Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys


  • This topic is locked This topic is locked
20 replies to this topic

#1 MikeWater

MikeWater

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 06 July 2009 - 09:36 PM

For a detailed description of my problem and what I've tried to fix it with, please go to this thread

DDS (Ver_09-06-26.01) - NTFSx86
Run by Mr. Roboto at 22:05:53.05 on Mon 07/06/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1054 [GMT -4:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Users\Mr. Roboto\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mr. Roboto\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101760&l=dis
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {DF4E7A0C-E233-4906-B4C1-A404356541FF} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [BitTorrent DNA] "c:\users\mr. roboto\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALuNotify.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/fdu/support/plugins/ebraryRdr.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxps://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://meetings.webex.com/client/T26L10NSP49/webex/ieatgpc1.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\mrdd4a~1.rob\appdata\roaming\mozilla\firefox\profiles\wiay3q1s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.nytimes.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\mr. roboto\appdata\roaming\mozilla\firefox\profiles\wiay3q1s.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\mr. roboto\program files\dna\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-3 101936]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-05 20:25 8,028 a------- c:\windows\system32\tmp.reg
2009-07-05 19:02 --d----- c:\users\mrdd4a~1.rob\appdata\roaming\Malwarebytes
2009-07-05 19:02 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 19:02 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-05 19:02 --d----- c:\programdata\Malwarebytes
2009-07-05 19:02 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 19:02 --d----- c:\progra~2\Malwarebytes
2009-07-04 13:25 --d----- c:\users\mr. roboto\DoctorWeb
2009-07-03 21:59 --d----- c:\program files\Uniblue
2009-07-03 15:59 --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-03 15:59 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-03 15:58 --d----- c:\users\mrdd4a~1.rob\appdata\roaming\SUPERAntiSpyware.com
2009-07-03 15:58 --d----- c:\program files\SUPERAntiSpyware
2009-07-03 15:57 --d----- c:\program files\common files\Wise Installation Wizard
2009-07-01 14:45 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-07-01 14:45 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-01 14:44 --d----- c:\program files\iPod
2009-07-01 14:44 --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-01 14:44 --d----- c:\program files\iTunes
2009-07-01 14:44 --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-01 14:42 --d----- c:\program files\Bonjour
2009-06-15 18:16 --d----- c:\users\mrdd4a~1.rob\appdata\roaming\webex
2009-06-15 18:02 --d----- c:\programdata\webex
2009-06-15 18:02 --d----- c:\progra~2\webex
2009-06-13 16:34 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-13 16:34 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 16:34 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-13 16:33 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 16:33 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-12 02:57 160,415 a------- c:\windows\hpqins00.dat
2009-06-11 02:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-11 02:43 636,928 a------- c:\windows\system32\localspl.dll
2009-06-11 02:43 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-08 03:22 197,848,029 a------- c:\windows\MEMORY.DMP

==================== Find3M ====================

2009-07-05 18:51 55,444 a------- c:\programdata\nvModes.dat
2009-07-05 18:51 55,444 a------- c:\progra~2\nvModes.dat
2009-07-04 13:02 130,349 a------- c:\windows\hpoins13.dat
2009-07-01 13:45 51,200 a------- c:\windows\inf\infpub.dat
2009-07-01 13:45 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-01 13:45 86,016 a------- c:\windows\inf\infstor.dat
2009-05-21 10:48 25,604 a------- c:\users\mrdd4a~1.rob\appdata\roaming\nvModes.dat
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-09-15 21:15 174 a--sh--- c:\program files\desktop.ini
2008-09-15 20:52 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:07:03.42 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 10 July 2009 - 01:35 PM

Hello MikeWater,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Mult-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ SE Runtime Environment 6
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.
*************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Symantec AntiVirus and Windows Defender before running ComboFix, as they will prevent it from running.


To disable Windows Defender
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.After all of the fixes are complete it is very important that you enable Real-time Protection again.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 11 July 2009 - 03:21 PM

HELP!

Okay, I just ran ComboFix following the exact instructions provided, and after it completed stage 50, it deleted a few things (unfortunately I cannot remember offhand what they were, though a couple said "Recycler" in the name). Next I expected to see a screen indicating that it was preparing a log report, but I didn't. Instead, it promptly went to a blue error/failure screen (again, it was all going too quick for me to really capture what the error was) and restarted. I was then met with a black windows error recovery screen notifying me that windows failed to start, and I tried starting windows normally but couldn't. This is the exact message I get:

File: \Windows\system32\config\system

Status: 0xc000014c

Info: Windows failed to load because the system registry file is missing, or corrupt.


When I opt for windows to start in its last known good configuration, I get the very same error message.

I haven't tried starting it in Safe Mode yet, but please let me know what I should do to remedy the situation as soon as possible.

Thank you for helping me.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 11 July 2009 - 04:46 PM

Hi Mike,

I have contacted my team members to have a look, so hang in there.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 11 July 2009 - 08:03 PM

Hi Mike,


I think you should use Vista's Starup Repair tool.
You need to boot from the Vista DVD and launch Startup Repair

Follow the directions in this tutorial:
How to automatically repair Windows Vista using Startup Repair

Edited by SifuMike, 11 July 2009 - 08:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 11 July 2009 - 09:48 PM

*Phew*

Okay, thank you for the prompt response. I wasn't sure if my Vista DVD would work because I got it as a free upgrade promotion for a Windows Vista capable machine rather than purchasing it for a new computer altogether. Everything seems to be restored to the state it was in before I downloaded the ComboFix software.

