
Computer Keeps Crashing! Virus?


  • This topic is locked
27 replies to this topic

#1 CrashCrashCrashCrash

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 16 September 2009 - 09:51 AM

Help!
I have had a crash while trying to post, so I am making this quick! It even changes the Microsoft system date and time, but not the BIOS. That has stopped, but it is still crashing. It will not run Stinger; I reinstalled McAfee. It shows a double ATI Catalyst graphic on the task bar for a couple of seconds!
Help! Gotta post this fast!

DDS (Ver_09-07-30.01) - FAT32x86
Run by Ian at 10:26:34.95 on Tue 09/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1174 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS2\system32\Ati2evxx.exe
C:\WINDOWS2\system32\svchost -k DcomLaunch
C:\WINDOWS2\system32\svchost -k rpcss
C:\WINDOWS2\System32\svchost.exe -k netsvcs
C:\WINDOWS2\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS2\system32\Ati2evxx.exe
C:\WINDOWS2\System32\svchost.exe -k NetworkService
C:\WINDOWS2\System32\svchost.exe -k LocalService
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS2\System32\alg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\Ian.KILLERROBOT\Desktop\dds.scr
C:\WINDOWS2\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197495474812
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197819881687
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows2\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows2\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows2\system32\drivers\xfilt.sys [2006-10-18 17920]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows2\system32\drivers\mfehidk.sys [2009-7-8 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-10 144704]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows2\system32\drivers\AtiHdmi.sys [2009-4-1 93184]
R3 DrmRDriverV32;DrmRDriverV32;c:\windows2\system32\drivers\DrmRDriverV32.sys [2008-3-6 513152]
R3 DrmRVideo32;DrmRVideo32;c:\windows2\system32\drivers\DrmRVideo32.sys [2008-3-6 3768]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows2\system32\drivers\mfeavfk.sys [2009-9-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows2\system32\drivers\mfebopk.sys [2009-9-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows2\system32\drivers\mfesmfk.sys [2009-9-10 40552]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [1980-1-1 305936]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 WMOptimizer;Windows Media Optimizer;c:\windows2\system32\svchost.exe -k wmosvr [2001-8-18 14336]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]
S3 hidmini;Filter Driver Service for HID-KMDF Interface layer;c:\windows2\system32\drivers\hidmini.sys [2008-12-19 3712]
S3 hidtopgun;HID Minidriver for EMS TopGun;c:\windows2\system32\drivers\hidtopgun.sys [2008-12-19 25728]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows2\system32\drivers\mferkdk.sys [2009-9-10 34248]
S3 NPF;NetGroup Packet Filter Driver;c:\windows2\system32\drivers\npf.sys [2003-4-4 30336]
S3 PCAlertDriver;PCAlertDriver;c:\program files\msi\pc alert 4\NTGLM7X.sys [2007-11-6 28160]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 RTCore32;RTCore32;\??\c:\documents and settings\ian.killerrobot\my documents\my documents\my documents\rmclock\rtcore32.sys --> c:\documents and settings\ian.killerrobot\my documents\my documents\my documents\rmclock\RTCore32.sys [?]
S3 SRTSERVERDAEMON;Titan FTP Server Daemon;c:\windows2\system32\srxTitan.exe [2008-4-27 3461120]
S3 tap0801;Smarthide TAP driver;c:\windows2\system32\drivers\tap0801.sys [2008-2-4 55808]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-09-14 23:26 <DIR> --d----- c:\program files\DAZ 3D
2009-09-10 04:27 8,487 a------- c:\windows2\system32\Config.MPF
2009-09-10 04:16 79,816 a------- c:\windows2\system32\drivers\mfeavfk.sys
2009-09-10 04:16 40,552 a------- c:\windows2\system32\drivers\mfesmfk.sys
2009-09-10 04:16 35,272 a------- c:\windows2\system32\drivers\mfebopk.sys
2009-09-10 04:16 120,136 a------- c:\windows2\system32\drivers\Mpfp.sys
2009-09-10 04:12 <DIR> --d----- c:\program files\common files\McAfee
2009-09-10 04:12 <DIR> --d----- c:\program files\McAfee.com
2009-09-10 04:12 <DIR> --d----- c:\program files\McAfee
2009-09-10 04:08 34,248 a------- c:\windows2\system32\drivers\mferkdk.sys
2009-09-10 04:00 <DIR> --d----- C:\mfe
2009-09-10 03:15 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Citrix
2009-09-10 03:09 61,224 a------- c:\documents and settings\ian.killerrobot\GoToAssistDownloadHelper.exe
2009-09-10 02:01 <DIR> --dsh--- C:\FOUND.007
2009-09-10 01:45 <DIR> --d----- c:\windows2\system32\wbem\Repository
2009-09-10 01:44 <DIR> --d----- c:\program files\common files\ATI Technologies
2009-09-10 01:44 <DIR> --d----- C:\ATI Demos
2009-09-09 13:11 153,088 -------- c:\windows2\system32\dllcache\triedit.dll
2009-09-09 05:33 <DIR> --dsh--- C:\FOUND.006
2009-09-04 21:44 <DIR> --dsh--- C:\FOUND.005
2009-08-20 14:15 <DIR> --dsh--- C:\FOUND.004
2009-08-18 16:30 <DIR> --d----- C:\VueScan
2009-08-16 23:19 <DIR> --dsh--- C:\FOUND.003

==================== Find3M ====================

2009-08-08 13:31 53,464 a------- c:\windows2\system32\GDIPFONTCACHEV1.DAT
2009-08-05 05:01 204,800 a------- c:\windows2\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows2\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows2\system32\deploytk.dll
2009-07-19 18:48 11,067,392 -------- c:\windows2\system32\dllcache\ieframe.dll
2009-07-19 09:19 5,937,152 -------- c:\windows2\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows2\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows2\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows2\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows2\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows2\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 -------- c:\windows2\system32\dllcache\msoe.dll
2009-07-03 13:09 915,456 a------- c:\windows2\system32\wininet.dll
2009-07-03 13:09 206,848 a------- c:\windows2\system32\dllcache\occache.dll
2009-07-03 13:09 1,208,832 -------- c:\windows2\system32\dllcache\urlmon.dll
2009-07-03 13:09 915,456 -------- c:\windows2\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows2\system32\dllcache\xpshims.dll
2009-07-03 13:09 594,432 a------- c:\windows2\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows2\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 184,320 a------- c:\windows2\system32\dllcache\iepeers.dll
2009-07-03 13:09 1,985,536 -------- c:\windows2\system32\dllcache\iertutil.dll
2009-07-03 13:09 246,272 -------- c:\windows2\system32\dllcache\ieproxy.dll
2009-07-03 13:09 25,600 -------- c:\windows2\system32\dllcache\jsproxy.dll
2009-07-03 13:09 386,048 -------- c:\windows2\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows2\system32\dllcache\ie4uinit.exe
2009-06-25 04:25 730,112 a------- c:\windows2\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows2\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows2\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows2\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows2\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows2\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows2\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows2\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows2\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows2\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows2\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows2\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 -------- c:\windows2\system32\dllcache\ksecdd.sys
2009-06-22 02:44 726,528 a------- c:\windows2\system32\dllcache\jscript.dll
2008-06-18 22:50 32,768 a--sh--- c:\windows2\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061820080619\index.dat
2043-07-22 13:21 245,760 a--sh--- c:\windows2\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 10:28:09.10 ===============



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/15 10:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: abevtpo1.SYS
Image Path: C:\WINDOWS2\System32\Drivers\abevtpo1.SYS
Address: 0xB93C0000 Size: 303104 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP2032
Image Path: \Driver\PCI_NTPNP2032
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS2\system32\drivers\rootrepeal.sys
Address: 0xA9EE1000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xb9ece0b0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xb9ed3a92

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xb9ed3e20

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xb9ece090

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xb9ed3ef8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xb9ed3d78

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xb9ed3f8a

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a25fda8]
Process: System Address: 0x8a30e2a0 Size: 292

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a7511e8 Size: 463

Object: Hidden Code [Driver: abevtpo1ࠅ浍瑓ഠ널ࠂఈ浍浓벐話Ā, IRP_MJ_CREATE]
Process: System Address: 0x8a4281e8 Size: 463

Object: Hidden Code [Driver: abevtpo1ࠅ浍瑓ഠ널ࠂఈ浍浓벐話Ā, IRP_MJ_CLOSE]
Process: System Address: 0x8a4281e8 Size: 463

Object: Hidden Code [Driver: abevtpo1ࠅ浍瑓ഠ널ࠂఈ浍浓벐話Ā, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4281e8 Size: 463

Object: Hidden Code [Driver: abevtpo1ࠅ浍瑓ഠ널ࠂఈ浍浓벐話Ā, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4281e8 Size: 463

Object: Hidden Code [Driver: abevtpo1ࠅ浍瑓ഠ널ࠂఈ浍浓벐話Ā, IRP_MJ_POWER]
Process: System Address: 0x8a4281e8 Size: 463

Object: Hidden Code [Driver: abevtpo1ࠅ浍瑓ഠ널ࠂఈ浍浓벐話Ā, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4281e8 Size: 463

Object: Hidden Code [Driver: abevtpo1ࠅ浍瑓ഠ널ࠂఈ浍浓벐話Ā, IRP_MJ_PNP]
Process: System Address: 0x8a4281e8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a5601e8 Size: 194

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a51e320 Size: 386

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a51e320 Size: 386

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a51e320 Size: 386

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a51e320 Size: 386

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a51e320 Size: 386

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a51e320 Size: 386

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a51e320 Size: 386

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a7c71e8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a54b980 Size: 383

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a54b980 Size: 383

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a54b980 Size: 383

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a54b980 Size: 383

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a54b980 Size: 383

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a54b980 Size: 383

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a54b980 Size: 383

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a7531e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a5a51e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a5a51e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5a51e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5a51e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a5a51e8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a5a51e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a4081e8 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_CREATE]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_CLOSE]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_READ]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_CLEANUP]
Process: System Address: 0x8a268980 Size: 463

Object: Hidden Code [Driver: CdfsЅఈ浗灩, IRP_MJ_PNP]
Process: System Address: 0x8a268980 Size: 463

==EOF==

Edited by CrashCrashCrashCrash, 16 September 2009 - 10:39 AM.



#2 CrashCrashCrashCrash

CrashCrashCrashCrash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 24 September 2009 - 07:16 AM

Help! still crashing!

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 24 September 2009 - 09:46 PM.


#3 CrashCrashCrashCrash

CrashCrashCrashCrash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 26 September 2009 - 08:19 AM

Thank you:)

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:39 PM

Posted 30 September 2009 - 06:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 CrashCrashCrashCrash

CrashCrashCrashCrash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 01 October 2009 - 10:30 AM

Ok, Thanks. I am going to run the DDS again.

#6 CrashCrashCrashCrash

CrashCrashCrashCrash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 01 October 2009 - 12:45 PM

DDS (Ver_09-09-29.01) - FAT32x86
Run by Ian at 11:32:14.15 on Thu 10/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1461 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS2\system32\Ati2evxx.exe
C:\WINDOWS2\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS2\System32\svchost.exe -k netsvcs
C:\WINDOWS2\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS2\system32\Ati2evxx.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS2\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Ian.KILLERROBOT\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar =
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\audiod~1.lnk - c:\program files\via technologies, inc\via audio driver setup program\audiodeck\AudioDeck.exe
uPolicies-explorer: NoToolbarsCustomize = 0 (0x0)
uPolicies-explorer: NoSMConfigurePrograms = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-explorer: NoTrayItemsDisplay = 00000000
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197495474812
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197819881687
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows2\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows2\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows2\system32\drivers\xfilt.sys [2006-10-18 17920]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows2\system32\drivers\mfehidk.sys [2009-9-10 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-10 144704]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows2\system32\drivers\AtiHdmi.sys [2009-4-1 93184]
R3 DrmRDriverV32;DrmRDriverV32;c:\windows2\system32\drivers\DrmRDriverV32.sys [2008-3-6 513152]
R3 DrmRVideo32;DrmRVideo32;c:\windows2\system32\drivers\DrmRVideo32.sys [2008-3-6 3768]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows2\system32\drivers\mfeavfk.sys [2009-9-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows2\system32\drivers\mfebopk.sys [2009-9-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows2\system32\drivers\mfesmfk.sys [2009-9-10 40552]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 WMOptimizer;Windows Media Optimizer;c:\windows2\system32\svchost.exe -k wmosvr [2001-8-18 14336]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]
S3 hidmini;Filter Driver Service for HID-KMDF Interface layer;c:\windows2\system32\drivers\hidmini.sys [2008-12-19 3712]
S3 hidtopgun;HID Minidriver for EMS TopGun;c:\windows2\system32\drivers\hidtopgun.sys [2008-12-19 25728]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows2\system32\drivers\mferkdk.sys [2009-9-10 34248]
S3 NPF;NetGroup Packet Filter Driver;c:\windows2\system32\drivers\npf.sys [2003-4-4 30336]
S3 rootrepeal;rootrepeal;\??\c:\windows2\system32\drivers\rootrepeal.sys --> c:\windows2\system32\drivers\rootrepeal.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 RTCore32;RTCore32;\??\c:\documents and settings\ian.killerrobot\my documents\my documents\my documents\rmclock\rtcore32.sys --> c:\documents and settings\ian.killerrobot\my documents\my documents\my documents\rmclock\RTCore32.sys [?]
S3 SRTSERVERDAEMON;Titan FTP Server Daemon;c:\windows2\system32\srxTitan.exe [2008-4-27 3461120]
S3 tap0801;Smarthide TAP driver;c:\windows2\system32\drivers\tap0801.sys [2008-2-4 55808]
S3 Vsp;Vsp;c:\windows2\system32\drivers\vsp.sys [2009-10-1 3351]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-10-01 01:39 32,768 a------- c:\windows2\system32\UnAudioNT.dll
2009-10-01 01:39 3,351 a------- c:\windows2\system32\drivers\vsp.sys
2009-10-01 01:39 765,952 a------- c:\windows2\system\Crlds3d.dll
2009-10-01 01:39 720,896 a------- c:\windows2\system32\a3d.dll
2009-10-01 01:39 98,304 a------- c:\windows2\system32\dllcache\a3d.dll
2009-10-01 01:39 <DIR> --d----- c:\program files\VIA Technologies, Inc
2009-10-01 01:37 36,864 a------- c:\windows2\system32\drivers\AmdK8.sys
2009-09-30 08:17 <DIR> --dsh--- C:\FOUND.002
2009-09-26 09:40 <DIR> --dsh--- C:\FOUND.001
2009-09-26 08:44 <DIR> --dsh--- C:\FOUND.000
2009-09-26 07:59 1,105 a------- c:\windows2\ATICIM.INI
2009-09-23 03:41 593,920 -------- c:\windows2\system32\ati2sgag.exe
2009-09-23 03:04 <DIR> --d----- c:\program files\common files\ATI Technologies
2009-09-23 02:52 10 a------- c:\windows2\WININIT.INI
2009-09-21 09:49 <DIR> --d----- C:\Diamond
2009-09-16 09:47 6,322 a------- c:\windows2\system32\Config.MPF
2009-09-15 10:37 15 a------- c:\windows2\system32\settings.dat
2009-09-14 23:26 <DIR> --d----- c:\program files\DAZ 3D
2009-09-10 04:16 79,816 a------- c:\windows2\system32\drivers\mfeavfk.sys
2009-09-10 04:16 40,552 a------- c:\windows2\system32\drivers\mfesmfk.sys
2009-09-10 04:16 35,272 a------- c:\windows2\system32\drivers\mfebopk.sys
2009-09-10 04:16 214,024 a------- c:\windows2\system32\drivers\mfehidk.sys
2009-09-10 04:16 120,136 a------- c:\windows2\system32\drivers\Mpfp.sys
2009-09-10 04:12 <DIR> --d----- c:\program files\common files\McAfee
2009-09-10 04:12 <DIR> --d----- c:\program files\McAfee.com
2009-09-10 04:12 <DIR> --d----- c:\program files\McAfee
2009-09-10 04:08 34,248 a------- c:\windows2\system32\drivers\mferkdk.sys
2009-09-10 04:00 <DIR> --d----- C:\mfe
2009-09-10 03:15 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Citrix
2009-09-10 03:09 61,224 a------- c:\documents and settings\ian.killerrobot\GoToAssistDownloadHelper.exe
2009-09-10 01:45 <DIR> --d----- c:\windows2\system32\wbem\Repository
2009-09-09 13:11 153,088 -------- c:\windows2\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-04 17:44 515,416 a------- c:\windows2\system32\XAudio2_5.dll
2009-09-04 17:44 238,936 a------- c:\windows2\system32\xactengine3_5.dll
2009-09-04 17:44 69,464 a------- c:\windows2\system32\XAPOFX1_3.dll
2009-09-04 17:29 453,456 a------- c:\windows2\system32\d3dx10_42.dll
2009-09-04 17:29 235,344 a------- c:\windows2\system32\d3dx11_42.dll
2009-09-04 17:29 5,501,792 a------- c:\windows2\system32\d3dcsx_42.dll
2009-09-04 17:29 1,974,616 a------- c:\windows2\system32\D3DCompiler_42.dll
2009-09-04 17:29 1,892,184 a------- c:\windows2\system32\D3DX9_42.dll
2009-08-14 00:27 4,485,632 a------- c:\windows2\system32\drivers\ati2mtag.sys
2009-08-13 22:28 446,464 a------- c:\windows2\system32\ATIDEMGX.dll
2009-08-13 22:27 345,600 a------- c:\windows2\system32\ati2dvag.dll
2009-08-13 22:10 204,800 a------- c:\windows2\system32\atipdlxx.dll
2009-08-13 22:10 155,648 a------- c:\windows2\system32\Oemdspif.dll
2009-08-13 22:09 26,112 a------- c:\windows2\system32\Ati2mdxx.exe
2009-08-13 22:09 43,520 a------- c:\windows2\system32\ati2edxx.dll
2009-08-13 22:09 155,648 a------- c:\windows2\system32\ati2evxx.dll
2009-08-13 22:08 602,112 a------- c:\windows2\system32\ati2evxx.exe
2009-08-13 22:06 53,248 a------- c:\windows2\system32\ATIDDC.DLL
2009-08-13 22:00 311,296 a------- c:\windows2\system32\atiiiexx.dll
2009-08-13 21:58 3,492,576 a------- c:\windows2\system32\ati3duag.dll
2009-08-13 21:47 12,959,744 a------- c:\windows2\system32\atioglxx.dll
2009-08-13 21:42 2,081,920 a------- c:\windows2\system32\ativvaxx.dll
2009-08-13 21:42 887,724 a------- c:\windows2\system32\ativva6x.dat
2009-08-13 21:25 49,664 a------- c:\windows2\system32\atimpc32.dll
2009-08-13 21:25 49,664 a------- c:\windows2\system32\amdpcom32.dll
2009-08-13 21:21 561,152 a------- c:\windows2\system32\atikvmag.dll
2009-08-13 21:21 45,056 a------- c:\windows2\system32\aticalrt.dll
2009-08-13 21:20 45,056 a------- c:\windows2\system32\aticalcl.dll
2009-08-13 21:19 3,469,312 a------- c:\windows2\system32\aticaldd.dll
2009-08-13 21:19 163,840 a------- c:\windows2\system32\atiadlxx.dll
2009-08-13 21:18 17,408 a------- c:\windows2\system32\atitvo32.dll
2009-08-13 21:17 53,248 a------- c:\windows2\system32\drivers\ati2erec.dll
2009-08-13 21:17 376,832 a------- c:\windows2\system32\atiok3x2.dll
2009-08-13 21:12 614,400 a------- c:\windows2\system32\ati2cqag.dll
2009-08-08 13:31 53,464 a------- c:\windows2\system32\GDIPFONTCACHEV1.DAT
2009-08-05 05:01 204,800 a------- c:\windows2\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows2\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows2\system32\deploytk.dll
2009-07-19 18:48 11,067,392 -------- c:\windows2\system32\dllcache\ieframe.dll
2009-07-19 09:19 5,937,152 -------- c:\windows2\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows2\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows2\system32\dllcache\atl.dll
2009-07-14 11:09 197,654 a------- c:\windows2\system32\atiicdxx.dat
2009-07-13 23:43 286,208 a------- c:\windows2\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows2\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows2\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 -------- c:\windows2\system32\dllcache\msoe.dll
2009-07-03 13:09 915,456 a------- c:\windows2\system32\wininet.dll
2009-07-03 13:09 206,848 a------- c:\windows2\system32\dllcache\occache.dll
2009-07-03 13:09 1,208,832 -------- c:\windows2\system32\dllcache\urlmon.dll
2009-07-03 13:09 915,456 -------- c:\windows2\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows2\system32\dllcache\xpshims.dll
2009-07-03 13:09 594,432 a------- c:\windows2\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows2\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 184,320 a------- c:\windows2\system32\dllcache\iepeers.dll
2009-07-03 13:09 1,985,536 -------- c:\windows2\system32\dllcache\iertutil.dll
2009-07-03 13:09 246,272 -------- c:\windows2\system32\dllcache\ieproxy.dll
2009-07-03 13:09 25,600 -------- c:\windows2\system32\dllcache\jsproxy.dll
2009-07-03 13:09 386,048 -------- c:\windows2\system32\dllcache\iedkcs32.dll
2008-06-18 22:50 32,768 a--sh--- c:\windows2\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061820080619\index.dat
2043-07-22 13:21 245,760 a--sh--- c:\windows2\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 11:32:57.48 ===============

Computer freezes when using Firefox or IE or any program. Sometimes gets a BSOD; it just flashes, no time to read it. Reinstalled drivers for the 4650 ATI AGP I just bought, and updated AMD chip drivers. Killed McAfee, and it kept changing Windows time but not BIOS time, so not the battery. Help!
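The DPF and Firefox HiddenExtension entries in the log above carry Sun's Java family CLSIDs, where {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} stands for JRE 1.6.0_15 and {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} for 1.5.0_03. The script below is an added example, not part of this thread or of DDS; it pulls every Java version out of such lines, cross-checks the CLSID decoding against the jinstall URLs in the same lines (the decoding rule is inferred from those pairs), and lists the older versions a helper would ask to have uninstalled.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update), e.g. (1, 6, 0, 15)

# Family CLSID: {CAFEEFAC-<1.x digits>-<micro>-<update>-ABCDEFFEDCBA}.
# Decoding assumed from the log pairs: 0016 -> 1.6, 0015 -> 1.5, last field is
# the decimal update number (0015 -> update 15, 0003 -> update 3).
JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-ABCDEFFEDCBA\}", re.I
)
# Installer URL form: jinstall-1_6_0_15-windows-i586.cab
JINSTALL = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)", re.I)

# Sample input: lines copied from the DDS "Pseudo HJT Report" and FIREFOX
# sections of the log above (hxxp is DDS's own defanging of http).
SAMPLE_LINES = [
    "DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab",
    "DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab",
    "DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab",
    "DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab",
    "DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab",
    r"FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}",
]


def clsid_to_version(family: str, micro: str, update: str) -> Optional[Version]:
    """Decode the three variable CLSID fields; None for the FFFF wildcard.

    The all-F family CLSID is the "latest installed JRE" alias, not a
    specific version, so it is deliberately skipped.
    """
    if "F" in family.upper():
        return None
    # "0016" -> major 1, minor 6 (digits 3 and 4 of the field)
    return (int(family[2]), int(family[3]), int(micro, 10), int(update, 10))


def java_versions_in_log(lines: List[str]) -> Dict[Version, List[int]]:
    """Map every Java version mentioned in the lines to the 1-based line numbers."""
    found: Dict[Version, List[int]] = {}
    for lineno, line in enumerate(lines, 1):
        versions = set()
        m = JAVA_CLSID.search(line)
        if m:
            v = clsid_to_version(*m.groups())
            if v is not None:
                versions.add(v)
        m = JINSTALL.search(line)
        if m:
            versions.add(tuple(int(x) for x in m.groups()))  # type: ignore[arg-type]
        for v in versions:
            found.setdefault(v, []).append(lineno)
    return found


def stale_java(found: Dict[Version, List[int]]) -> Tuple[Optional[Version], List[Version]]:
    """Return (newest version seen, sorted list of every older version)."""
    if not found:
        return None, []
    newest = max(found)
    return newest, sorted(v for v in found if v != newest)


def fmt(v: Version) -> str:
    """Render a version tuple the way Sun's installers name it, e.g. 1.6.0_03."""
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


if __name__ == "__main__":
    found = java_versions_in_log(SAMPLE_LINES)
    newest, stale = stale_java(found)
    print(f"newest JRE referenced: {fmt(newest)} (lines {found[newest]})")
    for v in stale:
        print(f"older JRE still present: {fmt(v)} (lines {found[v]})")
```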

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:39 AM

Posted 08 October 2009 - 02:43 AM

Hi CrashCrashCrashCrash,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Do you have any idea what this file is?: antiwpa.dll

  • Please run DDS again and post the second log (attach.txt), not the one you have already posted.


#8 CrashCrashCrashCrash

CrashCrashCrashCrash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 08 October 2009 - 07:13 AM

Hi Farbar, I don't know what antiwpa.dll is.
I ran the DDS and made a zip file. I don't think the antiwpa.dll is the problem. I think it has to do either with the ATI 4650 AGP card (the drivers seem screwy) or a Firefox bug/virus. Firefox always starts up with the update page no matter what. The computer just randomly freezes and the screen goes dead. Sometimes when I restart I get chkdsk telling me McAfee antivirus files are corrupt. Once in a while it boots up and then gives me a BSOD, then reboots and gives me chkdsk. I don't know if it is hardware or software. Help, and thank you.

Attached File: Attach3.zip (5.26KB)

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:39 AM

Posted 08 October 2009 - 09:58 AM

Hi again,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name(s) suggest. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p (uTorrent, etc...) download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • You have Java™ 6 Update 15, which is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components:
    Click "Start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be populated; this may take a bit of time.
    Uninstall the following by clicking on each of these entries and selecting "Remove":

    J2SE Runtime Environment 5.0 Update 3
    Java™ 6 Update 3
    Java™ 6 Update 4
    Java™ 6 Update 5
    Java™ 6 Update 7


  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



#10 Farbar

Posted 12 October 2009 - 07:33 PM

Are you still there?

#11 CrashCrashCrashCrash

Posted 13 October 2009 - 10:11 AM

Hi, I keep getting crashes whenever I try to use this. I did everything you asked and it's still crashing. Thanks for your help.

#12 Farbar

Posted 13 October 2009 - 01:39 PM

I don't know what you mean by saying you have done everything; I have just started, and you have kept me waiting.
If you don't have time for this we can close the topic. I posted my initial fix 5 days ago and up to now have not seen that you have done what I asked, unless you don't read the posts.

So if this is the way you want to go on, we had better stop here. I will wait one more day and would like you to commit yourself or make clear that you don't have time for this. We have about 800 unanswered logs. It is not nice to ask for assistance and then not come back to your post, keeping the helper hanging. The volunteers here keep a limited number of logs open, as we also have a life to live.

Edited by farbar, 13 October 2009 - 01:49 PM.


#13 CrashCrashCrashCrash

Posted 14 October 2009 - 01:29 AM

I have uploaded the report. I am sorry that I have taken so long to reply; every time I have tried, my computer has frozen. Attached is the log of the MBAM report that found and removed suspicious files. Thanks again, and sorry.


#14 CrashCrashCrashCrash

Posted 14 October 2009 - 01:31 AM

Here's the log again ..

Malwarebytes' Anti-Malware 1.41
Database version: 2928
Windows 5.1.2600 Service Pack 3

10/9/2009 8:17:24 AM
mbam-log-2009-10-09 (08-17-24).txt

Scan type: Quick Scan
Objects scanned: 153388
Time elapsed: 13 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\svchost.exf (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
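
The MBAM log above is plain text with one "... Infected:" section per object type, and for registry data items MBAM prints both the value it found ("Bad") and the value it restored ("Good"). The following is an added example, not MBAM's code and not from the thread: a small parser for that format, with the sample input copied from the log posted above (trimmed to the relevant sections). The "tampering" grouping of detections that switched off or broke a Windows defence is my own triage heuristic, not an MBAM category; those are the items worth re-checking after the reboot, since the Security Center notification flag and the .reg file handler are exactly the kind of setting malware re-applies at startup.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example for this thread, not MBAM's own code. The log format is inferred
from the log posted above; SAMPLE_LOG is copied from that post, trimmed to the
sections that matter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2928
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 153388

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\oobe\AntiWPA_Crypt.dll (Hacktool) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\svchost.exf (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str                # e.g. "Files Infected"
    target: str                 # registry value or file path that was flagged
    detection: str              # MBAM detection name shown in parentheses
    action: str                 # what MBAM did, e.g. "Quarantined and deleted successfully."
    bad: Optional[str] = None   # registry data items only: value found
    good: Optional[str] = None  # registry data items only: value MBAM restored


SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")

# Detections meaning a Windows defence was switched off or broken rather than a
# file simply being dropped (my grouping, not an MBAM category).
TAMPER_DETECTIONS = {"Disabled.SecurityCenter", "Broken.OpenCommand"}


def parse_mbam_log(text: str) -> Dict[str, List[Finding]]:
    """Return {section name: [Finding, ...]} for every "... Infected:" section."""
    findings: Dict[str, List[Finding]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            findings.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue                      # header lines and empty sections
        m = ITEM_RE.match(line)
        if not m:
            continue                      # tolerate lines we do not understand
        rest = m.group("rest")
        bg = BAD_GOOD_RE.match(rest)
        if bg:
            f = Finding(section, m.group("target"), m.group("detection"),
                        bg.group("action"), bg.group("bad"), bg.group("good"))
        else:
            f = Finding(section, m.group("target"), m.group("detection"), rest)
        findings[section].append(f)
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Count findings per section, like the summary block at the top of the log."""
    return {name: len(items) for name, items in parse_mbam_log(text).items()}


def tampering_findings(findings: Dict[str, List[Finding]]) -> List[Finding]:
    """Findings that disabled or broke a Windows defence; see TAMPER_DETECTIONS."""
    return [f for items in findings.values() for f in items
            if f.detection in TAMPER_DETECTIONS]


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    for f in tampering_findings(result):
        print(f"{f.detection}: {f.target} was {f.bad!r}, restored to {f.good!r}")
```

Run stand-alone it prints the per-section counts (two registry data items, two files) and the two tampering items with their bad and restored values. The parser deliberately skips lines it does not understand rather than failing, so a log with extra sections or a newer MBAM wording still yields the findings it can read.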

#15 Farbar

Posted 14 October 2009 - 03:51 AM

No worries about the delay any more, and thanks for the log. If there is any difficulty, please post back, because feedback about any problem you are facing when running the tools can help us diagnose the problem.
  • Go to Start > right-click My Computer > Properties > Advanced tab > under the Startup and Recovery section click Settings. The option Automatically restart should be unchecked and the other two options should be checked. Under the Write debugging information section, under Small dump directory, the path to the mini dump folder is given. When the computer crashes, after the restart the system makes dump files (Minixxxxx.dmp, where x represents a number). After a crash you should go to that folder and find the mini dump file inside it to upload it.

    Note: %systemroot% usually means Windows so %systemroot%\Minidump is C:\Windows\Minidump

  • If still you could not find the file set Windows to show hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

  • Use the windows search advanced options:
    • Go to start -> Search -> click All files and folders.
    • Click More advanced options.
    • Put a check mark in the boxes next to Search system folders, Search hidden files and folders, and Search subfolders.
    • Make sure the Case sensitive box is not checked.
    • Type mini*.dmp in the upper box and click on search.
  • Zip the file and attach it to your reply. To attach the file:
    • When you press ADD REPLY, under the reply window press Browse... and show the path to the zip file on your computer:
    • Highlight the zip-file and click Open then press the green UPLOAD button.
    Alternatively, instead of zipping and attaching, you can upload the file to the following site and give me the link to the file:
    http://www.mediafire.com/

    Note: The old mini dump files might already have been removed, in which case you have to wait for the next crash and find the file before using cleanup utilities.

  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Open CCleaner.
    • Click Run Cleaner.
    • Close CCleaner.
  • It seems that chkdsk has already run a couple of times. Do you have the Windows CD, so that we can do another kind of scan to check the integrity of the system files? They can sometimes cause freezing or crashes if they get corrupted.
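
The Startup and Recovery dialog in the post is a front end for the registry key HKLM\SYSTEM\CurrentControlSet\Control\CrashControl: "Automatically restart" is AutoReboot, "Write an event to the system log" is LogEvent, the small-dump choice is CrashDumpEnabled = 3, and the dump folder is MinidumpDir. The following is an added example, not from the post: it checks those values for the settings the post asks for (so a crash leaves a Mini*.dmp instead of looking like a spontaneous reboot), then finds the newest dumps case-insensitively, as the post's search does, and zips them for attaching. The registry names are the real Windows ones; make_sample_minidump_dir() creates constructed fake dump files so the collection part runs on any platform, and the live registry read is skipped off Windows.

```python
"""Check the crash-dump settings the post asks for and bundle the newest minidumps.

Added example for this thread, not from the post. The registry key and value names
are the real ones behind the Startup and Recovery dialog; the sample dump files
created by make_sample_minidump_dir() are constructed, not real crash dumps.
"""
import os
import sys
import tempfile
import time
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# HKLM key behind Startup and Recovery > Settings.
CRASH_CONTROL_KEY = r"SYSTEM\CurrentControlSet\Control\CrashControl"
SMALL_MEMORY_DUMP = 3   # CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small (64 KB)


def read_crash_control() -> Optional[Dict[str, object]]:
    """Read the live values on Windows; returns None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg   # Windows only
    values: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CRASH_CONTROL_KEY) as key:
        for name in ("AutoReboot", "CrashDumpEnabled", "LogEvent", "MinidumpDir"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None
    return values


def check_crash_control(values: Dict[str, object]) -> List[str]:
    """Return the settings that differ from what the post asks for (empty = all good)."""
    problems = []
    if values.get("AutoReboot") != 0:       # "Automatically restart" must be unchecked
        problems.append("AutoReboot is on: the BSOD flashes by and looks like a spontaneous reboot")
    if values.get("CrashDumpEnabled") != SMALL_MEMORY_DUMP:
        problems.append("CrashDumpEnabled is not 3 (small memory dump): no Mini*.dmp is written")
    if values.get("LogEvent") != 1:         # "Write an event to the system log"
        problems.append("LogEvent is off: the crash is not recorded in the System event log")
    if not values.get("MinidumpDir"):
        problems.append("MinidumpDir is empty: nowhere to look for dumps")
    return problems


def default_minidump_dir() -> Path:
    # %systemroot% is usually C:\Windows, but the DDS log above shows C:\WINDOWS2 on
    # this machine, which is why the post says to read the path from the dialog.
    return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "Minidump"


def find_minidumps(minidump_dir: Path, newest: int = 5) -> List[Path]:
    """Newest Mini*.dmp files first, matched case-insensitively (the post says to
    leave 'Case sensitive' unchecked). An empty list means no dump yet: wait for
    the next crash and run this again before any cleanup utility removes it."""
    if not minidump_dir.is_dir():
        return []
    dumps = [p for p in minidump_dir.iterdir()
             if p.is_file() and p.name.lower().startswith("mini")
             and p.name.lower().endswith(".dmp")]
    dumps.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return dumps[:newest]


def zip_minidumps(dumps: List[Path], out_zip: Path) -> List[str]:
    """Bundle the dumps into one zip to attach to the reply; returns member names."""
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in dumps:
            zf.write(p, arcname=p.name)
    with zipfile.ZipFile(out_zip) as zf:
        return zf.namelist()


def make_sample_minidump_dir() -> Path:
    """Constructed stand-in for %systemroot%\\Minidump: three fake dumps of different
    ages plus an unrelated file, so the example runs on any platform."""
    d = Path(tempfile.mkdtemp(prefix="minidump-"))
    now = time.time()
    for name, age_s in [("Mini101309-01.dmp", 300), ("Mini101409-01.dmp", 10),
                        ("MINI101209-01.DMP", 600), ("notes.txt", 0)]:
        p = d / name
        p.write_bytes(b"PAGEDUMP" + b"\0" * 64)   # fake content, not a real dump
        os.utime(p, (now - age_s, now - age_s))
    return d


if __name__ == "__main__":
    live = read_crash_control()
    if live is not None:
        print("crash control problems:", check_crash_control(live) or "none")
    d = make_sample_minidump_dir()
    found = find_minidumps(d)
    print([p.name for p in found])
    print(zip_minidumps(found, d / "minidumps.zip"))
```

On the affected machine you would call find_minidumps(default_minidump_dir()) instead of the sample directory; reading HKLM\...\CrashControl needs no elevation, but changing it does, which is why the post has the user do that through the dialog.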




