
All browsers (except Chrome) disabled !


7 replies to this topic

#1 very worry

Posted 14 December 2009 - 05:56 AM

This morning IE, FF and Opera are all dead. Only Google Chrome works!

I scanned the system with RootRepeal, HijackThis and DDS.

Please help!

Thanks!!

Here are the reports:

= = =============================

Root Repeal

= = =============================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 13:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: cpuz132_x32.sys
Image Path: C:\WINDOWS\system32\drivers\cpuz132_x32.sys
Address: 0xF0205000 Size: 12672 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: tap0901.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Address: 0xF6138000 Size: 25216 File Visible: - Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -

==EOF==


= = =============================

DDS

= = =============================


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 12:53:18.71 on Mon 12/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2772 [GMT -12:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Free Extended Task Manager\Extensions\TaskManager\ExtensionsTaskManager32.exe
C:\Program Files\Norton Security Scan\Engine\2.3.0.44\NSS.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\HousecallLauncher.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zS22.tmp\setup.exe
C:\Documents and Settings\Administrator\Desktop\avast_home_setup.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [openvpn-gui] c:\program files\ultravpn\bin\openvpn-gui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {D3D6DBB7-7AE8-47E2-A68D-004688814060} = 202.188.0.133 202.188.1.5
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - c:\program files\free extended task manager\extensions\taskmanager\ExtensionsTaskManager32.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4x3ekcqo.default\
FF - prefs.js: browser.startup.homepage - google.com.au
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4x3ekcqo.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-9-9 13696]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-31 12672]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-7 38224]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-10-28 30880]
S0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2007-3-26 16896]
S0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2007-3-26 52224]
S3 FXDrv32;FXDrv32;\??\g:\fxdrv32.sys --> g:\FXDrv32.sys [?]
S3 GPUTool;GPUTool;\??\c:\docume~1\admini~1\locals~1\temp\gputool.sys --> c:\docume~1\admini~1\locals~1\temp\GPUTool.sys [?]
S3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-10-31 4608]

=============== Created Last 30 ================

2009-12-08 00:41:38 0 d-----w- c:\windows\system32\drivers\NSS
2009-12-08 00:41:38 0 d-----w- c:\program files\Norton Security Scan
2009-12-08 00:37:32 0 d-----w- c:\program files\NortonInstaller
2009-12-08 00:32:24 0 d-----w- c:\program files\CCleaner
2009-12-08 00:30:23 0 d-----w- c:\program files\Trend Micro
2009-12-08 00:28:15 0 d--h--w- c:\windows\PIF
2009-12-08 00:13:06 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-12-08 00:13:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 00:13:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-08 00:13:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 00:13:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-07 18:15:03 0 d--h--w- c:\windows\system32\GroupPolicy
2009-12-06 18:54:58 63957 ----a-w- C:\xyz.png
2009-12-05 04:37:29 53784 ----a-w- C:\DNS.png
2009-11-26 09:14:22 0 d-----w- c:\program files\Free Download Manager
2009-11-23 21:24:59 0 d-----w- c:\windows\system32\Adobe
2009-11-22 22:20:59 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2009-11-22 19:04:01 0 d-----w- c:\windows\system32\oodag
2009-11-14 15:39:50 0 d-----w- c:\program files\LopeSoft
2009-11-11 11:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 11:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-10 19:29:47 0 d-----w- c:\program files\UltraVPN
2009-11-08 16:14:48 0 d-----w- c:\windows\pss

==================== Find3M ====================


============= FINISH: 12:53:33.01 ===============


= = =============================

Hijackthis

= = =============================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:22 PM, on 12/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Free Extended Task Manager\Extensions\TaskManager\ExtensionsTaskManager32.exe
C:\Program Files\Norton Security Scan\Engine\2.3.0.44\NSS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\UltraVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3D6DBB7-7AE8-47E2-A68D-004688814060}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 5032 bytes

= = =============================
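The RootRepeal driver listing in the post above is the most telling of the three logs: two drivers (rtqj.sys and uyowfi.sys) are reported with a bare file name instead of an on-disk path, "File Visible: No", and an identical size, while the scanner's own rootrepeal.sys is also hidden but lives under a normal path. As an added example (not part of the thread or of RootRepeal), this Python script parses that block format and flags such entries, with an allowlist for the scanner's own driver; the sample log, the allowlist and the heuristics are assumptions of this example.

```python
"""Triage helper for RootRepeal 'Drivers' scan output.

Added example, not part of the BleepingComputer thread or of RootRepeal
itself. It parses the Name / Image Path / Address / Size / File Visible /
Signed / Status blocks RootRepeal prints and flags drivers that have no
directory in their image path, are not visible on disk, or share an exact
image size with another flagged driver. The allowlist and heuristics are
assumptions based only on the log format shown in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's log (four entries).
SAMPLE_LOG = r"""
Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -
"""

# The scanner's own driver is expected to be hidden; assumed allowlist.
KNOWN_SCANNER_DRIVERS = {"rootrepeal.sys"}

ENTRY_RE = re.compile(
    r"Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<visible>\S+)\s+Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.+)"
)


@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str
    signed: str
    status: str


def parse_drivers(text: str) -> list[Driver]:
    """Parse every driver block from a RootRepeal report (CRLF tolerated)."""
    text = text.replace("\r\n", "\n")
    return [
        Driver(m["name"].strip(), m["path"].strip(), int(m["addr"], 16),
               int(m["size"]), m["visible"], m["signed"], m["status"].strip())
        for m in ENTRY_RE.finditer(text)
    ]


def has_no_directory(path: str) -> bool:
    """RootRepeal prints a bare file name when it cannot resolve the
    driver's location on disk (compare 'rtqj.sys' with the full paths)."""
    return "\\" not in path and "/" not in path


def triage(drivers: list[Driver]) -> dict[str, list[str]]:
    """Return {driver name: [reasons]} for drivers worth a closer look."""
    findings: dict[str, list[str]] = {}
    for d in drivers:
        if d.name.lower() in KNOWN_SCANNER_DRIVERS:
            continue
        reasons = []
        if has_no_directory(d.image_path):
            reasons.append("image path has no directory component")
        if d.file_visible.lower() == "no":
            reasons.append("file not visible on disk")
        if reasons:
            findings[d.name] = reasons
    # Heuristic: flagged drivers with an identical image size are likely
    # copies of the same file dropped under different random names.
    by_size: dict[int, list[str]] = {}
    for d in drivers:
        if d.name in findings:
            by_size.setdefault(d.size, []).append(d.name)
    for size, names in by_size.items():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings[n].append(f"same size ({size} bytes) as {others}")
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_drivers(SAMPLE_LOG)).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it against a saved RootRepeal report by replacing SAMPLE_LOG with the file's contents; the scanner's hidden driver is skipped only because of the allowlist, so extend that set for other tools you run.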

#2 Buckeye_Sam

    Malware Expert

Posted 14 December 2009 - 08:49 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 very worry (Topic Starter)

Posted 14 December 2009 - 10:29 AM

Okay!

Download it now!

Will upload the result when it's ready!

Thanks in advance!!

BTW, that thing is eating up 95% of my CPU resources.

I just scanned it with GMER, took 8 hours!

Dunno if it will help, report is as follows:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-07 18:53:38
Windows 5.1.2600 Service Pack 3
Running: hgnokzt1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF1B6F6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF1B6F574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF1B6FA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF1B6F14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF1B6F64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF1B6F08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF1B6F0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF1B6F76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF1B6F72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF1B6F8AE]

INT 0x62 ? FCC112AC
INT 0x63 ? FC8B2634
INT 0x73 ? FC8B19B4
INT 0x83 ? FCC61E54
INT 0x93 ? FC89F754
INT 0xA3 ? FC89AE54
INT 0xA4 ? FCA1A6EC
INT 0xB1 ? FCCAD2AC
INT 0xB4 ? FCA4F6DC

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF55E4000, 0x21F557, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxDisconnectionTime 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritMaxIdleTime 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritAutoClient 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritSecurity 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fInheritColorDepth 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fPromptForPassword 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fResetBroken 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fReconnectSame 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fLogonDisabled 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientDrives 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fAutoClientLpts 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fForceClientLptDef 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableEncryption 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fHomeDirectoryMapRoot 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fUseDefaultGina 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCpm 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCdm 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCcm 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableLPT 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableClip 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableExe 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@fDisableCam 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Username
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Domain
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Password
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WorkDirectory
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@InitialProgram
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@CallbackNumber
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Callback 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@Shadow 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxConnectionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxDisconnectionTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MaxIdleTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@KeyboardLayout 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@MinEncryptionLevel 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@NWLogonServer
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WFProfilePath
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@WdPrefix RDP
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceEnable 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceDebugger 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@TraceClass 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp@ColorDepth 3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 0C04FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452BA7FD869164D6794BA7FD869164D67949280D8D7302FCC58A748D546B25B4C46155CF1082839BBB035AF617C9A29E1029A17F42D6BA01A6D4C9CB21ED020702B0FA16D77ECFB4387C0CC76F86CF57FBE40C9DB3B38225F246CDD34483FA247A72CC483FC3EB1AA1B87E022C1ACF580D2D53F3E88A52DCB0EF3656E27F3A3B23991724AF89B00A2F50B8F99D482D40877D4AF954F2292143173213A5247371753086F197EE4DD6097EB8F56637B8E3BD758E51DFE0373EE852011B196F7C4DC5C7F100F5863979FF1722D98D305F646151F43D1390147987852CB35F12608702B093F0C02BF509BEC88C6DF3FF131D6430FBBF8D53759D0EA08796A18D810C390D97BB5AA87FA98E23ECFF4737BB8A0E82F5818DC26C7DA3161D739F1784149CD4CD6F5392FE0D92445CF6070BB5AD903ABB37B1033857E9424B8CC195255FB995EF6F8440C1F2A72746270EE3339BC81D380B15F275807D3B77F965F96D3579C3217301AD8A6D605C735B7D444C987481C808E722C5CC49DA9A849C55DA05BF50D85CFB9B3BBB208DD0D8C423756FE309D8D29A355818A182C3EDD859E6D0E365924D2D71FF69119F842088736FCE60411935B81948631DC1263118938C

---- EOF - GMER 1.0.15 ----

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report

  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.
=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.



#4 very worry

very worry
  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:57 AM

Posted 14 December 2009 - 06:31 PM


After hours and hours the computer finally finished.

The OTL files are large so I am attaching them to this message.

Thanks again !

Attached Files



#5 very worry

very worry
  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:57 AM

Posted 14 December 2009 - 09:01 PM

I found 2 more RootRepeal reports on the root dir of my C drive, which is very surprising.

Here they are:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 13:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: cpuz132_x32.sys
Image Path: C:\WINDOWS\system32\drivers\cpuz132_x32.sys
Address: 0xF0205000 Size: 12672 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: tap0901.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Address: 0xF6138000 Size: 25216 File Visible: - Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\administrator\local settings\temp\etilqs_pkdtwtsk5bfqrmjeeitj
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\etilqs_wgpgxzttwsxg3tin406j
Status: Allocation size mismatch (API: 32768, Raw: 0)

==EOF==


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 13:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: BIOS.sys
Image Path: C:\WINDOWS\system32\drivers\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: cpuz132_x32.sys
Image Path: C:\WINDOWS\system32\drivers\cpuz132_x32.sys
Address: 0xF0205000 Size: 12672 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: tap0901.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Address: 0xF6138000 Size: 25216 File Visible: - Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -

==EOF==
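The two RootRepeal reports above list six drivers, and two of them (rtqj.sys and uyowfi.sys) stand out for the same pair of reasons: the scanner could not see the image on disk ("File Visible: No") and the image path is a bare file name with no directory, which is what a driver loaded by a rootkit from a hidden or non-file-backed location looks like in this tool's output. The scanner's own driver, rootrepeal.sys, is also reported as not visible, because it hides itself by design. The following triage script is an added example written for this thread, not part of RootRepeal or of any tool mentioned here; it parses the report format as posted above (the sample text is copied from post #5 and trimmed to the records it needs) and applies exactly those two checks, skipping the scanner's own driver. The "Hidden/Locked Files" handling assumes the common case that an in-use SQLite temp file (the etilqs_ prefix) shows an allocation-size mismatch simply because it is open, so it is marked informational rather than flagged.

```python
"""Triage helper for RootRepeal text logs (added example, not a RootRepeal component)."""
import re
from dataclasses import dataclass

# Sample input: driver and hidden-file records copied from the log posted above,
# trimmed to the sections this parser reads.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/07 13:21
==================================================

Drivers
-------------------
Name: BIOS.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\BIOS.sys
Address: 0xF557B000 Size: 13696 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xEFAD5000 Size: 49152 File Visible: No Signed: No
Status: -

Name: rtqj.sys
Image Path: rtqj.sys
Address: 0xF5DD8000 Size: 54016 File Visible: No Signed: No
Status: -

Name: uyowfi.sys
Image Path: uyowfi.sys
Address: 0xF5DC8000 Size: 54016 File Visible: No Signed: No
Status: -

Hidden/Locked Files
-------------------
Path: c:\\documents and settings\\administrator\\local settings\\temp\\etilqs_pkdtwtsk5bfqrmjeeitj
Status: Allocation size mismatch (API: 8192, Raw: 0)

==EOF==
"""

ADDR_RE = re.compile(
    r"Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)"
)

# The scanner's own driver hides itself by design; any other hidden driver is a finding.
SCANNER_DRIVERS = {"rootrepeal.sys"}


@dataclass
class Driver:
    name: str
    image_path: str
    address: str
    size: int
    visible: str   # "Yes", "No" or "-" (not checked by the scanner)
    signed: str


def parse_sections(text):
    """Split the log into {section_name: [record_dict, ...]}.

    A section header is a line followed by a dashed underline; records inside a
    section are blank-line separated "Key: value" groups.
    """
    sections, current, record = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("---"):
            current = line.strip()
            sections[current] = []
            continue
        if current is None or line.startswith("---") or line.startswith("=="):
            continue
        if not line.strip():
            if record:
                sections[current].append(record)
                record = {}
            continue
        key, _, value = line.partition(":")   # first colon only; values may contain colons
        record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections


def drivers(sections):
    """Turn the raw "Drivers" records into Driver objects."""
    out = []
    for rec in sections.get("Drivers", []):
        m = ADDR_RE.search("Address: " + rec.get("Address", ""))
        if not m:
            continue
        out.append(Driver(rec.get("Name", ""), rec.get("Image Path", ""),
                          m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return out


def triage_drivers(text):
    """Return {driver_name: [reasons]} for drivers that warrant a closer look."""
    findings = {}
    for d in drivers(parse_sections(text)):
        if d.name.lower() in SCANNER_DRIVERS:
            continue
        reasons = []
        if d.visible == "No":
            reasons.append("image not visible to the file system API")
        if "\\" not in d.image_path:
            reasons.append("image path has no directory (not backed by an on-disk file)")
        if reasons:
            findings[d.name] = reasons
    return findings


def triage_hidden_files(text):
    """Classify Hidden/Locked Files entries; an open SQLite temp file (etilqs_ prefix)
    with an allocation-size mismatch is expected, so it is only informational."""
    out = []
    for rec in parse_sections(text).get("Hidden/Locked Files", []):
        path, status = rec.get("Path", ""), rec.get("Status", "")
        expected = "\\etilqs_" in path.lower() and status.startswith("Allocation size mismatch")
        out.append((path, "informational" if expected else "review"))
    return out


if __name__ == "__main__":
    for name, why in triage_drivers(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
    for path, verdict in triage_hidden_files(SAMPLE_LOG):
        print(f"{verdict}: {path}")
```

Run against the sample, the script reports rtqj.sys and uyowfi.sys with both reasons and leaves BIOS.sys and rootrepeal.sys alone; the etilqs_ temp file is listed as informational. The point of keeping the checks this narrow is that they rest only on what the scanner itself asserts (visibility and image path), not on the driver names looking random, so the same logic carries over to other reports from this tool without tuning.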

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 AM

Posted 15 December 2009 - 08:04 AM

The reason why your log is too large is that you changed the file age to 90 days.
Please change it to 14 days and then run the scan as directed.

Do not attach files. Just copy and paste them directly into your post.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 AM

Posted 15 December 2009 - 08:05 AM

Please do not post logs that I don't ask for. I don't need to see a rootrepeal log and it just clutters up the space with unnecessary information.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 AM

Posted 26 December 2009 - 08:20 PM

Unfortunately there has been no response. :(
This topic will now be closed.