Clearly there is a problem with my computer since ComboFix didn't run properly. I don't know if it is related to that MSIV hidden service or what it is.


--Mike

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 11 July 2009 - 10:00 PM

Hi Mike,

Glad to hear it is up an running again. :thumbup2:

Sorry to give you premature white hair. LOL

I have sent a message to the ComboFix author, so he may want to see some files in order to track the problem.

Let me look in my tool box and find another tool.

Edited by SifuMike, 11 July 2009 - 10:01 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 12 July 2009 - 12:16 PM

Hi Mike,

Time to use a different tool.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
    If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTS.exe to your Desktop and double-click on it to extract the files. It will create a program named OTS on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTS folder and double-click on OTS.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the File age section click on 90 days.
  • Under Additional Scans click the EXTRAS button
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it.
  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/239473/cwindowssystem32driversmsivxjtxqgsqppimmmrtirhetwbskrwcydbmhsys/
  • Click Browse and select the OTS log
  • Under the comments section, say that SifuMike asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

Edited by SifuMike, 12 July 2009 - 04:02 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 12 July 2009 - 04:12 PM

Hey Mike,

Okay, I have uploaded the log for you.

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 12 July 2009 - 04:49 PM

Hi Mike,

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.
  • I think you have already downloaded RootRepeal, if not then download RootRepeal.zip and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:[list]
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Edited by SifuMike, 12 July 2009 - 04:52 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 12 July 2009 - 07:44 PM

Attached is my root repeal report.

--Mike

Attached Files



#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 12 July 2009 - 11:19 PM

Hi Mike,


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 13 July 2009 - 04:37 PM

Hey Mike, here is the contents of the log created by GMER. One thing I should note is that the one .sys listed under "Service" was the only line that was in red bold.


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-13 17:32:36
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 87147090 ZwAlertResumeThread
SSDT 87147170 ZwAlertThread
SSDT 8712C4C8 ZwAllocateVirtualMemory
SSDT 8714C8B8 ZwConnectPort
SSDT 87147D50 ZwCreateMutant
SSDT 8714B268 ZwCreateThread
SSDT 87127DA8 ZwFreeVirtualMemory
SSDT 87147E30 ZwImpersonateAnonymousToken
SSDT 87147F10 ZwImpersonateThread
SSDT 871451A0 ZwMapViewOfSection
SSDT 87147C70 ZwOpenEvent
SSDT 8714A0B0 ZwOpenProcessToken
SSDT 87147638 ZwOpenThreadToken
SSDT 8702A220 ZwResumeThread
SSDT 87147558 ZwSetContextThread
SSDT 87147008 ZwSetInformationProcess
SSDT 87147478 ZwSetInformationThread
SSDT 87147A10 ZwSuspendProcess
SSDT 871472B8 ZwSuspendThread
SSDT 87156970 ZwTerminateProcess
SSDT 87147398 ZwTerminateThread
SSDT 871455D8 ZwUnmapViewOfSection
SSDT 8713BD30 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 81CFD914 8 Bytes [90, 70, 14, 87, 70, 71, 14, ...] {NOP ; JO 0x17; XCHG [EAX+0x71], ESI; ADC AL, 0x87}
.text ntkrnlpa.exe!KeSetTimerEx + 364 81CFD928 4 Bytes [C8, C4, 12, 87] {ENTER 0x12c4, 0x87}
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81CFD9B8 4 Bytes JMP 9698923E
.text ntkrnlpa.exe!KeSetTimerEx + 428 81CFD9EC 4 Bytes [50, 7D, 14, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 454 81CFDA18 4 Bytes [68, B2, 14, 87]
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74F97BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74FD98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74F9D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74F8F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74F97599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74F8E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74FCB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74F9D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74F9012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74F90095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74F871F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7501D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74FB75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74F8DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74F8668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74F866BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74F91E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system

---- EOF - GMER 1.0.15 ----

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:22 PM

Posted 13 July 2009 - 05:59 PM

Hi Mike,

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.



Download The Avenger by Swandog46, and save it to your Desktop.
Click on Avenger.zip to open the file
Right click and extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it, right clicking and selecting Copy (Do not include the word Code):



Drivers to disable:
MSIVXserv.sys

Drivers to delete:
MSIVXserv.sys

Files to delete: 
C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys




Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start the Avenger by clicking on its icon on your desktop.
Click Posted Image
 to paste the script from the clipboard.
Click the Execute button
Answer Yes twice when prompted.The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avengers actions.
This log file will be located at C:\avenger.txt (considering your operating drive is C:).
Post back with it in your next reply.

Edited by SifuMike, 13 July 2009 - 08:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 13 July 2009 - 10:01 PM

Hey Mike,

For some reason I am unable to paste the log file here, so I am attaching it.

Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com

Platform: Windows Vista
******************* Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger

******************* Beginning to process script file: Rootkit scan active.
No rootkits found!
Driver "MSIVXserv.sys" disabled successfully.
Driver "MSIVXserv.sys" deleted successfully.

Error: file "C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys" not found! Deletion of file "C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing.

******************* Finished! Terminate.

Attached Files


Edited by SifuMike, 13 July 2009 - 10:07 PM.
insert Avenger log





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users