50,12,c2,f3,aa,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000000
"hdf12"=hex:74,00,4a,34,61,c5,9c,4e,ad,ec,f2,cf,d6,4e,fc,b3,de,12,fc,27,51,..
"u0"=hex:03,00,00,00,00,00,00,00
"p0"="C:\Programfiler\DAEMON Tools Pro\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"hdf12"=hex:9e,ab,d1,87,53,fd,b5,2d,0a,51,41,68,9f,2e,bc,df,c7,44,f0,7b,25,..
"a0"=hex:20,01,00,00,71,a3,7a,6d,70,54,39,e4,51,3d,7e,dc,af,0e,fd,eb,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:e3,9c,5f,9b,31,f5,b7,df,f9,c7,43,f2,03,33,d2,6d,db,04,34,a6,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:e3,fc,4d,18,49,48,78,91,75,72,69,43,ce,4e,62,5c,50,12,c2,f3,aa,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000000
"TracesSuccessful"=dword:00000000
"LastTraceFailure"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\0 \xc4]
"Order"=hex:08,00,00,00,02,00,00,00,0e,01,00,00,01,00,00,00,02,00,00,00,80,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :


files associated with the MBR Rootkit have been found, use GMER from http://www.gmer.net/gmer.zip to scan for Rootkits!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\spill\\SecondLife\\SecondLife.exe"="D:\\spill\\SecondLife\\SecondLife.exe:*:Enabled:Second Life"
"C:\\Programfiler\\Messenger\\msmsgs.exe"="C:\\Programfiler\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programfiler\\BitLord\\BitLord.exe"="C:\\Programfiler\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Programfiler\\Yahoo!\\Messenger\\YPager.exe"="C:\\Programfiler\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Programfiler\\Yahoo!\\Messenger\\YServer.exe"="C:\\Programfiler\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:YServer Module"
"C:\\Programfiler\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"="C:\\Programfiler\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"
"C:\\Programfiler\\Shareaza\\Shareaza.exe"="C:\\Programfiler\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"E:\\ZMUD\\zmud555_Loader.exe"="E:\\ZMUD\\zmud555_Loader.exe:*:Enabled:zmud555_Loader"
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"="C:\\Programfiler\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Programfiler\\TVUPlayer\\TVUPlayer.exe"="C:\\Programfiler\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programfiler\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe"
Sun 26 Sep 2004 56 ..SHR --- "C:\WINDOWS\system32\46FEC201D8.sys"
Fri 20 Apr 2007 571,295 ..SH. --- "C:\WINDOWS\system32\bbeeg.tmp"
Sun 29 Apr 2007 605,317 ..SH. --- "C:\WINDOWS\system32\bbeeg.bak1"
Sat 28 Apr 2007 607,912 ..SH. --- "C:\WINDOWS\system32\bbeeg.bak2"
Mon 27 Sep 2004 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 20 Mar 2008 19,968 ...HR --- "C:\WINDOWS\system32\svch7t.exe"
Sat 28 Aug 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 6 Sep 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Mon 6 Sep 2004 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Mon 6 Sep 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Sat 22 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 22 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 18 Mar 2003 1,060,864 A.SH. --- "C:\Programfiler\MegaDev\MD-Trainers\MegaTrainer XL\mfc71.dll"
Tue 18 Mar 2003 1,047,552 A.SH. --- "C:\Programfiler\MegaDev\MD-Trainers\MegaTrainer XL\mfc71u.dll"
Fri 21 Feb 2003 348,160 A.SH. --- "C:\Programfiler\MegaDev\MD-Trainers\MegaTrainer XL\msvcr71.dll"
Sat 28 Aug 2004 4,348 ...H. --- "C:\Documents and Settings\pitbull\Mine dokumenter\Min musikk\License Backup\drmv1key.bak"
Mon 12 Sep 2005 20 A..H. --- "C:\Documents and Settings\pitbull\Mine dokumenter\Min musikk\License Backup\drmv1lic.bak"
Mon 12 Sep 2005 488 A.SH. --- "C:\Documents and Settings\pitbull\Mine dokumenter\Min musikk\License Backup\drmv2key.bak"
Fri 4 Apr 2008 4,316 ...HR --- "C:\Documents and Settings\pitbull\Programdata\SecuROM\UserData\securom_v7_01.bak"
Fri 11 Nov 2005 6,008,862 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c4410bda4fba7c3fa99ac7b13cf68f64\BIT1.tmp"

Finished!


And here is the ComboFix

ComboFix 08-04-04.1 - pitbull 2008-04-06 21:59:49.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.202 [GMT 2:00]
Running from: C:\Documents and Settings\pitbull\Skrivebord\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 21:42 . 2008-04-06 21:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 21:37 . 2008-04-06 21:57 <DIR> d-------- C:\SDFix
2008-04-06 17:40 . 2004-08-04 10:03 130,048 --a------ C:\WINDOWS\system32\intl.cpl
2008-04-06 17:40 . 2004-08-04 10:03 130,048 --a--c--- C:\WINDOWS\system32\dllcache\intl.cpl
2008-04-06 16:30 . 2005-08-23 16:00 90,112 --a------ C:\WINDOWS\system32\sysadm.sys
2008-04-06 14:11 . 2008-04-06 14:11 <DIR> d-------- C:\Programfiler\Alwil Software
2008-04-06 14:11 . 2008-03-29 19:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-06 14:11 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-06 14:11 . 2008-03-29 19:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-06 14:11 . 2008-01-17 17:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-06 14:11 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-06 14:11 . 2008-03-29 19:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-06 14:11 . 2008-03-29 19:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-06 14:11 . 2008-03-29 19:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-06 14:11 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-27 15:35 . 2008-03-27 17:40 <DIR> d-------- C:\Documents and Settings\pitbull\Programdata\Command & Conquer 3 Kane's Wrath
2008-03-22 23:57 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-22 23:57 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-22 23:57 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-22 23:56 . 2008-03-22 23:56 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2008-03-22 23:53 . 2008-03-22 23:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-22 23:53 . 2008-03-22 23:54 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-22 04:20 . 2008-03-22 06:07 <DIR> d-------- C:\Documents and Settings\pitbull\.housecall6.6
2008-03-22 04:01 . 2008-03-22 04:01 <DIR> d-------- C:\Programfiler\Trend Micro
2008-03-21 09:55 . 2008-03-21 18:05 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP
2008-03-21 09:51 . 2008-03-21 09:51 <DIR> d-------- C:\Programfiler\SpywareBlaster
2008-03-20 20:33 . 2008-03-20 20:33 19,968 -r-h----- C:\WINDOWS\system32\svch7t.exe
2008-03-20 20:33 . 2008-03-20 20:33 19,968 --a------ C:\cysdos.exe
2008-03-15 04:21 . 2008-03-15 04:21 53,760 --a------ C:\WINDOWS\system32\drivers\SSHDRV76.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 16:26 --------- d-----w C:\Programfiler\SpywareGuard
2008-04-05 18:25 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-04-05 12:54 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-03 12:11 --------- d-----w C:\Programfiler\MSN Messenger
2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2008-03-27 13:34 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-26 03:12 --------- d-----w C:\Programfiler\TVUPlayer
2008-03-22 16:01 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-03-22 15:56 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-03-22 03:57 --------- d-----w C:\Programfiler\DAEMON Tools Pro
2008-03-22 03:57 --------- d-----w C:\Programfiler\CureROM
2008-03-22 03:57 --------- d-----w C:\Programfiler\ArtMoney
2008-03-21 17:50 --------- d-----w C:\Programfiler\AdVantage
2008-03-15 16:44 --------- d-----w C:\Programfiler\Cheat Engine
2008-03-15 00:11 --------- d-----w C:\Documents and Settings\pitbull\Programdata\OpenOffice.org2
2008-03-02 17:15 --------- d-----w C:\Programfiler\TibEd 2
2008-03-02 17:14 --------- d-----w C:\Programfiler\TibEd
2008-02-24 09:37 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
2008-02-23 08:01 --------- d-----w C:\Documents and Settings\pitbull\Programdata\Imperium Romanum
2008-02-23 08:00 159,319 ----a-w C:\WINDOWS\Imperium Romanum Uninstaller.exe
2008-02-23 07:46 --------- d-----w C:\Programfiler\ProtectDisc Driver Installer
2008-02-19 22:36 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-19 22:36 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-19 22:36 --------- d-----w C:\Programfiler\OpenAL
2008-02-08 16:04 --------- d-----w C:\Documents and Settings\All Users\Programdata\DAEMON Tools Pro
2008-02-08 15:56 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-02-08 15:24 --------- d-----w C:\Programfiler\DaemonTools_WhenUSave_Installer
2008-02-08 15:23 --------- d-----w C:\Documents and Settings\pitbull\Programdata\DAEMON Tools Pro
2004-09-26 19:53 56 --sh--r C:\WINDOWS\system32\46FEC201D8.sys
2007-04-28 23:30 605,317 --sh--w C:\WINDOWS\system32\bbeeg.bak1
2007-04-28 00:21 607,912 --sh--w C:\WINDOWS\system32\bbeeg.bak2
2007-05-01 15:17 628,333 --sh--w C:\WINDOWS\system32\bbeeg.ini2
2004-09-27 10:27 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_17.05.28.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-06 08:18:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-06 19:43:01 17,166,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-06 19:43:02 1,343,488 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-06 08:18:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-06 19:42:44 17,166,336 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-06 19:42:44 1,343,488 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-04-06 19:51:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A3A1B52-F1D2-4FA6-B06D-689DF25E4CDE}]
C:\WINDOWS\system32\vtutq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]
"Microsoft Java Windows Update"="aikjez.exe" []
"Systesms.exe"="Systesms.exe" []
"oriz"="C:\PROGRA~1\COMMON~1\oriz\orizm.exe" [ ]
"Microsoft Update Emulator"="winmfg.exe" []
"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="C:\Programfiler\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2002-12-19 08:59 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 10:03 11776 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Programfiler\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"CTStartup"="C:\Programfiler\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 01:04 49152]
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []
"start_forbruksmåler"="C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe" [ ]
"ISUSPM Startup"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"Sys Ren"="C:\WINDOWS\SysRen.exe" [ ]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50 155648]
"wnif"="C:\WINDOWS\wnif.exe" [ ]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"Microsoft Update Emulator"="winmfg.exe" []
"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"Oxcrlt"="C:\Program Files\Twcyth\Jlnw.exe" [ ]
"csairh"="c:\windows\system32\vczyrtf.exe" [ ]
"eigffo"="C:\WINDOWS\System32\vncluau.exe" [ ]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [ ]
"SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Emulator"="winmfg.exe" []
"Microsoft Office"="lserv.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]
"Microsoft Update Emulator"="kernel-mon.exe" []
"Microsoft Office"="lserv.exe" []
"Microsoft Update Machine"="ngazfyc.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []

C:\Documents and Settings\pitbull\Start-meny\Programmer\Oppstart\
SpywareGuard.lnk - C:\Programfiler\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-01-24 01:31:04 25214]
WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2005-07-08 23:28:33 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HxP]
HxP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbhg32]
winbhg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"vidc.VP60"= C:\WINDOWS\system32\vp6vfw.dll
"vidc.VP61"= C:\WINDOWS\system32\vp6vfw.dll
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.WMV3"= wmv9vcm.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"msacm.ac3acm"= ac3acm.acm
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\spill\\SecondLife\\SecondLife.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\BitLord\\BitLord.exe"=
"C:\\Programfiler\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Programfiler\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programfiler\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"C:\\Programfiler\\Shareaza\\Shareaza.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"E:\\ZMUD\\zmud555_Loader.exe"=
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"C:\\Programfiler\\TVUPlayer\\TVUPlayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44494:TCP"= 44494:TCP:@xpsp2res.dll,-22005
"15037:TCP"= 15037:TCP:@xpsp2res.dll,-22005
"22608:TCP"= 22608:TCP:@xpsp2res.dll,-22005
"62327:TCP"= 62327:TCP:@xpsp2res.dll,-22005

R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys [2001-08-17 21:13]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 SSHDRV76;SSHDRV76;C:\WINDOWS\system32\drivers\SSHDRV76.sys [2008-03-15 04:21]
R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 10:19]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:08]
R2 DiCapi;Eicon CAPI 2.0-driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi20.sys [2001-08-17 21:13]
R2 X4HS32;X4HS32;C:\Programfiler\EXEtender\X4HS32.Sys [2003-12-02 13:26]
R2 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\XPROTECTOR.SYS [2005-02-12 00:36]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2003-01-06 09:24]
R3 DiWan;Eicon-driver for alle DIVA PnP-kort;C:\WINDOWS\system32\DRIVERS\DISDN\Diwan.sys [2001-08-17 21:14]
S3 efipsk;efipsk;C:\DOCUME~1\pitbull\LOKALE~1\Temp\efipsk.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;F:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a17c3d3b-2c77-11da-9d39-000c763f2d11}]
\Shell\AutoRun\command - H:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 22:01:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Programfiler\Creative\Splash Screen\CTEaxSpl.EXE" /run??Z?A~d???*?A~????????jn??????h?@?x?????B~D??????sx??s?"??????y??w????@@@????|D@@?????>??w????h97?H??????|???|???????|L(?sh97??????/?s????????D???????????????????+????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-06 22:02:00
ComboFix-quarantined-files.txt 2008-04-06 20:01:56
ComboFix2.txt 2008-04-06 16:08:07
Pre-Run: 13,115,211,776 byte ledig
Post-Run: 13,097,254,912 byte ledig
.
2008-04-03 11:38:30 --- E O F ---
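The two ComboFix listings in this thread show how the helper reads the "Reg Loading Points" block: values whose metadata is an empty `[ ]`, bare file names with no path, and vendor-sounding names such as "Microsoft Update"="msconfg.exe" are the ones SDFix then removes from RunServices and HKU\.DEFAULT\...\Run. The following is an added example, not code from the thread, ComboFix or SDFix: it parses that block, applies those reading heuristics, and diffs a pre-fix listing against a post-fix one. The heuristics and the sample listing (a constructed subset of the posted logs) are the author's own.

```python
"""Triage helper for the "Reg Loading Points" block that ComboFix prints.

Added example (not from the thread, ComboFix or SDFix): parse the REGEDIT4-style
autostart listing, flag the entries an analyst reads first, and diff two listings.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "Name"="command" [metadata] -- ComboFix prints "[date time size]" (sometimes followed by
# the resolved path) when it can find the file, and an empty "[ ]" / "[]" when it cannot.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')


@dataclass(frozen=True)
class Entry:
    key: str       # registry key the value lives under
    name: str      # value name (what msconfig shows)
    command: str   # command line launched at logon
    meta: str      # ComboFix file metadata, "" when the file was not found


def parse_loading_points(text):
    """Return the autostart entries found in a ComboFix 'Reg Loading Points' listing."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append(Entry(key, m["name"], m["cmd"], m["meta"].strip()))
    return entries


def suspicion_reasons(e):
    """Analyst heuristics (author's own); an empty list means nothing looked odd."""
    reasons = []
    if not e.meta:
        reasons.append("ComboFix found no file for this command (empty [ ] metadata)")
        if "\\" not in e.command:
            reasons.append("bare file name with no path that ComboFix could not resolve")
    if e.key.lower().endswith("\\runservices"):
        reasons.append("RunServices is a Windows 9x-era key; XP does not use it, "
                       "but malware installers often write it anyway")
    if re.search(r"microsoft|windows update", e.name, re.I) and not re.search(
            r"microsoft|\\windows\\", e.command, re.I):
        reasons.append("Microsoft-sounding name, but the command is not in a Windows/Microsoft directory")
    return reasons


def removed_entries(before, after):
    """Entries present in the earlier listing but gone from the later one."""
    still_there = {(e.key, e.name, e.command) for e in after}
    return [e for e in before if (e.key, e.name, e.command) not in still_there]


# Constructed sample: a subset of the pre-SDFix ComboFix listing from this thread.
PRE_FIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2002-12-19 08:59 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50 155648]
"wnif"="C:\WINDOWS\wnif.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="msconfg.exe" []
"Microsoft Update Emulator"="winmfg.exe" []
"Microsoft Office"="lserv.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]
"Microsoft Update"="msconfg.exe" []
"Microsoft Update Emulator"="kernel-mon.exe" []
"Microsoft Office"="lserv.exe" []
"Microsoft Update Machine"="ngazfyc.exe" []
"Systesms.exe"="Systesms.exe" []
"Microsoft Java Windows Update"="aikjez.exe" []
"""

# Constructed post-fix listing: as in the second ComboFix log, the two
# "Microsoft Update"="msconfg.exe" values are gone after SDFix ran.
POST_FIX = "\n".join(l for l in PRE_FIX.splitlines() if "msconfg.exe" not in l)


def report(before_text, after_text):
    """Print the flagged entries of the first listing and what the second no longer has."""
    before, after = parse_loading_points(before_text), parse_loading_points(after_text)
    for e in before:
        short = e.key.rsplit("\\", 1)[-1]  # Run / RunServices
        for why in suspicion_reasons(e):
            print(f"{short}: {e.name!r} -> {e.command!r}: {why}")
    print("\nRemoved by the fix:")
    for e in removed_entries(before, after):
        print(f"  {e.key}: {e.name!r}={e.command!r}")


if __name__ == "__main__":
    report(PRE_FIX, POST_FIX)
```

Note that "CTHelper"="CTHELPER.EXE" is a bare file name too, but ComboFix resolved it and printed its path in the metadata, so it is not flagged; only unresolved bare names are.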

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:48 AM

Posted 06 April 2008 - 03:47 PM

Please download http://www2.gmer.net/mbr/mbr.exe to your desktop and double-click to run it.

If it produces a log, or otherwise informs you of its findings, please post them here....

Along with that, please download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply.

Hi there, stranger!

#9 Bodhi Bloodwave

Bodhi Bloodwave
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:Norway
  • Local time:07:48 AM

Posted 06 April 2008 - 03:56 PM

Just to make sure, I assume you want me to mark all my drives and not just the defaulted marked C: ?

Also the mbr file didn't seem to do anything

Edited by Bodhi Bloodwave, 06 April 2008 - 03:56 PM.


#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:48 AM

Posted 06 April 2008 - 04:00 PM

Leave the settings at the defaults. Make sure "Show All" isn't checkmarked, though.
Hi there, stranger!

#11 Bodhi Bloodwave

Bodhi Bloodwave
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Norway
  • Local time:07:48 AM

Posted 06 April 2008 - 04:11 PM

Here are the results from the default scan:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-06 23:10:17
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF52E4D98]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF52E4CB8]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF8373C70]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF52E512A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF52E48AA]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF83744FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF837FD50]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF52E4D2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF52E47C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF52E483C]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF837451E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF52E4E42]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF52E4E02]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xF837F4F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF52E4F84]

---- Kernel code sections - GMER 1.0.14 ----

? spdr.sys Systemet finner ikke angitt fil. !
? dimaint.sys Systemet finner ikke angitt fil. !
.text USBPORT.SYS!DllUnload F6B7862C 5 Bytes JMP 82AF41D8
.text ac85zbrj.SYS F68F7384 1 Byte [ 20 ]
.text ac85zbrj.SYS F68F7386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text ac85zbrj.SYS F68F73AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text ac85zbrj.SYS F68F73C4 3 Bytes [ 00, 00, 00 ]
.text ac85zbrj.SYS F68F73C9 1 Byte [ 00 ]
.text ...
? C:\DOCUME~1\pitbull\LOKALE~1\Temp\mbr.sys Systemet finner ikke angitt fil. !

---- User code sections - GMER 1.0.14 ----

.text C:\Programfiler\MSN Messenger\msnmsgr.exe[2744] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Programfiler\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82FDE2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F840893C] spdr.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8408990] spdr.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82AF42D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F83E8D92] spdr.sys
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlInitUnicodeString] 9252D2DB
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!swprintf] [804FC5C0] \WINDOWS\system32\ntoskrnl.exe (NT kjerne og system/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeSetEvent] 8E44C8C9
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoCreateSymbolicLink] A475EBF6
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoGetConfigurationInformation] AA7EE6FF
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] B863F1E4
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmFreeMappingAddress] B668FCED
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 0CB1670A
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 02BA6A03
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmUnmapIoSpace] 10A77D18
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 1EAC7011
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IofCompleteRequest] 349D532E
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 3A965E27
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IofCallDriver] 288B493C
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 26804435
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 7CE90F42
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoConnectInterrupt] 72E2024B
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoDetachDevice] 60FF1550
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeWaitForSingleObject] 6EF41859
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeInitializeEvent] 44C53B66
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 4ACE366F
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlInitAnsiString] 58D32174
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 56D82C7D
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoQueueWorkItem] 377A0CA1
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmMapIoSpace] 397101A8
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2B6C16B3
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoReportDetectedDevice] 25671BBA
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0F563885
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 015D358C
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!NlsMbCodePageTag] 13402297
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!PoRequestPowerIrp] 1D4B2F9E
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 472264E9
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 492969E0
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!sprintf] 5B347EFB
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 553F73F2
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ObfDereferenceObject] 7F0E50CD
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 71055DC4
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 63184ADF
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ZwClose] 6D1347D6
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] D7CADC31
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] D9C1D138
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CBDCC623
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!PoStartNextPowerIrp] C5D7CB2A
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!PoCallDriver] EFE6E815
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoCreateDevice] E1EDE51C
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] F3F0F207
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlQueryRegistryValues] FDFBFF0E
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ZwOpenKey] A792B479
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlFreeUnicodeString] A999B970
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoStartTimer] BB84AE6B
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeInitializeTimer] B58FA362
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoInitializeTimer] 9FBE805D
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeInitializeDpc] 91B58D54
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeInitializeSpinLock] 83A89A4F
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoInitializeIrp] 8DA39746
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ZwCreateKey] 00000063
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 0000007C
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 00000077
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ZwSetValueKey] 0000007B
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000F2
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 0000006B
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoStartPacket] 0000006F
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 000000C5
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 00000030
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoFreeMdl] 00000001
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmUnlockPages] 00000067
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 0000002B
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 000000FE
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 000000D7
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000AB
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000076
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoStartNextPacket] 000000CA
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeBugCheckEx] 00000082
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 000000C9
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeSetTimer] 0000007D
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeCancelTimer] 000000FA
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!_allmul] 00000059
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000047
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!_except_handler3] 000000F0
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!PoSetPowerState] 000000AD
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000D4
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000A2
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!_aulldiv] 000000AF
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!strstr] 0000009C
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!_strupr] 000000A4
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeQuerySystemTime] 00000072
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000C0
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeTickCount] 000000B7
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 000000FD
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoDeleteDevice] 00000093
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 00000026
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000036
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoAllocateIrp] 0000003F
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoAllocateMdl] 000000F7
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000CC
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00000034
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 000000A5
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 000000E5
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000F1
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoFreeIrp] 00000071
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!IoFreeWorkItem] 000000D8
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!InitSafeBootMode] 00000031
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlCompareMemory] 00000015
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 00000004
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!memmove] 000000C7
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!MmHighestUserAddress] 00000023
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[784] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[784] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018F73CC] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programfiler\Mozilla Firefox\firefox.exe[3164] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [018F7376] C:\PROGRA~1\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 82F6D1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{FC912E63-5FB3-4852-B0E7-2EAE9445788F} FF5751F8
Device \Driver\usbuhci \Device\USBPDO-0 8289B500
Device \Driver\usbuhci \Device\USBPDO-1 8289B500
Device \Driver\usbuhci \Device\USBPDO-2 8289B500
Device \Driver\usbehci \Device\USBPDO-3 827D0500

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_PNP9394 \Device\00000062 spdr.sys
Device \Driver\PCI_PNP9394 \Device\00000062 spdr.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 82FDC1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82FDC1F8
Device \FileSystem\Rdbss \Device\FsWrap FFBB7450
Device \Driver\Ftdisk \Device\HarddiskVolume3 82FDC1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82AB2680
Device \Driver\atapi \Device\Ide\IdePort0 82AB2680
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82AB2680
Device \Driver\atapi \Device\Ide\IdePort1 82AB2680
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82AB2680
Device \Driver\NetBT \Device\NetBt_Wins_Export FF5751F8
Device \Driver\NetBT \Device\NetbiosSmb FF5751F8
Device \Driver\sptd \Device\881098144 spdr.sys
Device \FileSystem\Srv \Device\LanmanServer FD9472D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7A7799A6-2415-4EF1-B321-2402D6C59907} FF5751F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 8289B500
Device \Driver\usbuhci \Device\USBFDO-1 8289B500
Device \Driver\usbuhci \Device\USBFDO-2 8289B500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver FF4CA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 826A4798
Device \Driver\usbehci \Device\USBFDO-3 827D0500
Device \FileSystem\MRxSmb \Device\LanmanRedirector FF4CA1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 826A4798
Device \FileSystem\Npfs \Device\NamedPipe 826FDA60
Device \Driver\Ftdisk \Device\FtControl 82FDC1F8
Device \FileSystem\Msfs \Device\Mailslot FFBAD440
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 829E3930
Device \Driver\Vax347s \Device\Scsi\Vax347s1 8280A008
Device \Driver\ac85zbrj \Device\Scsi\ac85zbrj1 82A64828
Device \Driver\ac85zbrj \Device\Scsi\ac85zbrj1Port4Path0Target0Lun0 82A64828
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target1Lun0 829E3930
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port3Path0Target0Lun0 8280A008
Device \Driver\d347prt \Device\Scsi\d347prt1 829E3930
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 829F7238
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 829F7238
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 829F7238
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 829F7238
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 829F7238
Device \FileSystem\Cdfs \Cdfs FF5781F8

---- Modules - GMER 1.0.14 ----

Module _________ F82EA000-F8302000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x00 0x4A 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programfiler\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9E 0xAB 0xD1 0x87 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE3 0x9C 0x5F 0x9B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE3 0xFC 0x4D 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xB0 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z1 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z2 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z3 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z4 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z0 0xB0 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z1 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z2 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z3 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z4 0x3D 0x98 0x25 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 111739031
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1274425182
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x00 0x4A 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programfiler\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9E 0xAB 0xD1 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE3 0x9C 0x5F 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE3 0xFC 0x4D 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x00 0x4A 0x34 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programfiler\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9E 0xAB 0xD1 0x87 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE3 0x9C 0x5F 0x9B ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE3 0xFC 0x4D 0x18 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\0 Ä
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\0 Ä@Order 0x08 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.14 ----
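As an added triage example (not from the thread, and not GMER's own code), the following Python parses the SSDT and kernel IAT sections of a GMER 1.0.14 log in the layout shown above and flags the patterns a helper reads for: SSDT hooks by a module with no vendor string, a driver whose imports resolve to no loaded module or to addresses below the 32-bit kernel range, and one driver's kernel imports redirected into another. The sample log, the thresholds and the KERNEL_BASE value are constructed assumptions.

```python
"""Triage helper for GMER 1.0.14 text logs: SSDT hooks and kernel IAT entries."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout GMER 1.0.14 writes (modelled on the log
# above, not a copy of a real scan). One SSDT hook or one IAT entry per line.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF52E47C8]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF83744FE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF52E4F84]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F840893C] spdr.sys
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!RtlInitUnicodeString] 9252D2DB
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!swprintf] [804FC5C0] \WINDOWS\system32\ntoskrnl.exe (NT kernel and system/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!KeSetEvent] 8E44C8C9
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[ntoskrnl.exe!ZwCreateKey] 00000063
IAT \SystemRoot\System32\Drivers\ac85zbrj.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[784] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(
    r"^IAT\s+(?P<module>[^\[\s]+)\[(?P<import_mod>[^!\]]+)!(?P<func>[^\]]+)\]\s+(?P<target>.*)$")
RESOLVED_RE = re.compile(r"^\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<resolved>\S+)")
# Assumption: lowest kernel-mode address on 32-bit Windows XP without /3GB.
KERNEL_BASE = 0x80000000


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


@dataclass
class ModuleStats:
    vendor: Optional[str] = None  # vendor half of the SSDT line's "(desc/vendor)"
    ssdt_hooks: List[str] = field(default_factory=list)
    iat_total: int = 0
    iat_unresolved: List[str] = field(default_factory=list)  # bare address, no owning module
    iat_invalid: List[str] = field(default_factory=list)     # address below KERNEL_BASE
    iat_redirected: List[str] = field(default_factory=list)  # resolved into a different driver


@dataclass
class Finding:
    module: str
    reason: str
    detail: str


def parse_gmer(log_text: str) -> Dict[str, ModuleStats]:
    """Collect per-module statistics from the System and Kernel IAT/EAT sections."""
    stats: Dict[str, ModuleStats] = OrderedDict()
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                st = stats.setdefault(basename(m["module"]), ModuleStats())
                st.vendor = m["desc"].rsplit("/", 1)[-1].strip()
                st.ssdt_hooks.append(m["func"])
        elif section == "Kernel IAT/EAT":
            m = IAT_RE.match(line)
            if not m:
                continue
            st = stats.setdefault(basename(m["module"]), ModuleStats())
            st.iat_total += 1
            label = f"{m['import_mod']}!{m['func']}"
            target = m["target"].strip()
            r = RESOLVED_RE.match(target)
            if r:
                # GMER mapped the pointer to a module; an ntoskrnl/HAL import
                # that now lands in some other driver has been redirected.
                if basename(r["resolved"]).lower() != m["import_mod"].lower():
                    st.iat_redirected.append(f"{label}->{basename(r['resolved'])}")
            elif re.fullmatch(r"[0-9A-Fa-f]+", target):
                st.iat_unresolved.append(label)
                if int(target, 16) < KERNEL_BASE:
                    st.iat_invalid.append(label)
    return stats


def triage(stats: Dict[str, ModuleStats]) -> List[Finding]:
    """Turn the statistics into review items (thresholds are assumptions)."""
    findings: List[Finding] = []
    for mod, st in stats.items():
        if st.ssdt_hooks and not st.vendor:
            findings.append(Finding(mod, "ssdt-no-vendor",
                                    f"SSDT hook(s) with no vendor: {', '.join(st.ssdt_hooks)}"))
        if st.iat_redirected:
            findings.append(Finding(mod, "iat-redirected", ", ".join(st.iat_redirected)))
        if st.iat_total >= 3 and len(st.iat_unresolved) * 2 > st.iat_total:
            findings.append(Finding(mod, "iat-unresolved",
                                    f"{len(st.iat_unresolved)}/{st.iat_total} imports map to no loaded module"))
        if st.iat_invalid:
            findings.append(Finding(mod, "iat-invalid-pointer",
                                    f"below 0x{KERNEL_BASE:08X}: {', '.join(st.iat_invalid)}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_gmer(SAMPLE_LOG)):
        print(f"{f.reason:20} {f.module:14} {f.detail}")
```

Findings are review items, not verdicts: SCSI emulation drivers such as sptd/spdr (DAEMON Tools) and Vax347/d347prt (Alcohol 120%), both present in the log above, hook and redirect by design and routinely appear in GMER output on clean machines.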

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 06 April 2008 - 04:46 PM

Your system is nicely infected .. :thumbsup:

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once we're finished.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
When disabled, please download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer. This is done so it can be re-enabled without problems after cleaning.

Please disable SpywareGuard.
Double-click the red SG icon in your system tray.
Click Options.
Under General, uncheck all 3 options, then click "Save Settings".
Close SpywareGuard.
We will re-enable it once your system is clean.

Then, please open Notepad and copy/paste the text in the quotebox into it.

Driver::
ac85zbrj
efipsk

File::
C:\WINDOWS\System32\vncluau.exe
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\wnif.exe
C:\WINDOWS\SysRen.exe
C:\WINDOWS\system32\svch7t.exe
C:\cysdos.exe
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini2

Folder::
C:\PROGRAM FILES\COMMON FILES\oriz
C:\Program Files\Twcyth

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A3A1B52-F1D2-4FA6-B06D-689DF25E4CDE}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Office"=-
"Microsoft Java Windows Update"=-
"Systesms.exe"=-
"Microsoft Update Machine"=-
"oriz"=-
"Microsoft Update Emulator"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Office"=-
"Microsoft Update Machine"=-
"Systesms.exe"=-
"Microsoft Java Windows Update"=-
"Sys Ren"=-
"wnif"=-
"Oxcrlt"=-
"csairh"=-
"eigffo"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"=-
"Microsoft Update Emulator"=-
"Microsoft Office"=-
"Systesms.exe"=-
"Microsoft Java Windows Update"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"=-
"Microsoft Update Emulator"=-
"Microsoft Office"=-
"Microsoft Update Machine"=-
"Systesms.exe"=-
"Microsoft Java Windows Update"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbhg32]


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------

Along with the ComboFix log,

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :blink:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Hi there, stranger!

#13 Bodhi Bloodwave

Bodhi Bloodwave
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Norway

Posted 06 April 2008 - 05:24 PM

*chuckles wryly* Must have been quite bad for you to call in another helper to look at my log as well :thumbsup:

Sidenote: my computer has crashed to a blue screen of death twice now, both times just after getting a ComboFix log. Is that a problem that happens at times?

Here is the Combo log:

ComboFix 08-04-04.1 - pitbull 2008-04-07 0:03:22.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.214 [GMT 2:00]
Running from: C:\Documents and Settings\pitbull\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\pitbull\Skrivebord\CFScript.txt
* Created a new restore point

FILE ::
C:\cysdos.exe
C:\WINDOWS\SysRen.exe
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\svch7t.exe
C:\WINDOWS\System32\vncluau.exe
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\wnif.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cysdos.exe
C:\Program Files\Twcyth
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\svch7t.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EFIPSK
-------\Service_efipsk


((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 23:58 . 2008-04-06 23:58 <DIR> d-------- C:\Documents and Settings\pitbull\Programdata\Malwarebytes
2008-04-06 23:57 . 2008-04-06 23:57 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-04-06 23:57 . 2008-04-06 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-04-06 22:53 . 2008-04-06 22:53 <DIR> d-------- C:\gmer
2008-04-06 22:53 . 2008-04-06 23:01 250 --a------ C:\WINDOWS\gmer.ini
2008-04-06 21:42 . 2008-04-06 21:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 21:37 . 2008-04-06 21:57 <DIR> d-------- C:\SDFix
2008-04-06 21:29 . 2004-08-04 10:03 130,048 --a------ C:\WINDOWS\system32\intl.cpl
2008-04-06 21:29 . 2004-08-04 10:03 130,048 --a--c--- C:\WINDOWS\system32\dllcache\intl.cpl
2008-04-06 20:20 . 2005-08-23 16:00 90,112 --a------ C:\WINDOWS\system32\sysadm.sys
2008-04-06 14:11 . 2008-04-06 14:11 <DIR> d-------- C:\Programfiler\Alwil Software
2008-04-06 14:11 . 2008-03-29 19:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-06 14:11 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-06 14:11 . 2008-03-29 19:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-06 14:11 . 2008-01-17 17:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-06 14:11 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-06 14:11 . 2008-03-29 19:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-06 14:11 . 2008-03-29 19:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-06 14:11 . 2008-03-29 19:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-06 14:11 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-27 15:35 . 2008-03-27 17:40 <DIR> d-------- C:\Documents and Settings\pitbull\Programdata\Command & Conquer 3 Kane's Wrath
2008-03-22 23:57 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-22 23:57 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-22 23:57 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-22 23:56 . 2008-03-22 23:56 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2008-03-22 23:53 . 2008-03-22 23:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-22 23:53 . 2008-03-22 23:54 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-22 04:20 . 2008-03-22 06:07 <DIR> d-------- C:\Documents and Settings\pitbull\.housecall6.6
2008-03-22 04:01 . 2008-03-22 04:01 <DIR> d-------- C:\Programfiler\Trend Micro
2008-03-21 09:55 . 2008-03-21 18:05 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP
2008-03-21 09:51 . 2008-03-21 09:51 <DIR> d-------- C:\Programfiler\SpywareBlaster
2008-03-15 04:21 . 2008-03-15 04:21 53,760 --a------ C:\WINDOWS\system32\drivers\SSHDRV76.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 16:26 --------- d-----w C:\Programfiler\SpywareGuard
2008-04-05 18:25 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-04-03 12:11 --------- d-----w C:\Programfiler\MSN Messenger
2008-03-26 03:12 --------- d-----w C:\Programfiler\TVUPlayer
2008-03-22 16:01 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-03-22 15:56 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-03-22 03:57 --------- d-----w C:\Programfiler\DAEMON Tools Pro
2008-03-22 03:57 --------- d-----w C:\Programfiler\CureROM
2008-03-22 03:57 --------- d-----w C:\Programfiler\ArtMoney
2008-03-21 17:50 --------- d-----w C:\Programfiler\AdVantage
2008-03-15 16:44 --------- d-----w C:\Programfiler\Cheat Engine
2008-03-15 00:11 --------- d-----w C:\Documents and Settings\pitbull\Programdata\OpenOffice.org2
2008-03-02 17:15 --------- d-----w C:\Programfiler\TibEd 2
2008-03-02 17:14 --------- d-----w C:\Programfiler\TibEd
2008-02-24 09:37 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
2008-02-23 08:01 --------- d-----w C:\Documents and Settings\pitbull\Programdata\Imperium Romanum
2008-02-23 08:00 159,319 ----a-w C:\WINDOWS\Imperium Romanum Uninstaller.exe
2008-02-23 07:46 --------- d-----w C:\Programfiler\ProtectDisc Driver Installer
2008-02-19 22:36 --------- d-----w C:\Programfiler\OpenAL
2008-02-08 16:04 --------- d-----w C:\Documents and Settings\All Users\Programdata\DAEMON Tools Pro
2008-02-08 15:56 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-02-08 15:24 --------- d-----w C:\Programfiler\DaemonTools_WhenUSave_Installer
2008-02-08 15:23 --------- d-----w C:\Documents and Settings\pitbull\Programdata\DAEMON Tools Pro
2004-09-26 19:53 56 --sh--r C:\WINDOWS\system32\46FEC201D8.sys
2004-09-27 10:27 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_17.05.28.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-06 08:18:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-06 19:43:01 17,166,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-06 19:43:02 1,343,488 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-06 08:18:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-06 19:42:44 17,166,336 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-06 19:42:44 1,343,488 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-04-06 20:53:53 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 18:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
+ 2008-04-06 20:53:53 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-04-06 22:07:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_608.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="C:\Programfiler\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2002-12-19 08:59 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 10:03 11776 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Programfiler\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"CTStartup"="C:\Programfiler\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 01:04 49152]
"start_forbruksmåler"="C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe" [ ]
"ISUSPM Startup"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50 155648]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"Microsoft Update Emulator"="winmfg.exe" []
"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [ ]
"SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

C:\Documents and Settings\pitbull\Start-meny\Programmer\Oppstart\
SpywareGuard.lnk - C:\Programfiler\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-01-24 01:31:04 25214]
WinZip Quick Pick.lnk - C:\Programfiler\WinZip\WZQKPICK.EXE [2005-07-08 23:28:33 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HxP]
HxP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"vidc.VP60"= C:\WINDOWS\system32\vp6vfw.dll
"vidc.VP61"= C:\WINDOWS\system32\vp6vfw.dll
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.WMV3"= wmv9vcm.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"msacm.ac3acm"= ac3acm.acm
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\spill\\SecondLife\\SecondLife.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\BitLord\\BitLord.exe"=
"C:\\Programfiler\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Programfiler\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programfiler\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"C:\\Programfiler\\Shareaza\\Shareaza.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"E:\\ZMUD\\zmud555_Loader.exe"=
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"C:\\Programfiler\\TVUPlayer\\TVUPlayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44494:TCP"= 44494:TCP:@xpsp2res.dll,-22005
"15037:TCP"= 15037:TCP:@xpsp2res.dll,-22005
"22608:TCP"= 22608:TCP:@xpsp2res.dll,-22005
"62327:TCP"= 62327:TCP:@xpsp2res.dll,-22005

R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys [2001-08-17 21:13]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 SSHDRV76;SSHDRV76;C:\WINDOWS\system32\drivers\SSHDRV76.sys [2008-03-15 04:21]
R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 10:19]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:08]
R2 DiCapi;Eicon CAPI 2.0-driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi20.sys [2001-08-17 21:13]
R2 X4HS32;X4HS32;C:\Programfiler\EXEtender\X4HS32.Sys [2003-12-02 13:26]
R2 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\XPROTECTOR.SYS [2005-02-12 00:36]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2003-01-06 09:24]
R3 DiWan;Eicon-driver for alle DIVA PnP-kort;C:\WINDOWS\system32\DRIVERS\DISDN\Diwan.sys [2001-08-17 21:14]
S3 SetupNTGLM7X;SetupNTGLM7X;F:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a17c3d3b-2c77-11da-9d39-000c763f2d11}]
\Shell\AutoRun\command - H:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 00:07:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Programfiler\Creative\Splash Screen\CTEaxSpl.EXE" /run??Z?A~d???*?A~?????????s??????h?@?x?????B~D??????sx??s?8??????y??w????@@@????|D@@?????>??w????h97?H??????|???|???????|L(?sh97??????/?s????????D???????????????????+????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-04-07 0:11:05 - machine was rebooted [pitbull]
ComboFix-quarantined-files.txt 2008-04-06 22:11:00
ComboFix2.txt 2008-04-06 20:02:02
ComboFix3.txt 2008-04-06 16:08:07
Pre-Run: 13,029,945,344 byte ledig
Post-Run: 13,013,065,728 byte ledig
.
2008-04-03 11:38:30 --- E O F ---

And the mbam log:

Malwarebytes' Anti-Malware 1.10
Database version: 597

Scan type: Quick Scan
Objects scanned: 28976
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
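As an added example (not code from this thread, from BleepingComputer or from ComboFix), here is a small Python script that reconciles the CFScript from the previous reply with the ComboFix log above: it reports which File::/Folder::/Driver:: targets the log confirms under "Other Deletions" and "Drivers/Services" (in the log as posted, vncluau.exe, vtutq.dll, wnif.exe, SysRen.exe and the ac85zbrj driver are not reported as deleted), and it lists Run-key values that ComboFix printed with an empty "[ ]" date/size field. The sample script and log text inside the block are shortened excerpts of what is posted here, and reading the empty bracket field as "ComboFix could not find the referenced file" is an assumption about ComboFix's output format; such entries can be leftovers of uninstalled software just as well as autoruns pointing at an already-removed file, so the script reports them for review rather than as verdicts.

```python
"""Reconcile a ComboFix CFScript with the ComboFix log it produced.

Added example, not a BleepingComputer or ComboFix tool. The section layout
it relies on (a "FILE ::" list, "((( Title )))" banners, REGEDIT4-style Run
values followed by a "[date time size]" field) is assumed from the posted log.
"""
import re

# Constructed sample: File::/Folder::/Driver:: parts of the CFScript from post #12.
CFSCRIPT = r"""
Driver::
ac85zbrj
efipsk

File::
C:\WINDOWS\System32\vncluau.exe
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\wnif.exe
C:\WINDOWS\SysRen.exe
C:\WINDOWS\system32\svch7t.exe
C:\cysdos.exe

Folder::
C:\Program Files\Twcyth
"""

# Constructed sample: shortened excerpt of the ComboFix log from post #13.
COMBOFIX_LOG = r"""
FILE ::
C:\cysdos.exe
C:\WINDOWS\SysRen.exe
C:\WINDOWS\system32\svch7t.exe
.

(((((((((( Other Deletions ))))))))))
.
C:\cysdos.exe
C:\Program Files\Twcyth
C:\WINDOWS\system32\svch7t.exe

(((((((((( Drivers/Services ))))))))))
.
-------\Legacy_EFIPSK
-------\Service_efipsk

(((((((((( Reg Loading Points ))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Programfiler\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"Microsoft Update Emulator"="winmfg.exe" []
"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05 81920]

**************************************************************************
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


def parse_cfscript(text):
    """Group CFScript lines under their 'Name::' section headers."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_log_sections(text):
    """Split a ComboFix log into {banner title: [content lines]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        banner = BANNER.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line.startswith("FILE ::"):
            current = "FILE"
            sections[current] = []
        elif line.startswith("****"):
            current = None  # separator that ends the loading-points dump
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def reconcile_files(script, log):
    """Which File::/Folder:: targets does 'Other Deletions' confirm as removed?"""
    targets = script.get("File", []) + script.get("Folder", [])
    deleted = {p.lower() for p in log.get("Other Deletions", [])}  # NTFS paths: case-insensitive
    confirmed = [p for p in targets if p.lower() in deleted]
    return confirmed, [p for p in targets if p.lower() not in deleted]


def reconcile_drivers(script, log):
    """Which Driver:: names appear as a removed Service_<name> entry?"""
    removed = {l.rsplit("\\", 1)[-1].lower() for l in log.get("Drivers/Services", [])}
    wanted = script.get("Driver", [])
    confirmed = [d for d in wanted if f"service_{d.lower()}" in removed]
    return confirmed, [d for d in wanted if d not in confirmed]


def orphan_autoruns(log):
    """Run-key values whose '[date time size]' field is empty (assumed: file not found).
    Review items only: uninstalled software leaves the same trace as deleted malware."""
    found, key = [], None
    for line in log.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = RUN_VALUE.match(line)
        if m and not m.group("meta").strip():
            found.append((key, m.group("name"), m.group("cmd")))
    return found


if __name__ == "__main__":
    script, log = parse_cfscript(CFSCRIPT), split_log_sections(COMBOFIX_LOG)
    for label, (ok, gone) in (("files/folders", reconcile_files(script, log)),
                              ("drivers", reconcile_drivers(script, log))):
        print(f"{label}: confirmed deleted {ok}; not reported by ComboFix {gone}")
    for key, name, cmd in orphan_autoruns(log):
        print(f"review autorun with no file metadata: [{key}] {name!r} -> {cmd!r}")
```

Running it on the full logs from this thread is a matter of pasting the complete CFScript and ComboFix.txt into the two constants; the section parser ignores everything it does not recognise, so the MBAM log or the catchme block at the end of ComboFix.txt do not disturb it.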

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 06 April 2008 - 05:38 PM

Sidenote: my computer has crashed to a blue screen of death twice now, both times just after getting a ComboFix log. Is that a problem that happens at times?

*Rawe hopes he didn't break anything ....

We are going to need to keep an eye on that one. If it was a BSOD just after running ComboFix, it was probably because of the infections.

However, THAT log is looking much better. :thumbsup:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the contents of the ActiveScan report.

Hi there, stranger!

#15 Bodhi Bloodwave

Bodhi Bloodwave
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Norway

Posted 06 April 2008 - 05:44 PM

Hmm, when clicking 'Scan your PC' I get a new window with the options 'scan now' and 'register'. The register page doesn't have any country, zip code and such, it only wants an email and password. I assume the whole country et al means you want me to register?

Edit: never mind, obviously the "check now" is "scan now" :thumbsup: I was just being too literal.

Edit 2: since it wouldn't run, I've registered and have the choice between a quick scan (5 min) and a full scan (1 hour). I'm guessing the quick scan is what you want?

Edited by Bodhi Bloodwave, 06 April 2008 - 05:52 PM.